Brits face empty shelves and suspended meal deals as cybercriminals hit major high street retailers, and a terminated Disney employee gets revenge with a little help from Wingdings. Plus Graham challenges Carole to a game of "Malware or metal?", and we wonder just what happens when you have sex on top of a piano?
All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Plus! Don't miss our featured interview with Jon Cho of Dashlane.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- Why is the M&S cyber attack chaos taking so long to resolve? - BBC News.
- M&S 'had no plan' for cyber attacks, insider claims, with 'staff left sleeping in the office amid paranoia and chaos' - Sky News.
- Hackers target the Co-op as police probe M&S cyber attack - BBC News.
- Harrods latest retailer to be hit by cyber attack - BBC News.
- Alleged ‘Scattered Spider’ Member Extradited to US - Krebs on Security.
- British 'ringleader' of hacking group 'behind M&S cyber attack' fled his home after 'masked thugs burst in and threatened him with blowtorches' - Daily Mail.
- Incidents impacting retailers – recommendations - NCSC.
- Ex-Disney employee gets 3 years in the clink for goofy attacks on mousey menus - The Register.
- United States of America v. Michael Scheuer - Plea Agreement - US District Court PDF.
- The Tall Guy - IMDB.
- At 99, David Attenborough shares strongest message for the ocean - Oceanographic magazine.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Dashlane - Protect against the #1 cause of data breaches - poor password habits. Save 25% off a new business plan, or 35% off a personal Premium plan!
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- Material - Email security that covers the full threat landscape – stopping new flavors of phishing and pretexting attacks in their tracks, while also protecting accounts and data from exploit or exposure.
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
UNKNOWN. These names of these ransomware gangs, sometimes it's hard to know, is it a ransomware gang or is it some sort of Eurovision death metal group? Smashing Security, Episode 416: High Street Hacks and Disney's Wingdings Woe, with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 416. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. What's coming up on the show this week, Carole?
CAROLE THERIAULT. Well, before we kick off, let's thank this week's wonderful sponsors, Dashlane, Material, and Vanta. It's their support that helps us give you this show for free.
Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I'm taking a walk down the high street looking for hackers.
CAROLE THERIAULT. And I'm heading to Disney to find out what happens if you get terminated.
GRAHAM CLULEY. And I'm speaking to the folks at Dashlane all about the impact AI is having on password security and how its new AI-powered Omnix service is helping security teams.
CAROLE THERIAULT. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, I don't know if you've noticed, Cybersecurity Awareness Month has come early this year.
CAROLE THERIAULT. Is it?
GRAHAM CLULEY. Yeah, normally it's in October, but it turns out it's right now, Carole, at least for British retailers. Because there's been a bit of a revelation that some of the country's most well-known stores have been hit by cybercriminals.
CAROLE THERIAULT. Can I admit something? I have been doing this big art show thing, and I've literally read only the headlines and all this, and I know no details. So I'm so glad you're covering this.
GRAHAM CLULEY. Well, maybe I will be able to shed some light on the latest developments here, because first up we had Marks & Spencer. Everyone loves Marks & Spencer.
It's the place where your gran goes to buy her knickers. It's where Carole—
CAROLE THERIAULT. Buy my jam-filled doughnuts from the bakery. Delicious.
GRAHAM CLULEY. Is that right?
CAROLE THERIAULT. Oh, they're the best. They're the best ones in all the supermarkets.
GRAHAM CLULEY. I will sometimes walk out with an overpriced prawn sandwich and a packet of Percy Pigs. But they got hit by a cyberattack, and it has led to empty shelves in some of their stores.
Now, Marks & Spencer, they're part of the British establishment, for goodness' sake. Hackers can't attack them.
CAROLE THERIAULT. It feels like an affront. It's like turning off The Archers on Radio 4.
GRAHAM CLULEY. M&S, as they're known, is allegedly losing more than £40 million a week due to a fall in clothing and food sales as a result of this cyberattack.
CAROLE THERIAULT. Oh, wow.
GRAHAM CLULEY. Yep, it's pretty substantial. They've suspended all of their online orders.
My local Marks & Spencer doesn't seem to believe anyone in my town who is male wants to buy a shirt. They've got plenty of clothes for women.
They have no male shirts. So if I want to buy a shirt from Marks & Spencer, I need to go to their website to order it.
So they bring it in, say, oh, this is very unusual. We've got a man who'd walk around when he isn't bare-chested.
But right now I can't do that. Because they've suspended all their online orders due to this cyberattack.
CAROLE THERIAULT. Never have I been so glad that I don't live very close to you at all.
GRAHAM CLULEY. Worst of all, Marks & Spencer has been forced to suspend several of its rather popular meal deal offers due to this attack. Now, the company says it is working day and night to address this cyberattack. It's not looking great, to be honest.
One insider says that M&S had no plan to deal with an attack of this nature. There are claims that staff resorted to using WhatsApp on their personal phones.
They're sleeping in the offices. It's generally descended into something a bit like The Hunger Games.
CAROLE THERIAULT. If you believe what Graham has read, yeah.
GRAHAM CLULEY. Well, that's what the insiders—
CAROLE THERIAULT. The insiders. Sounds like you're writing for the Daily Mail.
GRAHAM CLULEY. Well, this is what they're saying. Now, I tend to be a little bit more sympathetic, I think, to the people who work in these companies who are protecting the systems. You know, it's a pretty thankless job, to be honest.
CAROLE THERIAULT. Than whom? You're saying you're more sympathetic than whom?
