A game about Squid Game pulls the rug from under cryptocurrency investors in what appears to be a scam, PayPal hackers use a devious trick to break into 2FA-protected accounts, and have you received a job offer that's too good to be true?
All this and much much more is discussed in this celebratory edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Dr Jessica Barker.
Plus don't miss our featured interview with the CEO and president of Qualys, Sumedh Thakar.
Oh, and huge thanks to Darknet Diaries' Jack Rhysider, F-Secure's Mikko Hyppönen, The Cyberwire's Dave Bittner, and Host Unknown's Andrew Agnês, Thom Langford, and Javvad Malik for their special contributions to this episode.
Visit https://www.smashingsecurity.com/250 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guests: Andrew Agnês, Dave Bittner, Jack Rhysider, Javvad Malik, Jessica Barker, Mikko Hyppönen, Sumedh Thakar, and Thom Langford.
Sponsored By:
- Qualys: Qualys Security Conference 2021 is taking place in Las Vegas November 15-18 2021, and you can attend either in person or online.
- Hear from experts such as Chris Krebs, former Director of the DHS & CISA, learn strategies and tactics to secure your organization, and network with your peers and other Qualys experts to accelerate your career.
- To learn more about attending the Qualys Security Conference 2021 in person or online visit smashingsecurity.com/qualyslasvegas
- 1Password: From start-up to enterprise, 1Password makes it easy for your team to store, generate and share strong passwords. The less time you need to spend dealing with hacks, phishing scams, and lost passwords, the better.
- Not just for IT and Security teams – all kinds of teams like Finance, HR, Legal, and Marketing can also store and share business credit cards, sensitive documents and shared logins in 1Password.
- Work securely from home or in the office. 1Password allows secure access to logins and important resources anywhere you work.
- Instantly deploy, grant and revoke access to shared vaults. You can securely add new team members and recover locked-out user accounts.
- Find out more and try 1Password free for 14 days at 1Password.com
Links:
- Squid Game cryptocurrency rockets in first few days of trading — BBC News.
- Squid Game crypto token collapses in apparent scam — BBC News.
- 'I Lost Everything': How Squid Game Token Collapsed — CoinMarketCap.
- Squid Game Cryptocurrency Scammers Make Off With $3.3 Million — Gizmodo.
- The Booming Underground Market for Bots That Steal Your 2FA Codes — Vice.
- Scammers Are Using Fake Job Ads to Steal People’s Identities — ProPublica.
- FBI Warns Cyber Criminals Are Using Fake Job Listings to Target Applicants’ Personally Identifiable Information — FBI.
- Don’t let job scams block your path forward — FTC Consumer Information.
- Pit — Wikipedia.
- Pit game description — Board Game Geek.
- Metal Shop Masters — Netflix.
- Metal Shop Masters trailer — YouTube.
- Techjunkie Tools.
- 15 Secret Websites — Alphr.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. Do you want me to start?
CAROLE THERIAULT. I don't know. I'm just waiting.
CAROLE THERIAULT. I'm thrilled with how excited you are about this process. And it's really wonderful to be here. And Jess, I'm glad you're witnessing it. Anytime, Graham.
GRAHAM CLULEY. It's 250. 250.
CAROLE THERIAULT. Woo!
GRAHAM CLULEY. Woo!
CAROLE THERIAULT. Woo!
GRAHAM CLULEY. Are you not going to do a woo? Wow.
CAROLE THERIAULT. Woo-hoo!
JESSICA BARKER. Woo-woo!
CAROLE THERIAULT. That's how you do it, Graham.
GRAHAM CLULEY. That's it. That's it.
JESSICA BARKER. Yee-hee!
MIKKO HYPPONEN. This is Mikko.
MIKKO HYPPONEN. Is Smashing Security the most popular infosec podcast?
MIKKO HYPPONEN. No.
MIKKO HYPPONEN. But do they have the largest cult following?
MIKKO HYPPONEN. No.
MIKKO HYPPONEN. But do Graham and Carole try their hardest with every single episode? Also no.
CAROLE THERIAULT. Smashing Security, episode 200. 250. Yes, you heard that correctly, 250, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 250. My name is Graham Cluley.
JESSICA BARKER. Sorry, I got carried away there.
GRAHAM CLULEY. Sorry.
CAROLE THERIAULT. And I am Carole Theriault, and we are joined by Dr.
CAROLE THERIAULT. Jessica Barker.
GRAHAM CLULEY. Hooray!
JESSICA BARKER. Hi, hi!
JESSICA BARKER. Lovely to be here.
CAROLE THERIAULT. Really thrilled to have you here.
GRAHAM CLULEY. Lovely to have you here, especially on such an auspicious day as our 250th episode.
JESSICA BARKER. I am honoured to be celebrating this with you. It is an amazing achievement.
GRAHAM CLULEY. Is it?
CAROLE THERIAULT. Graham, one day we're going to get to— I think our next milestone has to be 365, because then we'll have an episode for every single day of the year.
GRAHAM CLULEY. Well, you know, somebody said to me, why don't you celebrate episode 256? Because that's a bit more nerdy.
JESSICA BARKER. Nice.
CAROLE THERIAULT. Did they have a breathing problem or?
CAROLE THERIAULT. Now, Graham, you said you had a surprise for me.
GRAHAM CLULEY. So, oh, I do, because I have gone to some of our fellow podcasters out there, people who've been on the show, some famous, some who'd love to be famous, to see what they have to say about Smashing Security. And they recorded a few words. Let's check it out right now.
JACK RHYSIDER. Hey, this is Jack Rhysider. Congrats on making it to episode 250. And to think this was all Carole's idea.
CAROLE THERIAULT. Wow.
JACK RHYSIDER. Nice going. Thank you both for making this show. And I can't wait to see what comes next for you.
CAROLE THERIAULT. Oh, that's great.
GRAHAM CLULEY. Carole, what's going on this week on the show?
CAROLE THERIAULT. Well, first, let's thank this week's sponsors, 1Password and Qualys.
CAROLE THERIAULT. It's their support to help us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. Oh, this week I'm squinting.
CAROLE THERIAULT. Ah, what about you, Jess?
JESSICA BARKER. I'll be talking about some social engineer bots.
CAROLE THERIAULT. Ooh, and mine is for all you job hunters out there. Plus, we have a featured interview with CEO and President of Qualys, Sumedh Thakar. We talk about his career and the upcoming annual security conference, their 21st, if you can believe it. So all this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, Jess, Jess, I have one burning question for you.
CAROLE THERIAULT. Uh-oh. I think he wants a new co-host, Jess. I think that's what's happening. I think I better—
GRAHAM CLULEY. Jess, I want to know if you have been watching the hit TV show Married at First Sight Australia Season 6.
JESSICA BARKER. It's on my list. Can I say that? No, I'm afraid not.
CAROLE THERIAULT. I am.
GRAHAM CLULEY. We've been talking about it the last couple of weeks. Carole is now watching it. I watched all of it. I binged on it.
CAROLE THERIAULT. It's horrific, and it's like heroin. You can't—
CAROLE THERIAULT. You can't get off the train. Not that I've ever done heroin. I'm imagining that's what happens with heroin.
JESSICA BARKER. What a sales pitch. Netflix using that on their trailers.
CAROLE THERIAULT. Yeah, it's car crash TV and editing and everything. Anyway, Graham, I hate you forever for it.
