
350: Think before you shrink! And our guest is faked


Don't minimise your Teams Meeting video call too hastily, you might reveal your dirty secrets! Would you be prepared to pay for Facebook and Instagram? And who is being faked to promote cryptocurrency scams?

All this and much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by technology journalist Jane Wakefield.

Plus - don't miss our featured interview with Push Security founder and CEO Adam Bateman.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • Push Security - Monitor and secure your entire identity attack surface, including non-SSO identities. Get notified in real-time to vulnerabilities across all your internet-facing identities, and have your staff guided to fix simple issues.
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


GRAHAM CLULEY. Oh, here we fucking go. What a daft fucking question. Smashing Security, let me tell you, it's not the best trendy club in the city if that's what you're thinking. No, it's a podcast, you daft ballbag. It's when the techie podcast go on about computer security and that, the toot caboot, cybercrime and all that scary shit. Makes you want to barricade yourself in your house. Anyway, go on, it's playing.


UNKNOWN. Smashing Security, episode 350. Think before you shrink, and our guest is faked, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 350. My name is Graham Cluley.


CAROLE THERIAULT. 350, oh my God. I'm Carole Theriault.


GRAHAM CLULEY. Are you gonna speak that the whole show? I think so.


CAROLE THERIAULT. No, I'm over it.


GRAHAM CLULEY. And this week we're joined by a special guest, someone who's never been on the show before. Please, ladies and gentlemen, put your hands together for tech journalist Jane Wakefield. Hello, Jane.


JANE WAKEFIELD. Hello. I am slightly disappointed that you say I've only made it on the show for the 350th episode. What's going on there?


ADAM BATEMAN. I know.


CAROLE THERIAULT. Well, we didn't know you. We only invite people we know personally on the show, so we had to have that happen, right, Jane?


GRAHAM CLULEY. I've been speaking to Jane for years.


CAROLE THERIAULT. Oh geez, he has. Okay, well then, Graham, naughty naughty. Jane, welcome.


JANE WAKEFIELD. This is very awkward, basically, isn't it, Graham? But I'll forgive you. I'm a forgiving person.


GRAHAM CLULEY. Jane is a— well, you were at the BBC for many years. Yes, I was. Talking lots of things tech there. And now I think you're freelance, aren't you? You're doing podcasts for other people and sometimes I see you popping up on the BBC News site as well, still talking about tech things.


JANE WAKEFIELD. Yes, I'm trying on many, many hats as well as freelance writing. I'm podcasting for UKTN and I'm doing some conference hosting and corporate writing, lots and lots of different things really.


GRAHAM CLULEY. Marvellous stuff.


CAROLE THERIAULT. Should we kick the show off, guys?


GRAHAM CLULEY. Go ahead.


CAROLE THERIAULT. But before we kick it off, let's just thank this week's sponsors. That's Smashing Security, and Vanta. It's their support to help us give you this show for free. So coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm going to be talking about the importance of keeping your desktop neat and tidy, nice and clean.


CAROLE THERIAULT. Okay. And what about you, Jane?


JANE WAKEFIELD. Well, I'm going to be talking about fakes in various guises.


CAROLE THERIAULT. Excellent. And I'm going to be talking about whether to pay Meta or not to pay Meta. That is the question. Plus, we have a featured interview with Adam Bateman, co-founder and CEO of Push Security, and we talk shadow identities and why organizations need to get them under control. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, by the way, it was pointed out to me I forgot to say chums, chums last week. First time in many, many months.


CAROLE THERIAULT. I didn't even notice.


GRAHAM CLULEY. You didn't know this? Oh, well, yeah, there's people paying attention and taking notes. Chums, chums, there you are. You got an extra special one there. I'm going to start today by talking about the story of a chap called Mohammad Moniruzzaman, and he was a software engineer at a company called Valeo. Have you heard of Valeo? V-A-L-E-O? Probably not, I'm guessing. Well, from my research, they do some pretty cool things regarding automobiles, regarding cars. In 1991, Valeo were the chaps who came up with, you know how when you're reversing into a wall it goes beep beep, beep, beep, beep, beep, beep beep. It sort of really goes over.


CAROLE THERIAULT. She reversed into a wall.


GRAHAM CLULEY. But have you not ever reversed into a bollard or anything like that? No. Jane, how's your driving?


JANE WAKEFIELD. Yeah, I mean I am one of those people that cannot wait to have a self drive car because I don't really like driving. But I do find with those beeps these days that people just ignore them anyway, don't they?


GRAHAM CLULEY. Yeah, well, some people do. I quite like a beeping car. My car beeps at me a great deal.


ADAM BATEMAN. Yeah.


GRAHAM CLULEY. I find it reassuring to know that it's—


CAROLE THERIAULT. Never drive with Graham, people. Never.


JANE WAKEFIELD. You like to be nagged when you're driving into a wall.


CAROLE THERIAULT. Yes, I think he does.


GRAHAM CLULEY. Well, that beep beep beep beep beep beep, that's done by ultrasonics. And in 1991, Valeo were the company who apparently came up with that. They did all the research and they worked it. Now, of course, it's built into so many modern cars, isn't it?

A few years ago, they came up with this other really cool thing, which I found out about online, called the XtraVue trailer. Now, my first concern was that Xtra was spelt without an E and Vue was V-U-E. But other than that, XtraVue trailer. What it does is— I don't know if either of you have ever driven a car with a trailer or a caravan. I haven't done that.


CAROLE THERIAULT. I have, but not for— Yeah, in Canada, I've done that, but not for a long time, not for a decade, really. So it's hard. It's weird.


GRAHAM CLULEY. I bet it's hard. I bet it's hard. I bet reversing is pretty— a car parking space is tricky as well.

But one of the challenges with driving along with a trailer or a caravan is you can't see what's going on behind you. And what Valeo came up with was this special trailer, which somehow allowed you to see through the trailer or caravan that you were towing from the driver's seat.


CAROLE THERIAULT. Yeah, it's called a camera in the back of the caravan, Graham.


GRAHAM CLULEY. Well, this is it.


CAROLE THERIAULT. It's revolutionary.


GRAHAM CLULEY. But they actually projected it onto the back of the— or the front maybe of the trailer. And so it perfectly matches. I've got some pictures and things I'll link to a video in the show notes as well. So you can see this actually in operation. It's quite remarkable what they've done. So I thought that was very clever.

Anyway, they apparently have invested billions, they claim, of dollars doing very cool work in all these areas of parking assistance and blind spot detection and lane departure warning systems. And you can imagine that can be a huge money earner, because if you can sell that tech, if you can get car companies to build it into their cars, you've got the potential to make a huge amount of money.


CAROLE THERIAULT. Absolutely. Totally. If they all— if one buys in, right, and it pays off, they're all going to— yep.


GRAHAM CLULEY. Everyone else wants the bells and whistles. Other car companies are going to say, well, we've got to have that as well now, because Graham wants a car which beeps at him.