GRAHAM CLULEY. Well, there's some people who are just slagging them off, saying, well, you know, you should have had better protection. But I think any company these days has the potential to be hacked.
And sure enough, then it was the turn of The Co-op, also known as The Coop. They're another supermarket. They're not quite as highbrow as Marks & Spencer.
CAROLE THERIAULT. I love the Co-op.
GRAHAM CLULEY. You will leave with a more disappointing meal deal, I would say, than Marks & Spencer, but the cheaper one.
CAROLE THERIAULT. The After Eights is my secret passion.
GRAHAM CLULEY. After Eight chocolates?
CAROLE THERIAULT. Yeah. You know, if I'm having a bad day and I need a little sweet, I will dash over to the local Co-op and get myself a box of After Eights, and I'm so glad they're available all year.
GRAHAM CLULEY. Very nice. Very nice.
Well, Co-op's internal systems were disrupted by the cyberattack that they suffered. And crucially, customer data was exposed.
CAROLE THERIAULT. Oh.
GRAHAM CLULEY. Now, initially they said there was no evidence of any customer data loss in the first days after the attack. And that appears— that was technically true when they said that. They didn't have any evidence of it.
But since then, the situation has changed because now the attackers, the ransomware gang, they've proved that data was taken and the Co-op has shifted in the nature of its transparency. It's issued a letter from its CEO.
There's a press statement confirming the data breach and providing details of what sorts of Co-op member information has been taken. It's not financial information. It's names, email addresses, phone numbers, the kind of data that can really fuel a phishing attack.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Not great. So both of these well-known British high street shops—
CAROLE THERIAULT. Trusted, trusted shops.
GRAHAM CLULEY. Trusted. They've suffered a ransomware attack. And just when you thought it couldn't get any worse, Carole, Harrods was targeted as well.
CAROLE THERIAULT. A not-so-loved British established company.
GRAHAM CLULEY. You find them in Knightsbridge, London. They're sort of— it's like a gold-leafed temple. It's where oligarchs buy their caviar and £200 candles.
CAROLE THERIAULT. Yeah, if you wanted an umbrella holder in the shape of a leopard with some diamante finish. That's where you would go.
GRAHAM CLULEY. Now, most of us, if we popped into Harrods, would probably leave with a, well, with a sense of inferiority, I think. Well, they haven't said that they fell foul of ransomware, but they do say they suffered an incident which has resulted in them—
CAROLE THERIAULT. That's posh for we're fucked.
GRAHAM CLULEY. It's resulted in them restricting all internet access across its operations. No customer data at the moment appears to have leaked. So that's something that the billionaires who go there are going to be okay.
But going back to this Marks & Spencer attack, there are reports about what actually happened, which I thought were worth sharing in case it could impact other people listening to the show as well. So the hackers apparently impersonated current employees of Marks & Spencer, and they rang up the company's internal IT help desk, asking them to reset passwords. And because of that, they were able to waltz straight into internal systems.
CAROLE THERIAULT. See, that's quite clever because I, in my old days, would regularly forget my password and have to contact IT to help me get back into some— because we had a number of different applications that we had to use in order to work for said company. Anyway, things were tough back then, kids. They were tough.
GRAHAM CLULEY. People like to be helpful, don't they? People on IT help desks think, oh, you know, you're obviously having a bad day. You know, you're going to get in trouble with the big boss. You've got to log in and do your work.
CAROLE THERIAULT. Maybe some of our IT people out there listening could tell us what percentage of their requests are about password resets, because I bet it's much higher than we even imagine.
GRAHAM CLULEY. So the bad guys deployed their ransomware, they brought operations to a grinding halt. Shelves are empty, meal deals suspended, Brits have been left wondering how on earth they're gonna survive a Wednesday night without a dine-in for two.
So what to do? Well, there is advice right now from the National Cyber Security Centre here in the UK, the NCSC. They say they have insights into the three attacks, but they're not in a position yet to say if they are linked or not, or part of a concerted campaign, but they have warned that hackers are using social engineering tactics to exploit IT help desks in order to reset passwords and multifactor authentication.
So that's what you have to be wise to. They've offered a whole bunch of advice. We will link to it in the show notes.
The advice includes giving special attention to high-level accounts which have access to all the really powerful things, and telling organizations they should review their help desk processes when it comes to password resets. And they're saying that criminal activity online right now is rampant. That is their word, Carole, rampant.
CAROLE THERIAULT. Yeah, well, maybe we should just— you see, that's hard. If I say, oh, maybe we should just stop buying stuff online, every retailer out there will loathe me, right?
GRAHAM CLULEY. Well, it's having real-world impact as well. Physically, it's not just the online sales, but, you know, some of the shelves are empty as a result.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. So which ransomware group is responsible for this? The one which has been named the most often is one called Scattered Spider. Have you heard of them before, Carole?
CAROLE THERIAULT. Yeah, no, I just, I saw the headline Scattered Spider. I saw someone had an interview with them.
GRAHAM CLULEY. Oh, really?
CAROLE THERIAULT. Oh, I saw that, but I had, yeah, but I didn't read it.
GRAHAM CLULEY. Well, they've been previously linked to a number of high-profile attacks, including the 2023 hack of some Las Vegas casinos, Caesars Palace and MGM Resorts. Some of the alleged members of the gang were arrested last year. But you notice the name is Scattered Spider. That's because they are a group which is spread about. There are potentially scores of them around the world.
CAROLE THERIAULT. And they don't necessarily know, right, who everybody is.
GRAHAM CLULEY. They may only know the handle of someone else. They won't know their true identity or where they're based in the world. Now, that illustrious and well-regarded news outlet, the Daily Mail, has named a young chap called Tyler Buchanan who they claim is the suspected boss of the Scattered Spider gang.
