
250: Yes, you heard that correctly. Two hundred and fifty


A game about Squid Game pulls the rug from under cryptocurrency investors in what appears to be a scam, PayPal hackers use a devious trick to break into 2FA-protected accounts, and have you received a job offer that's too good to be true?

All this and much much more is discussed in this celebratory edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Dr Jessica Barker.

Plus don't miss our featured interview with the CEO and president of Qualys, Sumedh Thakar.

Oh, and huge thanks to Darknet Diaries' Jack Rhysider, F-Secure's Mikko Hyppönen, The Cyberwire's Dave Bittner, and Host Unknown's Andrew Agnês, Thom Langford, and Javvad Malik for their special contributions to this episode.

Visit https://www.smashingsecurity.com/250 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guests: Andrew Agnês, Dave Bittner, Jack Rhysider, Javvad Malik, Jessica Barker, Mikko Hyppönen, Sumedh Thakar, and Thom Langford.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

GRAHAM CLULEY. Do you want me to start? I don't know. I'm just waiting. I'm thrilled with how excited you are about this process. And it's really wonderful to be here. And Jess, I'm glad you're witnessing it. Anytime, Graham. It's 250. 250. Woo! Woo! Woo! Are you not going to do a woo? Wow. Woo! Woo woo! That's how you do it, Graham. That's it. That's it.


MIKKO HYPPÖNEN. Yay! This is Mikko. Is Smashing Security the most popular Infosec podcast? No. But do they have the largest cult following? No. But do Graham and Carole try their hardest with every single episode? Also no. Smashing Security, episode 250. Yes, you heard that correctly. 250, with


GRAHAM. Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 250. My name is Graham Cluley. Sorry, I got carried away there, sorry. And I am Carole Theriault, and we are joined by Dr. Jessica Barker. Hooray! Hi, hi. Lovely to be here. Really thrilled to have you here. Lovely to have you here, especially on such an auspicious day as our 250th episode. I am honoured to be celebrating this with you. It is an amazing achievement. Is it? Graham, one day we're going to get to, I think our next milestone has to be 365, because then we'll have an episode for every single day of the year. Well, you know, somebody said to me, why don't you celebrate episode 256? Because that's a bit more nerdy. Nice. Did they have a breathing problem? Now, Graham, you said you had a surprise for me. Oh, I do, because I have gone to some of our fellow podcasters out there, people who've been on the show, some famous, some who'd love to be famous, to see what they have to say about smashing security. And they recorded a few words. Let's check it out right now.


JACK RHYSIDER. Hey, this is Jack Rhysider. Congrats on making it to episode 250.


GRAHAM. And to think this was all Carole's idea. Wow, nice going. Thank you both for making this show. And I can't wait to see what comes next for you. Oh, that's great. Carole, what's going on this week on the show? Well, first, let's thank this week's sponsors, 1Password and Qualys. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got? Oh, this week I'm squintzing. Oh, what about you, Jess? I'll be talking about some social engineer bots. Ooh, and mine is for all you job hunters out there. Plus, we have a featured interview with CEO and President of Qualys, Sumedh Thakar. We talk about his career and the upcoming annual security conference. Their 21st, if you can believe it. So all this and much more coming up on this episode of Smashing Security. Now Jess, Jess, I have one burning question for you. I think he wants a new co-host, Jess. I think that's what's happening. I think I want to know if you have been watching the hit TV show Married At First Sight Australia season six. It's on my list. Wait, can I say that? No, I'm afraid not. I am... We've been talking about it the last couple of weeks. Carole is now watching it. I watched all of it. I binged on it. It's horrific and it's like heroin. You can't get off the train. Not that I've ever done heroin. I'm imagining that's what happens with heroin. What a sales pitch. And Netflix using that on the trailers? Yeah, it's car crash TV and editing and everything. Anyway, Graham, I hate you forever for it. Thank you, thank you. Jess, you are missing a treat. Because while the rest of the world is watching Squid Game on Netflix, Carole and I, we've been watching horrendous people. Doing horrendous things. Marrying complete strangers. Predictable outcomes. But we can't get enough of it. Is that not Squid Game? I haven't watched that either. No, you haven't seen that either? No, not yet, not yet. Have you seen Squid Game, Carole? Nope.
Okay, so we're talking from a position of knowledge then about Squid Game. We're not. You've obviously watched it. No, I haven't watched it at all. I just assumed, Carole, you would have seen it. My understanding is Squid Game is a South Korean remake of The Sound of Music, but with more machine guns. It's something like that. It's a bit Hunger Games. It's a bit gore and violence. It's a bit... You know, I think I got turned off by the fact that everyone talked about it so quickly. Exactly. And it's so stupid in a way, because there's this big conversation where I could have a point of view on it. And that's kind of cool. But in fact, I kind of was, oh, too many people are talking about it. I don't want to do it. And now look at me now. I'm exactly the same. And I feel it's as stupid as watching something just because people are talking about it. Yeah. To not watch something just because people are talking about it. And yeah, it puts me off. Right. You know? Yeah. It does put me off. I didn't watch Line Of Duty for years and years. Of course I just thought, oh, I want to talk about Line Of Duty. Same. And then I watched it and I left it. I thought, oh, why didn't I start watching this air?


JACK RHYSIDER. Don't throw the baby Jesus out with the bathwater.


GRAHAM. Mary Joseph, the baby cheeses as well. I love a baby cheese.

Now, the South Korean horror show, it's been a huge hit for Netflix. People have been binging on it and they've been watching hundreds of cash strapped contestants accepting invitation to compete in children's games for a tempting prize.

At least that's what I've read, but with deadly stakes. Can I even ask, is this like a game show or like a fictiony thing?

We don't know. Somewhere in the middle.

It's a fictionalized thing. Okay.

So it's a piece of drama about some dystopian future and, you know. Fab.

It does sound delish. I'm sure it's good.

I'm sure it's good. But it's just too many people are talking about it, so I don't want to watch it.

Anyway, it's become a huge deal. And, of course, that means that some people think, oh, hello, Squid Game, that's popular.