CAROLE THERIAULT. Yeah, you're not on your own, it seems, but it's not my favorite.


GRAHAM CLULEY. It's not just me. It's not just me.

So, you can imagine that the 5,000 or so R&D staff that Valeo employ, like Mohammad Moniruzzaman, are pretty clever guys. And the other companies in the automotive space, they want to partner up with Valeo, right? They want to get a handle on some of that technology and, you know, maybe work together, collaborate on some things in order for everyone to fill their pockets.


CAROLE THERIAULT. Okay.


ADAM BATEMAN. So.


CAROLE THERIAULT. So.


GRAHAM CLULEY. This point of the story, we enter another company, which is NVIDIA. Jane, what do you know about NVIDIA?


JANE WAKEFIELD. Well, they're a very big company, aren't they? Doing lots of very exciting things with chips. I think in the last few years, their price has gone through the roof, right?


GRAHAM CLULEY. Yeah, because they are the people who make those graphic card chips. The GPUs for gaming PCs and for— well, they're also used as well in crypto mining. You know, people will set up these great big crypto mining rigs. So they've been making loads of money, but they've been looking in recent years to branch out into other fields. I guess they've got so much money, they don't know what to do with it.


CAROLE THERIAULT. They're bathing in it and they're like, okay, this is boring. Maybe we should invest in something.


GRAHAM CLULEY. Exactly. They've got the ball pit in the office. They've got the slide going down from the third floor. They've got all the— no, they turn the car park into a beach or an ice rink. It's like, what can we do with our money now? Let's get into advanced automotive technology. And NVIDIA, they won this big contract to work with a major firm in the automotive space, developing advanced parking and driving technology.

So they actually bid for a contract and they managed to get it. And the previous company who had this contract was Valeo. And their nose must have been put out of joint a bit, you know, because they had this big contract, they'd lost it to these gaming dudes who are going to take over now. They still had a— Valeo still had a piece of the action, but not as large a slice as before. They were asked, just work on the ultrasonic sensors, all the other cool stuff we're going to go to NVIDIA for.

Now, Mohammad Moniruzzaman, he's the Valeo engineer. He realized that his skill set would be very desirable to NVIDIA.


CAROLE THERIAULT. Jump ship.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Jump ship. Jump ship.


GRAHAM CLULEY. It's like, oh, hang on.


CAROLE THERIAULT. Out of the contract.


GRAHAM CLULEY. They're going to want some expertise. And so he got himself a job at NVIDIA in August 2021.


JANE WAKEFIELD. Was it the beach in the car park that attracted him first to the billionaire company NVIDIA?


GRAHAM CLULEY. It could have been. It could have been. It could have been there. Maybe there are donuts being served up by the canteen. Who knows what it is?


CAROLE THERIAULT. That's the best thing, the croissants. That's where you want to— Yeah.


GRAHAM CLULEY. So it's going to be some perk club. That is, to be honest, the reason why people jump ship, isn't it? Sometimes it can be something very, very trivial like that. The quality of the loo paper in the toilets, that sort of thing.

So what people didn't know, however, when this chap, Mohammad Moniruzzaman, left Valeo to go to NVIDIA, was that he hadn't just upped and left. He'd also taken tens of thousands of files and over 6 gigabytes of source code with him, because it had been in a Google Drive which belonged to Valeo that he had personal access to as well. So he snaffled it all up.

Scores of Word documents, PowerPoint presentations, PDF files, technical documentation, Excel spreadsheets, as well as the source code.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. And you have to assume that that was information which he took for a reason. And maybe he thought it would be kind of useful in his new job at NVIDIA, working on the same project he had previously been working on for Valeo.


CAROLE THERIAULT. That's so interesting because you're going to kind of think, oh, you know, you guys should lock your files down better so employees can't do this. But honestly, the employees being naughty, like, this is—


GRAHAM CLULEY. Oh yeah.


CAROLE THERIAULT. You know, this is not good.


GRAHAM CLULEY. And they'd allowed their employees to have access to these corporate Google Drives from their personal accounts.


CAROLE THERIAULT. So let's not forget COVID happened and no one was really ready, right? So a lot of that happened and then a lot of people didn't go clean up afterwards. So companies listening, pay attention, go clean up now.


GRAHAM CLULEY. That's a definite possibility. Well, about 6 months after Moniruzzaman started working at NVIDIA, he was on a Microsoft Teams call, poor fella, with, who would have guessed it, his old colleagues at Valeo, right? Because part of the contract for the project they were both working on meant that Valeo and NVIDIA had to have online meetings so that NVIDIA could ask Valeo questions about the hardware, and so forth.


CAROLE THERIAULT. And Mohammed, you know everything, you'll know if they're lying, you VPN on this? Forget the conflict of interest here.


JANE WAKEFIELD. Yeah.


GRAHAM CLULEY. Oh, and there were questions for the things they were developing. He obviously knew these guys could work with them, but this is where everything went terribly wrong because he was on this video conference call with his old teammates and he was sharing his screen and he made the mistake of minimising his PowerPoint presentation. And when he did that, what does everyone else on the call see? Source code from Valeo open on his screen.


JANE WAKEFIELD. Oh dear.


CAROLE THERIAULT. Damn it.


JANE WAKEFIELD. Rookie error.


CAROLE THERIAULT. Rookie error, Mohammed.


GRAHAM CLULEY. And the Valeo people on the call realised what they were looking at and they took screenshots before it could be removed. It's like, what? Oh, hello. You know, and these files, apparently, you could even see the folder that it was in and it was called Valeo Docs.


JANE WAKEFIELD. Oh no.


GRAHAM CLULEY. In this tree structure.


JANE WAKEFIELD. That's the equivalent of a robber having a bag with swag written on it, right?


GRAHAM CLULEY. So Mohammed Moniruzzaman, his house was searched by investigators. I don't think from Valeo. I imagine from German law enforcement, because that's where he was based. And they found files on his computer, on his NVIDIA laptop. And they even found Valeo documentation pinned up on the walls of his office. So while he was working from home, there were all these documents around him pinned up.


CAROLE THERIAULT. Like a little obsession wall.


GRAHAM CLULEY. He's pleaded guilty to the theft, stealing this software. He's been fined €14,400, about $16,000, which, you know, in the grand scheme of things isn't a huge amount of money for how much that software must have been worth.


CAROLE THERIAULT. But I'm guessing, what was the second company, Valeo?


GRAHAM CLULEY. The software that he's now working for NVIDIA. He came from—


CAROLE THERIAULT. Yeah, sorry. Yeah. So NVIDIA can't use Valeo software. There's gonna, you know, so it's moot whether he stole it, but he didn't make any money out of it. Well, or future lawsuits will tell.