GRAHAM CLULEY. Thank you. Thank you. Jess, you are missing a treat because while the rest of the world is watching Squid Game on Netflix, Carole and I, we've been watching horrendous people doing horrendous things, marrying complete strangers, predictable outcomes. But we can't get enough of it.
JESSICA BARKER. Is that not Squid Game?
JESSICA BARKER. I haven't watched that either.
GRAHAM CLULEY. No, you haven't seen that either?
JESSICA BARKER. No, not yet.
JESSICA BARKER. Not yet.
GRAHAM CLULEY. Have you seen Squid Game, Carole?
CAROLE THERIAULT. Nope.
GRAHAM CLULEY. Okay, so we're talking from a position of knowledge then about Squid Game.
CAROLE THERIAULT. We're not.
CAROLE THERIAULT. You've obviously watched it.
GRAHAM CLULEY. No, I haven't watched it at all. I just assumed you would have seen it. My understanding is Squid Game is like a South Korean remake of The Sound of Music, but with more machine guns. It's something like that. It's a bit Hunger Games. It's a bit gore and violence. It's a bit—
CAROLE THERIAULT. You know, I think I got turned off by the fact that everyone talked about it so quickly. No, but it's so stupid in a way because there's this big conversation where I could have a point of view on it, and that's kind of cool. But in fact, I was "Oh, too many people are talking about it. I don't want to do it." And now look at me now.
JESSICA BARKER. I'm exactly the same. And I feel like it's as stupid as watching something just because people are talking about it to not watch something just because people are talking about it. And yet it puts me off.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. You know?
JESSICA BARKER. Yeah!
GRAHAM CLULEY. It does put me off. I didn't watch Line of Duty for years and years. I was "Everyone's talking about Line of Duty." And then I watched it and I loved it.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. I thought, oh, why didn't I start watching this earlier?
CAROLE THERIAULT. Don't throw the baby Jesus out with the bathwater. Oh, no, no, no.
GRAHAM CLULEY. Mary, Joseph, the baby cheeses as well. So, I love a baby cheese. Now, the South Korean horror show, it's been a huge hit for Netflix. People have been binging on it. And they've been watching hundreds of cash-strapped contestants accept an invitation to compete in children's games for a tempting prize. At least that's what I've read, but with deadly stakes.
CAROLE THERIAULT. Can I even ask, is this a game show or a fiction-y thing?
CAROLE THERIAULT. We don't know.
CAROLE THERIAULT. Somewhere in the middle.
GRAHAM CLULEY. It's a fictionalised thing.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. So it's a piece of drama about some dystopian future and, you know—
CAROLE THERIAULT. Fab. It does sound delish.
GRAHAM CLULEY. I'm sure it's good. I'm sure it's good. But it's just too many people are talking about it, so I don't want to watch it. Anyway, it's become a huge deal. And of course, that means that some people think, oh, hello, Squid Game, that's popular. How can we take advantage of that? So some opportunistic fellows thought, let's do an online version of Squid Game. And so they posted up online 6 different games and 456 people take part in each game.
CAROLE THERIAULT. What?
GRAHAM CLULEY. Right?
CAROLE THERIAULT. No, but—
GRAHAM CLULEY. You don't have to have them all crowded around the same monitor.
JESSICA BARKER. Are they on the same Zoom? How does this work? That's an expensive account.
GRAHAM CLULEY. Anyway, they're playing these games, which look a bit like some of the games which are dramatised in the TV show. And—
CAROLE THERIAULT. You've been told, 'cause you haven't seen it.
GRAHAM CLULEY. Well, from the screenshots I've seen, yeah. I've seen the trailer for Squid Game. Hence I know it's like The Sound of Music.
CAROLE THERIAULT. Good old research.
GRAHAM CLULEY. Yeah. And so how do you get to play the online version of Squid Game? Well, you need to be the holder of some squid tokens. And at the end of the game, if you are the ultimate winner of these online games, collects all the tokens, right? Squid tokens.
CAROLE THERIAULT. Oh, so you pay a token to play and then the winner of the 156 players takes all the tokens.
GRAHAM CLULEY. Takes all the tokens. Right. So people have been buying squid tokens in order to participate. And squid tokens, you aren't gonna be surprised to find out, is a hot new cryptocurrency. And it's called a play-to-earn cryptocurrency inspired by the TV show. There's a white paper explaining all about Squid tokens. And they were launched on Tuesday of last week.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. So you could buy yourself a Squid token for just 1 US cent with the promise that you'd be able to then play to earn online, right, in the game. 72 hours later, each Squid token, which started off at 1 cent, was worth $4.42.
CAROLE THERIAULT. Geez. Nice return.
GRAHAM CLULEY. An increase of 44,000%. Wow. So if you had bought $100 worth of Squid token, which isn't an outrageous amount, right? If you'd bought $100 worth, that would've been turned into $44,200 in just a few days. So a huge amount of money, obviously quite unbelievable.
Now, some people thought that it might be a scam, because there had been a few clues. For instance, nobody knew who was behind the Squid tokens.
JESSICA BARKER. Oh dear.
GRAHAM CLULEY. And there'd also been messages posted under the name of Elon Musk supporting Squid tokens, which I think makes you suspicious regardless of whether it's Elon Musk who's really posting those supportive comments or the fake Elon Musk. Who's typing those comments?
JESSICA BARKER. I was just thinking, who now?
CAROLE THERIAULT. Which do you trust more?
GRAHAM CLULEY. It doesn't really matter.
CAROLE THERIAULT. Do you trust—
CAROLE THERIAULT. Cardboard cutout probably would be my favourite of that, but—
GRAHAM CLULEY. Furthermore, this whole online game, it wasn't endorsed by Netflix. They had nothing to do with it. So someone was kind of riffing off the Squid Game TV show.
CAROLE THERIAULT. And I can see that.
CAROLE THERIAULT. That must be happening all the time, right, with all TV shows.
GRAHAM CLULEY. It's probably an Antiques Roadshow Crypto Coin. Yeah, yeah. Starsky and Hutch. So the biggest concern though, the thing which made people most suspicious was, well, what happens if you want to get hold of your money? 'Cause you've made suddenly $44,000. Right. Maybe you'd like to get hold of it.
CAROLE THERIAULT. Time to milk the cow. Right.
JESSICA BARKER. Yeah.
GRAHAM CLULEY. The problem was there didn't actually seem to be any way to actually sell Squid tokens.
JESSICA BARKER. Oh dear.
JESSICA BARKER. That doesn't bode well.
GRAHAM CLULEY. And there's no point having a cryptocurrency token that's surging in value if you are not able to sell it. And meanwhile, other people were still buying Squid tokens, pushing up the price. And they were tempted as the price was racing up. So it was going up, further up and further up. By Monday of this week, the week that we're recording this, the price of Squid tokens became truly enormous. It reached a height. Each Squid token, remember it was 1 cent, became $2,861.80.
CAROLE THERIAULT. Jesus.
GRAHAM CLULEY. It had raced up 7,500% in just 3.5 hours.
CAROLE THERIAULT. Yikes.
GRAHAM CLULEY. If you had bought right at the beginning $100 worth of Squid tokens, it wasn't worth $44,000 anymore. It was now worth $28.6 million.
CAROLE THERIAULT. But was it worth it if you couldn't sell it, Graham?
GRAHAM CLULEY. Exactly.
JESSICA BARKER. Theoretically, that's a lot of money.
