
Inside the mob's million-dollar poker hack, and a Formula 1 fumble

Episode Transcript

[SPEAKER_01]: They would use pre-arranged physical cues like touching a particular chair, or adjust items on the table, or scratching their nose, or their buttocks or whatever it was.

[SPEAKER_01]: Obviously it's a problem if you have got an itchy bottom, you can send the wrong message.

[SPEAKER_00]: Smashing Security, episode 441: Inside the mob's million-dollar poker hack, and a Formula 1 fumble, with Graham Cluley and special guest Danny Palmer.

[SPEAKER_01]: Hello, hello, welcome to Smashing Security episode 441. My name's Graham Cluley.

[SPEAKER_02]: And I'm Danny Palmer.

[SPEAKER_01]: Danny, first time on the show, welcome.

[SPEAKER_02]: Thank you for having me, long time listener, first time caller.

[SPEAKER_01]: Now Danny, it is your first time on the show.

[SPEAKER_01]: There may be some people out there who don't know who you are.

[SPEAKER_01]: Why don't you describe what you do and what you're doing on Smashing Security.

[SPEAKER_01]: What brings you here?

[SPEAKER_02]: Cool.

[SPEAKER_02]: Well, I suppose the summary is I'm a cybersecurity journalist and writer, which I've been doing for the past... oh, 15 years or so now. I was probably best known for my time at ZDNet, where I was senior reporter for about seven and a half years up until 2023.

[SPEAKER_02]: I've been freelance from the start of this year.

[SPEAKER_02]: I've appeared in various publications that people will probably be aware of: The Register, The Stack, Computer Weekly, that sort of thing. I do a bit of consulting on the side as well, and prior to ZDNet I was at Computing magazine for a number of years, where I was talking about and reporting on things CIOs were thinking about and talking about, which is where we first came into contact, I believe.

[SPEAKER_01]: I think it was.

[SPEAKER_01]: I actually remember an interview we did down in some London hotel one time.

[SPEAKER_01]: And you wrote an article about how... What was that?

[SPEAKER_02]: Don't call it the cloud call it someone else's computer.

[SPEAKER_02]: Yes, I managed to dig up the article.

[SPEAKER_01]: Oh yeah, I think that may have been the first time that we actually met.

[SPEAKER_01]: And for a really long time, I believed maybe I had been the first person to come up with that phrase.

[SPEAKER_02]: Yeah, it was still early back then, I suppose.

[SPEAKER_02]: Because back then the cloud was this newfangled thing that CIOs and IT leaders were trying to get to grips with.

[SPEAKER_01]: But your beat is very much cyber security, isn't it?

[SPEAKER_02]: Yes, yes.

[SPEAKER_02]: I did a bit of security back then.

[SPEAKER_02]: At ZDNet, I really focused on cyber security as a beat.

[SPEAKER_02]: I worked internally at a cyber security company for two years, doing editorial strategy for them.

[SPEAKER_02]: So yeah, it's the bread and butter of what I do. 95% of it is, yes, cyber security. I've been covering the space for a long time, I think.

[SPEAKER_02]: I like to think about how one of my very first stories at ZDNet, back in 2016, was about a ransomware attack.

[SPEAKER_02]: It hit a hospital, I believe it was in the north of England.

[SPEAKER_02]: Yep.

[SPEAKER_02]: And the ransom demand for that was a colossal total of £500.

[SPEAKER_02]: How times have changed.

[SPEAKER_02]: Yeah, you're lucky now if they only want, in inverted commas, £500,000.

[SPEAKER_02]: It's evolved and everything's evolved and it's just getting faster, it seems.

[SPEAKER_02]: Which keeps people like me writing about and explaining these issues, you know.

[SPEAKER_02]: I hope I can help in that way, because I don't have any technical background myself; you know, my background is as a journalist and reporter, but everything I've learned over the years has been from covering the space.

[SPEAKER_02]: I've always found it so fascinating.

[SPEAKER_02]: There's always stuff to write about.

[SPEAKER_02]: People want to hear about it.

[SPEAKER_02]: And as has been discussed, you know, plenty of times on the podcast, cybersecurity is, for want of a better phrase, real-world, real news now.

[SPEAKER_02]: And we all know about the Jaguar Land Rover thing, M&S, the Co-op. It's not just this thing that's at arm's length.

[SPEAKER_02]: It's affecting the real world and it's impacting all of us, isn't it?

[SPEAKER_02]: Yeah, yeah.

[SPEAKER_02]: I remember that weekend when the Co-op thing happened and thinking, hey, shelves are a bit empty, oh, it must be just because it's the bank holiday weekend.

[SPEAKER_02]: Turns out it was not.

[SPEAKER_01]: Well, before we kick off, let's thank this week's wonderful sponsors, Action1, Vanta and SecAlerts.

[SPEAKER_01]: We'll be hearing more about them later on in the podcast.

[SPEAKER_01]: This week on Smashing Security, we're not going to be talking about how a fake Telegram app has infected over 58,000 Android devices with malware, stealing data and seizing control of accounts.

[SPEAKER_01]: You'll hear no discussion of how food shipments in Russia have been disrupted nationwide after its food safety agency was hit by a DDoS attack.

[SPEAKER_01]: And we won't even mention how people searching for videos about game hacks, cheats and software cracks are being targeted by a sophisticated network of malicious accounts on YouTube distributing malware.

[SPEAKER_01]: So Danny, what are you going to be talking about this week?

[SPEAKER_02]: I'm going to be talking about how hackers managed to access the passports of Formula One drivers.

