Heaven's above! Scammers are exploiting online funerals, and LockBit - the "Walmart of Ransomware" - is dismantled in style by cyber cops.
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Plus! Don't miss our featured interview with Keiron Holyome about how BlackBerry is using predictive AI to stay one step ahead against threats.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- Law enforcement disrupt world’s biggest ransomware operation - Europol
- Feds Seize LockBit Ransomware Websites, Offer Decryption Tools, Troll Affiliates - Krebs on Security.
- International investigation disrupts the world’s most harmful cyber crime group - UK National Crime Agency.
- LockBit Victim Reporting Form - FBI.
- Fake Funeral Live Stream Scams Are All Over Facebook - 404 Media.
- Closed Captions (CC) vs Subtitles - Subly.
- Fingernails — Official Trailer - YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- BlackBerry – BlackBerry helps keep you one step ahead. Cylance AI stops more attacks, earlier and with less effort than other solutions in the market today
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. Did it involve a steamroller?
CAROLE THERIAULT. No! Oh my God!
GRAHAM CLULEY. An accident with a trouser press?
CAROLE THERIAULT. Is that how you think I should die? I should get squished?
GRAHAM CLULEY. I don't know.
CAROLE THERIAULT. Squished?
GRAHAM CLULEY. Could be a grand piano falling out of the first floor window. There's all sorts of possibilities.
CAROLE THERIAULT. I could die in my sleep, really peacefully and fine.
GRAHAM CLULEY. Can't really see you going that way.
CAROLE THERIAULT. Wow!
UNKNOWN. Smashing Security, Episode 360. Ransomware, LockBit locked out, and funeral Facebook scams with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 360. My name is Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. 360. Actually, you know what? I've got it mixed up because it's 180 that they say on the darts, isn't it? And this is 360. So it's not quite as exciting as I imagined.
CAROLE THERIAULT. I don't know. It's a whole circle. Right?
GRAHAM CLULEY. It's how many minutes there are in a something or other.
CAROLE THERIAULT. Exactly.
GRAHAM CLULEY. 6 hours.
CAROLE THERIAULT. Yeah. Before we kick off though, let's thank this week's wonderful sponsors, Kolide, BlackBerry, and Vanta. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I'm going to be talking about bad vulnerability management by the cybercriminals.
CAROLE THERIAULT. Ooh, okay. And I'm going to be doing something I'm calling Facebook, Funerals, and Fraud. Plus, today we get to hear from BlackBerry VP Keiron Holyome, who is going to talk to us about AI for good and AI for bad. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Well, chums, huge news in the world of ransomware. Very exciting, because the FBI and the NCA— that's the UK's National Crime Agency— have made an announcement on the day of recording that they have delivered a catastrophic blow against the LockBit ransomware group and its affiliates after a massive multi-year investigation, which they have called Operation Kronos.
CAROLE THERIAULT. Kronos.
GRAHAM CLULEY. Don't you love these sort of butch sort of Avengers-style names that they give their investigations? They don't call it Operation Lumpy Trousers.
CAROLE THERIAULT. Do you know what? The day they have Operation Barbie or something, I'm gonna celebrate.
GRAHAM CLULEY. They might have to get permission from Mattel for that one, maybe. Well, LockBit, as I'm sure many of our listeners know, is one of the most notorious ransomware operations out there. It's had lots of high-profile targets like Foxconn, the tech manufacturer who make your Apple iPhones and Samsung phones, IT giant Accenture, and the UK Royal Mail. Overseas deliveries of packages were being delayed a lot because they got hit by the ransomware.
CAROLE THERIAULT. When did they get hit? Last year, Royal Mail?
GRAHAM CLULEY. Yeah, last year. That's right. Last year they got hit.
CAROLE THERIAULT. I felt it. We seriously felt it. Did you not? Because we have a lot of things like The Economist delivered or Private Eye.
GRAHAM CLULEY. I think it was affecting deliveries going overseas rather than coming into the UK. I think what you may be experiencing is just the general decline of the British Royal Mail.
CAROLE THERIAULT. Yes, maybe.
GRAHAM CLULEY. Which now takes weeks to deliver a postcard.
CAROLE THERIAULT. Okay, crack on.
GRAHAM CLULEY. Well, anyway, LockBit are run like a major organisation. Some have even called them the Walmart of ransomware. It's quite a good little quote, isn't it? A good little soundbite there. The Walmart of ransomware, because they dwarfed all the other ransomware groups in terms of market share. They were the leader by quite a long way. Very organized, very professional.
CAROLE THERIAULT. If someone said, oh my God, your fashion is so Walmart, would you feel flattered?
GRAHAM CLULEY. I potentially not know. Potentially. Maybe they would think that I'm just someone who's, you know, careful with my cash. You know, because, well, what does it matter? As long as you're clothed, as long as the essential parts are covered, does it matter who's made them? I don't know.
CAROLE THERIAULT. Well, hopefully not little children in countries where, you know what I mean?
GRAHAM CLULEY. Ah, good point. Yes. Okay. Fair enough. Yes. You don't want it done by sweatshops. Now it's important to realize that a ransomware operation like LockBit isn't being run by just one guy launching the attacks from his back bedroom, surrounded by pizza boxes.
LockBit takes this familiar form now, which we're seeing more and more with ransomware gangs, of a ransomware-as-a-service operation, meaning that other criminals are paying to be affiliates. They are launching attacks, they're sharing a percentage of their criminal earnings with the original gang.
CAROLE THERIAULT. Hmm.
GRAHAM CLULEY. And so identifying, charging one LockBit suspect doesn't necessarily mean the downfall of the entire criminal operation.
