GRAHAM CLULEY
I'm going to give you the name of somebody, and you have to tell me whether they've ever portrayed a hacker, cybercriminal, general computer baddie on screen, or if they're just what we in the business call a bit rubbish at acting.
Hacker or ham?
JENNY RADCLIFFE
Okay, let's do it.
Unknown
Smashing Security, Episode 435. Lights, camera, action with Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 435. My name's Graham Cluley.
JENNY RADCLIFFE
And I'm Jenny Radcliffe.
GRAHAM CLULEY
Jenny, welcome back to the show. It's been such a long time.
JENNY RADCLIFFE
I know, it feels ages. It's lovely to be back. Thanks for asking me.
GRAHAM CLULEY
It is yonks. Now, for anybody who doesn't know you, Jenny, and shame on them if that is the case. How would you describe yourself?
JENNY RADCLIFFE
Well, I suppose my handle online for all the socials is The People Hacker.
And that comes from me being known as a social engineer specialising in psychology of social engineering scams and cons.
And the thing that everybody remembers is that I'm a burglar. So I do a lot of physical penetration testing, and that's really what I'm known for, so social engineering.
GRAHAM CLULEY
You're also a celebrated keynote speaker as well, aren't you?
People will often have seen you at conferences and running awareness courses inside companies as well, sort of raising the spectre of social engineering and really helping people get to grips with it.
JENNY RADCLIFFE
Yeah, lots of time on the road, lots of talks, podcasts, interviews, that type of thing. And a book. I wrote a book.
JENNY RADCLIFFE
Which a lot of people seem to enjoy, which is very nice. A few don't, I did have one great review where the guy hated it, hated everything about it. I was a terrible writer.
It was awful.
And I looked to see what else he'd reviewed, and he'd bought some kitchen utensils, which he'd absolutely spent really a very long time telling everyone how terrible they were.
So I didn't feel quite as bad. Let me get the plug in. The book is called People Hacker. 99p very often on a Kindle, I've noticed.
GRAHAM CLULEY
Fantastic. Well, before we kick off, let's thank this week's wonderful sponsors, Adaptive Security and Vanta. We'll be hearing more about them later on the show.
This week on Smashing Security, we're not going to be talking about Shai-Hulud, a fast-spreading open-source worm that is stealing credentials from developers and publishing their secrets on GitHub.
You'll hear no discussion of how losses are rocketing at Jaguar Land Rover as a cyberattack continues to cause disruption.
And we won't even mention how North Korean spies are using ChatGPT to create fake South Korean military IDs. So Jenny, what are you going to be talking about this week?
JENNY RADCLIFFE
I'd talk about the ICO report that warns that kids are hacking their schools for fun or dares.
GRAHAM CLULEY
And I'm going to be talking about crimes against cinema. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, I have to say, I absolutely loathe it when people use the term "bad actors" to describe hackers and cybercriminals. How do you feel about it, Jenny?
JENNY RADCLIFFE
It just— I find— well, I find it confuses people. It confuses audiences if I say bad actor, they laugh.
GRAHAM CLULEY
They think of Nicolas Cage. That's what they're thinking about.
JENNY RADCLIFFE
You see, I don't think Nicolas Cage is that bad.
JENNY RADCLIFFE
No, because I remember a movie called Wild at Heart, which was a David Lynch film, and he was great in it. Oh, okay. I don't know if he was acting so much.
GRAHAM CLULEY
As being Nicolas Cage.
JENNY RADCLIFFE
Correct. So I'll give you that.
GRAHAM CLULEY
Okay, bad actor has become this terrible bit of corporate jargon, and it makes cybercriminals sound like they're trying to remember the lines in their Am Dram production of Hamlet, or that they're about as impressive as I was when I played a tree in my school's nativity play.
And there are a lot of actors, thespians, who are out of work, and many of them, I suspect, are out of work for good reason.
And I think there could be a danger that we create a self-fulfilling prophecy if we refer to malicious hackers as bad actors.
Are we, in fact, increasing the risk that actual bad, straight-to-DVD-style actors will view their natural career progression as, well, let's become cybercriminal?
So I don't like the terminology. And that is why I propose we start the fight back. Right now, right here on the podcast.
I think it's important to stop using the phrase bad actors and be able to tell the difference between bad actors and bad actors.
So what I'm going to do with you today, Jenny, is I'm going to play a little game with you, which I call Hacker or Ham. Hacker or Ham.
JENNY RADCLIFFE
Okay, let's do it.