[SPEAKER_01]: And I'm going to be talking about high-stakes hackers.

[SPEAKER_01]: All this and much more coming up on this episode of Smashing Security.

[SPEAKER_01]: Right then, we've got time for a quick word now about one of our sponsors today, Action1.

[SPEAKER_01]: Now, most security breaches still happen because of unpatched vulnerabilities, and the worst part, many already have fixes available for them, but patching can be a real pain, right?

[SPEAKER_01]: If staying up at night worrying about the next cyber attack headline sounds familiar, it's time to try Action1, the patch management platform that just works.

[SPEAKER_01]: You can start updating Windows, Mac and third-party apps in under five minutes, and Linux support is coming very soon.

[SPEAKER_01]: The best part? Well, your first 200 endpoints are free, forever, with no functional limits.

[SPEAKER_01]: This isn't a disguised free trial, there's no credit card required, no hidden limits, no tricks.

[SPEAKER_01]: All you have to do is visit smashingsecurity.com/action1 and get started today.

[SPEAKER_01]: So if you're looking to automate patching and save weeks or even months doing it, go to smashingsecurity.com/action1 and sign up for patching that just works.

[SPEAKER_01]: And thanks to Action1 for supporting the show.

[SPEAKER_01]: Now, Danny, Danny, I've got a question for you.

[SPEAKER_01]: Yes.

[SPEAKER_01]: Have you ever wanted to join the Mafia?

[SPEAKER_02]: I'd like to think I wouldn't do that well in that environment, if I'm honest.

[SPEAKER_01]: You don't picture yourself as Danny "Cold Grip" Palmerelli or something like that? You'd be offering to whack people's unpatched networks. You don't picture yourself in that way?

[SPEAKER_01]: Why ever not!

[SPEAKER_02]: Well, would they give me a cool nickname like that?

[SPEAKER_02]: Maybe.

[SPEAKER_02]: Maybe I can consider it a bit more.

[SPEAKER_01]: I could see you offering protection contracts on people's USB drives.

[SPEAKER_01]: You know, sidling up to people: that's an awful lot of data you've got there, it would be a real shame if something were to happen to it.

[SPEAKER_01]: Every week you'd have to come and kneel before me, Don Cluley, and pay your respects.

[SPEAKER_01]: Well, here's the thing, Danny.

[SPEAKER_01]: Don't imagine that it is all pretzels and horses' heads on the pillow in organised crime, because sometimes things can get pretty sticky.

[SPEAKER_01]: As they have done in the United States, where 31 people have just been arrested and charged with running illegal, rigged poker games.

[SPEAKER_01]: Oh dear.

[SPEAKER_01]: Yeah, and of course they're using technology to help them.

[SPEAKER_01]: Of course.

[SPEAKER_01]: According to FBI Director Kash Patel, he says we're talking about tens of millions of dollars in fraud and theft and robbery, and this was a multi-year investigation.

[SPEAKER_01]: Well, I was thinking, well, that sounds interesting.

[SPEAKER_01]: I thought it'd be interesting to hear how they've managed to hack these poker games.

[SPEAKER_01]: I thought, is it online gambling?

[SPEAKER_01]: What's going on?

[SPEAKER_01]: Turns out it's not online gambling.

[SPEAKER_01]: Turns out this is real-life stuff.

[SPEAKER_01]: IRL as the kids say.

[SPEAKER_01]: Ah, that's interesting.

[SPEAKER_02]: You think it would be virtual, because yeah, it's probably easier.

[SPEAKER_02]: Yeah, of course.


[SPEAKER_01]: So I looked into this, and it sounds like a remarkably sophisticated cheating operation, and it makes old-fashioned methods like card counting seem positively quaint.

[SPEAKER_01]: But first, let's set the scene.

[SPEAKER_01]: So this operation, it allegedly ran from about 2019 until quite recently, and it involved a mixture of people. So there were people organising the poker games.

[SPEAKER_01]: There were people supplying technology which helped them cheat.

[SPEAKER_01]: There were money launderers.

[SPEAKER_01]: And in addition, they also had well-known sports stars who were helping them.

[SPEAKER_02]: Interesting. Were these sports stars willing accomplices? Or, you sometimes see people paid to do cameos and things.

[SPEAKER_02]: Yes.

[SPEAKER_02]: Sports stars will say something and, yeah, not really know what they're saying.

[SPEAKER_01]: Yes, you sometimes get that.

[SPEAKER_01]: But according to the FBI, these were people who knew what they were doing.

[SPEAKER_01]: They say they were employed as what they called "face cards" to lure in victims.

[SPEAKER_01]: There are former and current NBA figures who were used to attract, to draw people in to play high-stakes private poker games against them.

[SPEAKER_01]: Most notable of the people arrested is Miami Heat NBA player Terry Rozier, also known as Scary Terry.

[SPEAKER_01]: That's a good mob name.

[SPEAKER_01]: And Chauncey Billups, who is the head coach of the Portland Trail Blazers, who was inducted into the Basketball Hall of Fame last year.

[SPEAKER_01]: And these poker games took place in private houses and high-end card rooms.

[SPEAKER_01]: So there's no traditional casino involved here.

[SPEAKER_02]: So you're not going in, cashing in your chips, in Las Vegas or somewhere.

[SPEAKER_01]: Yeah, it's not the Mecca bingo hall.

[SPEAKER_01]: It's not the Bellagio.

[SPEAKER_01]: Same thing.

[SPEAKER_01]: So this is someone's probably quite a nice house, I imagine.