CAROLE THERIAULT. Their high-tech cybersecurity investigative journalism broke the story. Really?
GRAHAM CLULEY. Wow. Now, this chap, Tyler Buchanan, he allegedly fled to Mallorca. He's only about 19 or 20 or something like that. After a masked gang descended on his mum's house in Dundee, Scotland, last year with blowtorches.
CAROLE THERIAULT. Oh.
GRAHAM CLULEY. I know. Demanding they hand over passwords to his cryptocurrency accounts.
Now, he's since been arrested out in Mallorca. He's been extradited at the end of last month to the United States to answer some cybercrime incidents over there, which they're investigating.
Now, Carole, before I go, I mentioned Scattered Spider.
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. And one thing which occurred to me is these names of these ransomware gangs. Sometimes it's hard to know, is it a ransomware gang or is it some sort of Eurovision death metal group?
It's tricky, isn't it? Scattered Spider does sound like it could be some kind of heavy metal gang, couldn't it?
CAROLE THERIAULT. Do you know, I haven't given a lot of thought to him.
GRAHAM CLULEY. You haven't? Well, maybe now is the time to, Carole, because I'd like to introduce a very quick little game for you.
Called Metal or Malware. Metal or malware.
I am going to name either a heavy metal group or a ransomware gang. You are to tell me, is it metal or malware?
Are you ready to begin?
CAROLE THERIAULT. Alright, I am very ready. Let's go.
GRAHAM CLULEY. Okay, let's begin. Mayhem.
What is Mayhem? Is that a ransomware gang or a heavy metal group?
CAROLE THERIAULT. It's a heavy metal group.
GRAHAM CLULEY. Bing! Absolutely correct.
They are Norway's most notorious black metal band, infamous for— it says here— murder, arson, and inventing corpse paint. Ugh.
Okay. All right. So you got one right.
Phobos. Is that ransomware?
CAROLE THERIAULT. Phobos. Ransomware.
GRAHAM CLULEY. Absolutely correct. Named after Mars's moon for reasons I don't quite understand.
All right, let's have another one. Gojira.
Gojira.
CAROLE THERIAULT. I'm going to say ransomware.
GRAHAM CLULEY. It is a French metal band named after the Japanese god—
CAROLE THERIAULT. I love how you're taking international metal bands just because. Yeah, yeah.
GRAHAM CLULEY. All right. All right. Okay.
You're doing all right. You're doing all right.
Moonsorrow. Moonsorrow.
Ransomware or heavy metal?
CAROLE THERIAULT. Oh, I really want it to be a heavy metal band.
GRAHAM CLULEY. Bing! You are correct.
They are a Finnish folk metal band.
CAROLE THERIAULT. Fantastic. Fantastic.
That's perfect. I love that.
GRAHAM CLULEY. They specialise in 10-minute slabs of sadness, it says here. Right, Deadbolt.
What about Deadbolt?
CAROLE THERIAULT. Ransomware.
GRAHAM CLULEY. Absolutely right. They target NAS devices and hit your backups.
What about Obituary?
CAROLE THERIAULT. Band, music.
GRAHAM CLULEY. Yes, it's a Florida death metal group. What about Dark Funeral?
CAROLE THERIAULT. Music.
GRAHAM CLULEY. Absolutely right. They are from Sweden.
What about Cradle of Filth?
CAROLE THERIAULT. Music.
GRAHAM CLULEY. Yes, absolutely. You are on a roll.
And finally, let's see if you can do this. Ministry.
Is Ministry a ransomware gang?
CAROLE THERIAULT. Music.
GRAHAM CLULEY. Carole, you know your music.
CAROLE THERIAULT. Thank you very much.
GRAHAM CLULEY. Very, very good.
CAROLE THERIAULT. I'm not talking about my past.
GRAHAM CLULEY. So, what have we learnt? Social engineering still works terrifyingly well. Big brands aren't infallible to cyberattack. And you may want to stock up on your meal deals while you still can.
And Carole really knows her heavy metal. Well done, Carole.
CAROLE THERIAULT. Thank you very much.
GRAHAM CLULEY. What story have you got for us this week?
CAROLE THERIAULT. Well, we're gonna head to Disney. You wanna hear a weird fact about Disney Florida?
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. There are two specialist paint colors used in the parks.
GRAHAM CLULEY. Oh.
CAROLE THERIAULT. Which are solely used for distraction. So Go Away Green and No See Gray.
GRAHAM CLULEY. What?
CAROLE THERIAULT. Are both dull shades designed to make your eyes slide over certain objects and places so they don't distract from all the beauty.
GRAHAM CLULEY. Oh, so I guess that occasionally they have things which are in sight, but aren't necessarily attractive.
CAROLE THERIAULT. A bin. You don't necessarily wanna see a bin, right?
GRAHAM CLULEY. Well, hmm, you want to see it if you're looking for a bin.
CAROLE THERIAULT. Okay, I have another one. You actually could tell me if this is true or not. Did the Beatles officially break up at Disneyland or Disney World, whatever one it is? I don't even know.
GRAHAM CLULEY. What do you mean by officially break up?
CAROLE THERIAULT. I don't know. This is one of the weird facts about Disney that was there. And I was gonna ask Graham.
GRAHAM CLULEY. Well, no, I don't think they did, no. Ah, we see.
CAROLE THERIAULT. People are talking shit on the internet. I can't believe it. Okay. But imagine working at Disney. Imagine working there.