CAROLE THERIAULT. Yeah, I know there's a lot of adverbs missing in this segment. Reportedly. Allegedly.
GRAHAM CLULEY. People were complaining. People were leaving comments on the Squid token Twitter account until—
CAROLE THERIAULT. I'd to have my cash, please. Thank you.
JESSICA BARKER. Right.
GRAHAM CLULEY. And the Squid token Twitter account was closing off replies so people couldn't post replies anymore to them. And on a Telegram group seemingly run by the token's administrators, they said, oh, someone's tried to hack our project and our Twitter account. If anyone's having problems selling their Squid tokens because of anti-dumping measures we put in place to stop people artificially lowering the price.
CAROLE THERIAULT. I should have an anti-dumping sign in my house.
CAROLE THERIAULT. Well, in which room? I have a room that might be perfect for it, yeah.
GRAHAM CLULEY. Well, you don't want them dumping in other rooms, surely. That's true.
CAROLE THERIAULT. That's a good point.
GRAHAM CLULEY. I think you want to very clearly sign which room is for dumping and which one isn't.
CAROLE THERIAULT. Well, yes.
GRAHAM CLULEY. Right. Well, the Squid Game developers, the developers of this online game, eventually they said, well, we don't want to carry on running this project because we're getting a bit depressed because people are scamming us and we're overwhelmed with stress. And so the website, the website with the game shut down, the Twitter account was removed, leaving 57,000 followers in the lurch. And the Squid token price—
CAROLE THERIAULT. I'm sure they'll get over it. But anyway, yeah. Okay.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Squid token price 5 minutes after it reached its high of $2,861.80. On Monday, it plummeted within 5 minutes to $0.00079.
CAROLE THERIAULT. I really want to ask how something plummets if you couldn't sell the tokens.
JESSICA BARKER. Yeah.
CAROLE THERIAULT. Right? If they can't get rid of the tokens, how can they be demonetized? I don't understand. But anyway, again, I've probably been sleeping. Yeah. So you know me. Just cotton, cotton heads.
GRAHAM CLULEY. But I think essentially the theory is that someone has run off with all of the real money and left people with worthless squid tokens in this stupid online game, which you can no longer access as a consequence. Who would've thought cryptocurrency would've ended in this way?
JESSICA BARKER. Who saw this happening with the squid tokens? That never seemed a bubble that was gonna burst.
DAVE BITTNER. Dave Bittner here from the CyberWire wishing Carole and Graham a heartfelt congratulations on 2,500 episodes. Quite an achievement. I'm sorry, what? 250 episodes? And how long?
CAROLE THERIAULT. 5 years?
DAVE BITTNER. I mean, come on, that's a hobby. I did 250 episodes last week.
CAROLE THERIAULT. Yeesh.
DAVE BITTNER. I guess I should wish you well for the next 250, but honestly, Graham's not getting any younger. Anyway, congratulations on 250. It's adorable.
GRAHAM CLULEY. Jess, what have you got for us this week?
JESSICA BARKER. I am talking about the underground market for bots that steal your two-factor authentication and OTP codes. This is an article by Joseph Cox for Vice Motherboard, and it starts by describing a call seemingly from PayPal's fraud prevention team. And it is an automated call, an automated voice.
You pick up the phone and it explains someone has tried to take a payment, a $50 payment, say, and if that wasn't you, you need to verify your identity to block the payment. So it wasn't you, so of course you want to block the payment.
CAROLE THERIAULT. Yeah.
JESSICA BARKER. And at that moment you get a two-factor code from PayPal, comes in over SMS. So you're told to input the code, you do, and the voice says, "Thank you. Don't worry, the transaction has been blocked. Here is your reference number," reeling off a string, a long string of numbers. And don't worry—
CAROLE THERIAULT. Can you repeat?
JESSICA BARKER. Yes. Yeah. Press 1 to hear that reference code again.
CAROLE THERIAULT. Capital M, 5, 6, hashtag, hyphen, 1, 3, 3, 7. 7.
JESSICA BARKER. And it ends with some nice reassurance. You know, if you see unauthorised payments going out of your account, don't worry, it's going to be reversed in the next 24 or 48 hours.
JESSICA BARKER. Now, of course, you know what's coming.
JESSICA BARKER. It is, of course, all a scam, and the fraudster is using bots that are now being bought and sold underground. So the article is a great analysis of this seemingly new type of scam, and you can actually listen to the audio which Joseph Cox got hold of, received from a scammer who sells these bots.
Listen to how convincing it is.
SUMEDH THAKAR. Welcome to PayPal's fraud prevention system. We have recently received a payment request of $58.82. If this was not you, please press 1.
In order to secure your account, please enter the code we have sent to your mobile device now. Thank you. Your account has been secured and this request has been blocked. Please make sure to only enter your password at paypal.com. Don't worry if any payment has been charged to your account, we will refund it within 24 to 48 hours. Your reference ID is 1549926. You may now hang up.
CAROLE THERIAULT. The thing is though, if I get an automated voice on the phone, I just hang up always. They could be saying anything to me.
JESSICA BARKER. Yeah, but I think at the same time we're getting more and more used to them, don't you think?
CAROLE THERIAULT. I don't know if I am, but I don't think I answer my phone enough.
JESSICA BARKER. Yeah, I'm the same.
GRAHAM CLULEY. I don't think they all talk like Derek the Dalek anymore. Some of them are increasingly convincing.
CAROLE THERIAULT. Hi, this is Elon.
GRAHAM CLULEY. Look at the guy who announces our show every week, right? He's pretty good.
CAROLE THERIAULT. What, Steve? He's great.
GRAHAM CLULEY. Yeah, Steve.
CAROLE THERIAULT. Love Steve. Have you not met him, Graham?
JESSICA BARKER. What's Steve got to do with this?
JESSICA BARKER. And I think if you go so far as to listen to the message, for some people, you're right, they'll pick up the phone, they'll hear an automated voice, they'll hang up. Other people, if they are likely to listen to the message, then maybe they're more likely to be persuaded by it.
CAROLE THERIAULT. Uh-huh.
CAROLE THERIAULT. I think that's fair.
GRAHAM CLULEY. I think that's definitely the case because particularly when you're dealing with a large organisation, or a large financial institution, it's not unusual, is it, to get an automated message saying, "This is a call from so-and-so. Ring us back on this number," or, you know, "Press this number to go through our switchboard system." I've had this recently from a gym.
JESSICA BARKER. Trying to leave this gym, as we all know, that's impossible. And they keep ringing me with an automated voice message saying I have to call them back, which obviously means I'm never gonna call them back and they're gonna continue taking money from me.
GRAHAM CLULEY. Hang on, Jess, it's November. You are trying to leave a gym in November? I thought the traditional time to leave a gym was at the end of January.
JESSICA BARKER. Yeah, but I haven't watched Squid Games.
JESSICA BARKER. I like to buck trends. We've established this.
GRAHAM CLULEY. Oh, okay.
CAROLE THERIAULT. All right, okay.
JESSICA BARKER. But what's interesting, I think, is how this can lower the barrier of entry to criminals, right? It's another kind of cybercrime as a service.
And the scammer even comments on how great the bots are because not everyone is comfortable on the phone. So if you're the awkward type of criminal that doesn't have a great telephone manner, don't worry, these bots will do the social engineering for you.
CAROLE THERIAULT. Yeah.