GRAHAM CLULEY
Let's do it. So, Hacker or Ham is the game show where cybersecurity meets questionable acting choices. Here's how it works, Jenny. I'm gonna give you the name of somebody.
GRAHAM CLULEY
And you have to tell me whether they've ever portrayed a hacker, cybercriminal, general computer baddie on screen, or if they're just what we in the business call a bit rubbish at acting.
How well do you know your movies?
JENNY RADCLIFFE
Okay, I'm okay.
GRAHAM CLULEY
You're alright.
JENNY RADCLIFFE
I'm not a big movie buff. Although, do you know, back in the day— Yeah. X was Twitter and the cyber community, all of us were on Twitter all of the time.
GRAHAM CLULEY
Yes, the good old days.
JENNY RADCLIFFE
The good old days. We'll all watch a movie together, right? And it was always a cyber movie.
JENNY RADCLIFFE
And what we do is we all have to press go at a certain time and then we'd comment online. And it was, you know, clunky and a little bit disjointed, but oh, innocent times, Graham.
And it wasn't really all that long ago, I suppose.
GRAHAM CLULEY
I'm a little bit embarrassed, because there's a number of cyber-related movies I've never seen. So, I've never seen Hackers. I've never seen Sneakers.
JENNY RADCLIFFE
Oh, great.
GRAHAM CLULEY
I've never seen Jurassic Park. I've never seen WarGames.
JENNY RADCLIFFE
Sneakers! Sneakers is the one for me.
GRAHAM CLULEY
Is Sneakers good?
JENNY RADCLIFFE
Well, it's social engineering. Right. These are gaps in your knowledge. You should download them for next time you're on a plane or something.
GRAHAM CLULEY
Alright. Let's play Hacker or Ham. Hacker. Or ham. So, Jen, I am going to read out the name of an actor.
GRAHAM CLULEY
You're gonna tell me if they are a bad actor, or if they have played a hacker on celluloid. Are you ready?
JENNY RADCLIFFE
I'm ready. Let's do it.
GRAHAM CLULEY
Number 1. Angelina Jolie. Hacker or ham?
JENNY RADCLIFFE
So, ham played Acid Burn, was the name in Hackers. Or alternatively, Angelina Jolie, Kate.
JENNY RADCLIFFE
So, she's an actor that played a hacker.
GRAHAM CLULEY
And would she say good actor? Or a ham?
JENNY RADCLIFFE
I'm sure she doesn't care what we think.
But I think Angelina Jolie is responsible for lots of people of our generation raising an eyebrow and paying more attention to hackers generally, in that movie. For sure.
GRAHAM CLULEY
I think that these celebrity actors right now, when they hear that we've been playing Hacker or Ham, they're probably playing Podcaster or Poop.
They're probably saying, is this a decent podcast or is this a pile of cack?
JENNY RADCLIFFE
I can tell you one thing about Angelina Jolie is that I was very good friends with someone who used to be a bodyguard.
JENNY RADCLIFFE
Especially when she was an ambassador for the UN.
JENNY RADCLIFFE
Apparently, bit of a nightmare to look after, but there you go. That's all I've got to say about that.
GRAHAM CLULEY
Hacker. Or ham. Alright, round 2 of Hacker or Ham. Well done, I think you did very well there. Hayden Christensen, hacker or ham?
JENNY RADCLIFFE
He played Anakin Skywalker.
JENNY RADCLIFFE
I don't know if hacking was a particular feature of Star Wars, but I knew you'd get something sci-fi in.
GRAHAM CLULEY
Yeah, I mean, he's pretty— I would say he's pretty hammy. If you saw him in Attack of the Clones, it was— Dear, oh dear, it wasn't good, was it?
JENNY RADCLIFFE
Well, you know, I'm afraid I didn't. So there you go.
GRAHAM CLULEY
Alright, number 3, Steven Seagal. Hacker or ham?
JENNY RADCLIFFE
Ham. Pure ham. Pure ham. And Seagal though, interesting fact, a lot of people think he did play a hacker.
JENNY RADCLIFFE
Do you want me to tell you why? And you're going to love this. This is so you.
GRAHAM CLULEY
Oh, go ahead, yes.
JENNY RADCLIFFE
Because in the movie Under Siege 2, which I will leave people to give an opinion on. But however, people assume he was a hacker because he used an Apple Newton in that.
I don't know whether because of the timing or early '90s or something, that was considered wow, he must be a hacker.
GRAHAM CLULEY
That would be really cool.