[SPEAKER_01]: But there's no oversight.

[SPEAKER_01]: It's the perfect environment for scamming the unwary.

[SPEAKER_01]: So this is a combination of celebrities being present.

[SPEAKER_01]: Let's see...

[SPEAKER_01]: There's a perceived exclusive high-roller table.

[SPEAKER_01]: And this is social engineering, where victims assume the games are legitimate and maybe are more willing to bet large sums.

[SPEAKER_01]: Are you a gambler at all?

[SPEAKER_02]: No, not really.

[SPEAKER_02]: I've been to Vegas.

[SPEAKER_02]: Yeah.

[SPEAKER_02]: I've put $5 in a machine and it gave me back $70.

[SPEAKER_02]: That was me done.

[SPEAKER_02]: I was like, yeah, okay.

[SPEAKER_02]: I've won at gambling now and I can go and enjoy my winnings.

[SPEAKER_01]: Well done to you.

[SPEAKER_01]: Well done for walking away, and congratulations on walking away with more than you went in with. That's brilliant.

[SPEAKER_01]: So, in a normal poker game across the table, they will have, in the casinos, a shuffling machine. That's something which randomly mixes the cards before they're dealt, presumably to stop any shenanigans, or if the dealer is crooked and doing a sort of dodgy shuffle.

[SPEAKER_01]: So it avoids accusations of cheating.

[SPEAKER_02]: No dodgy dealers here, of course.

[SPEAKER_01]: No, no dodgy deals, no dodgy dealers.

[SPEAKER_01]: In this case, they were using something called the Deck Mate 2 card shuffler.

[SPEAKER_01]: These are machines that you'll find in proper casinos that are meant to ensure a deck has been perfectly randomly shuffled.

[SPEAKER_01]: But the Deck Mate 2, in what can only be described in retrospect as an accident waiting to happen, has a curious component, because part of its gubbins inside is an internal camera.

[SPEAKER_01]: Yeah, now this normally verifies the integrity of a deck of cards, that it hasn't been tampered with and that it is being shuffled properly. But back at the Black Hat security conference a couple of years ago, a security researcher called Joseph Tartaro demonstrated that if you could gain access to that camera, you've essentially got, well, it's like having extra...

[SPEAKER_02]: Are we going to find out next that this camera was connected to the internet somehow, or was it just linked to a local laptop?

[SPEAKER_01]: I can see already that you are auditioning for your place inside some sort of criminal organisation, Danny.

[SPEAKER_01]: You've got that kind of mindset. So normally the device doesn't have that, but it does have a USB port, and it turns out that you can alter the firmware through that USB port.

[SPEAKER_01]: And the new firmware which you put on can access the camera feed and will then send images of every single card as it's being shuffled via Bluetooth to a nearby phone.

[SPEAKER_01]: So someone standing around the table has got a phone which is connected to the card shuffler.

[SPEAKER_01]: Because that's easier if you think about it.

[SPEAKER_01]: It's easier to have some sort of dodgy piece of software on your phone than to have it on the card shuffler.

[SPEAKER_01]: Whereas if you can just get the feed sent to your phone, then your phone can do more.

[SPEAKER_01]: And maybe your phone has got a better connection to 4G data or Wi-Fi or whatever it may be.

[SPEAKER_02]: From what I know about card games, I don't know, which admittedly isn't that much...

[SPEAKER_02]: I believe in places like Las Vegas you're not allowed your phone at the table.

[SPEAKER_02]: Whereas it shows in environments like this... Yeah.

[SPEAKER_01]: That's allowed.

[SPEAKER_01]: This is the thing.

[SPEAKER_01]: You see, it's not as though the person around the table is looking at their phone.

[SPEAKER_01]: Right?

[SPEAKER_01]: The phone is being used to transmit the images further.

[SPEAKER_01]: So it is then transmitting this data.

[SPEAKER_01]: The data doesn't just go to one person around the table.

[SPEAKER_01]: It goes to someone who's off site.

[SPEAKER_01]: I'm imagining a guy in a van parked outside, but maybe that's just my cinematic, you know, I've just watched too many heist movies.

[SPEAKER_02]: With some sort of nondescript description on the side, like a catering company or... Yeah, it's a lot of real.

[SPEAKER_02]: Yeah, it's exactly that.

[SPEAKER_02]: Can I always buy Irene?

[UNKNOWN]: That's awesome.

[SPEAKER_01]: But in fact, it could just as easily be someone in a different room, who knows, because this is in a private home, and that person, who is safely removed from the actual game, they've probably got their proper computer there, which is receiving the full deck in order, and they're running it through a custom app which is calculating the optimal betting strategy for each hand.

[SPEAKER_01]: And that remote operator, let's imagine they are in a van.

[SPEAKER_01]: They have become the command center.

[SPEAKER_01]: And they are transmitting instructions back to someone at the table.

[SPEAKER_01]: And that person, they called the quarterback.

[SPEAKER_01]: They liked a lot of sporting terminology, maybe because they were doing stuff with the NBA here.

[SPEAKER_02]: Yep, that sounds right. They do like a brand, criminals, don't they?

[SPEAKER_01]: So the quarterback, they can't obviously, you know, go "a couple of raises", they can't, you know, "fold", they can't do that.

[SPEAKER_01]: So they developed a rather elegant signalling system for the people playing around the table.

[SPEAKER_01]: They would use pre-arranged physical cues like touching a particular chip, or adjusting items on the table, or scratching their nose or their buttocks or whatever it was that they tried. They had to communicate.