CAROLE THERIAULT. I suppose it depends who it is, right? If it's the person who's making the tea, probably not. If it's the person who's in charge of all the passwords, maybe?
GRAHAM CLULEY. Well, what has happened on this occasion is the authorities have seized complete control, it appears, over LockBit's infrastructure.
CAROLE THERIAULT. Oh wow. Yeah.
GRAHAM CLULEY. So, for instance, if you are currently a LockBit affiliate, if you're one of these other hackers who works with LockBit, hacking into companies, launching ransomware attacks, and planned to share a percentage with them and using their infrastructure. When you go to your LockBit control panel right now, you don't see the normal interface for launching attacks and stealing the information.
Instead, what you have is a message from law enforcement. It says, "We have the source code. We've got details of the victims you've attacked, the amount of money you've extorted, the data stolen, the chats, much, much more, and we may be in touch with you very soon. Have a nice day," the police are adding at the end of this message. So imagine that. Imagine being a LockBit affiliate right now, and you've just had a message from the cops saying, "We're watching. We've seen what you've done. We've got all the information."
CAROLE THERIAULT. If you were arrogant, you would think, "Yeah, yeah, they're just sending this automatically. They have no idea. It's going to take them ages to process the data. They'll never get to us. We'll disappear before then." Maybe you're right.
GRAHAM CLULEY. Maybe you're thinking they're just bluffing. Maybe you're thinking, yeah, I shouldn't be so worried about that. Whereupon you go to LockBit's website on the darkweb where they normally publish their leaks.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And what you see there is that the police authorities are now dripping out information about how the gang operated and will carry on over the coming days. In fact, and this is really brilliant, if you fire up your Tor browser right now and go to the LockBitLeaks website on the darkweb, you'll see what appears at first to be their regular catalog of hacked companies.
So what they do is they have a little gallery of different companies up there, and there's a countdown on it as to when they are going to release the information about those companies. That's what they normally have.
CAROLE THERIAULT. That's so gross.
GRAHAM CLULEY. Right. So that has now been replaced.
Because when you read the words, what you actually find is now that gallery, the actual content on them, is actually a list of posts announcing what law enforcement agencies have done. And some of them have countdowns on them where they say, "We're not telling you this yet, but we're gonna be releasing this in the next two days," or something like this.
CAROLE THERIAULT. This is when, this is why marketing is important, people. You may have really, really, really interesting data, but they've obviously combined with people to come up with this idea, right? There's a lot of different brains being involved in here, don't you think?
GRAHAM CLULEY. Well, they are capturing the imagination of people online. You know, they are exploiting social media.
They're posting up little things videos. So this is the information they're going to be releasing: sensitive information on LockBit's cryptocurrency operations and their financing, their affiliate infrastructure, detailed analysis of future iterations of LockBit.
They're doing that in association with a cybersecurity vendor. Information about the exfiltration tool used to steal the data, sanctions that are going to be taken against the group, a decryption tool which has been developed by Japanese police.
They've got information about 5 people have been charged in the States, including 2 Russian nationals.
CAROLE THERIAULT. Jesus.
GRAHAM CLULEY. 2 of them— That's quite sexy.
CAROLE THERIAULT. Let me just cross and uncross my legs. Thank you, Sharon.
GRAHAM CLULEY. So 2 of them, 2 of these people are now in custody. Another 2 have just been arrested in Ukraine and Poland.
More arrests seem likely, and they're even dripping information, saying they're going to reveal the identity of the LockBit gang's administrator. He's called LockBitSup, and they're saying we're going to reveal that in a couple of days.
And they published screenshots of LockBit's source code, its backend admin panel, redacted images of negotiations that have taken place with victims. They've frozen over 200 cryptocurrency accounts.
CAROLE THERIAULT. This is fighting fire with fire. Right? And it's also slapping you back in the face with the same shit you've been torturing everyone else with.
It's really interesting.
GRAHAM CLULEY. Well, LockBit's credibility is now in the drain, isn't it?
CAROLE THERIAULT. Right.
GRAHAM CLULEY. And people are wondering, well, how did the police manage to do this?
CAROLE THERIAULT. That's what I'm wondering. That's exactly right.
GRAHAM CLULEY. Well, it appears the authorities were able to breach LockBit's infrastructure because they had a vulnerability in PHP, which they hadn't patched. So they hadn't applied this darkweb patch.
CAROLE THERIAULT. We all have a fail soft spot, even the bad guys. Wow.
GRAHAM CLULEY. It's very similar to, of course, what the gang does to break into companies to launch their ransomware in the first place.
CAROLE THERIAULT. That's embarrassing, isn't it, guys?
GRAHAM CLULEY. Very embarrassing.
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. So if you've been hit by LockBit, folks, you don't need— you definitely don't need to pay a ransom anymore. Yeah. The authorities can help you decrypt your data. They've created this tool. If you are a victim in the UK, you can email the NCA at .
CAROLE THERIAULT. Gorgeous.
GRAHAM CLULEY. If you're in the United States, I'll put links in the show notes. If you're in the United States, go to a site called lockbitvictims.ic3.gov. And anywhere else in the world, go to nomoreransomware.org where you can download a tool as well. So it's all really, really good news. You know, normally we have bad news, don't we, on the Smashing Security podcast?
CAROLE THERIAULT. Well, you often do. And I'm— Me? I'm just really thrilled that you're covering this story.
GRAHAM CLULEY. I mean, there is a slight, you know— Uh-oh.
CAROLE THERIAULT. Uh-oh. Okay.