It wouldn't be very fun wearing the whole Disney costume. Greeting wonderful, wonderful children and families, right? But imagine the sweltering heat of Florida and the kids grabbing and tugging at you because, of course, you're literally their hero.
GRAHAM CLULEY. Yeah. I would be Goofy, probably. That's who I'm imagining I'd be.
CAROLE THERIAULT. You're not tall enough to be Goofy.
GRAHAM CLULEY. No, but it's the costume that does it, Carole. It's all the scaffolding. It would be heavy. It would be hard, hot work.
CAROLE THERIAULT. But we're here to talk about Michael Scheuer. Now, Michael works at Disney, but he works as a menu production manager.
GRAHAM CLULEY. A menu production manager.
CAROLE THERIAULT. Yeah. So I'm going to get into that, but probably air-conditioned office space somewhere. Probably not, you know, on the sweltering streets.
So Michael was responsible for the creation and publishing of menus for the entire Disney restaurant portfolio.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. So he works with a third party who provides this software app. And then he's the one who manages all this, you know? So there's managing pricing, what's on the menu, inventory, all that.
GRAHAM CLULEY. Okay. Yeah.
CAROLE THERIAULT. So Michael would obviously have an intimate knowledge of the architecture of the system, all the processing, potential vulnerabilities, all that stuff.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Because he was the menu production manager at Disney. And all things, all was well until it wasn't well.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. So somehow something turned rather sour for Michael. It appears that it was due to some misconduct on his part. And he ended up getting fired from Disney. This was in June last year.
GRAHAM CLULEY. Right. Okay.
CAROLE THERIAULT. Now, it seems the termination did not go smoothly. There were no flowers. There were no $50 gift cards.
GRAHAM CLULEY. There was no collection.
CAROLE THERIAULT. Yeah, there was no high five from the CEO. Nothing that.
GRAHAM CLULEY. I think you'll find Mickey Mouse, he hasn't got 5 digits on his hand.
CAROLE THERIAULT. Yes, you just said that.
GRAHAM CLULEY. It'd be a high 4, wouldn't it?
CAROLE THERIAULT. A high 4. The words that I saw describe the scene was "not considered to be amicable," quote unquote.
GRAHAM CLULEY. Oh, that's true.
CAROLE THERIAULT. And it was so not amicable that Michael must have been left with a sour taste in his mouth. You know, that kind of taste that makes you just—
GRAHAM CLULEY. The kind of taste you might get if you were to have a soda or something at one of his restaurant resorts inside Disney, maybe. Sticky syrup.
CAROLE THERIAULT. No, but— the taste of revenge.
GRAHAM CLULEY. Oh dear. Oh dear, dear, dear.
CAROLE THERIAULT. Okay. But how could one possibly take revenge on a giant like Disney without getting caught? I mean, what would you do? You know, you wouldn't want to step on the premises. People who work there know that your termination wasn't all rainbows and unicorns.
GRAHAM CLULEY. No, no.
CAROLE THERIAULT. So you put yourself in Mikey's position and you keep thinking up your dirty plans for fictitious revenge on Disney. And I'll crack on with the story.
GRAHAM CLULEY. Okay, I've got some thoughts.
CAROLE THERIAULT. Okay, good, good, good. So, rather coincidentally, Disney becomes the victim of multiple computer intrusions.
And not only that, but these specific intrusions have all been associated with this menu creator program he uses.
GRAHAM CLULEY. Hmm.
CAROLE THERIAULT. And it looks like someone might have manipulated the menus of restaurants owned and operated by Disney. So employees started to notice that the fonts in their menu app that they used were changing.
They couldn't recognize them because—
GRAHAM CLULEY. The font.
CAROLE THERIAULT. The font, whether you're using Arial or Helvetica or whatever the proprietary Disney font is, I'm sure they've got their own.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. But they were replaced with something that looks more like symbols. Fonts, also known as Wingdings.
Now we all know what Wingdings are, don't we?
GRAHAM CLULEY. Yes, Wingdings is the ultimate form of encryption. It is, it is.
CAROLE THERIAULT. I wonder if someone could read Wingdings. I bet there's somebody that can read it.
GRAHAM CLULEY. There's some strange people out there. I'm sure some people could read it on the fly.
CAROLE THERIAULT. A weird mistake, you might think. Why would all this be turning into Wingdings?
But the fonts you see were renamed to maintain the name of the original font. These are on screens.
You know when you go to McDonald's and you'll have a kind of screen that—
GRAHAM CLULEY. Oh, yes. Yes, yes.
CAROLE THERIAULT. Those type of screens were now showing Wingdings. So Wingdings on the menu, kind of hilarious.
Hilarious.
GRAHAM CLULEY. Ha ha ha ha ha.
CAROLE THERIAULT. But apparently this change was so substantial that it effectively doxxed this menu app. Because I guess they have a lot of menus, right?
So Disney was forced to take this app offline while they reverted to backups to regain ability to operate. And apparently this was offline for a week.
GRAHAM CLULEY. Oh, dear.
CAROLE THERIAULT. Disney also noticed something else around this time. They found that menus that were printed had alternate allergen information and price changes.
So whoever was behind this little charade even added notations to menu items indicating that they were safe for people to eat, even if they had specific allergies.
GRAHAM CLULEY. Oh.
CAROLE THERIAULT. Which I don't need to tell you is not very cool.
GRAHAM CLULEY. No, it's not very cool, is it, Carole? It's not.
It wouldn't be very cool, for instance, to feed someone something which contained peanuts if they didn't like peanuts.
CAROLE THERIAULT. No, no, no, we're not talking about like.