How can we take advantage of that? So some opportunistic fellows thought, let's do an online version of Squid Game. And so they posted up online six different games, and 456 people take part in each game. What? Right. No, but you don't have to have them all crowded around the same monitor, that girl. This is online.


JACK. Are they on the same Zoom? How does this work?


GRAHAM. That's an expensive account. Anyway, they're playing these games, which look a bit like some of the games which are dramatized in the TV show. You've been told because you haven't seen it.

What? From the screenshots I've seen, yeah. I've seen the trailer for Squid Game. Hence, I know it's like the sound of music. Good old research. Yeah.

And so how do you get to play the online version of Squid Game? You need to be the holder of some squid tokens. And at the end of the game, if you're the ultimate winner of these online games, you collect all the tokens, right? Squid tokens.

Oh, so you pay like a token to play and then the winner of the 156 players takes all the tokens. It takes all the tokens.

So people have been buying squid tokens in order to participate. And squid tokens, you aren't going to be surprised to find out, is a hot new cryptocurrency. And it's called a play to earn cryptocurrency inspired by the TV show.

There's a white paper explaining all about squid tokens. And they were launched on Tuesday of last week. Okay.

So you could buy yourself a squid token for just one US cent with the promise that you'd be able to then play to earn online right in the game. 72 hours later, each squid token, which started off at one cent, was worth $4.42.

Jeez. Nice return. An increase of 44,000%. Wow.

So if you had bought $100 worth of Squid token, which isn't an outrageous amount, right? If you bought $100 worth, that would have been turned into $44,200 in just a few days. So a huge amount of money, obviously quite unbelievable.

Now, some people thought that it might be a scam because there had been a few clues. For instance, nobody knew who was behind the Squid tokens. Oh, dear.

And there'd also been messages posted under the name of Elon Musk supporting Squid Tokens, which I think makes you suspicious regardless of whether it's Elon Musk who's really posting those supportive comments or the fake Elon Musk who's posting those comments. I was just thinking that.

Which do you trust more? It doesn't really matter. Yes. Cardboard cutout, probably, would be my favourite of that.

Furthermore, this whole online game, it wasn't endorsed by Netflix. They had nothing to do with it. So someone was kind of riffing off the Squid Game TV show.

I can see that. That must be happening all the time, right, with all TV shows. It's probably an antiques roadshow crypto coin. Yeah, yeah. Starsky and Hutch.

So the biggest concern, though, the thing which made people most suspicious, well, what happens if you want to get a hold of your money? Because you've made suddenly $44,000. Right. Maybe you'd like to get a hold of that. Time to milk the cow. Yeah. Yeah.

The problem was there didn't actually seem to be any way to actually sell squid tokens. Oh, dear. That doesn't bode well.

And there's no point having a cryptocurrency token that's surging in value if you're not able to sell it. And meanwhile, other people were still buying squid tokens, pushing up the price. And they were tempted as the price was racing up. So it was going up further up and further up.

By Monday of this week, the week that we're recording this, the price of squid tokens became truly enormous. It reached a height. Each squid token, remember it was one cent, became $2,861.80. Jesus.

It had raced up 7,500% in just three and a half hours. Yikes.

If you had bought right at the beginning $100 worth of squid tokens, it wasn't worth $44,000 anymore. It was now worth $28.6 million.

But was it worth it if you couldn't sell it, Graham? Exactly. Theoretically, that's a lot of money. Yeah.

I know there's a lot of adverbs missing in this segment. Reportedly. Allegedly.

People were complaining. People were leaving comments on the Squid Token Twitter account. I'd like to have my cash, please. Thank you.

And the Squid Token Twitter account was closing off replies, so people couldn't post replies anymore to them. And on a Telegram group, seemingly run by the token's administrators, they said, oh, someone's tried to hack our project and our Twitter account. If anyone's having problems selling their squid tokens, it's because of anti-dumping measures we put in place to stop people artificially lowering the price.

I should have an anti-dumping sign in my house. What? In which room? A room that might be perfect for it, yeah.

Well, you don't want them dumping in other rooms. It's true. That's a good point.

I think you want to very clearly sign which room is for dumping and which one isn't. Well, yes. Right.

Well, the Squid Game developers, the developers of this online game, eventually they said, well, we don't want to carry on running this project because we're getting a bit depressed because people are scamming us and we're overwhelmed with stress. And so the website, the website with the game shut down, the Twitter account was removed, leaving 57,000 followers in the lurch.

And the squid token price, five minutes after it reached its high of $2,861.80 on Monday, it plummeted within five minutes to 0.00079 cents.

I really want to ask how something like that plummets if you couldn't sell the tokens. Yeah. Right? If they can't get rid of the tokens, how can they be demonetized? I don't understand.

But anyway, again, I've probably been sleeping. Yeah, so you know me. Just cotton head.

I think essentially the theory is that someone has run off with all of the real money and left people with worthless squid tokens in this stupid online game, which you can no longer access as a consequence. Who would have thought cryptocurrency would have ended in this way? Who saw this happening with the squid tokens that never seemed like a bubble that was—


ROBOT. Dave Bittner here from the Cyber Wire, wishing Carole and Graham a heartfelt congratulations on 2,500 episodes. Quite an achievement. I'm sorry, what? 250 episodes. And how long? Five years? I mean, come on,


JACK. That's like a hobby. I did 250 episodes last week. Yeesh, I guess I should wish you well for the next 250, but honestly, Graham's not getting any younger. Anyway, congratulations on 250. It's adorable.


GRAHAM. Jess, what have you got for us this week?

I am talking about the underground market for bots that steal your 2FA and OTP codes. So this is an article by Joseph Cox for Vice Motherboard.

And it starts by describing a call, seemingly from PayPal's fraud prevention team. And it is an automated call, an automated voice.

You pick up the phone and it explains someone has tried to take a payment, a $50 payment, say. And if that wasn't you, you need to verify your identity to block the payment.

So it wasn't you. So, of course, you want to block the payment.

Yeah. And at that moment, you get a 2FA code from PayPal, comes in over SMS.

So you're told to input the code. You do.