JESSICA BARKER. So I actually heard this audio from Joseph Cox before he published. He was kind enough to share it with me.
And that's one thing we spoke about, you know, how this lowers the bar for criminals and the fact that as we get more accustomed to communicating with bots, the more, of course, cybercriminals are going to try and subvert it and take advantage of the fact that we're using that and we're more comfortable with speaking with robots.
CAROLE THERIAULT. Yeah.
JESSICA BARKER. And of course, the voice message uses those classic social engineering techniques of both fear and reassurance. Oh, your account's been compromised, money's been taken.
You need to act now, put in your code, then you receive the code at exactly the right time. And for some— Oh, Siri's not sure. Siri's not sure if they understand that. Sorry, that was my watch piping up at that point.
JESSICA BARKER. I obviously wasn't explaining it.
JESSICA BARKER. Speaking of bots, Siri is maybe taking offense to this.
CAROLE THERIAULT. Yeah, shut up, Jessica.
JESSICA BARKER. Yeah, some of those bots are legit.
GRAHAM CLULEY. Siri, format Jess's hard drive.
JESSICA BARKER. It's a good job I've got my headphones on.
JESSICA BARKER. And then the reassurance at the end, which I just think is so clever, giving the reference code to seem extra professional, saying, don't worry if you see payments go out, they'll all be reversed. So you leave it two days before you start to realise, hold on, loads of money's been siphoned out of my account and it's not going back in.
CAROLE THERIAULT. No, it sucks, man.
JESSICA BARKER. Yeah, and they just keep on getting more sneaky, don't they?
GRAHAM CLULEY. What are PayPal doing about this? Anything?
JESSICA BARKER. It's not just PayPal. I mentioned PayPal, but it's of course all sorts of other services.
And I mean, they're putting out the communications: don't share your code with anyone who asks for it. We will never call and ask for it in that way. What's interesting is the scammer says they're using some communication tools. I think, is it Twilio, one of them? Other ones where they will make calls on your behalf. So obviously legit services where, as a business, you can get that service to put calls out for you. And so those platforms are also saying they're trying to crack down on the use of bots, and they're aware of this, and they're doing what they can to try and squash it.
CAROLE THERIAULT. You know, Graham, you know how you go around saying you were once named the 11th greatest Briton in the UK?
GRAHAM CLULEY. In IT history. In IT history.
CAROLE THERIAULT. Oh, in IT history. Yes. Okay. Yes. So someone could basically fake your voice and put your voice on these recordings, right? Saying, "Hi, I'm Graham Cluley. You know me from Smashing Security. We do this." And you do not own your voice. There's no copyright for voice ownership.
GRAHAM CLULEY. So you wouldn't be able to say, "Hey." I don't know that my voice would be effective at scamming someone. I'm surely that wouldn't have worked.
CAROLE THERIAULT. Well, I was just trying to appeal to your ego. That's how, that's how I get you to listen to what I'm saying.
GRAHAM CLULEY. But I think it's a very interesting technique that Jess is talking about here, because I think we've all heard before that you shouldn't share those two-factor codes with someone else. So if someone asks you, oh, can you tell me what the two-factor code is that you've just been sent? You should be wary of that.
But the fact that it's a robot asking you somehow might reassure people and think, oh, well, I'm just dealing with some automated system. Maybe this is part of PayPal or whatever company it is that's called me up.
JESSICA BARKER. Yes, it's not a person, it's just a computer.
GRAHAM CLULEY. Because they're safe, aren't they? But the truth is, of course, it means that they can do it at such a bigger scale than if they had humans ringing you up and doing all of this.
CAROLE THERIAULT. What if you just sort of wasted its time and just went, when they said, "Please give me this," you just go, "Whipple, whipple, whipple, whipple, whipple." And they would go, "I'm sorry, I didn't catch that." You'd go, "Honk, honk, honk, honk." And just see how long you could do that for.
JESSICA BARKER. I would love to hear that call.
JESSICA BARKER. Please.
GRAHAM CLULEY. Talking of recording, someone else has been in touch about our 250th episode. Let's hope they've got something nice to say.
CAROLE THERIAULT. I hope so.
CAROLE THERIAULT. Why would you—
CAROLE THERIAULT. Why would they not?
GRAHAM CLULEY. Because some of them didn't. Some of them were a bit catty. Naming no names.
CAROLE THERIAULT. No, no, no.
CAROLE THERIAULT. 250 episodes, blimey, I didn't think Graham was capable of lasting that long.
GRAHAM CLULEY. Long time to stick to the same formula, jingles, and 4 guests.
CAROLE THERIAULT. You guys are like the Hutch to our Starsky, the Lacey to our Cagney, the Doyle to our Bodie, the Hutch to our Turner, the Danny DeVito to our Arnold Schwarzenegger, the Robin to our Batman, the Rodney to our Del Boy, the Cheech to our Chong, the canine to our Doctor. From all of your friends at Host Unknown.
GRAHAM CLULEY. Officially more entertaining than smashing security.
CAROLE THERIAULT. In your face!
GRAHAM CLULEY. Carole, what have you got for us this week?
CAROLE THERIAULT. In the last few years, because of the pandemic and stuff, people have looked more closely at their lives, their jobs, their routines. And according to ProPublica, millions of people have just upped and quit their jobs, right? Looking for a new life or a new way of life.
In fact, in August, 3% of Americans, 2.9% of Americans quit their jobs.
CAROLE THERIAULT. Wow.
CAROLE THERIAULT. Which is huge. That's apparently a record-breaking number. And to add to the mix, there's a glut of laid-off workers scrambling for work.
So we're seeing this really huge churn in the labor market, particularly in the States, although I'm sure it's happening elsewhere. So Graham, I want you to imagine that you are one of this 3% and you need a new job, right?
This podcast gig isn't working out for you. You've done 250 episodes. You've heard everything that I have to say about everything on this topic. We could just move on.
JESSICA BARKER. Do you think Carole's trying to tell you something, Graham?
GRAHAM CLULEY. Hang on, are you saying I'm looking for a new job or I'm looking for a new co-host? What is the thing? What are you after here?
CAROLE THERIAULT. No, no, you're looking for a new job. Job, okay?
CAROLE THERIAULT. And you're job hunting and you see an ad that says airport shuttle driver wanted. Oh yeah, and your job would be to pick up passengers for 35 hours a week. All right, at a pay that actually works out to about $100 grand a year, right?
And let's imagine this is exactly the gig you've been looking for. No more sitting at home in your stupid studio, you're hitting the open road. And so you're excited about this opportunity, so you click on the link and you send in your CV.
GRAHAM CLULEY. Wibble wibble, honk honk.
CAROLE THERIAULT. And luckily, you get a call a few hours later, right, from someone going, hey, hey, hey, Mr.
CAROLE THERIAULT. Cluley, love the resume, love the resume. Can I ask you a few questions about this?
CAROLE THERIAULT. And then, okay, so let's play along.
CAROLE THERIAULT. So I might say, have you ever fallen asleep at the wheel, Mr.
CAROLE THERIAULT. Cluley?
GRAHAM CLULEY. Well, what do you mean by asleep? I mean, I might have had a little nap. I mean, I haven't really sort of—
CAROLE THERIAULT. Excellent.
GRAHAM CLULEY. Okay, okay, good.
CAROLE THERIAULT. Excellent.
CAROLE THERIAULT. How do you feel about picking up celebrities?