GRAHAM CLULEY. That could be very dangerous, Carole. That could be dangerous, couldn't it, Carole?
CAROLE THERIAULT. It's not about like. It's not about Graham. It's about allergies.
GRAHAM CLULEY. Because I think you did something that to me once, didn't you, Carole?
CAROLE THERIAULT. I want to carry on with my story, Graham. There was also a denial of service attack intended to prevent Disney employees from logging into their enterprise accounts. And this automated attack script made more than 100,000 incorrect login attempts in an effort to have accounts locked down.
GRAHAM CLULEY. So this was a way for legitimate employees to log in remotely. But what he did was he bombarded it with so many dodgy attempts to log in to lock out all these people's accounts. Everyone got locked out.
CAROLE THERIAULT. Only 14 people got locked out. But it was an attempt. It was an attempt.
GRAHAM CLULEY. Okay. Yeah.
CAROLE THERIAULT. And the last thing that I saw, which I thought was worth noting, is that there was wine regions being changed to areas associated with mass shootings and the addition of graphics including a swastika. So there's all this kind of, I don't know, gross graffiti going on.
There's doxxing, there's wingdings, there's changing menus, and Disney are scratching their heads. Oh, who, who, who could be responsible?
Okay, that's a lie. Of course they knew who it was. It was the guy who left in a really, really bad way after getting in trouble.
So 3 months after he was terminated, the FBI searched Michael's residence to look for evidence. He denied any involvement and said that Disney was attempting to frame him because they were worried about him and the conditions under which he was terminated.
But agents report finding various virtual machines used to conduct the attacks and a doxxing file containing personal information on 5 Disney employees and the mother of one of these workers. And according to The Register, this is where I got the story and you can read more about it there, Scheuer was able to attack the app in 3 ways.
One, by using the administrative account, right? Accessing it through a commercial VPN called Mullvad.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. And two, using a URL-based access mechanism that was made available to contractors.
GRAHAM CLULEY. Mm-hmm.
CAROLE THERIAULT. A third approach involved targeting SFTP servers maintained by the supplier to store the menu files, you know, ready for printing or display on the screen. And during an initial intrusion, Michael gained administrative access on the SFTP server.
So after he was locked out of the app, because Disney, when they noticed, they just locked down the app, right? They kind of said, yeah, yeah, go away, go away.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Able to use that server to alter the menus stored there.
GRAHAM CLULEY. Ah, ah, crafty.
CAROLE THERIAULT. So this ex-Disney World staffer was charged with breaking America's Computer Fraud and Abuse Act for accessing Disney's IT systems and aggravated identity theft. He's been found guilty of hacking into the company's computer system and changing all the stuff that he did.
Earlier this week, he was sentenced to 3 years in prison. Ordered to forfeit his computer and pay something just shy of $700,000 in restitution.
GRAHAM CLULEY. Ouch.
CAROLE THERIAULT. So I don't think— I think you and I can agree that Michael did not handle this revenge very well.
GRAHAM CLULEY. Not very well, no.
CAROLE THERIAULT. His attacks were a bit dirty. He left a lot of fingerprints everywhere. He had motive coming out the yin yang.
GRAHAM CLULEY. It's quite criminal, in fact.
CAROLE THERIAULT. Quite criminal. So there might be better ways to do this. Do you have any? Do you have any that you'd share?
GRAHAM CLULEY. Well, I've got a couple up my sleeve, Carole. So I'm imagining I was a former Disney employee who's a bit miffed because I've been booted out, right?
CAROLE THERIAULT. Right.
GRAHAM CLULEY. The first and most obvious, although perhaps slightly unlikely to succeed, approach would be to set up a rival theme park next door, which I'd call something like Dursleyland, and try and get people to go there instead of Disneyland. Maybe I'll make it a little bit cheaper.
I don't know what kind of rides I'd have at Dursleyland, but you know that. And also, of course, I'd have to buy the land. To be honest, it would be quite an endeavour to do that.
CAROLE THERIAULT. I really hope that at Dursleyland you could have your big face, a big papier-mâché of your face, and you have to open up your mouth and then we go inside.
GRAHAM CLULEY. That sounds terrifying, but also rather brilliant. So that's one idea I've got, but that sounds quite a lot of effort.
The other idea I have is, you know, all these Disney mascots that people dress up in, you know, which they're going around. I'm thinking, what happens to them? What happens to them after a while? And I'm thinking, wouldn't it be great if retired Disney mascots set up an OnlyFans account?
CAROLE THERIAULT. In their outfits.
GRAHAM CLULEY. I'm thinking I could buy some secondhand. And then create an OnlyFans account and show these favourite Disney characters from years past in compromising positions which could do damage to their brand. And they wouldn't be able to recognise that it was me dressed up in them.
CAROLE THERIAULT. Yeah, I think we should go to ads right now.
GRAHAM CLULEY. Because—
CAROLE THERIAULT. I think we should go to ads right now. Yep.
GRAHAM CLULEY. Yep. Yep. Stolen credentials are the number one cause of data breaches. And well, there's a better way to solve that password problem. And that's with Dashlane.
CAROLE THERIAULT. Dashlane is doing what others aren't: providing complete credentials and password management, preventing employees from adopting poor password habits, streamlining secure access, and simplifying workflows.
GRAHAM CLULEY. And with Dashlane, you get real-time phishing alerts to stop employees from taking the bait, and you're protecting your data with patented security and the very strongest encryption available.
CAROLE THERIAULT. So what are you waiting for? Give Dashlane a try today at your work or at home. There are versions of Dashlane for both personal use and business use.