And the voice says, thank you. Don't worry, the transaction has been blocked.

Here is your reference number reeling off a string, a long string of numbers. And don't worry.

Can you repeat? Yes, press 1 to the end of that reference code again.

Capital M56 hashtag hyphen 1337. And it ends with some nice reassurance.

You know, if you see unauthorized payments going out of your account, don't worry, it's going to be reversed in the next 24 or 48 hours. Now, of course, you know what's coming.

It is, of course, all a scam. And the fraudster is using bots that are now being bought and sold underground.

So the article is a great analysis of this seemingly new type of scam. And you can actually listen to the audio, which Joseph Cox got hold of, received from a scammer who sells these bots.

Listen to how convincing it is.


JACK. Welcome to PayPal's fraud prevention system. We had recently received a payment request of $58.82. If this was not you, please press 1. In order to secure your account, please enter the code we have sent to your mobile device now. Thank you. Your account has been secured and this request has been blocked. Please make sure to only enter your password at paypal.com. Don't worry if any payment has been charged to your account, we will refund it within 24 to 48 hours. Your reference ID is 1549926. You may now hang up.


GRAHAM. The thing is, though, if I get an automated voice on the phone, I just hang up always.


JACK. Nice. They could be saying anything to me.


GRAHAM. Yeah, but I think at the same time, we're getting more and more used to them. Don't you think?


JACK. I don't know if I am, but I don't think I answer my phone enough. Yeah, I'm the same. I don't think they all talk like Derek the Dalek anymore. Some of them are increasingly convincing. Hi, this is Elon. Look at the guy who announces our show every week, right?


GRAHAM. What, Steve?


JACK. He's great.


GRAHAM. Yeah, Steve. Love Steve. Have you not met him, Graham?


JACK. What's Steve got to do with him?

And I think if you go so far as to listen to the message, for some people, you're right, they'll pick up the phone, they'll hear an automated voice, they'll hang up. Other people, if they are likely to listen to the message, then maybe they're more likely to be persuaded by it.


GRAHAM. I think that's fair. I think that's definitely the case, because particularly when you're dealing with a large organisation, or like a large financial institution, it's not unusual, is it, to get an automated message saying this is a call from so-and-so, ring us back on this number, or, you know, press this number to go through our switchboard system.

I've had this recently from a gym. Trying to leave this gym, as we all know, is impossible, and they keep ringing me with an automated voice message saying I have to call them back, which obviously means I'm never going to call them back and they're going to continue taking money from me.


JACK. Hang on, Jess, it's November. You're trying to leave a gym in November. I thought the traditional time to leave a gym was at the end of January.


GRAHAM. Yeah, but I haven't watched Squid Games. I to buck trends. We've established this.


JACK. All right. Okay.

But what's interesting, I think, is how this can lower the barrier of entry to criminals. It's another kind of cybercrime as a service. And the scammer even comments on how great the bots are because not everyone is comfortable on the phone. So if you're the awkward type of criminal that doesn't have a great telephone manner, don't worry, these bots will do the social engineering for you.


GRAHAM. Yeah. So I actually heard this audio from Joseph Cox before he published. He was kind enough to share it with me. And that's one thing we spoke about, you know, how this lowers the bar for criminals and the fact that as we get more accustomed to communicating with bots, the more, of course, cyber criminals are going to try and subvert it and take advantage of the fact that we're using that and we're more comfortable with speaking with robots.


JACK. Yeah. And of course, the voice message uses those classic social engineering techniques of both fear and reassurance. Oh, your account's been compromised. Money's been taken. You need to act now. Put in your code. Then you receive the code at exactly the right time. And for some... I'm sure I understand. Oh.

Siri's not sure. Siri's not sure if they understand that. Sorry, that was my watch piping up at that point. I obviously wasn't explaining it.


GRAHAM. Speaking of bots. Siri is maybe taking offense to this.


JACK. Yeah, shut up, Jessica. Some of us bots are legit. Siri, format Jess's hard drive.


GRAHAM. It's a good job I've got my headphones on.


JACK. And then the reassurance at the end, which I just think is so clever, giving the reference code to seem extra professional, saying, don't worry if you see payments go out, they'll all be reversed. So you leave it two days before you start to realise, hold on, loads of money's been siphoned out of my account and it's not going back in.


GRAHAM. No, it sucks, man. Yeah. And they just keep on getting more sneaky, don't they? What are PayPal doing about this? Anything?


JACK. It's not just PayPal. I mentioned PayPal, but it's, of course, all sorts of other services. And I mean, they're putting out the communications: don't share your code with anyone who asks for it, we will never call and ask for it in that way.

What's interesting is the scammer says they're using some communication tools, I think, is it Twilio, one of them, or other ones, where they will make calls on your behalf. So obviously legit services where, as a business, you can get that service to put calls out for you. And so those platforms are also saying they're trying to crack down on the use of bots. And they're aware of this and they're doing what they can to try and squash it.


GRAHAM. You know, Graham, you know how you go around saying you were once named the 11th greatest Britain in the UK?


JACK. In IT history.


GRAHAM. In IT history. Oh, okay, yes.


JACK. So someone could basically fake your voice and put your voice on these recordings, right? Saying, hi, I'm Graham Cluley, you know, you know me from Smashing Security, we do this. And you do not own your voice. There's no copyright for voice ownership, so you wouldn't be able to say, hey.


GRAHAM. I don't know that my voice would be effective at scamming someone. Surely that wouldn't.


JACK. Well, I was just trying to appeal to your egos. That's how I get you to listen to what I'm saying.

But I think it's a very interesting technique that Jess is talking about here, because I think we've all heard before that you shouldn't share those 2FA codes with someone else. So if someone asks you, oh, can you tell me what the 2FA code is that you've just been sent? You should be wary of that. But the fact that it's a robot asking you somehow might reassure people and think, oh, well, I'm just dealing with some automated system. then maybe this is part of PayPal or whichever other company it is that's called me up.


GRAHAM. Yes, it's not a person. It's just a computer. Because they're safe, aren't they?

But the truth is, of course, it means that they can do it at such a bigger scale than if they had humans ringing you up and doing all of this.