GRAHAM CLULEY. Well, here's the thing. So there is now a lawsuit. Valeo is suing NVIDIA. They say that they've used Valeo's stolen trade secrets. They say they've saved millions of dollars, maybe hundreds of millions of dollars in development costs. They generate profits which they didn't properly earn, is their argument, and which they weren't entitled to. NVIDIA says, we didn't know anything about this. We didn't condone the theft of the source code. We've got no interest in the source code. Moniruzzaman says that the code was only stored on his laptop, wasn't shared with other people at NVIDIA. But regardless, if he was sharing his expertise, if he was able to refer to the previous source code when building NVIDIA's code, it possibly—


CAROLE THERIAULT. Come on.


GRAHAM CLULEY. But no, but they could, even if they haven't copied it line for line, they could still have benefited enormously.


CAROLE THERIAULT. Okay, imagine if you have perfect recollection, right? So you know every single line of code you've ever written for everybody. You just have that.


GRAHAM CLULEY. Thank you very much.


JANE WAKEFIELD. Right?


CAROLE THERIAULT. And then you go to a new company, you're like, well, I did write code like that once before. I did this and this, this and this and this and this, and they just type it on. Da da da da da. Is that stealing?


JANE WAKEFIELD. Well, I think it's stealing if you've got a hard drive, if you've got a kind of a file with all the information on. I think he's bang to rights, no?


CAROLE THERIAULT. You see, we need Jane.


GRAHAM CLULEY. But this was the other thing on that screenshot which they took when he showed up his source code. Apparently during the conversation they'd been talking about some variables in the API or something, and they actually found that when his source code came up behind him, the Valeo source code, he'd actually done a search during the call and it had highlighted something. So he was referring to it during the call, their source code. At least that's what Valeo are saying.


CAROLE THERIAULT. No, naughty, naughty.


JANE WAKEFIELD. I think they've got a fairly decent case, I would think. It kind of reminds me of the case that ZeniMax brought against Oculus, which was owned by then Facebook, now Meta. Palmer Luckey, do you remember this case?


GRAHAM CLULEY. No, what happened there?


JANE WAKEFIELD. Well, just that he— Palmer Luckey had done the same thing. He'd taken a load of IP from one company he'd worked at and was using it for another company. Yeah, I think Facebook were fined $500 million for that, and then there was an appeal and a settlement that followed it. But yeah, this stuff is dangerous, right? You know, it's not a lot that— in a world in which we can all access information at our fingertips, there's not a lot that companies can do.

You have to have access to information to do your job, right? And then if you can find a way to squirrel it away and take it to your next job, then what can a company do? But if you get caught having done that, then I think—


CAROLE THERIAULT. I honestly think it goes on way more often than we think.


GRAHAM CLULEY. I'm sure.


CAROLE THERIAULT. I think, you know, if you're made redundant or if you're pushed out of your job or you're leaving for a better job, I bet so many people are just sitting there snarfling up some data to benefit them. And I think this is a lesson to everybody: be careful when you do that because it's breaking the law.


JANE WAKEFIELD. I mean, you could argue that it's part of your development as a person, isn't it? You know, if you work for a company and then a big company wants to employ you. They want to employ you for your expertise and your knowledge that you had in that previous company.


GRAHAM CLULEY. It's all very well being hired for your expertise. It's a bit different if you've grabbed 6 gigabytes worth of data.


JANE WAKEFIELD. Yeah, exactly. I think that's where it gets slightly problematic. But I mean, if he contributed to that code, then I guess in some ways he's got some ownership of it. But again, the business really owns it, doesn't it?


CAROLE THERIAULT. So.


GRAHAM CLULEY. I think most companies would say, you know, under the terms of your employment, you cannot take intellectual property like that with you.


JANE WAKEFIELD. No, oh gosh, no, you can't take that.


GRAHAM CLULEY. Even if you contributed to it.


JANE WAKEFIELD. Yeah, no, no, definitely, no, that would—


GRAHAM CLULEY. So the other lesson, of course, is to be really careful when you're sharing your screen. You know, if you've got any tabs, I mean, there've been cases in the past where people have had tabs open to porn sites or other embarrassing things. So close your windows, clean up your desktops, and don't steal code.


CAROLE THERIAULT. Can you hire people to do that?


JANE WAKEFIELD. Because it's a bit like the bookcases behind us during Zoom calls, isn't it? During lockdown when everybody was checking everybody's— because the thing is, people are naturally curious, aren't they? You know, whenever you're on a Zoom call, you're actually— oh yeah, the paintings that someone has on their wall or the books that are on their bookshelves. And this is the same thing. What's on your desktop?


CAROLE THERIAULT. Oh, I'm just looking at my desktop now and I can see some of my art, a headshot, and a picture of Twisted Sister. So, you know, there you go.


JANE WAKEFIELD. Well, that could be interpreted in many ways, I guess.


GRAHAM CLULEY. Jane, what have you got for us this week?


JANE WAKEFIELD. Yeah, well, actually, I've sort of got a bit of a personal tale to tell, Graham, which is around the fact that obviously now I don't work for the BBC, and I don't anymore, but what I do do a lot now is go on LinkedIn and network, which I have to confess I didn't spend a lot of time on when I was working at BBC, other than to sort of slightly cyberstalk people who I might be going to interview. Now I'm on it quite a lot, and I've had loads and loads of messages recently asking me if a story that they've come across on Twitter— X, as it's now known— which is basically an interview with a celebrity called Emma Willis, who's a presenter on the TV, seemingly conducted by me, in a BBC template, and basically the upshot of the interview with her is to recommend some crypto investment. And people are asking me, did you write this? Did you write this? Is this yours? And I have to respond to them all going, no, I absolutely did not write this.


CAROLE THERIAULT. And you know, this is a completely fake article and your name's on it, right? It's penned by you, it says that on the thing, but it's not.


JANE WAKEFIELD. It says it's got my byline on it, right? It's in what looks like a quite convincing BBC template, and then the content is, well, absolute drivel. I mean, anybody who knows anybody that writes for the BBC would be able to see within seconds that, you know, it's not real. But that hasn't stopped people, quite respectable business people, asking me if it is. So it's obviously good enough to fool people. So it's a bit disconcerting on a personal level because obviously I don't want my name associated with scam crypto investments. I certainly don't want people thinking I'm recommending a particular product.


CAROLE THERIAULT. Yeah.


JANE WAKEFIELD. And therefore going off and investing in it. You know, there's all kinds of things that are problematic about this. But it's also quite problematic because I'm not entirely sure what I do about it. I no longer work at the BBC. I have contacted somebody that I knew at the BBC to tell them about it. And in anticipation of coming and talking about it on your show, I did a bit of research and found out that actually scam ads— and you might remember that Martin Lewis took up the issue with exactly the same thing, that he was being used to endorse crypto ads. And this was popping up on places like Facebook, and he wasn't very happy about this at all.


GRAHAM CLULEY. In his case, they even deepfaked him, didn't they? They made a deepfake video. Yeah, yeah, yeah, yeah, yeah.


JANE WAKEFIELD. I mean, it was getting horrendous for him. And he has written that this issue is being dealt with in the Online Safety Act. At least the Online Safety Act, which has just become an Act of Parliament, does now say that online platforms have a legal duty to take down scam ads.