GRAHAM CLULEY. Ooh, I'd love— there's some celebrities I'd love to pick up. Yes, why not?
CAROLE THERIAULT. Fabulous.
CAROLE THERIAULT. And what would you do if passengers got all hot and smoochy in the back seat? Would you avert your eyes or, you know, get your phone out?
GRAHAM CLULEY. Turn on the webcam, post it on Instagram and TikTok.
JESSICA BARKER. Fabulous.
CAROLE THERIAULT. And I got to say, Graham, I'm super impressed with your answers. I think you are our best candidate for this job.
GRAHAM CLULEY. Thank you very much. This is easy.
CAROLE THERIAULT. All I got to do is get a little standard background ID check out of the way. And once that's cleared, we are ready to get you a brand new job.
GRAHAM CLULEY. All right, let's do it.
CAROLE THERIAULT. No, Graham, it's fake. It's a fake job ad, Graham.
GRAHAM CLULEY. What?
CAROLE THERIAULT. How did you not spot that?
CAROLE THERIAULT. And the website, which totally looked legit where you post your CV, totally wasn't. And the person on the phone that called you isn't an interviewer but a scammer trying to get as much info about you as they can to use their legit identity for their own nefarious purposes.
So it's really interesting. So one version of the scam was posted in a Telegram channel of a Nigerian scam group called Yahoo Boys Community. This is according to ProPublica. And then there was instructions on what to tell applicants to get them to share their Social Security numbers, photographs of their driver's license, and other personal details.
GRAHAM CLULEY. They weren't presumably looking for victims on the Yahoo Boys Telegram chat. That's the criminals talking to each other.
CAROLE THERIAULT. I haven't hung out there, but I'm presuming no.
GRAHAM CLULEY. Yeah, they're a bunch of notorious scammers, the Yahoo Boys. I've heard of them before.
CAROLE THERIAULT. Yeah.
CAROLE THERIAULT. And there's 5,000 members strong on this, apparently. And the idea is you ask an applicant generic questions after they've sent in a CV, and then you offer them a gig. But what you need is to get their personal info in order to land them, get through the ID check, you know, make sure you are who you say you are, Mr. Cluley type thing.
GRAHAM CLULEY. But asking some interview questions sort of lulls the applicant into a false sense of security. Because I remember we used to work for a computer security company, and they had a hiring policy of asking people how many ping pong balls could fit into this room, and do you read Living Marxism and stuff like that, didn't they? And which helped them decide who they wanted to employ.
CAROLE THERIAULT. And terribly bad these days.
GRAHAM CLULEY. Right. And they just generally ask you questions about sine and cosine to make you feel thick, and then they'd feel justified in offering you less money for the job. But it's kind of worked, I think, as an approach for them. But for many people, it would make them think, well, I've been through some sort of process and haven't I done well to get through it? Now I will upload my passport details or my Social Security numbers or whatever else.
JESSICA BARKER. Yeah, it's quite convincing, isn't it? You've answered some questions, you've spoken to someone, they love you, they think you're great, you're looking for a job. I mean, it's, you know, maybe in a vulnerable position where you've been made redundant.
CAROLE THERIAULT. Yeah, I can see that's the clincher here, because where you're seeing these ads are places like Facebook or LinkedIn or Indeed, places where you expect to find positions being advertised. So last December, Alexandra Mateus Vasquez, so she was speaking to ProPublica, and she was applying for a graphic designer position at a restaurant chain called Steak 'n Shake, which, you know, gives me— I don't want anyone taking a steak and then shaking it around the room.
CAROLE THERIAULT. It's a really weird name for a restaurant.
GRAHAM CLULEY. I think it means milkshake, Carole.
CAROLE THERIAULT. Oh, right, right. And she found this job on the Indeed job website. And the so-called Steak 'n Shake rep called her up to participate in an email screening test for the job. And at first, she thought it was a bit weird, but then the questions seemed super standard, how do you meet tough deadlines? So she just provided the earnest answers to this. And hours later, she received an email offering the job, asking her for her address and phone number so a formal letter could be dispatched.
And the pay was super attractive. And when the letter arrived, it sought her Social Security number too, which she provided. And then she was invited to do a background check via online chat with a supposed hiring manager. She found herself trading messages with an account that had a blurry photograph of an old man and the name Iran Coleman attached to it. And apparently other applicants described a similar experience at Steak 'n Shake, which is weird.
But this hiring manager requested copies of Vasquez's personal records to verify her identity. She shared photographs of her New York State ID, her green card, but grew suspicious when the person got, in my view, super greedy and asked for her credit card number too.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. And then she was, hey, wait a minute.
JESSICA BARKER. Right?
CAROLE THERIAULT. Yeah.
JESSICA BARKER. I mean, everything before that, there's different layers. You're speaking to different people. They're asking, and they kind of lulled the target in, haven't they? As you said, asking expected questions, reassuring them, and then moving on to all things you would expect. You know, we need to verify your identity. Well, yeah, of course, I'm applying for a job.
GRAHAM CLULEY. I wouldn't trust a job interview unless they asked me that question of, tell me your worst characteristic, what you're really bad at. And then you say, oh, well, I'm just, sometimes I'm just too devoted.
CAROLE THERIAULT. Workaholic?
GRAHAM CLULEY. I'm too devoted to the job.
JESSICA BARKER. I'm a perfectionist.
GRAHAM CLULEY. I suffer from too much humility sometimes. I'm probably the best person at humility you've ever met.
CAROLE THERIAULT. I think yours would be I pay a lot of attention to detail.
GRAHAM CLULEY. Outrageous.
CAROLE THERIAULT. So Alexandra, she hesitated. And then she gets a call from ID.me. You might remember we talked about them a few weeks ago. And this is an identity verification vendor used by 27 states to safeguard unemployment insurance from fraud.
And they called her and said, hey, are you trying to apply for jobless aid in California? And that's when she realized she was for sure being scammed because she wasn't, right? So they were using her details to apply for aid in California.
GRAHAM CLULEY. Yeah, I mean, yeah, yeah, yeah, yeah.
CAROLE THERIAULT. So she reported the incident and she contacted the Social Security Administration. They told her that they denied multiple requests to create an account in her name.
So I really feel for those that are duped by such a scam because it's in that world. You are looking for a job, right? And someone's suddenly saying you are great for this, and you think you've spotted a great job at a salary.
JESSICA BARKER. Yeah, and it's adverts in places you would expect them. You'd expect to see job adverts on LinkedIn.
CAROLE THERIAULT. Yep. And the Better Business Bureau said in an alert last month that Indeed, LinkedIn and Facebook top the list of online platforms where users reportedly spot these fraudulent job advertisements, which doesn't really surprise me. They're the three big ones, aren't they, really?
GRAHAM CLULEY. For people who are trying to protect themselves, people are looking for jobs legitimately and trying to protect themselves from being scammed in this way, would it be possible to throw in some deliberately ridiculous answers to interview questions and see if they get accepted or not? You see what I mean?
If someone says, oh yeah, that's good, that's good. So if they said, what do you like in the office? Say, well, I tend to burp and fart a lot.
JESSICA BARKER. Or—
CAROLE THERIAULT. I was just thinking I have a problem with projectile vomiting.
GRAHAM CLULEY. Exactly.
JESSICA BARKER. Yeah. But then what if it's legit? What if you actually are a burper?
GRAHAM CLULEY. Would I be able to get 'Are you able to do this job while also playing Fortnite?' Or something. You know, if you said something like that.