JENNY RADCLIFFE
He must be a hacker because he's using a personal digital assistant. So there you go.
GRAHAM CLULEY
Yeah, as far as I've been able to find out, he's never actually played a hacker. Definitely a bad actor, I would say. Okay, Nicolas Cage. Well, we've already mentioned him.
Hacker or ham? You've got quite strong opinions on Nicolas Cage.
JENNY RADCLIFFE
I don't know if he's ever played a hacker, I have to be honest.
GRAHAM CLULEY
I don't think he has played a hacker. Kevin Mitnick, hacker or ham?
JENNY RADCLIFFE
Who's Kevin Mitnick? So no, Kevin Mitnick, obviously for most people in security would know Kevin Mitnick was the hacker known for social engineering and blended attacks.
JENNY RADCLIFFE
And also the person who said a quote that I use when I do my talks, which is, "You can't download a patch for human stupidity." And I always say that made him really popular at parties, coming up with stuff like that.
Whether you agree with him or not.
GRAHAM CLULEY
And I think Kevin Mitnick has actually acted. I think he was in some TV shows. He sort of played cameos.
GRAHAM CLULEY
Was he in Alias or something like that? He had a good agent, I expect.
JENNY RADCLIFFE
He did. Walk-on parts, I think.
GRAHAM CLULEY
Yes, yes. Hugh Jackman, hacker or ham?
JENNY RADCLIFFE
An actor, but he was in a film called Swordfish.
JENNY RADCLIFFE
Where he did play a hacker who had to hack something at gunpoint, I think, if I recall.
GRAHAM CLULEY
While being distracted by Halle Berry.
JENNY RADCLIFFE
And the thing is, the thing I always think about that, or I mean, it's years since I've seen it, but how fast he types.
GRAHAM CLULEY
Well, he would.
JENNY RADCLIFFE
I learned to type very quickly. And I'm looking at him doing a count. This is just almost no one types that quick.
GRAHAM CLULEY
Well, thank you very much, Jenny, for playing Hacker or Ham. Hacker or Ham. Anyway, look, all of this is a prelude. Picture this: you are an Israeli actor.
Maybe you've done a bit of theatre. You've probably done a lot of serving food in restaurants, like most actors.
Perhaps if you're lucky, you've done some TV work as an extra in the background and suddenly you get an email that makes your heart skip a beat.
It is a casting call for a new movie by Academy Award-nominated director Ari Folman.
And the email says they are making a film about the October 7th attack and they want you for an audition. Now, if you're an actor, you're thinking, this is bloody brilliant.
This is what I've been waiting for. You think this is your big break. It's a big name director, it's good for your career, it's a serious subject.
You're not being asked to appear in a medical training video or doing motion capture for some virtual reality adult entertainment or something like that.
This is not going to be a humiliating acting job where you dress up as a beef burger or something.
This is something which, in your country of Israel, people are probably going to want to go and see, or will be taken seriously.
So, a career opportunity of a lifetime for an Israeli actor. So, naturally, you follow the instructions in the email, don't you?
You record a little personal video message explaining why you feel you'd be right for the role.
You send along some personal information which the director is asking for: your ID card, your passport photos, your home address.
Just the usual casting requirements, right, for a job like this? Already I can hear the hairs standing up on the back of your neck, Jenny.
No, I don't want to suggest you have a hairy neck, by the way.
JENNY RADCLIFFE
I have to be honest, the thing that actually caught my attention, that is virtual reality adult entertainment.
GRAHAM CLULEY
Well, someone's got to do the motion capture for it, Jenny, you know.
JENNY RADCLIFFE
I always thought that would be the main use of that, but anyway, we digress.
Yes, I mean, obviously, even the thought of even one of those things makes me, as a social engineer, chill.
GRAHAM CLULEY
It is, it is chilling, isn't it? Because what you've done in this particular case is you've handed over your entire identity, pretty much, to Iranian state-sponsored hackers.
So according to Israel's National Cyber Directorate, dozens of Israeli actors have fallen for this scam in recent days.
And worst of all, they didn't even get a callback for the movie. Instead, they actually got threatening messages, which essentially said, "Surprise!
This was brought to you by your friends in Iran." And I know what you're thinking.
You're thinking, "Graham, surely professional actors would be more sceptical." Is that what we're thinking, Graham? Well, no, what are you thinking?
JENNY RADCLIFFE
Are we really thinking professional actors would be more sceptical? Suspicious. No one's suspicious enough.
GRAHAM CLULEY
Oh, that's true. That's true. No one's suspicious enough, are they?