GRAHAM CLULEY. Because of course, this isn't the end of ransomware. Someone else is going to fill this vacuum. Someone else is going to move in there, we can imagine. And some of those criminals will probably carry on pursuing ransomware operations too. So you should continue to tread carefully, but also the ransomware gangs should tread carefully as well because they never know when law enforcement might pull the rug from beneath them, just like they appear to have done with the LockBit gang as well.
CAROLE THERIAULT. Yeah. Amazing. Well done.
GRAHAM CLULEY. Super news. Some happy news from the world of tech. Carole, give us some similarly uplifting, cheery news from the world of cybersecurity, please.
CAROLE THERIAULT. I think the way I'm going to tell you this tale is to imagine that I have passed away. Oh, I want you to imagine there's a very sad day that happened, right? And I've met my maker.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. And do you want to know how I met my maker?
GRAHAM CLULEY. Was it— did it involve a steamroller?
CAROLE THERIAULT. No. Oh my God.
GRAHAM CLULEY. An accident with a trouser press?
CAROLE THERIAULT. Is that how you think I should die? I should get squished.
GRAHAM CLULEY. I don't know.
CAROLE THERIAULT. Squished.
GRAHAM CLULEY. Could be a grand piano falling out of the first floor window. There's all sorts of possibilities.
CAROLE THERIAULT. I could die in my sleep really peacefully and fine. That's what I was thinking.
GRAHAM CLULEY. I can't really see you going that way. Is that where you expect to go? Wow.
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. Oh, okay. All right then. I'll be okay.
CAROLE THERIAULT. You think a piano is going to fall on my head? Okay, thanks. That's so great. Okay, moving on. Okay.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Despite me not being on the socials, my people are, you know, people that like me, maybe even a listener or two.
GRAHAM CLULEY. Yeah. Yeah.
CAROLE THERIAULT. And they're sharing details on what happened and they're sharing lovely stories about my life. Oh, she was so funny and she was so patient with Graham.
GRAHAM CLULEY. Well, Carole, I certainly would have a few stories I'd be very, very willing to share on social media in the event of your death. In fact, there's some things—
CAROLE THERIAULT. What would you say? What would you say? What would you say?
GRAHAM CLULEY. Well, Carole, there's some things that I frankly am not prepared to share while you're still alive and able to charge me with slander. But once you're dead, then I reckon it's a free-for-all. Then there's various videos, audio clips, various things. But finally, I can unleash everything. You want to know what she was like? Let me show you.
CAROLE THERIAULT. Okay, okay. So you're online doing all this sharing stuff, sharing all the videos, all the most embarrassing things I've ever said that's happened to me. And at one point, someone, maybe you, you're going to ask, you know, when and where's the funeral, right? Because you want to pay your respects, even if despite your grief, you want to honor.
GRAHAM CLULEY. I want to make sure you're dead in case you call the lawyers. So I've said all these things just based upon a report. Thought that you've died.
CAROLE THERIAULT. I was just thinking, you know, a very important co-host has played an important role in your pod life.
GRAHAM CLULEY. Very important. Yes.
CAROLE THERIAULT. Important. Alas, the funeral, unfortunately, Graham, is on a day that you're just unavailable to—
GRAHAM CLULEY. I'm washing my hair.
CAROLE THERIAULT. Exactly. You have a meeting. Okay, let's say it's a diarrhea moment. It's a moment that everyone can understand. Maybe you go on socials and you're like, sorry, and you do the little emoji.
GRAHAM CLULEY. I'm planning to have diarrhea that day, so I can't go to Carole's. I think it might improve your funeral, to be honest. Give everyone something else to think about.
CAROLE THERIAULT. I think it would be a good reason to not attend my funeral, okay?
GRAHAM CLULEY. Okay, all right, I'm back.
CAROLE THERIAULT. But you wanna be there, you wanna be there. It's complicated for you. You've got this poo issue, you wanna pay your respects, but wait, you see in your feed, alongside a picture of me smiling from when I was about 32, right? Details of my funeral. Of an online streaming of my kick-ass funeral.
GRAHAM CLULEY. Oh, perfect. So while I'm streaming, I can watch the funeral streaming on my laptop.
CAROLE THERIAULT. You could be in your restroom, or loo, depending on where you live, right? And you could sit there with your iPad on your lap.
GRAHAM CLULEY. Yeah, maybe prop it up somewhere rather than have it that close to me.
CAROLE THERIAULT. A lot of people have white bathrooms. I might wanna put a black curtain around stuff. Just to somber it up a bit. Maybe turn the lights off.
GRAHAM CLULEY. Turn the lights off, yes.
CAROLE THERIAULT. Turn the lights off. Put the mute button on, because if you're on the loo, you know.
GRAHAM CLULEY. Well, I wasn't going to have my video camera on either. I was planning just to watch.
CAROLE THERIAULT. Why wouldn't you? To show your respects. To say, I'm here, present. I'm not sitting there doing the dishes while I'm listening to your funeral.
GRAHAM CLULEY. Okay. I suppose it's important for me to be seen to be mourning your loss, isn't it? Because that'd be good for my image.
CAROLE THERIAULT. And you are important in my life. I hate to say this. But it would matter, I think.
GRAHAM CLULEY. Okay, well, not to you any longer.
CAROLE THERIAULT. Maybe, who knows? Who knows? I could haunt you if you don't show up. I'm just saying.
GRAHAM CLULEY. Right, okay. Who knows?
CAROLE THERIAULT. You know, so you see this picture of me, you see this streaming my funeral, you're thinking this is great. And it says, please like, share, you know, with family and friends, right? And there's my mug, my face. You're thinking, I gotta do this, right? So you maybe share at this point with all our podcast listeners.
GRAHAM CLULEY. Yeah, I could share it with others. Yeah, yeah, yeah.