JACK. What if you just sort of wasted its time and just when they said, please give me this, you just go, and then they would go, I'm sorry, I didn't catch that. You'd go, honk, honk, honk, honk, and just see how long you could do that for.


GRAHAM. I would love to hear that call.


JACK. Please.

Talking of recording, someone else has been in touch about our 250th episode. Let's hope they've got something nice to say.


GRAHAM. I hope so. Why would they not?


JACK. Because some of them didn't. Some of them were a bit catty.


GRAHAM. Naming their names.


MIKKO. No. 250 episodes. Blimey, I didn't think Graham was capable of lasting that long. Long time to stick to the same formula, jingles. And four guests. You guys are like the Hutch to our Starsky. The Lacey to our Cagney. The Doyle to our Bodie. The Hutch to our Turner. The Danny DeVito to our Arnold Schwarzenegger. The Robin to our Batman. The Rodney to our Del Boy. The Cheech to our Chong. The Canine to our Doctor. From all of your friends at Host Unknown. Officially more entertaining than Smashing Security. In your face.


GRAHAM. Karol, what have you got for us this week?

In the last few years, because of the pandemic and stuff, people have looked more closely at their lives, their jobs, their routines. And according to ProPublica, millions of people have just upped and quit their jobs, right? Looking for a new life or a new way of life.

In fact, in August, 3% of Americans, 2.9% of Americans quit their jobs. Which is huge. That's apparently a record-breaking number.

And to add to the mix, there's a glut of laid-off workers scrambling for work. So we're seeing this really huge churn in the labor market, particularly in the States, although I'm sure it's happening elsewhere.

So, Graham, I want you to imagine that you are one of this 3% and you need a new job, right? This podcast gig isn't working out for you. You've done 250 episodes.

You've heard everything that I have to say about everything on this topic. We could just move on.


GRAHAM. Do you think Carole's trying to tell you something?

Hang on. Are you saying I'm looking for a new job or I'm looking for a new co-host? What is the thing? What are you after here?

No, no. You're looking for a new job.

Okay. And you're job hunting and you see an ad that says airport shuttle driver wanted.

Oh, yeah. And your job would be to pick up passengers for 35 hours a week.

All right. At a pay that actually works out to about 100 grand a year.

Right. And let's imagine this is exactly the gig you've been looking for. No more sitting at home in your stupid studio. You're hitting the open road.

And so you're excited about this opportunity. So you click on the link and you send in your CV.

Wibble, wibble, honk, honk. And luckily you get a call a few hours later, right? From someone going, hey, hey, hey, Mr. Cluley, love the resume, love the resume. Can I ask you a few questions about this?

And then, okay, so let's play along. So I might say, have you ever fallen asleep at the wheel, Mr. Cluley?


GRAHAM. Well, what do you mean by sleep? I mean, I might have had a little nap. I mean, I haven't really sort of...

Excellent. Okay, good. How do you feel about picking up celebrities?

Oh, I'd love, there's some celebrities I'd love to pick up. Yes, why not?

Fabulous. And what would you do if passengers got all hot and smoochy in the back seat? Would you avert your eyes or, you know, get your phone out?

Turn on the webcam, post it on Instagram and TikTok.

Fabulous. And I got to say, Graham, I'm super impressed with your answers. I think you are our best candidate for this job.

Thank you very much. This is easy.

All I got to do is get a little standard background ID check out of the way. And once that's cleared, we are ready to get you a brand new job.

All right. Let's do it.

No, Graham, it's fake. It's a fake job ad, Graham.


GRAHAM. What? How did you not spot that?

And the website, which totally looked legit, where you post your CV, totally wasn't. And the person on the phone that called you isn't an interviewer, but a scammer, trying to get as much info about you as they can to use their legit identity for their own nefarious purposes.

So it's really interesting. So one version of the scam was posted in a Telegram channel of a Nigerian scam group called Yahoo Boys Community. This is according to ProPublica.

And then there were instructions on what to tell applicants to get them to share their social security numbers, photographs of their driver's license and other personal details. They weren't presumably looking for victims on the Yahoo Boys Telegram.

That's the criminals talking to each other, isn't it?


GRAHAM. I haven't hung out there, but I'm presuming no.

Yeah, they're a bunch of notorious scammers, the Yahoo Boys. I've heard of them before.

Yeah. And there's 5,000 members strong on this, apparently. And the idea is you ask an applicant generic questions after they've sent in a CV, and then you offer them a gig.

Right. But what you need is to get their personal info in order to land them, get through the ID check. You know, make sure you are who you say you are, Mr. Cluley, type thing.

But asking some interview questions sort of lulls the applicant into a false sense of security.


GRAHAM. Yes. We used to work for a computer security company, and they had a hiring policy of asking people how many ping pong balls could fit into this room.

And do you read Living Marxism and stuff like that, didn't they? Which helped them decide who they wanted to employ. Terribly bad these days.

And they just generally ask you questions about sine and cosine to make you feel thick. And then they'd feel justified in offering you less money for the job.

But it's kind of worked, I think, as an approach for them. But for many people, it would make them think, oh, I've been through some sort of process and haven't I done well to get through it?

Now I will upload my passport details or my social security numbers or whatever else.


GRAHAM. Yeah, it's quite convincing, isn't it? You've answered some questions. You've spoken to someone. They love you. They think you're great. You're looking for a job.

I mean, you know, maybe in a vulnerable position where you've been made redundant. Yeah, I can see that's the clincher here.

Because where you're seeing these ads are places like Facebook or LinkedIn or Indeed, places where you expect to find positions being advertised. So last December, Alexandra Mateus-Vasquez, she was speaking to ProPublica, she was applying for a graphic designer position at a restaurant chain called Steak and Shake.

Which, you know, gives me, I don't want anyone taking a steak and then shaking it around the room. It's a really weird name for a restaurant.

I think it means milkshake, girl.


GRAHAM. Oh, right, right. Dear, dear.

And she found this job on the Indeed job website, right? And the so-called steak and shake rep called her up to participate in an email screening test for the job.