I'm not sure that's going to solve the problem because, as we all know, just telling somebody they have to do something, especially in the world of big tech, doesn't necessarily mean that they are going to do it, but it's great that that's in there. But how does that apply to scam articles, which aren't ads as such?

Would that still apply for what's going on with me?


CAROLE THERIAULT. Where are the articles, Jane?


JANE WAKEFIELD. So they're popping up on X, on Twitter.


CAROLE THERIAULT. Right, right, right.


JANE WAKEFIELD. Twitter.


GRAHAM CLULEY. Are they images? Are they linking to websites?


JANE WAKEFIELD. They're linking to websites. They're linking to websites that seem— I mean, if you looked at the URL, it's clearly not the BBC, and I think that it might be kind of a malware-laden website that it's taking you to.

So I wouldn't want to share any of the links, but yeah, it looks in terms of the article itself as if it's quite convincing in terms— it's got all the BBC logos on it and it's written as a BBC article will be written, with pictures, etc. So yeah, it's really bizarre.


GRAHAM CLULEY. It sounds to me like there's a very simple thing you can do, which is contact Twitter's safety and security team, and they will pounce into action and— oh, hang on a minute. Do they still exist?

I'm not sure. Are there any?


JANE WAKEFIELD. Well, this is the problem, because I was thinking if I was still a BBC journalist, I would contact their PR team, but they don't have a PR team now, do they? Because Elon Musk doesn't believe in PR.


GRAHAM CLULEY. In fact, when you email Twitter's PR department, don't you get replied with a poop emoji?


JANE WAKEFIELD. You do, yes. In the grown-up, mature world of Elon Musk, that seems like a good idea.


CAROLE THERIAULT. I just wonder though whether or not they could be eventually sued for defamation for hosting this material if they don't take it down in time. Not in the States, I don't think, because you've got Section 230, but in the EU.


GRAHAM CLULEY. Yeah, but Jane may not have the resources or the desire to spend months and months.


CAROLE THERIAULT. No, no, someone would though. So, because someone who's going to be quite the celeb is going to be used and abused in this way, in a way that will be frustrating and it won't be taken down.


JANE WAKEFIELD. It's the same with any scam, isn't it? You can sort of try and stop it, but enough of it will have got through to convince a few people to do what the whole point of the scam is, which is to invest in this dodgy cryptocurrency that they're basically advertising.

So trying to put the stopper on that is much harder. One of the things that I did read when I was looking at how this is now gone into law by the Online Safety Act is that your first port of call I suppose, with this sort of stuff should be Action Fraud.

So I may well send them an email pointing out that lots of people are getting in touch with me and saying they've seen this and see what their—


CAROLE THERIAULT. No, no, I think that's a great idea. I know Graham's going to poo-poo it, but I think you should because they can't do anything if they don't have the reports.


JANE WAKEFIELD. Exactly.


GRAHAM CLULEY. Oh yeah, I think it's a good idea to report it. I do agree with that. I do hear varying stories regarding how Action Fraud responds to things. There have been some revelations over the years that maybe they're not doing such a great job. But I mean, clearly, the NCSC, I think, also could play a part in this as well because they have been successful at shutting down scam websites when these sort of things are being seen.

It's pretty annoying though that it's your image and your reputation, because even if I don't fall for the scam, I might think, oh, for goodness' sake, Jane, why didn't you ask them some more difficult questions? Why are you believing all this bullshit?


JANE WAKEFIELD. Well, exactly. It's a terrible interview if we're just talking from a purely journalistic point of view. It's really, really badly written, and that's quite insulting to me too.


GRAHAM CLULEY. That's the real offense.


CAROLE THERIAULT. No, but Graham, you would hate this. You would hate this if this were you.


GRAHAM CLULEY. I would.


CAROLE THERIAULT. You would.


GRAHAM CLULEY. You're right. I would be very annoyed.


JANE WAKEFIELD. And I think now as well, seeing as I'm freelance, it sort of feels even more potentially damaging to reputation if people are going, oh, now she's writing about dodgy crypto scams.


CAROLE THERIAULT. Yeah. Oh, I'm so sorry, Jane.


JANE WAKEFIELD. Oh, it's a tricky one.


CAROLE THERIAULT. So Graham, what can people do?


GRAHAM CLULEY. Well, I can think of things Twitter could do, but I don't think Twitter has any desire to do them.


JANE WAKEFIELD. Oh, I mean, Twitter these days, X, as we've got to call it now and keep forgetting.


GRAHAM CLULEY. No, we don't. No, we don't.


JANE WAKEFIELD. Okay.


GRAHAM CLULEY. We don't have to call it that.


JANE WAKEFIELD. Yeah, it's just a mess, isn't it? I was never a huge fan of Twitter. I'm even less of a fan these days, I have to say.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. So for this story, we started about a month ago when Facebook published a blog post about changes to its service for about 400 million and change users in Europe. And the post started with this paragraph. It said, to comply with evolving European regulations, we are introducing a new subscription option in the EU, EEA, and Switzerland.

So to rephrase, right, we don't really want to do this, but you know, the bloody EU with its ever-changing rules have forced our hand.


GRAHAM CLULEY. Yeah, Europe, it's been the bane of our lives, hasn't it?


CAROLE THERIAULT. If only people would just not pay attention to what we do, everything would be fine. They continue in the blog post: so in November we will be offering people who use Facebook or Instagram and reside in these regions, the EU, EEA, and Switzerland, the choice to continue using these personalized services for free with ads, or subscribe to stop seeing ads.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. The cost, depending on whether you purchase it for your computer, for the web, would be €10 a month, or for iOS or Android it would be €13 a month. So that's basically €155 per year for mobile users. And in the EU, I did a little recon, that's equivalent to roughly 27 Big Macs using the Big Mac Index.


GRAHAM CLULEY. Oh, well done. Yes. With cheese or not?


CAROLE THERIAULT. I like the Big Mac Index. No, no, no. It's a plain Big Mac. It's a wonderful thing.

So in short, this is kind of like, look, I know this looks a little bit expensive, but pinky swear, it's a deal. Facebook are saying, "We're doing this. We're forced to do this. And this is a good choice. If you want to give us your information, you can carry on for free. If you want to pay, you won't see any ads." So thoughts on this? What are your immediate reactions?


GRAHAM CLULEY. Well, I mean, in some ways, I think it's quite good because it raises awareness amongst people as to just how valuable their data is to the likes of Facebook, TikTok, if they think they can make that sort of money out of you over the course of a year with their advertisers. And as a consequence, they want you to pay if you're not going to let them share it and do things with it.


JANE WAKEFIELD. It's a strange one, isn't it, data? I think we get very complacent about what we share these days. It's just so much easier, isn't it, to just click on things and share everything.

But that idea that we've sort of lived with for a long time, which is that your data is very valuable to you, you know, the data is the new oil, that still exists. And I don't think anybody has sort of come up with a convincing way of making money out of it that sort of really empowers users.