CAROLE THERIAULT. You might even be generous and go Sticky Pickles dudes and Art Musings dudes. You might do that at this point too, right? Get all the podcast people, a trifecta.
GRAHAM CLULEY. Do you think the streaming service can cope with that volume of people watching at the same time?
CAROLE THERIAULT. I don't know, Graham. I don't know. It won't be my problem. You might even record it for a future episode, maybe give you a bump in listens at a time where you don't need to share any spoils.
GRAHAM CLULEY. That's good.
CAROLE THERIAULT. Am I right?
GRAHAM CLULEY. That's a great idea, actually. I like that idea. Yeah. Yeah.
CAROLE THERIAULT. The day has come. You slap on a black t-shirt, black joggers just in case.
GRAHAM CLULEY. Yep.
CAROLE THERIAULT. And you click through to the livestream and you click through and it says, oh, you got to register first. Right. And then you'll get the link. You know, we don't want— we don't want no scammers. They're scammers, dudes. They're scammers. And you're thinking, yeah, you know, I know all about that stuff.
GRAHAM CLULEY. So I have to log in as a legitimate mourner, I suppose.
CAROLE THERIAULT. And you're probably just going, sheesh, Jesus Christ, why did Carole choose this? Was this in her funeral requirements or this? Is this her Yeti?
GRAHAM CLULEY. Yeah, exactly. Her partner has actually monetized her funeral. He's probably getting a kickback.
CAROLE THERIAULT. You just have to register.
GRAHAM CLULEY. Oh, okay. Okay. All right.
CAROLE THERIAULT. But you're right. I would like to monetize. So you're thinking ahead. You go through and it's like, you know, right, the livestream's about to start.
GRAHAM CLULEY. Okay. Yes.
CAROLE THERIAULT. There's the whole livestream of Carole's funeral. And there's a video player, like a streaming service. And there's a little loading, loading, loading. And then it loads. And then there's a big button that says watch live now.
GRAHAM CLULEY. Here it is, finally. Yeah. Playing some emotional Canadian music.
CAROLE THERIAULT. Maybe, maybe Bryan Adams in Summer of '69 is bombing out.
GRAHAM CLULEY. Bit of a Loverboy.
CAROLE THERIAULT. And you press the button, right? Watch live now.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And you sit tall, 'cause you're on video on the loo, as we said earlier. So camera's very carefully angled. You then have to enter your credit card information to watch my funeral. And you're thinking, of course, that's why! Carole's trying to make a buck after she's dead!
GRAHAM CLULEY. Making money out of it once again.
CAROLE THERIAULT. And you'd be wrong, Cluley, because the whole thing—
GRAHAM CLULEY. No, it's your partner making a buck. You're not going to make any money out of it. Carole, have you not worked out how death actually works? You don't get to keep your bank account.
CAROLE THERIAULT. Oh, you're right. Well, the whole thing is not true. It's a whole nasty, disgusting scam making the rounds with increased ferociousness.
GRAHAM CLULEY. You mean you're not really dead?
CAROLE THERIAULT. Well, no, actually, I am really dead. So it's targeting people who are deceased, finding their information in public forums. Yes. And this is all according to Joe Cox from 404 Media. Yeah. So these scummy douchebags are grabbing information and the mugshot of the person who's passed.
GRAHAM CLULEY. Your mugshot is pretty shocking. So I mean, that is— I think mugshot is a good word.
CAROLE THERIAULT. And then they're populating pages, right, of the grieving with offers of an online streaming option for the funeral.
GRAHAM CLULEY. Wow. For people who can't be bothered to get there.
CAROLE THERIAULT. Well, or people that live 10,000 miles away or 2,000 miles away or have 8 kids or whatever.
GRAHAM CLULEY. Fair enough. Yeah.
CAROLE THERIAULT. And you're thinking, I want to show my respects.
GRAHAM CLULEY. Yeah, that's fair.
CAROLE THERIAULT. You click on it.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And you're actually going down a nefarious path run by jerks who are trying to get your credit card information and information from you, your registration information. And what's more even confusing is in some cases, yeah, these funerals are being live streamed.
And this is how the information is being passed along through word of mouth, through groups. According to 404 Media, Facebook is awash with scams that direct visitors to fake live streams of funeral services preying on relatives and friends of the deceased.
GRAHAM CLULEY. Whoa, whoa, whoa. Are you saying Facebook is doing a bad job of policing something that's going on on its network?
CAROLE THERIAULT. Just wait, these words. Tell me what you think.
Just give me two paragraphs and then tell me what you think. Okay.
There have been pockets of media coverage of these funeral scams over the last year or so, but the scam appears to have ramped up, says 404 Media. Beyond the US outlets, Australia, the UK, and Ireland as recently as last week have all reported on the scams.
And this Irish one is particularly stomach-churning because the deceased person was 6 years old. Oh, it's just so 404 Media sent a specific Facebook account that was peddling such bogus funeral streaming services to Meta, right?
The parent company of Facebook.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. And a spokesperson responded in an email. Are you ready?
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Quote, we don't allow this content on our platform and removed the page brought to our attention.
GRAHAM CLULEY. Oh, good.
CAROLE THERIAULT. Okay. So that says to me they are being reactive in their process as opposed to proactive, don't you think? They're saying, you tell me about it, we'll take it down.
Otherwise, you know, we're busy.
GRAHAM CLULEY. That, I'm afraid, is their approach, isn't it?
CAROLE THERIAULT. It's not good enough.
GRAHAM CLULEY. No.
CAROLE THERIAULT. When 404 Media asked for comment from Meta, that request includes the specific question of whether Facebook proactively searches for accounts involved in this sort of scam. Meta did not answer the question directly and instead said it encourages people to report the content to the company and to the police.