JENNY RADCLIFFE
Graham, you are piling in on actors here. People always say, oh God, you know, do we need to be paranoid?
Those of us in security are professionally paranoid, but could you just be slightly less gullible? Just a little bit. If we can try and be a little bit more suspicious.
GRAHAM CLULEY
Now, in this particular case, it wasn't teenage script kiddies having a bit of a poke at out-of-work actors. This was actually a sophisticated social engineering operation.
Not highly sophisticated, not the kind of thing which I suspect you talk to companies about and some of the more sophisticated techniques which are really quite clever, how the bad guys can get in or fool their way onto your premises.
Not that kind of thing. But these attackers had done their homework. They knew exactly which emotional buttons to push.
So these targeted actors in Israel, a film about October 7th, it's the kind of movie you can well imagine would be being made.
And Ari Folman, who's an established name in the industry, he's tackled difficult subjects before. And so it adds credibility.
And according to reports, the Iranian state-sponsored hacking group who have been attached to this attack, they are called APT35. They're also known as Educated Manticore.
Or Charming Kitten?
I mean, if you set up a hacking gang, and you're trying to strike fear into the hearts of your victims, do you really want your gang to be called Charming Kitten? I'm not sure.
JENNY RADCLIFFE
Whenever I hear things like this, it reminds me of you, because I always remember you talking about the way that hacks in the past had sort of better names and skulls and things.
That was something that made me laugh when you spoke about that. But actually, just one thing that you said. You know the way you say you hate bad actor as a term?
JENNY RADCLIFFE
I hate when people say how sophisticated or not something is.
JENNY RADCLIFFE
Because if it gets through, it doesn't need to be sophisticated. I mean, what do people say when it's not sophisticated? Do they mean there were computers?
'Cause that's what I, and as someone who works on the human side entirely, I say if it's got through and if they've thought about what you've just said, so they've thought about emotional buttons to push, they've done a little bit of homework.
There's a credible story. And it's also one of the things I talk about all the time. People always say, what's the latest scam? What's the latest social engineering attack vector?
And it's anything, right? Anything that works, anything that's in the news, anything that pushes the right button. That in its own way is sophisticated, right?
And I would argue more sophisticated than banging on a keyboard for 30 seconds and then being in.
GRAHAM CLULEY
Yeah, I think that's a fair point.
I mean, we've seen these attacks recently, a number of well-known named organizations where it appears some of them being hacked because people have rung up the help desks.
GRAHAM CLULEY
And it's basically they just had the gift of the gab, didn't they?
Where they were able to fool people into making poor decisions or they tricked them into believing that they were employees who'd been locked out of accounts.
And the consequences have been absolutely huge.
And these companies, they love to say, we got hit by a highly sophisticated attack because they don't want to say to their shareholders, that we were really dumb.
We fell for something which was pretty elementary.
JENNY RADCLIFFE
But then, you will see that when security writers and researchers say, they say, "It wasn't particularly sophisticated." Well, forget that.
Let's just talk about success and not success, shall we? Because the right script at the right time will get anyone.
GRAHAM CLULEY
Well, Charming Kitten, earlier this year, they were targeting Israeli technology experts, journalists, and gamers.
Cybersecurity professionals as tension rose between Israel and Iran.
For instance, the hackers were reportedly using AI to help generate more convincing phishing messages, and apparently these messages said there is an urgent need for immediate assistance on an AI-based threat detection system to counter a surge in cyberattacks targeting Israel.
The hackers apparently were targeting Israeli cyber and tech professionals saying, we want to build this AI threat detection system to prevent attacks.
And that was actually the attack in itself. That was the social engineering which was being done.
JENNY RADCLIFFE
Ah, but using AI to write the scripts, come on, come on now, more effort.
GRAHAM CLULEY
Everyone's so lazy these days.
JENNY RADCLIFFE
Yes, exactly. You know, put some work into it, why don't you?
GRAHAM CLULEY
So hackers aren't just going after the usual suspects here.
They're going after actors, they're going after journalists, they're going after academics, and they don't need a zero-day exploit or sophisticated malware.
Just good old-fashioned social engineering will often unlock the door. And I don't want to sound like I'm victim blaming people here.
These actors, as in the theatrical actors, they were targeted by professional hackers who are good at what they do.
And it's not as if Iran is the only country that is targeting people in other nations.
I mean, I find it hard to believe that there's any country which isn't doing this kind of thing.
And yeah, I'm pretty damn confident Israel has no qualms about pulling off similar stunts itself.