CAROLE THERIAULT. Yeah.
CAROLE THERIAULT. You could say for your airport shuttle job, you have narcolepsy.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Which might interfere slightly, but—
GRAHAM CLULEY. And if the interviewer raises an eyebrow and goes, 'What?' You can say, 'Oh, just checking if you're a scammer or not.' But then you know, whereas if they kind of go, 'Great, great.'
CAROLE THERIAULT. Yeah, sure.
JESSICA BARKER. 'No problem.' And if they just say, 'No, there's no chance we're hiring you. We do not accept farters in this job.' You're stuck then.
CAROLE THERIAULT. I'm not sure Graham's thought this all the way through, because what if it is a legit job? You've kind of blown that out of the water.
GRAHAM CLULEY. Hopefully you'd be able to say, "Oh, I was just checking. This is an example of—" Admittedly, I haven't been to a job interview for over 30 years, so I'm possibly the wrong person to ask about technique.
JESSICA BARKER. I mean, if you try that and you don't get the job, then just send them this episode and say, "This is legitimate advice I was given to see if you were a scammer." No, it's the legitimate advice that I gave to the world is what it is.
CAROLE THERIAULT. Let's crack on, shall we?
GRAHAM CLULEY. From startup to enterprise, 1Password makes it easy for your team to store, generate, and share strong passwords. The less time you need to spend dealing with hacks, phishing scams, lost passwords, the better, right? Well, it's not just for IT and security teams. All kinds of teams inside your company like finance, HR, legal, marketing, they can also store and share sensitive information such as business credit cards, sensitive documents, and shared logins inside 1Password. Work securely from home or in the office. 1Password allows secure access to logins and important resources anywhere you work. Find out more and try 1Password for free for 14 days at 1password.com. And thanks to 1Password for supporting the show.
CAROLE THERIAULT. Qualys, one of the pioneering providers of disruptive cloud-based IT, were one of the first SaaS security companies, and they deliver continuous critical security intelligence via their Qualys Cloud Platform and integrated cloud apps. Plus, their 21st annual security conference is coming up between November 15th and 18th this year in Las Vegas. But you can also attend online. One cool highlight is you'll get a keynote speech from Chris Krebs, former director of CISA, with further talks around the role of automation in security. Want to learn more? Of course you do. Visit smashingsecurity.com/qualyslasvegas. That's Q-U-A-L-Y-S Las Vegas. And thanks to Qualys for sponsoring the show.
GRAHAM CLULEY. And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily. 250th show better not be. Well, my pick of the week this week is not security related. Yay! It is the game of Pit. Have you guys ever played Pit? No. No. Carole, next time you invite me over, I'm going to bring Pit with me. It's good fun. It is a fabulous, raucous card game that I remember from my youth. It's been in existence since 1904, according to Wikipedia, inspired by the Chicago Stock Exchange, also known as The Pit. And what happens is this. You deal out cards. You have 3 or more people, right? You deal out cards. Not playing cards. These are special cards. Cards with different commodities on them, like wheat, barley, flax, rye, etc., right? Whatever the commodity is. Right. And your mission in the game is to get a complete set of the same commodity. So you've all got cards. You don't know what other cards other people have, but you have an option to trade. So you can put down, for instance, you may have two flax, for instance, which you want to get rid of in order to get more barleys, right? And so you'd put them down face down and go 2, 2, 2, 2, 2, 2, 2. And other people meanwhile are doing the same, right? So someone may have put down two cards or three cards or four cards, whatever. And if you get a match and you want, you can then swap top with the other person without looking at their cards.
CAROLE THERIAULT. Are you going through the entire rule book of it?
GRAHAM CLULEY. No, but I'm explaining how it works. Now, there's no taking turns in Pit. It is just chaos because everyone's shouting out 2, 2, 3, 3, 3, etc., etc. Oh my God, very raw.
CAROLE THERIAULT. It sounds like hell. Yeah, so it's like a trading floor.
JESSICA BARKER. It is exactly like a trading floor. It is capitalism. That's right.
GRAHAM CLULEY. Yes. And then when you get a— you go, "Corner!" Right? Which means that you've done it, and you win some points.
JESSICA BARKER. What do you shout? Corner?
GRAHAM CLULEY. Corner. Yeah. Corner.
JESSICA BARKER. That's what you shout.
GRAHAM CLULEY. Corner! I don't know why. And different commodities have different— Anyway, it's a lot of fun. I haven't even mentioned the bull and the bear cards. Don't worry about that.
CAROLE THERIAULT. Surely you're going to give us instructions to play PizZazza. Oh no, we need to buy the— You need to have the exact cards. You need the cards.
GRAHAM CLULEY. You could make your own, to be honest. If you go to the Wikipedia page, you know enough basically to create your own set, or you can go out and buy them. Some modern implementations of Pit have a little bell you can ring, but I think it's more fun to say corner when you do it. And Pit is a— look, there will be someone listening to this who knows this game and will agree with me that this is an enormously fun game. I would—
CAROLE THERIAULT. I'd love to have independent verification of that.
GRAHAM CLULEY. Next time I'm at your place, we are going to play Pit.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And you can report back to listeners. Can't wait.
JESSICA BARKER. All right. I want to hear all about this.
CAROLE THERIAULT. We'll invite you, Jess. Don't worry.
GRAHAM CLULEY. That is my Pit of the Week. Oh!
CAROLE THERIAULT. Jess, what's your Pick of the Week?
JESSICA BARKER. Well, I have become mildly obsessed over the last 18 months with TV shows that essentially are about making or restoring things. Things, particularly if they have an element of competition. And so my latest watch in this genre was Metal Shop Masters on Netflix. And basically it's a group of— it's an American TV show— a group of metal artists who have to take scrap metal and then they torch it, they cut it, they weld it, and they make creations according to—
CAROLE THERIAULT. Is it Scrappy Challenge with an arty twist?
JESSICA BARKER. It sort of is. I do feel there could be more challenges, particularly in the final. I'm just leaving that as a note for Netflix. But I think it's so therapeutic, you know, particularly when our day jobs are about people who break things, break technology, exploit people. It's so therapeutic to watch people just build something beautiful out of basically scrap metal.
GRAHAM CLULEY. Yeah, I'm watching the trailer right now. It's a bit The Great British Bake Off, isn't it? But with metal rather than soggy bottoms.
JESSICA BARKER. It is exactly. And I mean, there's so many of these shows. The one where people make weapons is quite fun. Forged in Fire, that's a good one. Blown Away, where people do the glass blowing. Amazing. Smashing, love that one, highly recommended. And I think I partly like them because it is just so far out of my skill set or my potential ability. If you gave me a pile of scrap metal and told me to make something, you could give me 10 hours and you will end up with me showing you a pile of scrap metal. That's the limit.
CAROLE THERIAULT. Do you not find these shows, though, give you a false sense of, hey, that doesn't look that hard, I could go do that? I've watched one of these make your own small house, and I'm yeah, I could do that. Tiny House.
JESSICA BARKER. Yeah, yeah, same, same. Yeah, I definitely have that with— I have that with Nailed It, the bake show. Well, people are actually— no offense, Nailed It contestants— but they are rubbish, and they know they're rubbish, and they turn out these just monstrosities. So, when I watch that, I know I can do better.
GRAHAM CLULEY. Is it about fingernails or is it about nails as in hammers?