GRAHAM CLULEY. I think they have answered the question there, haven't they?
CAROLE THERIAULT. So there's no proactive stuff.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. It sounds to me, pardon mon anglais, horseshit.
GRAHAM CLULEY. Cheval poop.
CAROLE THERIAULT. Cheval poop. Exactly.
Any of you who are in this situation where you're having— you're facing someone who's in this situation, be very careful online. Go to the main website of the funeral home is what I think I'd say at this point.
No social media.
GRAHAM CLULEY. Maybe leave explicit instructions in your will that you do not want to be livestreamed, or you don't want anyone who has a Facebook account being invited to your funeral.
CAROLE THERIAULT. What's the problem with the funeral being livestreamed? My family's all around the world, right?
My family and my good friends, and they may not be able— if I die at a ripe old age, they're all good, and they're alive, they're going to be in their 80s and 90s.
GRAHAM CLULEY. I suppose if they couldn't get a visa or something, yeah, okay. I can understand why people would pay to watch, you know. It's going to cost me so much petrol driving half an hour to go to Carole's funeral, or I could pay a fiver and stay at home and watch it in my undies.
With Cylance AI, the team at BlackBerry are helping you keep one step ahead, stopping more attacks earlier and with less effort than other solutions in the market, and that's independently tested and proven. The lightweight AI offers broad coverage, consistently low false positives, and quick threat responses, supporting endpoints seamlessly.
Now, many solutions boast about how little time it took them to respond after a threat emerged, but with BlackBerry's Cylance AI, you'll find out how long before—and it can be months or years—it has already protected its customers. Staying one step ahead is central to everything BlackBerry does.
And in fact, it's your 24/7 AI-driven security partner. So visit smashingsecurity.com/blackberry to find out more. And thanks to them for supporting the show.
CAROLE THERIAULT. This episode of Smashing Security is sponsored by Kolide. Wouldn't it be great if a device which lacked compliance or lacked security was denied access to your organization? Ransomware-infected applications, SaaS apps, and other resources?
Because this would mean that the hackers who had nabbed the unlucky employee's credentials, for example, could not gain access to your assets. It would effectively lock them out.
Welcome to Kolide, a world where access is only given to approved, secure devices. As the administrator, you can manage every operating system, even Linux, from a single dashboard.
Another bonus of Kolide: employees can often fix their own problems without involving IT support, meaning less resources are needed to effectively operate a more secure environment. Kolide is the device trust solution for companies with Okta.
Kolide ensures that if a device is not trusted or it's insecure, it is denied access to your cloud apps. Learn more at kolide.com/smashing.
That's k-o-l-i-d-e.com/smashing. And huge thank you to Kolide for sponsoring the show.
Smashing Security is also sponsored by Vanta. Managing the requirements for modern security programs is increasingly challenging and time-consuming.
Enter Vanta. Vanta gives you one place to centralize and scale your security program.
Quickly assess risk, streamline security reviews, and automate compliance for ISO 27001, SOC 2, and more. You can leverage Vanta's market-leading trust management platform to unify risk management and secure the trust of your customers.
Plus, use Vanta AI to save time when completing security questionnaires. Smashing Security listeners, you get 20% off Vanta.
All you lucky sausages have to do is visit vanta.com/smashing to claim your discount. That's V as in Victor, A-N-T-A.com/smashing.
And thanks to Vanta for sponsoring the show.
GRAHAM CLULEY. And welcome back. And you join us at our favorite part of the show, the part of the show that we call Pick of the Week.
Pick of the Week.
CAROLE THERIAULT. And Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like.
It doesn't have to be security-related necessarily. Better not be.
Well, my pick of the week this week is not a pick of the week. It's a nitpick of the week.
Do you remember last week when I spoke about subtitles? And I said that I was very annoyed about the subtitles on One Day on Netflix, because every time one of the lead characters happened to go, like that, do a little mouth click.
It would say "clicks mouth." And I'm afraid my nitpick of the week this week, Carole, is you and a few Smashing Security listeners.
Because after that episode was broadcast, some Smashing Security listeners got in touch. Matthew G., for instance.
Hi, Matthew. I've got a nitpick with him.
And I've also got a nitpick with someone who called themselves Insane in the Brain.
CAROLE THERIAULT. Yeah, I don't have any problem with them either.
GRAHAM CLULEY. They suggested I might have goofed up the settings in my Netflix app, and that's why it was saying things like, "Bright instrumental music is playing," and "Clicks mouth." What they were suggesting is that you had also audio description stuff on.
CAROLE THERIAULT. So not just the translation or the subtitles, but also the audio descriptions. Yes.
GRAHAM CLULEY. Okay. Right. Thank you very much. You have just hanged yourself. I was explaining it for everyone else.
CAROLE THERIAULT. I know you're very angry. Agree, so maybe.
GRAHAM CLULEY. Well, you have now, I'm afraid, given me all the evidence I needed. And furthermore, I saw you reply to some of these people gleefully agreeing with them.
And saying you should have picked me up at the time. But no, I spent some time investigating this issue.
I've gone back and I have checked. And on Netflix, on One Day in English, there are no subtitle options available.
Other than the ones which also tell you irrelevant information about keys jangling and lips smacking.
CAROLE THERIAULT. How many of you are right now hitting your keyboard to show that Graham is wrong?
GRAHAM CLULEY. Meanwhile, I have also learned— so I went back and I watched an episode or a little part of an episode, and sure enough, it came up and I looked at all the subtitle options and there's nothing there. Meanwhile, I have learned the difference between subtitles and closed captions and audio descriptions.
Very good. Would you like to know what the difference is, Carole?