And at first she thought it was a bit weird, but then the question seemed super standard. How do you meet tough deadlines? You know, so she just provided the earnest answers to this.

And hours later, she received an email offering the job asking her for her address and phone number so a formal letter could be dispatched. And, you know, the pay was super attractive.

And when the letter arrived, it sought her social security number too, which she provided the information for. And then she was invited to do a background check via online chat with a supposed hiring manager.

She found herself trading messages with an account that had a blurry photograph of an old man and the name Iran Coleman attached to it. And apparently other applicants described a similar experience at Steak and Shake, which is weird.

But this hiring manager requested copies of Vasquez's personal records to verify her identity. She shared photographs of her New York state ID, her green card, but grew suspicious when the person got, in my view, super greedy and asked for her credit card number too.

And then she was, hey, wait a minute. Right.


GRAHAM. Yeah. I mean, everything before that, there's different layers. You're speaking to different people. They're asking and they kind of lulled the target in, haven't they?

As you said, asking expected questions, reassuring them and then moving on to all things you would expect. You know, we need to verify your identity. Well, yeah, of course, I'm applying for a job.

I wouldn't trust a job interview unless they ask me that question of it. Tell me your worst characteristic, what you're really bad at. And then you say, oh, well, I'm just sometimes I'm just too devoted.

Workaholic. I'm too devoted to the job. I'm a perfectionist.

I suffer from too much humility sometimes. I'm probably the best person at humility you've ever met.

I think yours would be, I pay a lot of attention to detail.


GRAHAM. Outrageous. What?

So Alexandra, she's hesitated. And then she gets a call from ID.me. Or ID.me.

You might remember we talked about them a few weeks ago. And this is an identity verification vendor used by 27 states to safeguard unemployment insurance from fraud.

And they called her and said, hey, are you trying to apply for jobless aid in California? And that's when she realized she was for sure being scammed.

Because she wasn't, right? So they were using her details to apply for aid in California.


GRAHAM. Wow. You see what I mean?

Yeah, yeah, yeah. So she reported the incident and she contacted the Social Security Administration. They told her that they denied multiple requests to create an account in her name.

So I really feel for those that are duped by such a scam because it's in that world. You are looking for a job, right? And someone's suddenly saying, you are great for this and you think you've spotted a great job at a great salary.


GRAHAM. Yeah. And it's adverts in places, you say, you would expect them. You'd expect to see job adverts on LinkedIn.

Yep. And the Better Business Bureau said in an alert last month that indeed LinkedIn and Facebook top the list of online platforms where users reportedly, you know, spot these fraudulent job advertisements, which doesn't really surprise me.

They're the three big ones, aren't they, really? For people who are trying to protect themselves, people who are looking for jobs legitimately and trying to protect themselves from being scammed in this way, would it be possible to throw in some deliberately ridiculous answers to interview questions and see if they get accepted or not?

You see what I mean? If someone says, oh yeah, that's good, that's good. So if they said, what do you do in the office? Say, well, I tend to burp and fart a lot. Or, I was just gonna... I was just thinking, I have a problem with projectile vomiting.

Exactly. Yeah. But then what if it's legit? What if you actually are... Would I be able to do this job while also playing Fortnite or something?

You know, if you said something that. You could say for your airport shuttle job, you have narcolepsy. Right.

Which might interfere slightly. And if the interviewer raises an eyebrow and goes, what? You can say, oh, I'm just checking if you're a scammer or not.

But then you know, you see. Whereas if they kind of go, great, great. Yeah, sure, no problem.

And if they just say no, there's no chance we're hiring you. We do not accept farters in this job. You're stuck then.

I'm not sure Graham's thought this all the way through, because what if it is a legit job? You've kind of blown that out of the water.


GRAHAM. Hopefully you'd be able to say, oh, I was just checking, I was... this is an example of... Admittedly, I haven't been to a job interview for over 30 years, so I'm possibly the wrong person to ask about technique.

I mean, if you try that and you don't get the job, then just send them, you know, this episode. Say, this is legitimate advice I was given to see if you were a scammer.

Legitimate advice that I gave to the world is what it is. Let's crack on, shall we?

From startup to enterprise, 1Password makes it easy for your team to store, generate and share strong passwords. The less time you need to spend dealing with hacks, phishing scams, lost passwords, the better, right?

Well, it's not just for IT and security teams. All kinds of teams inside your company finance, HR, legal, marketing. They can also store and share sensitive information, such as business credit cards, sensitive documents and shared logins inside 1Password.

Work securely from home or in the office, 1Password allows secure access to logins and important resources anywhere you work. Find out more and try 1Password for free for 14 days at 1Password.com. And thanks to 1Password for supporting the show.

Qualys, one of the pioneering providers of disruptive cloud-based IT, were one of the first SaaS security companies. And they deliver continuous critical security intelligence via their Qualys cloud platform and integrated cloud apps.

Plus, their 21st annual security conference is coming up between November 15th and 18th this year in Las Vegas. But you can also attend online.

One cool highlight is you'll get a keynote speech from Chris Krebs, former director of CISA, with further talks around the role of automation in security. Want to learn more? Of course you do.

Visit smashingsecurity.com/qualys-las-vegas. That's Q-U-A-L-Y-S Las Vegas. And thanks to Qualys for sponsoring the show.

And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick Of The Week.


JACK. Pick Of The Week! Pick Of The Week!


GRAHAM. Pick Of The Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. It doesn't have to be security related necessarily. 250th show better not be. Well, my pick of the week this week is not security related. Yay!

It is the game of Pit. Have you guys ever played Pit? No. Oh, Carole, next time you invite me over, I'm going to bring Pit with me. It's good fun.

It is a fabulous, raucous card game that I remember from my youth. It's been in existence since 1904, according to Wikipedia, inspired by the Chicago Stock Exchange, also known as The Pit.

And what happens is this. You deal out cards. You have three or more people. You deal out cards. Not playing cards. These are special cards. Cards with different commodities on them, like wheat, barley, flax, rye, etc., right? Whatever the commodity is. Right.