And by being a listener to Smashing Security, you get savings off both. Save 25% off a new business plan or 35% off a new personal premium plan by visiting smashingsecurity.com/dashlane. That's smashingsecurity.com/dashlane.
GRAHAM CLULEY. And thanks to Dashlane for supporting the show.
CAROLE THERIAULT. Google Workspace and Microsoft 365 are critical to business. But they're also a headache for security teams.
Constant phishing alerts, endless manual remediation of misconfigurations, and a flood of user reports about suspicious emails. Teams are stuck between two bad options: letting things slip or becoming the department of no.
GRAHAM CLULEY. Instead of hoping you catch every single attack, Material.security protects your most sensitive data, even if an account is compromised. So when attackers inevitably get in, they still can't touch the stuff that matters without additional verification.
It's having a tireless security analyst who handles the routines and frees your team to focus on real threats. And for cloud workspaces, Material.security has your back. Misconfigurations, shadow IT, constant policy changes. Material not only monitors everything continuously, it fixes the simple stuff automatically.
CAROLE THERIAULT. So if you're ready to stop drowning in alerts and start getting ahead of threats, check out Material.security. That's Material.security.
GRAHAM CLULEY. Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.
CAROLE THERIAULT. Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.
GRAHAM CLULEY. You see, Vanta allows your company to centralize security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk to help your team not only get compliant, but stay compliant.
CAROLE THERIAULT. So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff. Head to vanta.com/smashing to learn more. That's Vanta. Vanta.com/smashing. And thanks to Vanta for sponsoring Smashing Security.
GRAHAM CLULEY. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
GRAHAM CLULEY. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website. Or an app, whatever they wish. It doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my pick of the week this week is not security-related. My pick of the week is a movie, a movie I watched this week, or rather rewatched this week.
CAROLE THERIAULT. Oh.
GRAHAM CLULEY. Because I last watched it about 35 years ago.
CAROLE THERIAULT. 35 years ago?
GRAHAM CLULEY. Yes, about that. And I was watching Laura Kuenssberg on the TV over the weekend. And she had a little interview with this actor, a man who I believe is quite close to your heart, Carole. And it reminded me of this movie. The man she was speaking to was none other than Jeff Goldblum.
CAROLE THERIAULT. Oh, yeah.
GRAHAM CLULEY. He is a charismatic fella.
CAROLE THERIAULT. Yeah, I had a bit of a penchant for that boy.
GRAHAM CLULEY. In 1989, Jeff Goldblum was in a movie, a romantic comedy called—
CAROLE THERIAULT. The Fly?
GRAHAM CLULEY. No. Called The Tall Guy.
CAROLE THERIAULT. Oh, The Tall Guy. Great movie.
GRAHAM CLULEY. Written by Richard Curtis, directed by Mel Smith. I think it was the first movie for both of them. And it stars Jeff Goldblum as an actor in London. Emma Thompson is his love interest. Rowan Atkinson is a self-absorbed comedian. And Jeff Goldblum's career, or the character he's playing, it's on the skids, as is his love life. He's trying to get his hay fever sorted out, and he falls in love with a nurse played by the gorgeous Emma Thompson. Sparks fly. Jeff gets a starring part in a musical about the Elephant Man. Drama unfolds. It's romantic, it's funny. Emma Thompson is gorgeous. And it has the best sex scene, I would argue, of any movie ever. Do you not remember the sex scene in The Tall Guy?
CAROLE THERIAULT. No, I don't at all. If you—
GRAHAM CLULEY. Did I mention that Emma Thompson is gorgeous? Yes, she is.
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. If you've ever wanted to see Emma Thompson and Jeff Goldblum have sex on top of a piano, this is the movie for you.
CAROLE THERIAULT. Oh yeah.
GRAHAM CLULEY. Do you remember it now?
CAROLE THERIAULT. Yes, yes, yes.
GRAHAM CLULEY. It's wonderful. And it is my pick of the week. The Tall Guy.
CAROLE THERIAULT. Good one.
GRAHAM CLULEY. Carole, what's your pick of the week?
CAROLE THERIAULT. I did have a pick of the week all selected for this week, but then at lunchtime I was looking at the papers and I, because I haven't read anything of importance this weekend.
GRAHAM CLULEY. You've been very busy with your auction.
CAROLE THERIAULT. I've been very, very busy.
GRAHAM CLULEY. Very busy.
CAROLE THERIAULT. And I thought I would make my pick of the week, David Attenborough. Oh! Sorry, Sir David Attenborough, who was 99 this past Saturday.
GRAHAM CLULEY. 99! They should give him a flake and stick it in his head or something, shouldn't they?
CAROLE THERIAULT. Come on, 99! And he's done so many amazing things.
GRAHAM CLULEY. That is something.
CAROLE THERIAULT. I looked up favorite Attenborough moments.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Do you remember him observing a lyrebird mimicking various noises? He does a chainsaw and does the sound of different motorbikes and stuff.
GRAHAM CLULEY. I remember him sitting in a gorilla's lap or something like that.
JON CHO. Yes.
GRAHAM CLULEY. Yes. You remember that one?
CAROLE THERIAULT. That's number 2, a close encounter with a mountain gorilla in Rwanda in Life on Earth.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. He watches a blue whale surface alongside his boat in Life of Mammals. He is definitely just an incredible, incredible person and we adore him in the UK. I don't think anyone has anything bad to say about him.
GRAHAM CLULEY. No, no, he's wonderful.