CAROLE THERIAULT. Yes, we would. All of us would.
GRAHAM CLULEY. I'll also put a link in the show notes because you, during this very section, have demonstrated that you don't properly know what the difference is. Because you have referred to audio descriptions.
Let me tell you right now, audio descriptions are for people who can't see. So audio descriptions are not displayed as captions on the screen.
CAROLE THERIAULT. Yes, they're said out loud. You're absolutely right. Yes, they are said out loud.
GRAHAM CLULEY. So you'll have someone saying— well, they won't.
CAROLE THERIAULT. They'll say, "Someone appears." "The guy has a gun at her head." Right.
GRAHAM CLULEY. Yes, exactly. Now, so that's fairly easy to understand. But what's the difference between closed captions and subtitles, you're wondering? Not really. Because we tend to say as a generic term, subtitles. It turns out that subtitles are translations. Only if it's translated is it actually technically a subtitle.
So if you're watching a French movie, for instance, you can't speak French, it would put up the subtitles in English, right? But if you are watching something where you can't hear it properly, then you put on closed captions, which will put up in the same language.
That's super interesting, Mr. Cluley. Very interesting. Yes. It does not however explain why Netflix are calling what I was seeing subtitles.
And anyway, I'm a bit annoyed. I think there's a number of issues with Netflix. In his defense, Matthew G did point out that kids' profiles on Netflix can reset the caption settings on other profiles, although that wasn't happening in my case because I looked into it.
And also in defense of Insane in the Brain, he wasn't quite as brusque as Matthew G., who tut-tutted at me for being a dumbo. So I think, well, I think I am vindicated.
CAROLE THERIAULT. He's not wrong.
GRAHAM CLULEY. Well, I think I am vindicated. Netflix, sort it out. And that continues to be my nitpick of the two weeks. Thank you.
CAROLE THERIAULT. Cruel. Yeah. No, it's fun for me. It's so fun for me every week. It's so fun for me.
GRAHAM CLULEY. Carole, do you have a pick of the week?
CAROLE THERIAULT. I do have a pick of the week. And, you know, sometimes I have them and I'm thinking, this is not his bag, right? I think it might be some listeners' bags, but I don't think it's your bag.
But this one, I think it's in your wheelhouse. I think it's up your street. I think, you know.
GRAHAM CLULEY. All right. Well, let's see.
CAROLE THERIAULT. Okay. It's a movie called Fingernails. I would refer to it as an eccentric sci-fi romance with a teeny tiny dark underbelly and comedic bits.
So, you know, you and your partner are happy, right? You're in a happy place. That's all good. You might even use the term in love. Yes. Absolutely. Right. Perfect.
Okay, good, good, good. Now, what if there was a love institute in downtown Oxford? Right. Where you could certify scientifically through the state of analysis and biosamples, whether you were really, really, really in love and she was really, really, really in love with you.
GRAHAM CLULEY. Would you want to be tested? It sounds like an episode of Black Mirror. It sounds absolutely horrific.
CAROLE THERIAULT. I think that is a very good thing to think, right? So, in the movie Fingernails, this is by Christos Nikou, we find the glorious, and she is really glorious, Jessie Buckley. She plays Hannah, teacher, right? In a committed but unexciting relationship with this guy, Ryan, who's played by Jeremy Allen White.
Now, this relationship has been certified by the Love Institute, right? Which means it is scientifically, truly big-time real in love. Fantastic. For both of them. Yeah. Fantastic.
The test— you want to know what the test is? What is the test? Both partners have to submit to the agonizing process of having a fingernail extracted from the root for analysis.
What? Why would you do that? To know if you're in love or not. Maybe you're lying to yourself. Maybe your partner's lying to you and you don't believe them.
GRAHAM CLULEY. Well, I might not love someone if they've had their fingernail pulled off. Maybe I really love their fingernails.
CAROLE THERIAULT. Well, it depends which one. What if you love their index one but not their pinky one? You might go, hey, go for it.
GRAHAM CLULEY. Good point. Get rid of that manky one. Could you— could I offer them a toenail instead? That's what I asked.
CAROLE THERIAULT. You see, much easier. So this is all happening. There's a love triangle thingy, which I'm not going to ruin for anyone. It crops up and the drama ensues. Miss Buckley is terrific. I really thought she was fantastic.
It's one of those things that could have been extended into a whole series, and it really just has a movie's worth. It's sweet and quirky. You can find it on Apple TV+, and it's called Fingernails. And that is my pick of the week.
GRAHAM CLULEY. Carole, can I ask a question about Fingernails?
CAROLE THERIAULT. Yes, you may.
GRAHAM CLULEY. Did you watch it with the closed captions on? Notice I didn't say subtitles.
CAROLE THERIAULT. No, I did not. Could you do that before I decide to watch it? Just so I don't get annoyed?
GRAHAM CLULEY. No.
CAROLE THERIAULT. I have boundaries now. I'm not taking on any of your garbage.
GRAHAM CLULEY. Deal with it. Well, it sounds an interesting pick of the week. Now you've been chatting to the folks at BlackBerry this week, haven't you?
CAROLE THERIAULT. I have. Keiron Holyome, he's a VP at BlackBerry and he talks to us about AI from the professional defensive side and also from the attacker side. Check it out.
All right. So today we welcome Keiron Holyome to Smashing Security. Keiron is a vice president of cybersecurity at BlackBerry, looking after the UK, Ireland, and emerging markets. It's a big job. So welcome to the show, Keiron.
KEIRON HOLYOME. Thanks, Carole. Lovely to be here.
CAROLE THERIAULT. Yeah, well, I'm so glad you're here because we are talking artificial intelligence. And I personally would really like to better understand how AI is used in threats from your point of view at BlackBerry, but also in defense.