JESSICA BARKER. Although, nailed it with fingernails would be good, but no, this is Nailed It. And it's sort of the British Bake Off, but it's American. And it is people who have to recreate a sort of baking work of art, but they choose people who know that they're terrible at baking. So what they produce is horrendous. Horrendous. And then some of the shows, oh, they're hilarious.
And when I watch that, I'm like, yeah, I can do better. Although I then attempted to make cake pops, and let me tell you, I could be a contestant on Nailed It. They were terrible.
CAROLE THERIAULT. We can dream. Yeah. So Metal Shop Masters on Netflix.
JESSICA BARKER. Metal Shop Masters. Great fun. That's my pick of the week.
GRAHAM CLULEY. What have you got, Carole?
CAROLE THERIAULT. Well, mine's actually pretty useful, or I think it's useful. And I'd like you guys to take a look and see what you think. Tools.techjunkie.com. And this is a site that has basically short links to all those little annoying things having to do with file conversions.
You know, when you have to just send in only PDFs to someone or you need to convert your photos to PNGs or whatever. This site might be for you.
GRAHAM CLULEY. So I'm seeing some which say trim a video for instance, or compress a video. There's a whole bunch for doing things with PDFs, adding a password or compressing them, because sometimes PDFs are quite large, aren't they? That's right.
JESSICA BARKER. And just taking one page out of a PDF. And URL tracer. Sorry to bring it back to security, but yeah.
CAROLE THERIAULT. Tracking the redirection.
JESSICA BARKER. Yeah. Tracking the redirection path.
CAROLE THERIAULT. No, no, it's really cool, I think. And it's one of those things that might be really useful in your bookmark bar, because you're, oh, I gotta do this. I know I can, you know, I don't have to think about what particular app I've got on my system.
You can just run it through here. And they say that they, all files are deleted 15 minutes after upload. So you load it up, you do what you need to do, and then it goes poof.
GRAHAM CLULEY. Oh, well, if they say it, it must be true.
CAROLE THERIAULT. I know, do your own recon, people.
JESSICA BARKER. That's, I mean, that's it, isn't it? You immediately see something and you're, it looks so useful unless it's a scam.
CAROLE THERIAULT. Yeah. Yeah, totally.
CAROLE THERIAULT. And as it's our 250th episode, I'm going to give you the source of this pretty cool tool because there are 15 others that, you know, that they've waxed lyrical about. So this is on Alphr or Alphr.com, link in the show notes. But you can see the view here that you might actually recognize from your own use, DuckDuckGo, for example, the Wayback Machine.
GRAHAM CLULEY. So this is just a list of other sort of quirky, handy websites.
CAROLE THERIAULT. They're called the 15 secret websites, but there's a few having to do with news, arts, searching and reference, and then there's math ones, academics. So it's worth checking. There's some quite good ones here.
Okay. Nice. There you are. Those are my picks of the week. A useful thing after you finish playing Graham's game and watching Jess's TV show.
GRAHAM CLULEY. I think Jess and I, our picks of the week are more fun than yours, to be honest, Carole. Oh, we've got a featured interview this week, haven't we?
CAROLE THERIAULT. Yes, we do. Listen up. All right, so today is exciting. We are chatting with Sumedh Thakar, CEO and President of Qualys, a pioneering provider of disruptive cloud-based IT. Now, delighted to have you on the show, Sumedh.
SUMEDH THAKAR. Thank you for having me.
CAROLE THERIAULT. Now, Qualys has been around a long time. You must be one of the first SaaS security companies to have ever even existed.
SUMEDH THAKAR. Yeah, you know, we really pioneered this notion that you can deliver scalable and cost-effective security solutions. When we started back then, the words SaaS and cloud as the nice marketing words today did not exist. It was very interesting, but the idea came even before the terminology SaaS was really used publicly.
We're quite excited about the innovation that we brought into cybersecurity and have continued to build on top of that with our belief that the SaaS model and the cloud model is the best scalable model for today's needs for cybersecurity.
CAROLE THERIAULT. Yeah, and I've read actually that you have been with Qualys since the early noughties, and you held a number of different roles before you became President and CEO. And I was curious if you thought having those different roles really helped give you the skills to be CEO, if it helped you out at all.
SUMEDH THAKAR. It certainly does. I started as a software engineer, one of the first 4 people who worked on the platform back in the very early days.
Not to date myself, but it's been about almost 20 years that I've been part of this journey and driven this journey in many ways. I think the really great part about that is just the experiences that you get along the way that really help you understand the customers, help you understand what you can do to innovate and drive that innovation.
Having these different roles in engineering, product management, support, and now I'm— as I focus on sales, marketing, go-to-market, it's just given me a very well-rounded perspective of the market, what works, what customers want, and really how we can help the customers. So it's been a very rewarding experience.
CAROLE THERIAULT. I have worked for many different CEOs in my time and not all of them have been well-rounded.
CAROLE THERIAULT. So I think your employees are quite lucky on that front.
CAROLE THERIAULT. Now, Qualys and you are going to be hosting your 21st annual security conference in Las Vegas on November 15th to 18th. And this is also an online opportunity. So what can you tell us about this event?
SUMEDH THAKAR. Yeah, I think first of all, we're quite excited to do this as a hybrid event. I think we have been very committed to getting everybody back into having meetings face-to-face, interactions that really help increase productivity.
And that's been one of the things why we've been pushing this year to really participate in this conference in person, because of COVID the last couple of years. At least last year we couldn't do the conference in person, we did a virtual conference, which was very well attended.
And this year we're going to do a hybrid. The reason this conference is really well attended and appreciated is because we really focus on showcasing the innovation that Qualys is doing at this conference.
And this is about our engineers getting an opportunity to work directly with our customers, understand from them how they look at the challenges that they face in the cybersecurity realm and how they can solve them. And then the ability for them to showcase the innovations and get feedback from customers in the direction that we're going.
So for customers and security professionals, it's a great opportunity to come and interact with other security professionals who are in the same space trying to solve the same problems and have that interaction with each other to really understand how somebody else might be solving a cybersecurity challenge that you may be facing. And then it's also great because one of the things we offer here is two days of free training on the Qualys capabilities. So for a lot of them, it's great to come have a refresher for two days.
SUMEDH THAKAR. We go through many different capabilities, and that's one of the most liked aspects.
CAROLE THERIAULT. Yeah, after the pandemic, I think a lot of IT professionals have had to work in silos and have had to react to constant requirements from staff across the company requiring access to this and that.
CAROLE THERIAULT. And I'm sure a lot of people feel a bit stressed out, you know.
SUMEDH THAKAR. We're going to make sure that we follow all protocol from a safety perspective, keep everybody safe, but that in-person interaction, being able to talk to each other in person, being able to do a quick diagram on the back of a napkin on the table sometimes brings you a lot more value than trying to schedule a Zoom call with somebody. It takes time and then people are distracted with other things.
CAROLE THERIAULT. Well, I know from the IT professionals in my life that they cannot wait to get back out there safely, of course, but they are just dying to start networking again and building their networks and building relationships with people that can help them along their work IT journey, security journey. I noticed as well that Qualys has launched a number of new cybersecurity solutions to help businesses get to grips with this new working world. And one I noticed was a ransomware risk assessment. Can you tell us about that?