[SPEAKER_02]: It's very sort of old school, that, isn't it, in terms of how it's operated in the physical space?

[SPEAKER_01]: Yes, but at this stage, what else can you do?

[SPEAKER_01]: You know, obviously it's a problem if you have got an itchy bottom, or if you have got a cold and you're touching your face all the time; you could obviously send the wrong messages.

[SPEAKER_02]: Yeah, you don't want the coughing major at your table.

[SPEAKER_01]: So each gesture they make translates to a specific instruction.

[SPEAKER_01]: So, you know, who has got the winning hand, or watch out for them, or when to raise, when to fold, when to go all in. They don't need to be too specific.

[SPEAKER_01]: They just need to give a general direction of: ask for another card, or give up now because it's been looked at.

[SPEAKER_02]: It's really interesting though. You'd say it's quite innovative, obviously being used for naughty purposes, but they've put in the work to figure out how to get this whole scheme going.

[SPEAKER_01]: And if you're going to make millions, which apparently this gang did, it's obviously worth the investment in the number of people and the technology which they're using.

[SPEAKER_01]: According to the indictment, they won large sums of money from unsuspecting players. These people who came to these games were losing, in some cases, hundreds of thousands of dollars.

[SPEAKER_01]: And it wasn't just the tech which we've spoken about, the shuffler, which was fitted with hidden cameras as well to read cards as cards are sort of dealt round the table.

[SPEAKER_01]: They had, get this, they had apparently an X-ray table that could see face-down cards.

[SPEAKER_01]: It's all very James Bond, isn't it?

[SPEAKER_01]: You can imagine Q coming up with this.

[SPEAKER_01]: They had contact lenses or glasses that apparently could detect marked cards.

[SPEAKER_01]: Now that must be part of a Bond film.

[SPEAKER_01]: There must be a movie where that happens.

[SPEAKER_01]: Apparently they were also up to armed robbery, and so they apparently, allegedly, robbed someone at gunpoint to steal their card shuffler.

[SPEAKER_01]: I don't know why they stole one, but apparently they stole one which had already been rigged in this particular way.

[SPEAKER_01]: Maybe they're having problems with the supply chain, I don't know. I suppose you can't go on eBay. No. And buy one which has already been tampered with.

[SPEAKER_02]: Maybe their dark web marketplace recently suffered a takedown, so yeah, supply chain issues there, not just for the general public, but also for cyber criminals.

[SPEAKER_01]: So they had these basketball stars who were drawing people in, who had money.

[SPEAKER_01]: There was this quarterback who was receiving the card information and distributing it through pre-arranged signals.

[SPEAKER_01]: And they also, all these chaps, they have, they have nicknames. There's a guy called Juice Thill.

[SPEAKER_01]: There's another guy who was called Black Tony, another guy called Flapapoka.

[SPEAKER_01]: And there were a number of infamous crime families involved.

[SPEAKER_01]: The Bonannos, the Gambinos, the Genoveses, these little branches of the Mafia.

[SPEAKER_01]: They were taking a cut from these games, which were running from Manhattan to the Hamptons to Miami.

[SPEAKER_01]: It's a pretty big deal, isn't it?

[SPEAKER_02]: Yeah, I can't help but chuckle at those names.

[SPEAKER_02]: They do sound like stereotypically made-up Italian gangster names, but I suppose real life influences the movies.

[SPEAKER_02]: So Bonannos, I mean, that's so close to being bananas, which would be all too on the nose, isn't it?

[SPEAKER_01]: And of course, sometimes people thought, well, how come I keep on losing these games?

[SPEAKER_01]: Yeah, normally I do better than this.

[SPEAKER_01]: And some of these people refuse to pay their debts.

[SPEAKER_01]: But of course, if you refuse to pay your debt to these kind of people, they are going to deploy their traditional collection methods, right?

[SPEAKER_01]: Which quite often may be down a back alley with a bit of lead drainpipe, so, you know, chances are you're going to pay that.

[SPEAKER_02]: Yeah, these are that all loose use of your knees, I suppose.

[SPEAKER_01]: Yes.

[SPEAKER_01]: Now it turns out the guys at Wired magazine, a while back, after the research was announced at Black Hat, they actually tested out this Deck Mate 2 vulnerability themselves.

[SPEAKER_01]: They demonstrated the hack in a real game.

[SPEAKER_01]: They successfully fleeced two unsuspecting players.

[SPEAKER_01]: So there's a new source of income for any journalists who are...

[SPEAKER_01]: There's a tough industry out there.

[SPEAKER_01]: It is!

[SPEAKER_01]: It is!

[SPEAKER_01]: So I hope this has given you some ideas, Danny.

[SPEAKER_01]: But unfortunately for you, the Deck Mate 2, the manufacturers have since issued patches and disabled the USB port, maybe with a bit of chewing gum, I don't know.

[SPEAKER_01]: But apparently those fixes are only applied to new units in licensed establishments.

[SPEAKER_01]: So if you're going to a private poker game and they've got a deck shuffling machine, maybe be a little bit careful.

[SPEAKER_01]: Also, if you hear the X-ray machine warm up as it hits you with radiation and takes your X-ray in order to find out what's on the cards.

[SPEAKER_01]: So watch out.

[SPEAKER_02]: I mean, security patching is difficult for many people, but in situations like this, well, they just don't want to apply them.

[SPEAKER_02]: There's no sort of "we can" or "we can't"; you're just riding on the goodness of their criminal hearts to patch this thing out.

[SPEAKER_01]: Let me tell you about SecAlerts, who are sponsoring today's show.