So it's amazing to have an expert in the room. So thank you so much for being here. So first, can you tell me a little bit about you so our listeners can understand, how did you end up looking after cybersecurity at BlackBerry?
KEIRON HOLYOME. I've been working in the IT industry for about 25 years, helping customers and organizations solve problems with technology. And about, I don't know, 10 years ago, 12 years ago, I decided to sort of jump into the dark side, if you like, and come across to the cybersecurity information technology sphere.
And I call it the dark side because I think, you know, 10 years ago, security was seen as a bit of a blocker and a bit of a— they always say no to stuff. And, you know, that's certainly my experience. And I didn't understand why. So I thought I'd dip my toe into cybersecurity and get an understanding of what was exactly going on and why. And I've really, really enjoyed the past 10, 12 years in this part of the world of IT, especially as it's, you know, this understanding of how critical it is for organizations now to get the right cybersecurity posture. Because if you're not doing that, your business or organization is at significant risk, right?
CAROLE THERIAULT. It's true. And you're totally right about it being a bit of a blocker 10 years ago. I worked in the market for 15 years, and I remember traveling my first time out with my fully locked-down computer from the cybersecurity firm I worked at.
And I couldn't get access to the hotel no matter what I tried. We had three experts trying, ridiculous. So I'm glad times have changed. So we are here to talk about artificial intelligence, the big hot term of the day. And when people talk about AI today, they typically mean generative AI, ChatGPT and other language models. But artificial intelligence as a technology has lots of guises, right?
KEIRON HOLYOME. Yeah, I think it's a really important point. You know, as you say, there's a lot of talk about AI right now. But not all AI is created the same.
A lot of the models we see today that call themselves AI are really not AI, and they're not mature enough or good enough for today's challenges. You kind of see this by the outcomes that they produce.
So when we talk about generative AI, that's about the interaction and providing people with the information they need. From our side, we also talk about preventative AI, and that's really, really important.
And we feel that you can't really exist in the world of cybersecurity AI if you're not being able to do the preventative and the GenAI as well. I think a lot of leading cybersecurity companies talk about AI, and we, looking outwardly into the market, see models being used, and then we see how they fail or they're not able to do what they're supposed to be doing.
In fact, just recently, I think a couple of weeks ago, there was an imaginatively named new technique for hacking called Pool Party. I love the names.
Pool Party. Do you think they just sit around, you know, coming up with these names anyway?
Pool Party. And it was basically a new way of injection techniques that enable you to go in and trigger malicious code.
Now, we would have expected a lot of organizations out there that are using AI, inverted commas, to be able to detect and stop this from executing. In fact, the report that you can find online shows that leading EDR companies in the world were unable to detect and prevent Pool Party.
And that really is, is AI really AI at that point? Because if it's generative AI, it's not going to stop executing, right?
CAROLE THERIAULT. Okay, so that's what it is. So you're surprised that people that kind of wave the AI banner weren't able to stop this.
It makes it complicated though for us outside the market, I think.
KEIRON HOLYOME. Yeah, it's really complicated. I think we lose a lot of people along the way because we start talking in IT speak and cybersecurity speak. I think if the AI at a higher level, if the AI is really to be understood by the general public in organizations, we need to do that education piece as to what AI is and how it propagates and the good and bad.
You know, AI can be used for good. I think that's a really important topic as well. But from a being used for bad and how do you fend against it perspective, then not all AI is the same.
And how you apply different models is really important. AI will have a tremendous impact, not going, is having a tremendous impact on the future, right?
And that's especially true when we talk about cybersecurity from a defensive posture perspective. BlackBerry's been using AI for over a decade now.
And in a space as broad as cybersecurity, it's really important to recognize that, as you've just said, different models, AI models can be good at solving different problems. And when it comes to threat defense, from our side, two general categories, right?
As we've talked about predictive AI, where AI models can automatically stop threats. And automatic is the important point there, right?
They make their own decisions. So automatically stop and anticipate threats and zero-day activity before they happen.
So the predictive model effectively goes in very early in the kill chain or attack sequence, makes a high-confidence decision that that is a malicious activity, and then stops it and proactively stops the attack and shields the user organization from that threat. These predictive models don't converse with people.
They're not chatbots. They're not friendly.
They're math models that we all think of. But then on the other side, we've got this generative AI, as you mentioned.
Now, these models are designed to interact with people. And their purpose really is to make sense of large amounts of information.
And to give that individual they're interacting with or that organization they're interacting with the ability to speed up the understanding of the situation, give them the knowledge base, and then enable them to make better and informed decisions. But generative AI models, GenAI models, don't proactively stop attacks on their own.
CAROLE THERIAULT. So if we talk about the threats that you see at BlackBerry, do you have a category story that you now call artificial intelligence threats? Is that how— or is there more granularity in that?
KEIRON HOLYOME. I think if you look at the world of the threat actors right now, I would suggest every single one of them is using AI in one way, shape, or form. So it's not a case— and I guess the sophistication levels vary.
So if you've got nation state, then I would say they're heavily invested in AI. If you've got your backroom hackers, then they're probably using some form of AI to either make their attacks more frequent, i.e., speed them up, or speed to market, if you get them out there quicker, or secondly, make them more effective. So I do think that every attack really has probably these days got some form of AI in it.
CAROLE THERIAULT. Yeah, it makes sense too because I mean, I know lots of developers that when they write a little bit of code, well, the first thing they do is run it through some AI chatbot, you know, as you call it, interactive one to just see if there's any mistakes in it. Right, so why wouldn't the bad guys do that too?