And your mission in the game is to get a complete set of the same commodity. So you've all got cards. You don't know what other cards other people have, but you have an option to trade.

So you can put down, for instance, you may have two flax, for instance, which you want to get rid of in order to get more barleys, right? And so you put them down, face down, and go 2, 2, 2, 2, 2, 2, 2.

And other people, meanwhile, are doing the same, right? So someone may have put down 2 cards or 3 cards or 4 cards or whatever. And if you get a match and you want, you can then swap with the other person without looking at their cards.


JACK. Are you going through the entire rulebook of it?


GRAHAM. No, but I'm explaining how it works. Now, there's no taking turns in Pit. It is just chaos because everyone's shouting out two, two, three, three, three, et cetera, et cetera.


JACK. Oh, my God. It's very raucous. It sounds like hell.


GRAHAM. Yeah. So it's like a trading floor, basically.


JACK. It is exactly like a trading floor. That's right. Yes.


GRAHAM. And when you get a set, you go, corner! Right? Which means that you've done it and you win some points.


JACK. What do you shout?


GRAHAM. Corner. Corner. Yeah. Corner. That's what you shout. Corner. I don't know why.

And different commodities have different... Anyway, it's a lot of fun. I haven't even mentioned the bull and the bear cards. Don't worry about that.


JACK. Surely you're going to give us instructions to play Pit. Oh, no, we need to buy the... You need to have the exact cards.


GRAHAM. You need the cards. You could make your own, to be honest. If you go to the Wikipedia page, you know enough, basically, to create your own set. Or you can go out and buy them.

Some modern implementations of Pit have a little bell you can ring. But I think it's more fun to say corner when you do it.

And Pit is a... Look, there will be someone listening to this who knows this game and will agree with me that this is an enormously fun game.


JACK. I'd love to have independent verification of that. Next time I'm at your place, we are going to play Pit.


GRAHAM. Okay.


JACK. And you can report back to the listeners. Can't wait.


GRAHAM. All right. I want to hear all about this. We'll invite you, Jess. Don't worry. That is my Pit of the Week. Oh.

Jess, what's your Pit of the Week? Well, I have become mildly obsessed over the last 18 months with TV shows that essentially are about making or restoring things, particularly if they have an element of competition.

And so my latest watch in this genre was Metal Shop Masters on Netflix. And basically, it's a group of, it's an American TV show, a group of metal artists who have to take scrap metal and then they torch it, they cut it, they weld it, and they make creations according to a brief.


JACK. Is it like Scrappy Challenge with an arty twist?


GRAHAM. It sort of is. I do feel like there could be more challenges, particularly in the final. I'm just leaving that as a note for Netflix.

But I think it's so therapeutic, you know, particularly when our day jobs are about people who break things, break technology, exploit people. It's so therapeutic to watch people just build something beautiful out of basically scrap metal.


JACK. Yeah, I'm watching the trailer right now. It's a bit like the Great British Bake Off, isn't it, but with metal rather than soggy bottoms.


GRAHAM. It is exactly. And I mean there's so many of these shows. The one where people make big weapons is quite fun. Forged with fire, that's a good one. Blown Away, where people do glass blowing. Amazing, love that one, highly recommended.

And I think I partly like them because it is just so far out of my skillset or my potential ability. If you gave me a pile of scrap metal and told me to make something, you could give me 10 hours and you will end up with me showing you a pile of scrap metal. That's the limit.


JACK. Do you not find these shows, though, give you a false sense of, hey, that doesn't look that hard. I could go do that. Like, I've watched one of these, make your own small house. I'm like, yeah, I could do that. Tiny house. Yeah.


GRAHAM. Yeah. Same. Same. Yeah, I definitely have that with, I have that with Nailed It, the bake show where people are actually, no offence, Nailed It contestants, but they are rubbish and they know they're rubbish and they turn out these just monstrosities. So when I watch that, I know I can do better.


JACK. Is it about fingernails or is it about nails as in hammers?


GRAHAM. Although Nailed It with fingernails would be good, but no, this is Nailed It and it's sort of the British Bake Off, but it's American and it is people who have to recreate a sort of baking work of art, but they choose people who know that they're terrible at baking. So what they produce is horrendous.


JACK. Oh, that sounds fun.


GRAHAM. And some of the shows are hilarious. And when I watch that, I'm like, yeah, I can do better. Although I then attempted to make cake pops, and let me tell you, I could be a contestant on Nailed It. They were terrible.

So I just love this stuff, you know what people make. Yeah, and the fact that I know I could never ever do it. So much fun. But hey, we can dream, we can dream. Yeah.

So Metal Shop Masters on Netflix. Metal Shop Masters, great fun. That's my pick of the week. What have you got, Carole?

Well, mine's actually pretty useful, or I think it's useful, and I'd like you guys to take a look and see what you think. tools.techjunkie.com, and this is a site that has basically short links to all those little annoying things having to do with file conversions. You know, when you have to send in only PDFs to someone, or you need to convert your photos to PNGs or whatever. This site might be for you.

So you can look through. If you look through, is there any that just jump out at you, going, oh, I wouldn't mind a quick link to that? So I'm seeing some which say trim a video, for instance, or compress a video. There's a whole bunch for doing things with PDFs, like adding a password or compressing them, because sometimes PDFs are quite large, aren't they? That's right. Taking one page out of a PDF.

And URL tracer. Sorry to bring it back to security, but yeah, tracking the redirection, checking the redirection path. No, no, it's really cool, I think, and it's kind of those things that might be really useful in your bookmark bar, because you're, oh, I gotta do this, I know I can, you know, I don't have to think about what particular app I've got on my system, you can just run it through here.

And they say that all files are deleted 15 minutes after upload, so you load it up, you do what you need to do, and then it goes poof.


JACK. Oh, well, if they say it, it must be true. I know, do your own recon, people.


GRAHAM. That's it, isn't it? You immediately see something like this and you're, it looks so useful, unless it's a scam. Yeah, yeah, yeah, totally.