[SPEAKER_01]: Look, if you're drowning in vulnerability alerts and spending way too much time figuring out which ones actually matter to you and your software, SecAlerts solves that problem.

[SPEAKER_01]: They monitor over 100 sources and automatically match vulnerabilities to your specific software versions.

[SPEAKER_01]: But here's the clever bit.

[SPEAKER_01]: You can build custom queries that filter out all the noise.

[SPEAKER_01]: Want to see only critical Microsoft vulnerabilities with a CVSS of 8 to 10 that have been actively exploited this week?

[SPEAKER_01]: Done.

[SPEAKER_01]: No more wading through irrelevant alerts.

[SPEAKER_01]: You can push those alerts directly to the people who need them via email, Slack, Teams, whatever works for you, and set the frequency yourself.

[SPEAKER_01]: One of their clients said it best.

[SPEAKER_01]: They said, SecAlerts has been an absolute game changer; it's strengthened our security posture and improved response times significantly.

[SPEAKER_01]: They've got plans for businesses of all sizes.

[SPEAKER_01]: And right now, you can try SecAlerts for free for 30 days.

[SPEAKER_01]: Use the code Smashing and you'll get 50% off a yearly subscription.

[SPEAKER_01]: Check them out at secalerts.co.

[SPEAKER_01]: That's S-E-C alerts dot co, and thanks to SecAlerts for supporting the show.

[SPEAKER_01]: Danny, what's your story for us this week?

[SPEAKER_02]: Well, I found this really interesting. It's also kind of sports themed.

[SPEAKER_02]: Okay, so basically some cybersecurity researchers, Ian Carroll, Gal Nagli and Sam Curry, they thought it would be fun to try and essentially hack and test some of the websites around Formula One.

[SPEAKER_02]: As I'm sure many people know, cybersecurity and Formula One are very linked these days. Half the teams have a cybersecurity company's name on their car. You see these big-name drivers, they've got the names of companies on their jackets, on the side of the car.

[SPEAKER_02]: It was always interesting when I was playing Formula One games.

[SPEAKER_02]: I was going to relax after a day at work and I'd be stuck behind a car with a security company's name on the back.

[SPEAKER_02]: I was trying to relax in my evening away from...

[SPEAKER_02]: Anyway, they had a look at the FIA, which is essentially the global body that runs international motor sport.

[SPEAKER_02]: They looked at the super licence and driver categorisation portal.

[SPEAKER_02]: And long story short, they managed to access Max Verstappen's passport, driving licence and personal information within about 10 minutes.

[SPEAKER_02]: Oh, crikey!

[SPEAKER_02]: They didn't do anything bad with it.

[SPEAKER_02]: They just... this vulnerability has been closed, it was all responsibly disclosed. But essentially there's a public-facing system because, while you do have the superstar motorsport drivers in Formula One and the other high-level sports, you can do motor racing as a more amateur pursuit.

[SPEAKER_02]: Yes.

[SPEAKER_02]: You still have to get your license, your paperwork to allow you to do so.

[SPEAKER_02]: You have to be loaded as well.

[SPEAKER_02]: Don't you have to be rich?

[SPEAKER_02]: I think it helps.

[SPEAKER_02]: Yeah, I think it does help.

[SPEAKER_02]: I mean, I don't think you need one of these to go sort of banger racing.

[SPEAKER_02]: But yeah, if you want to sort of do your sports car, Porsche racing and that sort of thing, yeah, you do need to be quite rich.

[SPEAKER_02]: And again, I believe some cybersecurity executives are well known to take part in actual sports car racing.

[SPEAKER_02]: But in this case, the portal is public-facing, like any website you sign up to: you can enter your name and password to sign up, which anyone can do, because anyone could really be involved in this.

[SPEAKER_02]: Right.

[SPEAKER_02]: So essentially, they logged into this system, got in there, and they started poking around the back end of things, and they found a JavaScript exploit in the login portal which allowed them to sort of see a bit more information than they perhaps should have been able to see.

[SPEAKER_02]: It also gave them access to tools which could escalate to administrative privileges.

[SPEAKER_02]: So oh boy.

[SPEAKER_02]: Yes, you could sort of get in for the people who were responsible for handing out the licences.

[SPEAKER_02]: You could get the responsibilities of other people involved in motorsport.

[SPEAKER_02]: And you could get the responsibilities that the administrator of the website was able to hand out, which is, as we know, the most important one when it comes to a website.

[SPEAKER_02]: So they managed to get access to this... They could categorise drivers, they could manage employees, update server-side things like email templates, and more.

[SPEAKER_02]: What they managed to do was they loaded a driver's profile. It doesn't say who this driver was, but they managed to... it could have been any sort of sports car driver around the world.

[SPEAKER_02]: They managed to find the user's password hash, their email address, phone number, passport and resume, and other personal information.

[SPEAKER_02]: which is not ideal.

[SPEAKER_02]: Far from it.

[SPEAKER_02]: Also, no, you don't want that out there, but also, they managed to load internal communications about the driver categorisation, including comments about the driver's performances.

[SPEAKER_02]: So, you know, if these were proper baddies, in addition to gaining access to data, they could have, you know, people looking at that kind of going... I'm sure it would be quite demoralising for people. But no, they essentially got to a point where they managed to access the details of Max Verstappen, so that's the Formula One world drivers' champion, four-time world championship winner, famous Dutch motor racing driver.

[SPEAKER_01]: Yes, I mean, I don't know anything about Formula One, but I've heard of him.