And I've interviewed lots of people over the years when I was a journalist who had kind of ideas in that sphere, but nothing seems to have quite taken off. I look at my children who kind of know where each other are on Snapchat and share very personal data about their location and completely happy for me to track them, you know, on my iPhone, which is quite handy for me because it means I know where they are and I don't have to worry.

It feels like a real cultural shift in how we care about information, which I think is really interesting. Paying for no ads is definitely something that would appeal to a lot of people, I guess, wouldn't it?


GRAHAM CLULEY. I mean, if I could pay money to a social media company and stop seeing all these bloody interviews by Jane Wakefield of cryptocurrency people—


JANE WAKEFIELD. All these scam adverts—


GRAHAM CLULEY. Yeah, it would be wonderful. They're filling up my timeline.


CAROLE THERIAULT. But it's kind of like privacy if you can afford it, right? So the average wage is just over €2,000 a month, right?

And some people are arguing that this is a big chunk of change. So if we fast forward to today, the day of recording, Tuesday, 28th, many articles were reporting that an Austrian privacy group, NOYB, is filing a complaint against Meta for this new "Pay or Okay."

That's their strapline, not mine.


JANE WAKEFIELD. That's Max Schrems, isn't it? And he's basically the bête noire of Facebook and Meta, has been suing them over their data for years and years and years.


GRAHAM CLULEY. He's been a thorn in their side, hasn't he?


CAROLE THERIAULT. Yes, well, he got a lot of headlines this morning because he has issued a complaint. NOYB contends that the cost of the subscription is out of proportion to the value that Meta derives from tracking users in the region.

So they cited that the average revenue per user in Europe during the last 12 months was $16.79, which is much less than what they're suggesting, right? So he says that figure would equate to €63 a year rather than the €120 to €160 that they're suggesting.

And they're doing this on behalf of an individual that is experiencing financial distress, receives unemployment assistance, and indicates he cannot afford to splash out so much money to protect his privacy. Thoughts?


GRAHAM CLULEY. Well, okay, I can sympathize with that, but you have to ask yourself, is access to Facebook a human right? Is this something that we have to have access to?

It's like, can I afford Disney+ and Netflix and Apple+ and whatever other ones there are, Amazon Prime and all these other things? You know, there are lots of subscriptions out there which people spend a lot of money on every month. And surely this is just another thing to add to the equation of whether you want to do that or not.

And it's not as though they aren't giving you a service which is — and I'm going to put this in quotes — "free." So you have a method of paying if you want to, if you really have to have access to it and you cannot afford it, then there is a way still to access Facebook and Instagram under these rules.


CAROLE THERIAULT. But do you not think that they kind of gave the illusion they were giving something away for nothing, pretending it was free for decades? And then when people cottoned on to the fact that they were, you know, Facebook and Meta and all the fat cats, they were getting disgustingly rich and powerful by selling their users' private info.

And then when they start crying when they're told they can't do it anymore, so they say they're going to charge money for it.


GRAHAM CLULEY. So what's your preference? Are you saying that they should stop offering the quote "free" version?


CAROLE THERIAULT. No, I think they should say, you know what, you guys are absolutely right. We have made gazillions off you for absolutely nothing.

And you know what, we're going to use the freemium model where we're not going to take your information at all. You can use it for free and a few people will get extra features, Twizzlers and whatever, and they can pay for that.


GRAHAM CLULEY. Okay, Turkey Twizzlers all round.


CAROLE THERIAULT. Yeah, exactly. Anyone who has got a fat wallet can go and pay for it, but the average user, because maybe it is a human right now, maybe it is, you can argue that. It's a digisphere, don't you think?


GRAHAM CLULEY. I don't know. I'd just rather people didn't have a Facebook account, I think. That's my preference.


JANE WAKEFIELD. Yeah, I mean, I think you vote with your feet, don't you, on these things? I'm definitely using Facebook far, far less.

I haven't quite brought myself to delete it because my natural curiosity about everybody else's lives keeps me flicking through it. But in terms of my own life, I'm not really interested in posting anything on Facebook anymore.


GRAHAM CLULEY. You're too busy on TikTok and Snapchat.


JANE WAKEFIELD. No, I'm far too old for those, Graham, as you know. I leave that to my children.


CAROLE THERIAULT. Now listen, there's one weird thing. So Meta made this statement and it just hit me weirdly.

It's something like, while you're paying for the subscription, your info will not be used for ad purposes. Which got me thinking that they're probably still collecting it whilst you're paying for the subscription, but maybe not collating it and sharing it.

And as soon as you miss a month or decide, you know, eating is more important, they just dump it all into the ad profiling pot. Obviously, this is just complete conjecture on my part, but—


GRAHAM CLULEY. You're so cynical. You're so cynical. How can you imagine that the gorgeous, glorious Mark Zuckerberg would dream up such a devilish scheme?


CAROLE THERIAULT. But then, you know, if that's the case, it's moot to pay, right? And the whole ruling's a bit of a joke.

But at its heart, I think it's meant to be really good. I applaud the EU for trying to be at the forefront of demanding online privacy.

Really, it's a hurrah moment. But I think maybe there was a little bit of a slalom dance, maybe. Anyway, I don't know, to pay or not to pay, I don't have the answer. Good luck, everyone.


GRAHAM CLULEY. Now you've probably noticed the uptick in identity-based attacks recently hitting the headlines. If you're working like crazy to get everything behind SSO and make sure everyone's using strong passwords and MFA, then Push Security is for you.

Push Security helps you to monitor and secure your entire identity attack surface, including non-SSO identities. Get notified in real time to vulnerabilities across all your internet-facing identities.

What's more, Push Security then guides your employees to fix simple issues so your team can carry on fixing everything else. Want to check it out?

Well, head over to pushsecurity.com/smashing. That's pushsecurity.com/smashing, and thanks to them for supporting the show.


CAROLE THERIAULT. Thank you to Smashing Security sponsors Vanta, where you can shortcut compliance without shortchanging security. Expand the scope of your security program with Vanta's market-leading compliance automation.

Vanta's 5,000+ global customers report saving over 300 hours in manual work and up to 85% of cost for SOC 2, ISO 27001, HIPAA, GDPR, custom frameworks, and more. And with Vanta's 200+ integrations, you can easily monitor and secure the tools your business relies on.

From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and improve security in real time. As a special bonus, Smashing Security listeners get a whopping 20% off Vanta.

Just go to vanta.com/smashing. That's vanta.com/smashing.

If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common.

It's employees. Hackers absolutely love exploiting vulnerable employee devices and credentials.

But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard.

Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world.

You can just start using Kolide. Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps.

Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.


GRAHAM CLULEY. And welcome back. Can you join us at our favorite part of the show?

The part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


JANE WAKEFIELD. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like.

It doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my Pick of the Week this week is not security related. It's about a year ago that ChatGPT sort of really hit the headlines. Everyone gave it a go and thought, oh my giddy aunt, this is extraordinary. Obviously terrifying as well, but what an incredible thing this appears to be. But it's not been, you know, that wasn't the final step of evolution because I can announce to you that there is now the world's first Scottish artificial intelligence chatbot.

It's called GlasgowGPT. And in its write-up, it says, unlike almost all other AI chatbots, GlasgowGPT has strong opinions about the world and isn't afraid to share them. And it will tell you exactly what it thinks. So I've been playing. All you have to do is go to glasgowgpt.com.

Oh, it's so much fun. I did, for instance, ask it, well, what is Smashing Security? And it's written in the Scottish dialect. So I will try, I'll do my best to do Scottish.

So it goes, oh, here we fucking go. What a fucking daft question. Smashing Security. Let me tell you, it's not the best trendy club in the city, if that's what you're thinking. No, it's a podcast, you daft ballbag.

It's when the techie podcasts go on about computer security and that, they talk about cybercrime and all that scary shite. Makes you want to barricade yourself in your house. Anyway, guys, on it.


JANE WAKEFIELD. That was quite an interesting Glaswegian accent, I have to say.


CAROLE THERIAULT. Didn't you think? He's quite proud of it.


GRAHAM CLULEY. Oh, oh, hang on, hang on. Well, no, we've got a professional here. We've got a freelancer. Could you freelance a Glaswegian accent for us? I mean, if—


CAROLE THERIAULT. How much are you paying, Graham?


GRAHAM CLULEY. How's that for a response, you cheeky wee shite? Got any other pointless questions? It says. Anyway, it's a real hoot. It's a bonnie hoots McGonagall, in fact, is GlasgowGPT, and that is why it is my Pick of the Week.


CAROLE THERIAULT. Have fun, listeners.


GRAHAM CLULEY. Jane, what's your Pick of the Week?


JANE WAKEFIELD. Well, I don't quite know how to follow that really, but my Pick of the Week doesn't require me putting on a Glaswegian accent, which I'm very pleased about. It's a story that was reported in The Register and some other places about a conference, a tech conference that has collapsed.

It was due to happen online in December. It's not taking place at all now because it's emerged that the organisers had put some fake presenters in the lineup. And of course, these fake presenters were women because they didn't feel that it was diverse enough.

Unsurprisingly, they've kind of been caught out doing this. So the conference has now sort of been canceled, although they're saying it's for other reasons that it's been canceled. So yeah, it's a really interesting one, isn't it?

I know that you and I go to a lot of these tech conferences.


GRAHAM CLULEY. Yes.


JANE WAKEFIELD. There is, I think, now a real attempt to make the lineups of such things very, very diverse and equal. So they've got the same number of men as women speaking, and, you know, not having a panel without a woman on. But to put fake people in a lineup makes me question, you know, what were they going to do when it actually came to their turn to speak?

Were they going to try and get away with it as a speaker as well? I guess AI has reached the stage now where it's so convincing that perhaps we might have fallen for it, but I don't know. It's just a very weird story.


GRAHAM CLULEY. And this conference, it's called DevTernity, wasn't it?


JANE WAKEFIELD. Yes. I'd not heard of it. Have you heard of it?


GRAHAM CLULEY. No, I haven't heard of it before, but when they listed their speakers, they also said what companies they claimed they worked for. And this chap who's sort of unearthed all this subterfuge contacted these companies and they said, "Doesn't work here. Nothing to do with us." They have no footprint on, you know, whether they've used AI pictures or—


CAROLE THERIAULT. This is awful.


JANE WAKEFIELD. It's a really, really bizarre story, I think. And the serious point is that there is a problem with diversity at these tech conferences. I quite like the quote from a guy who was due to speak at it, somebody from Microsoft who was due to speak at it and was obviously withdrawn, and now it's not happening anyway.

And he said, you know, look, I can give you a list of hundreds of people that could speak at this conference encompassing, you know, all kinds of genders and races. And, you know, I think that probably was the best answer to the problem. But yeah, don't make people up, it's a really bad idea.

I've heard anecdotally as well of companies who've got kind of lists of people on their websites, putting a few fake, deepfake people on there to sort of make it look a bit more diverse. It just seems such a crazy idea, you know. What are people thinking when they do that? Because it only takes a kind of journalist or somebody else to start digging into it to reveal it, and then it's all very embarrassing.


GRAHAM CLULEY. There's an associated issue with this diversity issue at tech conferences as well. I saw a LinkedIn post, I think it's by Eliza Austin the other day, where she said she keeps on being invited to conferences and she's got all these conferences booked up for next year, but all they want her to talk about is diversity or being a female CEO.

And she's saying, you know, that's not actually what this is, you know, that isn't why you should be asking me to speak. You should be asking me to speak. It's not like you get guys who are asked, oh, come and speak about being a man in the tech industry. Maybe you could just ask me about something technical instead, which I can give a talk about.


JANE WAKEFIELD. Missing the point, right? I actually quite want to go to a deepfake conference. I think that would be fascinating, getting a load of deepfake AI-generated speakers, maybe using ChatGPT, maybe even using Glaswegian ChatGPT to come up with the plan of what they say and just letting AI take over. I think that would be fascinating.


GRAHAM CLULEY. Maybe have all AI bots in the audience as well, completely remove all human interaction. Wouldn't that be fantastic?


JANE WAKEFIELD. No human was used in the making of this.


GRAHAM CLULEY. Keeps them busy from taking over the world.


JANE WAKEFIELD. That would have probably been what they should have done for the AI Summit. That would have been a better use of their time than taking lots of pictures of politicians nodding wisely about a topic they don't understand at all.


GRAHAM CLULEY. Carole, what's your pick of the week?


CAROLE THERIAULT. Mine is a brand new TV series currently airing on BBC iPlayer. So my pick of the week is called Boat Story. Have any of you hoovered it up over the last week?


GRAHAM CLULEY. No, no, no.


JANE WAKEFIELD. Oh, is this the thing about people who decided to become cocaine salespeople because they found— Yay! I haven't seen it.


CAROLE THERIAULT. I've read about it. Oh, it's fab. It's fab. It's fab. So, it's written by the brothers Jack and Harry Williams, okay? And you have Daisy Haggard. She's from Episodes. She stars alongside Paterson Joseph in the show, Boat Story. It's a 6-part series.


GRAHAM CLULEY. 3s.


CAROLE THERIAULT. Fresh, quirky, human, clever, dark.


JANE WAKEFIELD. Dog.


CAROLE THERIAULT. So, in this story, they're on the northern coastline, and they're going for a walk with the dog in the morning, and the coastline is riddled with bricks of cocaine. Now, cocaine, that would be a difficult one for me because how do you go change that into cash if you desperately need cash? But maybe for some characters, the world is throwing you a bone there. So, what do you do now?

So the story carries on from that. They get involved, it gets crazy. It's wonderful though. It's so fresh. I've not seen anything like it before. It explores things like class differences and moral obligations and infatuation with a middle-aged pasty maker.