SUMEDH THAKAR. Yeah, it's been quite exciting to launch this service to help the situation that we are in with ransomware attacks. If you look at where Qualys started and where we are today, customers have just way too many tools that they have to use for cybersecurity, individual siloed solutions that don't work with each other. And a lot of times people just don't know what they have on their network.
So when we started developing this platform and expanding it, we took a step back and we said, really at the end of the day, cybersecurity professionals are looking to do three main things. One is find all devices in their environment, which is their asset inventory.
The second is do your best effort to reduce your risk by patching, hardening, fixing what you can, CI/CD pipeline scanning. Now you've done everything to make sure that you've eliminated as many possibilities of somebody coming in the environment, which is reducing your risk.
Then the third part is to monitor if after all of that somebody gets into your environment, can you actually keep track and take some action on it, which is typically your EDR solutions or your SIEM/XDR solutions. What we did is we took a step back and we said, let's put all of these capabilities together on a single platform so customers can go from detecting something to actually taking action on it very, very quickly because it's all in one tool rather than having to go to multiple tools.
Instead of just going and launching some free marketing gimmick, we said, why don't our researchers go and they spend a bunch of time analyzing ransomware attacks over the last five years so that we can actually find out what techniques are used by these families. And it's kind of a mafia, right?
So they have families of ransomware that basically do different attacks leveraging similar techniques. And so each family has a characteristic of how they go about and what they focus on from an exploitation perspective.
And based on the research, we identified about 100 or so very commonly used vulnerabilities and techniques that are being exploited by these attackers. We created a very simple workflow which was actionable and measurable, which says, okay, get into the Qualys assessment tool.
It is going to focus and show you exactly those issues that exist in your environment that map to that. So that ability to find your asset, detect the vulnerabilities, prioritize them, and patch them is what the service does on a single platform.
CAROLE THERIAULT. I mean, I'm sure a lot of listeners out there that haven't worked, haven't rolled up their sleeves and worked in an IT or a cyber environment just can't really understand how it's so difficult, the environments these days. But especially since the pandemic, the number of apps that people are using simply to communicate and store data and share information, it is astounding.
SUMEDH THAKAR. Yeah, this is always the battle between the innovation and the safety and all of that, right? How fast do you go? And you see that today with self-driving car technology, right? There are people trying to go very fast on the technology and then you kind of have this pull from, well, how safe is it? Is it safe? So that kind of pulls back some of the innovation, but in a positive way because you can't have this innovation without the security aspect.
And the same thing is happening in IT and security. As we have been entering this new world of cloud and containerization, there's a lot of very new innovation that is happening in terms of IT and how you deploy apps and lots of databases. In the past, it was only one database or two databases that you could use. The positive side is there's a very fast growth of expansion in the technology that is being used so we can have nimble and very scalable and nice apps that we can use.
The flip side of that is that it creates obviously an architecture where you have a lot of different things, data stored in many different areas and everything is moving at a fast speed and the IT team doesn't always communicate that or most of the time communicate that fully to the security team. So they see that there's a bunch of servers running, but they don't quite know what is running on each one of them.
Exactly. What we are going to talk about is what are the challenges coming from moving into cloud containerization from a security perspective, and what are the solutions, what are people looking at out there and obviously how Qualys platform is going to help you sort of see the full picture so that in the same platform you can manage your remote laptops for the employees, where you can manage your cloud and your container environment and your handheld mobile devices, all of that. So you can get a bigger and better picture of the risk in one place. And that's really the focus for us here.
CAROLE THERIAULT. Yeah, and it's great because you'll be able also to get pain points from people out there, from people going, this is what I'm having trouble with, with my employees, and what solutions or what advice do you have for me? And this is a great place for them to do that.
SUMEDH THAKAR. Exactly. And for us, we develop solutions and I was a chief product officer for many years, so that's been very exciting to create capabilities and solutions that some of the largest businesses in the world are using. But sometimes you do something and then when they look at it, they say, this is great, but I need this one basic thing to get started in my environment. Without that, I cannot deploy what you have. So that feedback is very valuable.
And as I mentioned, we have really good customers. We have Euronet and a few other customers who are coming there who are going to actually present. Yeah, that's so great. And so that's a good way to learn. How are other people solving some of the challenges and to what extent have they been successful?
One of the things that they're going to cover is what are CISOs presenting to their management, to their board, to show success when it comes to cybersecurity and what measures they're taking, what is measurable, what is actionable. And then there's a lot of good, exciting sessions around that and in-person interaction because we will have, you know, hopefully a couple hundred people at least who will be coming there in person.
CAROLE THERIAULT. Is there anything else that you'd like to add before we close this interview, Sumedh Thakar?
SUMEDH THAKAR. Lots of things happening in the IT space, lots of new innovation, lots of new technology. But at the end of the day, when you look at a breach that happened recently where it was a cloud-based breach because people use new technology, put things in the cloud and they are breached. But if you go and look at it, a lot of the time it's just the same basic issue that we have had for many years, which is a cloud asset was misconfigured.
Oh, we didn't change the password. We used a default password. Oh, we didn't apply a patch that was available or we didn't close this particular port. So I think a lot of times as we are looking at the expansion of IT and it may seem daunting, I think it is important to be able to take a step back.
A lot of times it just comes down to the basics, just the basic hygiene of detecting misconfigurations, fixing vulnerabilities. And the basic process of security at that point is just the ability to find your devices, do everything that you can to reduce your risk, and then make sure that you're able to monitor and detect any threats in the environment.
And I think that's the journey that Qualys is pioneering in a single platform to do all of that. Really looking forward, I really encourage your listeners to come and join us at the conference and tell us and give us feedback so we can improve these capabilities and create new capabilities that are going to help us as an industry overall to fight back against the attackers. Brilliant.
CAROLE THERIAULT. Listeners, you've heard Sumedh. If you want to get together with other cyber leaders and hash out today's problems and get some serious solutions, all you've got to do is clear your calendar for November 15th to 18th, that's in two weeks' time, and sign up at smashingsecurity.com/qualyslasvegas to attend in person in Las Vegas or remotely via the powers of the internet.
That link again is smashingsecurity.com/qualyslasvegas. Sumedh Thakar, CEO and President of Qualys, thank you so, so much for your time today.
SUMEDH THAKAR. Thank you very much. It was a pleasure being with you, and I wish your listeners a great day.
GRAHAM CLULEY. Brilliant. Thank you. Terrific stuff. Well, that just about wraps it up for this week. Jess, I'm sure lots of our listeners would love to follow you online, find out what you're up to. What's the best way for folks to do that?
JESSICA BARKER. You can find me on Twitter @DrJessicaBarker and check us out at cygenta.co.uk.
GRAHAM CLULEY. And you can follow us on Twitter @SmashinSecurity, no G, Twitter @SmashinSecurity, and we are also up on the Smashing Security subreddit as well. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE THERIAULT. And of course, thank you to this episode's sponsors, Qualys and 1Password, and of course to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 249 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye-bye.
CAROLE THERIAULT. Bye for the 250th time.
CAROLE THERIAULT. Fun though.
CAROLE THERIAULT. Well, we're gonna do a few more. Are we gonna do a few more, Graham, before we throw in the towel?
JESSICA BARKER. You've got to get to 256. 256 and then 365. Okay, good point.
CAROLE THERIAULT. Yeah. Okay, 365 is giving us the strength to carry on.
GRAHAM CLULEY. 256, 512, 1024, 2048, 4096, 8192, 16384... Stop recording now.
-- TRANSCRIPT ENDS --