And I guess to your point, they're also probably using, can I say penetrative AI as opposed to preventative? So they're using AI models to try and get in to bypass traditional security?
KEIRON HOLYOME. 100%, yeah. I think certainly the most frequent attacks we're seeing are that generative pre-trained transformer. So we know that best as ChatGPT, but there are others out there like WormGPT, for example. And they're designed to do exactly what you just said, run some code through, do it as quickly as possible, get it out, test it, bring it back, do the same again, and just keep doing it until you hit the jackpot and get through and are able to ransomware someone.
So I think if you look at it on an axis of one is volume, one is efficacy, what GPT or AI gives you is the ability to do both quicker. So you can get more volume out there and have more efficacy. And that's the scary thing, the ability for organizations to be able to scale to that demand without using and deploying AI themselves is a real scary thought.
CAROLE THERIAULT. Yeah, and if you think about it, you were saying, BlackBerry's been in the AI space or working with artificial intelligence for at least a decade. How many technology firms out there have just jumped on the bandwagon, right?
So, okay, so tell me, how is BlackBerry able to harness the power of AI as a component of cybersecurity? Because without it, we're sitting ducks, I'm guessing, in this new world. So we need it.
KEIRON HOLYOME. I think we're sort of at an inflection point, really, that's going to have a profound impact on technology, security, and humanity as a whole. And as I've just talked about, I think AI can be good, and it should be seen as a whole good.
We can make some medical advances. We can make things easier and accessing services and things. That's all brilliant, right?
But fundamentally, we have to really get to grips with the security element underneath it. And I think the democratization, if you like, or the consumerization of AI, which is now easily available to everybody— previously, if you had the resources or the finances to go and buy it, you could, but now everyone can use it.
That lower barrier to entry is really going to start seeing in the market, in the world, the prevalence of AI in everything we do. And we're already seeing it.
Those AI, the various actors are using AI to get better and faster at phishing and social engineering and goodness knows what. And then we've got this other thing that hangs over us, which is polymorphic malware, which in itself scares me.
Its inherent ability, for those that don't know what it is, it has its inherent ability to mutate itself in its appearance, to continuously get around all of the security measures we put in place to deal with that. So we couple the AI as effectively a consumer, downloadable consumable, effectively polymorphic malware, and then we throw that at organizations that are still trying to do signature updates.
It really does scare me. So organizations must, must act now to make sure that they get AI in their vernacular, in their lexicon of cybersecurity defense. Otherwise, they're going to be outpaced, and unfortunately, they will suffer.
CAROLE THERIAULT. Are you able to give us a few things that people should look out for when— so imagine you're using traditional scanning methods. You realize it's not enough.
You want to up your game and get something that's going to help you that has AI involved, what things to look for? Because I'm sure there's some maybe less reputable or quality software out there, and maybe there's things they can look out for.
KEIRON HOLYOME. Clearly, I'd say come and talk to BlackBerry. That's my job. But I think outside of that is act now.
I think the few things that we need to do is act now. AI is here to stay. It is here. It is being used today to cause financial harm to organizations and individuals.
So act now. There is a lot of great stuff that the NCSC in the UK do around AI and what's coming and their judgments and all that sort of stuff.
Go and read that. And then reach out to organizations that have been doing this for a long time.
And the reason I say that deliberately is that the models that we talk about are very sophisticated, and they take time to learn and build on experiences. For years and years, we've been throwing billions of data points at our models for over 10 years.
And our models are exceptional at being able to prevent stuff. So go and talk to those organizations that have been doing this for a while.
Make sure that those organizations fit into your environment. And what I mean by that is it's very easy to go and buy from an organization that on paper is fantastic, but do they fit your culture and your organization's ability to move at the pace that you want to, for example?
So that's really important. But number one is act now.
Number two is make sure that the organization you're talking to is the right fit. And lastly, the last thing I would say is act now.
It's really, really important. I cannot stress that enough.
We are seeing daily activity whereby AI is being used. And if you're still relying on old data updates or signature-based scanning, you will get hacked.
It's not a case of when, it's just, yeah, you will get hacked. And I think the other phrase is, when will this attacking end?
Probably, right?
CAROLE THERIAULT. Yeah, this is definitely not the time to act like an ostrich and put your head in the sand. It's basically what I'm hearing here.
Act now. 100%. Act now.
Keiron Holyome, Vice President of Cybersecurity at BlackBerry. Thank you so, so much.
Listeners, you can learn more about artificial intelligence and how BlackBerry is harnessing its power and defending against its threats by visiting smashingsecurity.com/blackberry. That's smashingsecurity.com/blackberry.
Thanks so much. Awesome, thanks very much.
GRAHAM CLULEY. Very, very cool. And that just about wraps up the show for this week.
You can follow us on Twitter at SmashingSecurity, no G. Twitter now has to have a G.
We also have a Mastodon account. And don't forget to ensure you never miss another episode.
Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Overcast.
CAROLE THERIAULT. And huge thank yous to our episode sponsors. That's BlackBerry, Kolide, and Vanta.
And of course, to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 359 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio. Bye-bye, bye.
CAROLE THERIAULT. Graham, I'm really sorry. My voice is still cracky.
GRAHAM CLULEY. Oh, do you think the end is near? They give me some warning.
CAROLE THERIAULT. I'm gonna croak. My voice is croak.
And yeah, no, I'm just apologizing to any listeners that have made it this far. I'm sorry, my voice is not repaired yet.
GRAHAM CLULEY. Some people like that. Some people like it when a woman gargles with whiskey and razor blades.
It's like a sexy kind of sound, isn't it?
CAROLE THERIAULT. Some hate it though.
-- TRANSCRIPT ENDS --