GRAHAM CLULEY. We've all been there.


CAROLE THERIAULT. Who runs a shop called Patsy's.


GRAHAM CLULEY. So P-A-T-S-Y. I think a Cornish pasty-making woman would be my ideal. That would be my dream.


CAROLE THERIAULT. Well, you can Netflix and chill with Boat Story then, Graham. Or whatever, iPlayer and chill. And the shots are great. Some people have talked about it being reminiscent of Wes Anderson. So there's a lot of love and attention to the shots.

Gaggle of really wonderful characters. One of them has no fingers at all. Just a stump, and fascinating, you know. Yeah, anyway, crazy. And boats, boats feature at the beginning, at the end, so they top and tail the story so beautifully. So that is my pick of the week, Boat Story. Find it on BBC iPlayer. It's probably available other places, probably.


GRAHAM CLULEY. Don't know. Carole, you've been chatting to the founder of Push Security this week.


CAROLE THERIAULT. Yes, Adam Bateman, and we talked about shadow identities, why organizations need to get them under control, listen up. We are speaking with Adam Bateman, co-founder and CEO of Push Security. Now, Push Security has a straightforward business goal. It's to help you monitor and secure your identity attack surface.

So today we're going to explore why this might be key to improving your security posture. Adam Bateman, welcome to Smashing Security.


ADAM BATEMAN. Thanks, Carole. Great to be here.


CAROLE THERIAULT. So Adam, I've heard this phrase identity attack surface. Can you flesh that out for me?


ADAM BATEMAN. Sure. So when someone mentions identity attack surface, really they're talking about user accounts that exist in the cloud. So they could be on your SSO provider, so in your IDP, or they could be directly in different SaaS or cloud applications that employees are signing up to on their own outside of your SSO.

But all those user accounts together are the attack surface, a kind of a front door into that cloud infrastructure. I really see it as a new era or chapter that we're entering in the industry.

And the reason I see it that way is when I got into the industry initially as a pen tester in the 2000s, the whole job was to do with perimeter-based testing. So you would scan someone's public IP address range, look for open ports, and then find vulnerable services and exploit those to gain access to the company.

As an industry, we've done a pretty good job, I'd say, of preventing those sorts of attacks and making it much more difficult. It's still possible, but it's a lot harder.

So as the friction came up, what we started to do, and we saw adversaries do, is shift their focus to targeting endpoints. So spear phishing attacks against employees directly.

And you might remember at the time there was a really prevalent phrase that marked that chapter change. It was, the perimeter is dead.

It drew a line in the sand, really, saying that not that the first chapter was over, but we're certainly entering a new one. And at that time, it was literally like shooting fish in a barrel, but it has got a lot harder.

The friction has got a lot more. Even though it's possible to compromise via an endpoint, you at least think about it now.

You have to actually prepare and, you know, actually intentionally go to bypass an EDR. And you're starting to see much more novel ways of attackers exfiltrating data from networks and those sorts of things.

And so now this third era, you hear people say, you know, identities are the new perimeter. I've heard identities are the new endpoint, 2-factor authentication point, all these kinds of things, whatever you call it, it's really marking a shift in the fact that the friction has increased on identity-based attacks.

And so now people are starting to target this kind of identity perimeter. Really what we're talking about is organizations are shifting their infrastructure into the cloud, and so attackers are too.

And the new attack surface is user accounts spread across the cloud.


CAROLE THERIAULT. So we've seen this shift in the industry where everyone's moved everything to the cloud. Do you feel that it's a nascent technology?

In some sense, it doesn't feel like it is, but it is really nascent to us all. Do you feel that we're not doing a good enough job of protecting it, or do you feel it's just too messy, or what's your thoughts on that?


ADAM BATEMAN. I think the difficulty is that, in the same way that it was like shooting fish in a barrel when we first moved to the endpoint era, it's that again now. And it's that because people don't understand the attacks quite as well against this side, and attackers now can— they don't need to touch your network at all.

So a lot of the detection capability is on-prem, on our physical networks. But obviously these sorts of attacks go directly from wherever the attacker is located directly into a third party, and the detection capability there is much, much more limited.

So people often say that, you know, okay, identities or internet-facing identities have been an attack surface for a long time. But the difference really is I would say a couple of things.

Firstly, that an identity being compromised on your infrastructure you had control of, so you could actually do some kind of detection. You could enforce password policies.

It might be domain joined. But when we've actually outsourced that to the cloud, you're now really beholden to the third party about what logs they can give you and what visibility you can get there.

The other thing is that what we've noticed happen, particularly over the last decade, is the SaaS applications that can be accessed are far more powerful. So a lot of the attacks that you're seeing happen now are where people will compromise and log into the SSO provider and then access all the downstream applications.

If you think about the things that are in there, you've got things like Slack and things like Teams where you can phish people directly where people aren't expecting it. You've also seen attackers doing things like actually leveraging people's EDR solutions and MDM solutions to deploy ransomware and execute code on endpoints.

So when I think about an identity attack surface, I think about it in two groups. There's SSO identities, ones that are sitting in your identity provider, and there's ones that are sitting outside of the identity provider.

And regardless of how— if you think of that as the whole attack surface, all of them, what they have in common is you're not exploiting, generally speaking, a bug that can be patched. It's really all the attacks are something that result in the attacker logging into the system.

But breaches like MGM Resorts, they would target, you know, the actual SSO provider themselves. Really what you're seeing there is the attacks are password-based attacks of either trying to guess a password or trying to use stolen credentials or using phishing to actually take control of that account.

Once you're actually in Okta, you're using that then to access all the downstream applications that are connected at that point. And so some of the attacks against the SSO itself, you see some attacks which are quite basic, straightforward phishing attacks, but then you see much more kind of novel techniques.

So for example, everyone knows by now, hopefully, that you've, with your SSO, it's important to enable multifactor authentication. And once you do that, if you then phish an employee and you get their credentials, you need also access to that second factor.

But one of the more novel attacks that we started to see happen, what attackers were doing is they do something you call a browser-in-browser attack. And so what happens there is it allows you to effectively intercept the MFA token as well.

So the way they do that is as an attacker, what I would do is I would set up my own server on the internet somewhere that I control. I then open up a web browser on that server and browse to the target's SSO provider, whether it's JumpCloud, Okta, Google Workspace, whatever it might be.

And put it in kiosk mode so it's full screen. Once that's available and it's full screen, I can from my local laptop remote desktop into that.

So I have a window into that remote desktop and I can see that open browser.


ADAM BATEMAN. But rather than running that remote desktop software on my desktop computer, you can actually run a JavaScript version called noVNC, for example, which runs inside a browser window. And so what you can then do is I can set that up and then send that as a phishing link to an employee inside the organization.

Now, when they open up my web page, what they see is their SSO login page that they're familiar with. But what's actually happening is when they enter their credentials into it, because it's actually happening on my server, but they don't realize it, I can do whatever I like. So I can steal the session token.