And as it's our 250th episode, I'm going to give you the source of this pretty cool tool, because there are 15 others that, you know, they've waxed lyrical about. So this is on alphor, or alphor.com, link in the show notes, but you can see the few here that you might actually recognize from your own use. DuckDuckGo, for example, the Wayback Machine.

So this is just a list of other sort of quirky, handy websites. They're called the 15 secret websites, but there's a few having to do with news, arts, searching and reference, and then there's math ones, academics. So it's worth checking, there's some quite good ones here.


JACK. Okay, nice. There you are, those are my picks of the week, a useful thing after you finish playing Graham's game and watching Jess's TV show. I think Jess and I, with our picks of the week, are more fun than yours, to be honest. Correct.

We've got a featured interview this week, haven't we? Yes, we do. Listen up.

All right, so today is exciting. We are chatting with Sumedh Thakar, CEO and president of Qualys, a pioneering provider of disruptive cloud-based IT.

Now, delighted to have you on the show, Sumedh. Thank you for having me. Now, Qualys has been around a long time. You must be one of the first SaaS security companies to have ever even existed.


MIKKO. Yeah, you know, we really pioneered this notion that you can deliver scalable and cost-effective security solutions. And when we started back then, the words SaaS and cloud as the nice marketing words today did not exist. So it was very interesting. But the idea, you know, came even before the terminology SaaS was really used publicly. And so we're quite excited about the innovation that we brought into cybersecurity and have continued to build on top of that with our belief that the SaaS model and the cloud model is the best scalable model for today's needs for cybersecurity.


GRAHAM. Yeah. And I've read actually that you have been with Qualys since like the early noughties, and you held a number of different roles before you became president and CEO. And I was curious if you thought having those different roles really helped give you the skills to be CEO, if it helped you out at all.


MIKKO. It certainly does. I started as a software engineer, one of the first four people who worked on the platform back in the very early day. And not to date myself, but it's been about almost 20 years that I've been part of this journey and driven this journey in many ways. And I think the really great part about that is just the experiences that you get along the way that really help you understand the customers, help you understand what you can do to innovate and drive that innovation. And so having these different roles in engineering, product management, support, and now as I focus on sales, marketing, go to market, it's just given me a very well-rounded perspective of the market, what works, what customers want, and really how we can help the customers. So it's been a very rewarding experience.


GRAHAM. I have worked for many different CEOs in my time, and not all of them have been well-rounded. So I think your employees are quite lucky on that front. Now, Qualys and you are going to be hosting your 21st annual security conference in Las Vegas on November 15th to 18th. And this is also an online opportunity. So what can you tell us about this event?


MIKKO. Yeah, I think, first of all, we're quite excited to do this as a hybrid event. I think we have been very committed to getting everybody back into having meetings, face to face interactions that really help increase productivity. And that's been one of the things why we've been pushing this year to really participate in this conference in person because of COVID last couple of years, at least last year we couldn't do the conference in person to do a virtual conference, which was very well attended. And this year we're gonna do a hybrid. The reason this conference is really well attended and appreciated because we really focus on showcasing the innovation that Qualys is doing at this conference. And this is about our engineers getting an opportunity to work directly with our customers, understand from them how they look at the challenges that they face in the cybersecurity realm and how they can solve them. And then the ability for them to showcase the innovations and get feedback from customers in the direction that we're going. So for customers and security professionals, it's a great opportunity to come and interact with other security professionals who are in the same space trying to solve the same problems and have that interaction with each other to really understand how somebody else might be solving a cybersecurity challenge that you may be facing. And then it's also great because one of the things we offer here is two days of free training on the Qualys capabilities. So for a lot of them, it's great to come have a refresher. For two days, we go through many different capabilities. And that's one of the most liked aspect of it.


GRAHAM. Yeah, it's true. After the pandemic, I think a lot of IT professionals have had to work in silos and have had to react to constant requirements from, you know, staff across the company requiring access to this and that. And I'm sure a lot of people feel a bit stressed out, you know.


MIKKO. We're going to make sure that we follow all protocol from a safety perspective to keep everybody safe. But that in-person interaction, being able to talk to each other in person, being able to do a quick diagram on the back of a napkin on the table sometimes, you know, brings you a lot more value than trying to schedule a Zoom call with somebody. It takes time and then people are distracted with other things.


GRAHAM. Well, I know from the IT professionals in my life that they cannot wait to get back out there safely, of course, but they are just dying to start networking again and building their networks and building, you know, relationships with people that can help them along their, you know, work IT journey, security journey. I noticed as well that Qualys has launched a number of new cybersecurity solutions to help businesses get to grips with this new working world. And one I noticed was a ransomware risk assessment. Can you tell us about that?


SPEAKER_02. Yeah, it's been quite exciting to kind of launch this service to help the situation that we are in with ransomware attacks. If you look at where Qualys started and where we are, today customers have just way too many tools that they have to use for cybersecurity.

Individual siloed solutions that don't work with each other. And a lot of times people just don't know what they have on their network.

So when we started developing this platform and expanding it, we took a step back and we said, really, at the end of the day, cybersecurity professionals are looking to do three main things. One is find all devices in their environment, which is their asset inventory.

And two is to do your best effort to reduce your risk by patching, hardening, fixing what you can, CI/CD pipeline scanning. So now you've done everything to make sure that you've eliminated as many possibilities of somebody coming in the environment, which is reducing your risk.

And then the third part is to monitor if, after all of that, somebody gets into your environment, can you actually keep track and take some action on it, which is typically your EDR solutions or your SIEM, XDR solutions. And so what we did is we took a step back and we said, let's put all of these capabilities together on a single platform so customers can go from detecting something to actually taking action on it very, very quickly, because it's all in one tool rather than having to go to multiple tools.

Instead of just going and launching some free marketing gimmick, we said, why don't our researchers go? And they spent a bunch of time analyzing ransomware attacks over the last five years so that we can actually find out what techniques are used by these families.

And it's, you know, it's kind of a mafia. So they have families of ransomware that basically do different attacks, leveraging similar techniques.

And so kind of each family has a characteristic of how they go about and what they focus on from an exploitation perspective. And based on the research, we identified about 100 or so very commonly used vulnerabilities and techniques that are being exploited by these attackers.