[SPEAKER_02]: He's a big deal.

[SPEAKER_02]: Yeah, he's quite good at driving a car.

[SPEAKER_02]: Right, okay.

[SPEAKER_02]: They managed to find his passport, his regular driving licence, his super licence, his password hash and PII, and his CV, which I kind of wonder what that looks like.

[SPEAKER_02]: Does he have sort of LinkedIn endorsements? "Drives car, well."

[SPEAKER_01]: As you said, there will be personal information, his contact details; these are things which fraudsters and identity thieves could exploit, or they could contact him pretending to be the... If they can change the email template, for instance, which is sent out, there would be the potential for sending out malicious links.

[SPEAKER_01]: And grab an even more sensitive data.

[SPEAKER_02]: Yeah, as we've seen plenty of times in the past, you know, cybercriminals love a celebrity hack: information, photos, email addresses, that sort of thing.

[SPEAKER_02]: Things for blackmail purposes. But fortunately in this case, these are some ethical, white-hat security researchers.

[SPEAKER_02]: Yes.

[SPEAKER_02]: They managed to sort of see all the data alongside what they've described as sensitive information about internal FIA operations.

[SPEAKER_02]: They didn't say what it was, and they said they did not actually access any of the passport's sensitive information, and anything they were able to see, they've deleted, along with their ability to get hold of it again.

[SPEAKER_02]: The good news is they weren't baddies.

[SPEAKER_02]: They took this information to the FIA, who essentially took this vulnerability report and fixed the vulnerability.

[SPEAKER_02]: And so they got an official response, and the blog post was released, I note, in the last week, and the public disclosure of all this, too.

[SPEAKER_02]: Ensuring that this is all fixed.

[SPEAKER_01]: Did the FIA pay them a bounty?

[SPEAKER_01]: Did they say thank you very much?

[SPEAKER_01]: Yes, I'm cash, we appreciate that.

[SPEAKER_02]: That's unclear.

[SPEAKER_02]: The spokesperson for the researchers... even if they haven't got a cash prize for this, I suppose it's quite a big sort of name to point out.

[SPEAKER_01]: Yeah, it's not as if Formula One is short of a few quid.

[SPEAKER_01]: We're right there.

[SPEAKER_01]: You would have expected them to be able to afford better security, and you have to wonder what other resources they may have online which may be susceptible to flaws, or indeed other sports as well, which may have similar operations where the sports stars create accounts and upload sensitive information as they travel around the world, which may be vulnerable to similar problems.

[SPEAKER_01]: I mean, at the very least, they could give them some free tickets to go and watch a race or something.

[SPEAKER_02]: Think I'd get a hat with a Formula One team branding on, Danny.

[SPEAKER_01]: That's not good enough, Danny.

[SPEAKER_02]: I do have a statement here for them.

[SPEAKER_02]: So the FIA spokesperson said the FIA became aware of a cyber incident.

[SPEAKER_02]: Good phrase, good phrasing.

[SPEAKER_02]: "...involving the FIA driver categorisation website over the summer. Immediate steps were taken to secure drivers' data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA's obligations."

[SPEAKER_02]: "No other FIA digital platforms were impacted in this instance." And then we have the final line of the statement here.

[SPEAKER_02]: "The FIA has invested extensively in cybersecurity and resilience measures across its digital estate."

[SPEAKER_02]: "It has put world-class data security measures in place to protect all its stakeholders and implemented a policy of secure by design for all new digital initiatives."

[SPEAKER_01]: Because if they want to know the names of some cyber security firms, all they got to do is look at half of the cars on the track.

[SPEAKER_02]: Yeah, it's a veritable who's who of well-known cybersecurity firms.

[SPEAKER_01]: A quick word about one of our sponsors today, Vanta.

[SPEAKER_01]: Now I know what you're thinking.

[SPEAKER_01]: Oh good, another bit of software promising to make my security easier.

[SPEAKER_01]: But honestly, Vanta's actually pretty handy.

[SPEAKER_01]: Here's the deal.

[SPEAKER_01]: If you're spending half your week chasing down evidence for an audit, or updating a spreadsheet, or trying to prove that, yes, you do take security seriously, Vanta automates all of that.

[SPEAKER_01]: It pulls everything together, keeps an eye on your

[SPEAKER_01]: No panic, no last-minute scavenger hunts for screenshots or policies you forgot to upload six months ago.

[SPEAKER_01]: It also plugs into the tools you're already using, and uses a bit of AI magic to flag up issues before they become a proper mess.

[SPEAKER_01]: So, if that sounds like something that might save you from a few sleepless nights, check them out at vanta.com slash smashing. That way they know that you heard about them on this show.

[SPEAKER_01]: And if you use that link, you'll get a thousand dollars off, which is nice as well, isn't it?

[SPEAKER_01]: So, thanks to Vanta for sponsoring this week's episode, and let's crack on with the show.

[SPEAKER_01]: And welcome back, and you join us on our favourite part of the show, the part of the show that we like to call Pick of the Week.

[SPEAKER_01]: Take a look at the week.

[SPEAKER_01]: just a little bit.

[SPEAKER_01]: Just a little bit.

[SPEAKER_01]: And I think that's allowed, because I'm kind of fascinated by CAPTCHAs.

[SPEAKER_01]: Do you like CAPTCHAs?

[SPEAKER_01]: Like is a strong word.

[SPEAKER_02]: Yeah, it's interesting how they've been getting more complex over the years as well.

[SPEAKER_02]: Going from, yeah, enter this text, to choose which one is a bike or two.