You can actually intercept the MFA and the password or whatever you like to do. So you're starting to see this cat and mouse game where these techniques build up over time. And I think it's just knowing about those sorts of attacks can happen and what they look like in this era.


CAROLE THERIAULT. In that scenario you've just described, there is no way you would expect your average employee or computer user to spot that, right? There's just no way.


ADAM BATEMAN. No, exactly that. And I think this is why it's very, very difficult. I mean, phishing has been a huge problem in the industry for a long, long time.

And you can solve it with awareness and it helps. But I think really it's more controls that need to go on, on the technical side. So this is why people are driving for more hardware-based authentication or phishing-resistant MFA methods that can't be stolen that way.

So things like YubiKeys and those sorts of things.


CAROLE THERIAULT. Should we talk a little bit about the different types of identities that are out there in terms of the identity attack surface?


ADAM BATEMAN. Yeah. So the ones we just spoke about there where you're targeting SSO directly, that's what I would say is one category of attack.

And that's what you saw with things like MGM Resorts, for example, where the attacker would go after the SSO provider and then access all the downstream critical systems and use that to steal sensitive data or do ransomware attacks or whatever it might be. But the other category that I see are, you know, what we refer to as shadow identities, which is an apt name for them because they're all the things that exist outside of SSO.

So I think it really clarifies what we mean about this being an era because it's not just the attackers shifting focus, but it's also the way that people want to work in security. We've always been very used to this centralized security enforcement model.

So for example, you have an SSO provider that gives you access to all your applications and you enforce all your strong security controls on that SSO so that you can prevent these sorts of attacks from happening. But the world is becoming increasingly self-service.

And, you know, you're getting now very powerful SaaS applications that don't have a book a demo button at the top, but they have a try it free button. And so employees are very used to just wanting to get their job done.

So they'll go directly to these online applications and they'll sign up to them and then they'll start putting company data in. You can start doing integrations back to your Google Workspace or Office 365 and everything else.

And so what you end up from these employees signing up is an identity sprawl issue and you end up with lots of other identities online which don't have the same security controls enforced on them. Now, those sorts of things are very easy for an attacker to discover.

And one such example, as we saw with 23andMe, is a credential stuffing attack where an employee signs up with a password that they used previously that has now been exposed as a result of a prior breach, and the attacker can actually automatically take that and just spray it across every available SaaS application and then just pick off any accounts that employees own and use that to pivot back into the infrastructure.


CAROLE THERIAULT. And it's scary. And it seems like these shadow identities are kind of the Achilles heel of an organization.


ADAM BATEMAN. So, I mean, if you were just at an individual level, and you were outside of an organization, I'd recommend even just using the built-in browser-based password manager. So you can use that, and having unique passwords per website is going to make a big difference. And then all the normal things that you would expect, like just enabling MFA on those various accounts.

But from an organization perspective, it's really just about having visibility of what identities are out there. Because the thing to think about when it comes to shadow identities is the apps are a lot more powerful than people think. And people will say, okay, I've got this SaaS application behind SSO, but what if there are other tenants? You know, other teams have gone off and set up other instances of those SaaS applications which have sensitive data in as well.

And so yeah, just understanding what people are signing up to and actually getting visibility of which identity is being created is really where it starts. I think most people know how, you know, it's not rocket science to secure an identity. It's all the normal stuff that we've spoken about for decades in the industry.

It's strong passwords, it's MFA, phishing-resistant MFA. The challenge is less about what to do, it's getting it there and keeping it there, right?

You can't add a SaaS application onto SSO if you don't know it exists. So you have to have that visibility. And then once you've got everything on SSO and you have these strong authentication mechanisms set up, just life happens, you know, so normal business operation, someone makes an exception to a team for the weekend, they forget to turn it back on, or somebody enforces a strong MFA method, but they add a less secure backup alternative and the attacker can just effectively downgrade to the weaker MFA method and use those instead.

Right. So I think it all starts with just monitoring and making sure that you understand what the estate is and what identities are out there, and are they in the secure state that you think they are? Most of the people that we work with get a surprise about just how many identities are out there and where security controls aren't actually enforced where they thought they were.


CAROLE THERIAULT. So how would Push Security help organizations lock this down?


ADAM BATEMAN. So we're doing two things for the industry. I mean, from a technical perspective with our products, we use a browser extension, which we deploy into every employee browser, which then allows you to monitor any identity use. So whether one's being created through a signup form, or it's being logged in to, and we can actually flag those accounts back to a central dashboard. So you can see whether or not they have the appropriate security controls enabled.

But the other thing that we're doing is, because of the fact that the understanding of these types of attacks is not as high as it needs to be, and because of the fact that the detection capability and logging capability across these applications isn't where it needs to be, we're actually also maintaining what we call the SaaS attacks matrix. And this is basically a bit of research, whether it links to our product or not, we are continually and actively researching this area to stay out in front of attackers and understand what methods are available.

And so we were doing this internally to really guide our own thinking and to guide our own product. But we've now, as of a few months ago, actually put that online in a GitHub repository and we're working out in public and making that — we made that a community resource. So we've got contributions to it and it's basically a MITRE ATT&CK framework style grid which people can just use to understand the different attacks and track them as we add some over time. So that's a freely available resource that we welcome anyone to follow and/or contribute to.


CAROLE THERIAULT. That's brilliant. So we all obviously have probably in companies, our identities are everywhere. We can go to Sophos Security to get control of that. If you want to learn more about attack techniques and the risks that organizations are facing right now, you can check it out for free at Push Security by visiting pushsecurity.com/smashing. That's pushsecurity.com/smashing. And thank you, Adam Bateman, co-founder and CEO of Push Security. Thank you so, so much for your time.


ADAM BATEMAN. Brilliant.


GRAHAM CLULEY. Oh, thank you so much. Terrific stuff. Well, that just about wraps up the show for this week. Jane, I'm sure lots of our listeners would love to follow you online and what's the best way for folks to do that?


JANE WAKEFIELD. Well, I'm mainly to be found these days, very sadly, on LinkedIn, my new favorite social network. Yeah, find me there.


GRAHAM CLULEY. All right. And you can follow us on Twitter @SmashingSecurity, no G, Twitter doesn't allow us to have a G. And we also have a Mastodon account if you want to check us out there. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.


CAROLE THERIAULT. And high fives to our episode sponsors, Push Security, Vanta, and Kolide. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 349 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye.


CAROLE THERIAULT. Bye-bye.


GRAHAM CLULEY. Bye.


JANE WAKEFIELD. Yay!


CAROLE THERIAULT. Thank you, Jane.


JANE WAKEFIELD. Okay, no worries. I will stop my recording and then I'll—


CAROLE THERIAULT. Yeah, that's perfect.


GRAHAM CLULEY. I really appreciate that. We will stitch it all together. All being well, this should be out at midnight tomorrow.

-- TRANSCRIPT ENDS --