CAROLE THERIAULT. We would just slap him if they said it. We'd just say, shut up. So this is to David Attenborough. Happy, happy birthday, sir. And that is my pick of the week, just being an absolute brilliant person, an educator, and just environmentalist and everything.
GRAHAM CLULEY. Oh, wonderful.
CAROLE THERIAULT. Now, Graham, you have been chatting with Jon at Dashlane.
GRAHAM CLULEY. That's right. All about the impact AI is having on password security. Let's give it a listen. So, Smashing Security listeners, this week's episode of the podcast is sponsored by the experts at Dashlane. Now, as I'm sure most of our listeners know, Dashlane is a long-established security firm that provides everything you need to manage your credentials and passwords. And I am delighted to be joined today by Jon Cho, a senior vice president at Dashlane, who can tell us more about what they are seeing out there. Jon, welcome to the show.
JON CHO. Well, thank you for having me.
GRAHAM CLULEY. It's a real pleasure to have you here. You've got decades of experience in product and business development. And as I said, you're one of the experts over there at Dashlane. One of the biggest things which has, I think, changed all of technology and IT, particularly in the last few years, has been this enormous development with AI, and one of the things I'm really interested in is how AI is changing things when it comes to credential and password management. Can you give us some feelings for how AI has transformed credential security? Maybe both the positive as well as the negative.
JON CHO. Absolutely. And, you know, with everything else, AI, it has transformed the landscape of credential security overall. You know, it's really been a game changer on both sides. So on one hand, for security teams, they're able to analyze the risks faster, being able to actually automate their responses as well to really quickly address any kind of risk or needs there. And then also, with all the information that it takes in, it's able to actually identify patterns that people may miss, right? And so all of this is actually beneficial in terms of improving your credential security posture.
GRAHAM CLULEY. Right.
JON CHO. Now, on the flip side of it, though, the attackers are just using AI just as effectively. So right now, it's really super easy and cheap to actually launch personalized, targeted, large-scale phishing campaigns, right? And these are incredibly convincing today. And then the other thing is that it's enabled people to just get AI-powered phishing kits off the shelf. And so people can actually go and really quickly create these attacks for individuals. It increases the volume substantially of the number of attacks and the number of people who are conducting these attacks as well.
GRAHAM CLULEY. So that's what it feels like to me from the attacker's side of things. It's kind of democratized these attacks, hasn't it? Because you don't have to be a cybercriminal expert to launch a phishing attack. I mean, you never had to be anyway, did you? Judging by the number of poorly spelled phishing emails we used to see in the past. But now, you can use this technology to create more convincing phishing attacks and create them at a much greater scale.
JON CHO. That's absolutely true. So it's not only about the number of people who can do it, it just makes it easier for more people to do it, but it also makes it more effective. And that just increases the vulnerability for pretty much everybody in every aspect of our security. And so if anything, threats are continuously on the rise and we have to be very vigilant against those.
GRAHAM CLULEY. Okay, so one of the things that is of interest to me is you speak about how AI can make phishing more effective. How is it more effective? What are they, are they learning more about the victims or what could trick a victim?
JON CHO. That's 100% correct. So just being able to get more data points, they can actually better target individuals, so using things like deepfake, generative content, but also knowing what company, maybe even some meetings that you may be in when you're traveling, or even mimicking your CEO's voice, being able to do voice phishing attacks as well. And so all these things become more targeted, become much more real, and that really creates a more convincing attack for these individuals.
GRAHAM CLULEY. It's almost like a new breed of phishing attack, isn't it?
JON CHO. 100%. And it's dubbed in some areas of phishing 2.0 because it's just much more subtle and it can be actually very personalized, and you can have individuals understand the context, but also the tone using specific jargon. And it just makes everything much more believable to the potential user.
GRAHAM CLULEY. Because I think a lot of people think of phishing, for instance, that they think, oh, it's been around for 20, 30-odd years. How can that still be a threat? But it really is a significant problem to this day, isn't it?
JON CHO. Yes, absolutely. And it continues to be one of the top successful attack vectors for bad actors overall. So if anything, it's just continued to become more sophisticated. You eliminate issues such as bad grammar or weird formatting and tortuous images or the things that are just obvious.
GRAHAM CLULEY. And I suppose as well, it's removed the language barrier, not only the spelling, but you could launch a phishing. I mean, for instance, I don't speak Italian, but I could use AI to convincingly convert my phishing to an Italian-speaking phish if I were to target someone who was based in Italy and was used to communicating with people in Italian. Have you seen anything like that occurring?
JON CHO. Yeah, you'll see exactly that where you can use GenAI. And it just eliminates all the grammar issues, and actually can adapt to things like specific jargon, just the way that people talk on an everyday basis. So, it makes it much more effective and real.
GRAHAM CLULEY. Right. Now, we've spoken a fair bit there about how AI is being used by the bad guys. Earlier, you described that AI is also being used for security as well, and you mentioned how AI can detect patterns. Could you elaborate a little bit more around that and how that can actually help better protect organizations from attack?
JON CHO. Yeah, absolutely. So what happens is that there's a lot of different data points that are out there, not only what people are using, but things like the sites that they're going to visit or the way a particular page is formatted. And so using AI, you can actually ingest all these different data points and then quickly identify whether something is a potential bad website or a bad device that's coming from the wrong location. So really continues to enhance what already exists, but able to do it faster and take in more data points to really raise that red flag and say, hey, there might be an issue here.
GRAHAM CLULEY. And is that work happening in the cloud? Is it on servers? Is it on users' desktops and mobile devices? Where is that work happening, or is it a variety of those?