[SPEAKER_02]: There's ones now where you're like, turn a 3D model of an animal around, make sure it is facing the right way.

[SPEAKER_01]: Well, I have found a new game online.

[SPEAKER_01]: It is free, Danny.

[SPEAKER_01]: You may want to play it yourself.

[SPEAKER_01]: It is called I'm Not a Robot.

[SPEAKER_01]: It is by the ingenious Neal Agarwal, who's written a number of other fantastic online games in the past.

[SPEAKER_01]: I see this here.

[SPEAKER_01]: So, it gives you a CAPTCHA.

[SPEAKER_01]: And it starts off with a very simple CAPTCHA of, you know, tick a box to say you're not a robot.

[SPEAKER_01]: And then, every time, it shows you a new CAPTCHA, and things get worse and worse and more complicated. It is an escalating nightmare of quirky puzzles.

[SPEAKER_01]: What begins as ticking a checkbox quickly spirals into deciphering warped text, or parallel parking a car with arrow keys, or drawing perfect circles, or building a Minecraft pickaxe, or even higher-order algebraic equations, or assembling Ikea furniture in one of them.

[SPEAKER_02]: I've already started here, so: select all the squares with a vegetable.

[SPEAKER_02]: Uh, some of these I'm genuinely not sure about. Uh, is corn on the cob a vegetable?

[SPEAKER_02]: Oh, I don't think it is, you know.

[SPEAKER_01]: No, that's not a vegetable.

[SPEAKER_01]: No, I wouldn't have said so.

[SPEAKER_01]: Oh, it is.

[SPEAKER_01]: It must be.

[SPEAKER_01]: I clicked on it.

[SPEAKER_02]: It wouldn't let me through, then I clicked on it, and it went through.

[SPEAKER_02]: So corn on the cob, a vegetable.

[SPEAKER_01]: So it's educational as well.

[SPEAKER_01]: At one point, I was being asked to break up with my AI girlfriend, so I was chatting to a chat bot.

[SPEAKER_01]: I had to try and get rid of her.

[SPEAKER_01]: How did that go?

[SPEAKER_01]: Well, you'd be surprised, Danny.

[SPEAKER_01]: I actually have a great deal of experience of breakups, but normally I'm not the one delivering the proof.

[SPEAKER_01]: Normally I'm the one receiving it.

[SPEAKER_01]: Now, there are even some people who have live-streamed their attempts to play this game and see how far they managed to get.

[SPEAKER_01]: If you like this game, you can actually maybe compete with your friends and colleagues to see how far they get as well.

[SPEAKER_01]: Anyway, it's a lot of fun.

[SPEAKER_01]: How far have you got so far, Danny?

[SPEAKER_02]: I'm on level 5.

[SPEAKER_02]: I'm going to have to rotate an intersection around to make it...

[SPEAKER_02]: Yeah, it is.

[SPEAKER_02]: Yeah, it's not spaghetti junction.

[SPEAKER_02]: No, it is.

[SPEAKER_02]: But it's that sort of thing.

[SPEAKER_02]: Yeah, I've managed to complete...

[SPEAKER_02]: They're like, no, I haven't managed to complete that.

[SPEAKER_02]: I could be here a while.

[SPEAKER_01]: There was one where, um, it says, uh, avenge Garry Kasparov, try and beat Deep Blue at chess.

[SPEAKER_01]: And so you're playing a chess game.

[SPEAKER_01]: And you've got to beat it.

[SPEAKER_01]: It's like, what?

[SPEAKER_01]: This is a pretty good chess player.

[SPEAKER_01]: I'm on level six now. I've got to, I've got to win tic-tac-toe, or noughts and crosses as us Brits call it. So I could be here... Well, I just lost. I lost. Oh well. Anyway, lots of fun.

[SPEAKER_01]: It's called I'm Not a Robot. I will put a link in the show notes, and that is my pick of the week.

[SPEAKER_01]: Danny, what's your pick of the week?

[SPEAKER_02]: Well, I am going to go for a book I've been reading.

[SPEAKER_02]: Unlike all my sort of work around cybersecurity and modern tech, I do like reading a bit of history.

[SPEAKER_02]: I guess when you get to a certain age, you basically fall into one of two camps.

[SPEAKER_02]: You either like the Wars of the Roses or World War II. I think that's how it works.

[SPEAKER_02]: But I've decided to try and expand my horizons.

[SPEAKER_02]: Let's say, quite, quite literally, in terms of distance.

[SPEAKER_02]: I mean a book.

[SPEAKER_02]: It's by former BBC journalist Zeinab Badawi.

[SPEAKER_02]: It's called An African History of Africa: From the Dawn of Humanity to Independence.

[SPEAKER_02]: And it's made me realise just how little about African history I knew.

[SPEAKER_02]: Yeah.

[SPEAKER_02]: It starts off with the sort of the dawn of humanity.

[SPEAKER_02]: So humans evolving from apes in Central Africa, starting from there, then it jumps forward quite a lot to, um, ancient Egypt.

[SPEAKER_02]: It's a thing where, as the author points out, it's not really associated as African history by the wider world.

[SPEAKER_02]: It's sort of its own... The pharaohs, Tutankhamun, all that sort of thing, it's kind of in its own little pocket. And now I've gone on to read about various other kingdoms, like the Kingdom of Kush.

[SPEAKER_02]: I'm only half way through it, but it's really, really interesting.

[SPEAKER_02]: I'm feeling like I'm learning a lot.