We created a very simple workflow, which was actionable and measurable, which says, OK, get into the Qualys assessment tool. It is going to focus and show you exactly those issues that exist in your environment that map to that.

So that ability to find your asset, detect the vulnerabilities, prioritize them and patch them. That is what the service does on a single platform.


GRAHAM. I mean, I'm sure a lot of listeners out there that haven't worked, you know, haven't rolled up their sleeves and worked in an IT or a cyber environment just can't really understand how it's so difficult, the environments these days. But especially since the pandemic, the number of apps that people are using simply to communicate and store data and share information, it is astounding.


SPEAKER_02. Yeah, you know, this is always the sort of the battle between the innovation and the safety and all of that, right? Like how fast do you go?

And you see that today with self-driving car technology, right? There's people trying to go very fast on the technology.

And then, you know, you kind of have this pull from how safe is it? Is it safe?

So that kind of pulls back some of the innovation, but in a positive way, because you can't have this innovation without the security aspect. And the same thing is happening in IT and security.

As we have been entering this new world of cloud and containerization, there's a lot of very new innovation that is happening in terms of IT and how you deploy apps and lots of databases. In the past, it was only one database that you or two databases that you could use.

So the positive side is there's a very fast growth of expansion in the technology that is being used so we can have nimble and very scalable and nice apps that we can use. The flip side of that is that it creates, obviously, an architecture where you have a lot of different things.

Data is stored in many different areas and things moving at a fast speed. And the IT team doesn't always communicate that or most of the time communicate that fully to the security team.

So they see that there's a bunch of servers running, but they don't quite know what is running on each one of them. Exactly.

What we are going to talk about is what are the challenges coming from moving into cloud containerization from a security perspective, right? And what are the solutions?

What are people looking at out there? And obviously how Qualys platform is going to help you sort of see the full picture so that in the same platform, you can manage your remote laptops for the employees, where you can manage your cloud and your container environment and your handheld mobile devices, all of that.

So you can get a bigger and better picture of the risk in one place. And that's really the focus for us here.


GRAHAM. Yeah, and it's great because you'll be able also to get pain points from people out there, from people going, this is what I'm having trouble with, with my employees, and what solutions or what advice do you have for me? And this is a great place for them to do that.


SPEAKER_02. Exactly. And for us, we develop solutions. And I was a chief product officer for many years. So that's been very exciting to create capabilities and solutions that some of the largest businesses in the world are using. But you know, sometimes you do something and then when they look at it, they say, this is great. But you know, I need this one basic thing to get started in my environment.

Without that, I cannot deploy what you have. So that feedback is very important. And as I mentioned, we have really good customers. We have Euronet and a few other customers who are coming there who are going to actually present.

Yeah, that's so great. And so that's a good way to learn how are other people solving some of the challenges and to what extent have they been successful?

One of the things that they're going to cover is what are CISOs presenting to their management, to their board to show success when it comes to cybersecurity and what measures they're taking, what is measurable, what is actionable. And then there's a lot of good, exciting sessions around that and in-person interaction because we will have hopefully a couple hundred people at least who will be coming there in person.


GRAHAM. Is there anything else that you'd like to add before we close this interview, Sumedh?


SPEAKER_02. Lots of things happening in the IT space, lots of new innovation, lots of new technology. But at the end of the day, when you look at a breach that happened recently where it was a cloud-based breach because people use new technology, put things in the cloud and they are breached.

But if you go and look at it a lot of time, it's just the same basic issue that we have had for many years, which is cloud asset was misconfigured. Oh, we didn't change the password. We use a default password. Oh, we didn't apply a patch that was available, or we didn't close this particular port.

So I think a lot of times as we are looking at the expansion of IT and it may seem daunting, I think it is very important to be able to take a step back. A lot of times it just comes down to the basics, just the basic hygiene of detecting and misconfigurations, fixing vulnerabilities.

And the basic process of security at that point is just the ability to find your devices, do everything that you can to reduce your risk, and then make sure that you're able to monitor and detect any threats in the environment. And I think that's the journey that Qualys is pioneering, in a single platform to do all of that. And so, really looking forward, I really encourage your listeners to come and join us at the conference and tell us and give us feedback, so we can improve these capabilities and create new capabilities that are going to help us as an industry overall to fight back against the attackers.


GRAHAM. Brilliant. Listeners, you've heard Sumedh. If you want to get together with other cyber leaders and hash out today's problems and get some serious solutions, all you got to do is clear your calendar from November 15th to 18th. That's in two weeks' time. And sign up at smashingsecurity.com slash Qualys Las Vegas to attend in person at Las Vegas or remotely via the powers of the internet.

That link again is smashingsecurity.com forward slash Qualys Las Vegas. Sumedh Thakar, CEO and President of Qualys, thank you so, so much for your time today.


SPEAKER_02. Thank you very much. It was a pleasure being with you and I wish your listeners a great day. Brilliant. Thank you.


GRAHAM. Terrific stuff. Well, that just about wraps it up for this week. Jess, I'm sure lots of our listeners would love to follow you online, find out what you're up to. What's the best way for folks to do that?

You can find me on Twitter at Dr. Jessica Barker and check us out at sygenta.co.uk. And you can follow us on Twitter at Smash Insecurity, no G, Twitter at last ever G, and we're also up on the Smashing Security subreddit as well.

And don't forget, to ensure you never miss another episode, follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify and Google Podcasts. And of course, thank you to this episode's sponsors, Qualys and 1Password, and of course to our wonderful Patreon communities.

Thanks to them all, this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalogue of more than 249 episodes, check out smashingsecurity.com.

Until next time, cheerio. Bye-bye. Bye. Bye. Bye. Bye for the 250th time.

Fun, though. Well, the last two... Are we going to do a few more, Graham? Before we throw in the towel?

You've got to get to 256. 256 and then 365. That's true. Okay, good point. Then 365. Jess is giving us the strength to carry on.

256, 512, 1024, 2048, 4096, 8192, 1600. And I will stop the recording now.

-- TRANSCRIPT ENDS --