JON CHO. It really is a variety of those. And really, if you look at different services, different firms will offer different types of solutions. So for us, we were able to make this huge investment in confidential computing. So what we were able to do is really maintain and fortify our zero-knowledge architecture and extend it beyond the device into the cloud. And so what we're able to do is, with a number of our services, take a bunch of this data and then process it and identify potential issues that companies or users may have. So you're leveraging AI to do a bunch of that work today.
GRAHAM CLULEY. Okay. So it sounds like some really cool things are going on at Dashlane in terms of protecting organizations. And I've heard, and this is pretty hot off the press, that Dashlane has just introduced something called Omnix that — well, can you describe to me what this Omnix thing is, how it's different and how it's going to help organizations?
JON CHO. So Omnix is a new platform offering that we have. And really, when we look at it, if you take a step back, what we want to do is actually provide services to actually protect the entirety of the company — so every single user. And Omnix really provides a solution to that. So we start with the first module, which is password management, which is where we got our start. But what we did is we introduced this new component called credential protection. And really what it does is it enables organizations to actually provide visibility to the credential risk, not for those individuals only using the password manager, but across every single user in the organization as well.
GRAHAM CLULEY. Right.
JON CHO. And so with this, what we call credential risk detection, what we're able to do is collect information, actually identify when somebody's actually logging into a site, and actually notify, provide reports to the IT admin or the security personnel and saying, hey, you have these risks. The second bit of it, though, which is just as important, is really, all right, now that I know this information, what do I do about it?
And so we actually use this capability really to automate responses to prompt the user to actually change their password and really trying to reduce the time frame from when you actually see an issue to when a user actually is prompted to correct that issue as well. And then the last bit, and we kind of touched upon it a little indirectly is really around, all right, how do I get ahead of it?
And so as a particular user goes to a website, just to give alerts that, hey, you might be going to this site, which is not what you think it is. So really kind of a phishing alert.
And so when we talk about AI power, that is something that we're currently investing in, and we're very excited about that. So in the credential protection, being able to detect and then being able to automate responses and then actually getting ahead of it before it becomes an issue with these phishing alerts.
That's something that will empower companies to really fortify their credential security. And again, this is for every single employee, not just for those who are actively using a password manager.
GRAHAM CLULEY. It sounds fantastic, but if I put my cynical IT security manager hat on for a moment, I'm going to say, okay, okay, you've told us this is brilliant and everything. How easy is this going to be to deploy to all of my users? How is that managed?
JON CHO. So really what we're doing is actually a single deployment of the extension that we currently have in the browser itself. So it's just a basic script that every IT admin can actually go run and deploy. And we've had a number of customers already do this as well. Very quick, very simple and easy to go do.
GRAHAM CLULEY. So it just plugs into Chrome or Edge or Firefox and off you go.
JON CHO. Absolutely. And you can start seeing results pretty quickly, you know, within an hour or two as people are actively using their browsers.
GRAHAM CLULEY. Sounds pretty cool. Okey-dokey. Well, we're coming towards the end of the chat, but I'd be remiss if I didn't ask you a couple of questions, which would be really helpful for everyone. So for businesses who are still relying on traditional password-based systems, and we know there's plenty of them out there, what would be your top 3 recommendations for improving credential security right now?
JON CHO. I think just looking at credential security overall, obviously you mentioned it, just use a password manager, right? And it's just really one of those easiest wins. The other is really enabling multifactor authentication wherever possible, right?
And then always being vigilant to actually check messages or the sites that you're going into before you enter your credentials. But I think really augmenting all of this with continuous training, develop the right kind of mindset and behaviors to be always vigilant against those type of potential bad actors and bad activities as well.
GRAHAM CLULEY. And is there anything you should be saying to your employees?
JON CHO. They are paramount to remaining vigilant, and I think there's a natural tension here because every single employee is looking to be productive, to get their work done, and they're looking for the tools to do it and to really remove friction in all their day-to-day work. And so with that though, security is at the other end because a lot of times there's a lot of conditions or things that they need to do in order to do it.
And so I think there's a healthy balance and understanding of being vigilant while you're still trying to get your job done. So if something seems weird to you, if something feels weird to you, then just take the extra couple seconds or minute to just check it out to make sure that you're protected and there's nothing fishy going on there.
GRAHAM CLULEY. Well, that's great advice. Now, on Smashing Security, as listeners know, we talk about credential security so often. It absolutely appears to be the number one thing which leads to data breaches and security problems and the bad guys getting in.
So it really is important to deal with this. And we can offer something quite exclusive to Smashing Security listeners.
All they have to do is visit smashingsecurity.com/dashlane to take advantage of some fabulous offers. You can save 35% on a Dashlane Premium Personal plan or 25% on a Business Protection plan if you take it out before August 1st.
You can't say fairer than that. Very generous indeed. What an offer.
SmashingSecurity.com/Dashlane. D-A-S-H-L-A-N-E. So make sure to go and check it out now, whether you are a personal user or a business.
And Jon Cho, thank you so much for joining us on Smashing Security today. It's been terrific having you here and sharing your expertise.
JON CHO. Thank you very much, Graham. I very much appreciate the opportunity to chat with you today.
GRAHAM CLULEY. It's been good fun. Cheers, Jon.
CAROLE THERIAULT. Good stuff.
GRAHAM CLULEY. Well, that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G.
And to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
CAROLE THERIAULT. And massive shout out to our episode sponsors, Dashlane, Vanta, and Material. And of course, to our wonderful Patreon community.
It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 415 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time. Cheerio.
CAROLE THERIAULT. Bye.
-- TRANSCRIPT ENDS --