[SPEAKER_02]: It's one of those books where I'm almost staying up very much past my bedtime, so I just want to keep reading. This is a very good thing. So yeah, I highly recommend it, especially if you want a perspective on history which is outside of just the regular stuff.

[SPEAKER_02]: You know, we always hear about it.

[SPEAKER_02]: I do believe we covered ancient Egypt battles in school a long time ago.

[SPEAKER_02]: I think you went ancient Egypt, 1066, Henry VIII.

[SPEAKER_02]: Yeah.

[SPEAKER_02]: World War Two?

[SPEAKER_02]: Yeah.

[SPEAKER_01]: That's history.

[SPEAKER_01]: And they stopped there, didn't they?

[SPEAKER_01]: Yes.

[SPEAKER_01]: And I think the way many of us were taught, at least in Europe and America, I imagine, it was very much a European and American perspective on the world.

[SPEAKER_01]: Yes, so Africa, for instance, we would be thinking of it in terms of, well, what did the Europeans do there?

[SPEAKER_01]: And mind you, they may not tell us everything that the Europeans got up to in certain parts of Africa as well.

[SPEAKER_01]: But, you know, clearly civilisations were there and extraordinary things were happening in history.

[SPEAKER_02]: Yeah, it's really interesting that you mentioned sort of there's these advanced civilisations, you know, in Africa at a time when, you know, in the British Isles, we were still, you know, rolling around in dirt, essentially.

[SPEAKER_02]: No, not much has changed.

[SPEAKER_01]: No, not much has changed.

[SPEAKER_01]: So that's my pick of the week.

[SPEAKER_01]: Fantastic.

[SPEAKER_01]: Well, that just about wraps up the show for this week.

[SPEAKER_01]: Danny, thank you so much for joining us.

[SPEAKER_01]: I'm sure lots of our listeners would love to find out what you're up to and follow you online.

[SPEAKER_02]: Thanks very much for having me again.

[SPEAKER_02]: It's been a real pleasure.

[SPEAKER_02]: I suppose the best way to find me these days is my website, which is www.dannypalmer.co.uk.

[SPEAKER_02]: Makes sense.

[SPEAKER_02]: You can search for me on Bluesky, on LinkedIn.

[SPEAKER_02]: But yeah, those are the key ways to find me.

[SPEAKER_01]: And people can hit you up, I imagine, if they want some help with their cybersecurity writing and things like that.

[SPEAKER_02]: Yes, definitely.

[SPEAKER_02]: I do the editorial aspects as well.

[SPEAKER_02]: I also have been doing some sort of, I guess you'd call it behind-the-scenes stuff, consultation, that sort of thing, training for, you know, people in terms of, you know, what to do and not do when you've been hit by a cybersecurity incident.

[SPEAKER_01]: And of course, smashing security is on social media as well.

[SPEAKER_01]: You can find us on Bluesky, you can find me on LinkedIn.

[SPEAKER_01]: And don't forget to ensure you never miss an episode: follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

[SPEAKER_01]: For episode show notes, sponsorship info, guest lists, and the entire back catalogue of over 440 episodes,

[SPEAKER_01]: check out smashingsecurity.com.

[SPEAKER_01]: Until next time, Cheerio, bye-bye.

[SPEAKER_01]: Bye.

[SPEAKER_01]: You've been listening to Smashing Security with me, Graham Cluley.

[SPEAKER_01]: Well, thanks very much to Danny Palmer for joining us this week and also big thanks to this episode's sponsors, Action One, Vanta and Secolettes.

[SPEAKER_01]: And to all the chums who've signed up to Smashing Security Plus over on Patreon. They include Panos, Isaac Kim, 636B.

[SPEAKER_01]: Marvin 71, Ryan House, Andrew Webster, Bobar, James Leonard, Ferrell, Rory, Mark, Crustley, Joe's Edwards, Veil Dog, Jack, Rache K, Phil, Colin Gurley, Kevin Windsor, Chima Orem, Tashl Gordon and King Cyril.

[SPEAKER_01]: Now, wouldn't you like to have your name read out at the end of the show? If so, you should sign up for Smashing Security Plus for as little as $5 a month.

[SPEAKER_01]: You can become a member of our happy little tribe, and you gain early access to the episodes with none of the pesky adverts.

[SPEAKER_01]: Ooh, just go to smashingsecurity.com slash plus for more details.

[SPEAKER_01]: Now, I know not everyone can afford something like that. That's quite understandable, so don't feel any pressure to become a member of Smashing Security Plus.

[SPEAKER_01]: What you can do, though, is absolutely free.

[SPEAKER_01]: You can tell your friends about smashing security.

[SPEAKER_01]: You can go up and say, oh, do you listen to any cyber security podcasts?

[SPEAKER_01]: No, well, maybe you should listen to smashing security.

[SPEAKER_01]: It's the cyber security podcast for people who don't like cyber security podcasts.

[SPEAKER_01]: Or maybe you could wear one of our lovely t-shirts from our merch store.

[SPEAKER_01]: Just go to smashingsecurity.com slash store.

[SPEAKER_01]: You'll wear it, you'll feel gorgeous, all against your skin, it will feel so lovely.

[SPEAKER_01]: And of course you're helping to spread the word.

[SPEAKER_01]: Whatever you're doing, thank you very, very much for listening and tuning in each week.

[SPEAKER_01]: It really means so much to me.

[SPEAKER_01]: Well, I'm going to sign off now.

[SPEAKER_01]: But, er, I'll see you in a week.

[SPEAKER_01]: Cheerio, bye-bye.