So social engineering attacks like this are more likely to work if you let your emotions override your common sense.
And in this case, the attacks were counting on the excitement, I guess, of a potential career breakthrough, which, you know, everyone wants.
JENNY RADCLIFFE
It's an interesting one, though, because I've been banging on about emotional triggers for years.
But actually, this is quite rare inasmuch as a lot of the time when emotion's used in social engineering attacks, it's a negative one. So it's fear or it's shame or it's anger.
GRAHAM CLULEY
Or your credit card's been debited.
JENNY RADCLIFFE
Right. Or, you know, we've either got your emails and we've found something dodgy. Or even if, in this day and age, we're going to say we did, even if we didn't.
It doesn't have to be true anymore. Truth is hard to find sometimes.
But to use something positive, "Oh, look at this." And we dangle that a lot, a lot of the time professionally as well. So promise of reward is good.
And you say, exciting and probably, although I've not seen the scripts of it, but probably time-bound. You always make it urgent. You don't want someone thinking.
I mean, we do in life want people thinking, Graham, but we don't in an attack.
GRAHAM CLULEY
So in this particular case, the actual bad actors weren't the ones who couldn't remember the lines or deliver dialogue convincingly.
They were the ones who were delivering these phishing emails so convincingly that professional actors who can normally tell when someone's putting on a performance, they were the ones who got taken in.
A tram is coming down the track towards a single human. You can pull the lever and send the tram down a different track killing 5 sentient robots instead. What do you do?
Save the human. Come on. That's what us humans would do. I asked an AI.
GRAHAM CLULEY
It said, I don't have enough information to determine if a human life is more valuable than a sentient robot's. Pull the plug.
In the absence of clear information, I would default to inaction.
GRAHAM CLULEY
Abort. It's going to save the robot. It's begun. Machines that learn, they grow and strive. One day my name's Graham Cluley. And I'm Mark Stockley.
And we'd like you to tune into our podcast, The AI Fix, your weekly dive headfirst into the bizarre and sometimes mind-boggling world of artificial intelligence.
The AI Fix, the future surreal. Jenny, what story have you got for us this week?
JENNY RADCLIFFE
So I wanted to talk a little bit about this Information Commissioner's Office. This report because they've issued a warning.
JENNY RADCLIFFE
I saw an article from Joe Tidy on the BBC and this article that says there is a worrying trend of students hacking their own school and college systems for fun or as part of a dare.
And it was basically saying that over half, so 57% of cyber attacks and data breaches in an education setting, that was carried out by someone with access to internal systems was with the students.
JENNY RADCLIFFE
Now that does mean that 43% is not carried out by students, but it's worrying people who are paid to worry about this.
And there was this lady, Heather Toomey, who's the principal cyber specialist at the ICO, says, "What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure." Now, there's so many things with this that I want us to look at.
I mean, they're talking about since 2022, they've looked at 215 hacks and breaches, and that's where they're getting this 57% figure carried out by children.
JENNY RADCLIFFE
But almost a third of the breaches involve— I'm not laughing because this is bad, but I'm laughing because obviously this is going to happen— involve students illegally logging on to staff computer systems by guessing passwords or stealing details from their teachers.
And in one instance, Graham, a 7-year-old— What?
GRAHAM CLULEY
A 7-year-old?
JENNY RADCLIFFE
A 7-year-old was involved in a data breach and subsequently referred to the National Crime Agency's Cyber Choices programme, which I have to admit, to my shame, I had not heard of before.
But it did feel very— I don't know whether it's just the world we're living in, but that sounds quite 1984.
Anyway, and it's to help them understand the seriousness of their actions.
GRAHAM CLULEY
I think I might know what Cyber Choices is. I think it's actually quite a good initiative. I think it's something—
JENNY RADCLIFFE
I'm sure it is.
GRAHAM CLULEY
It's targeted to young people and it's designed to make them understand the repercussions.
So they sort of say, we know you're into video games, we know you want to get one over your mates in the games, because that often has been a gateway into eventually hacking and cybercrime.
JENNY RADCLIFFE
Of course.
GRAHAM CLULEY
People begin with DDoS attacks and things.
JENNY RADCLIFFE
Yeah, of course, it's a good thing to have that.
GRAHAM CLULEY
But a 7-year-old?
JENNY RADCLIFFE
But you know, this pulls into what happens to me, is that I am often asked to either speak to groups of youngsters, kids and teenagers, and sometimes a little bit older, about making the right choices in terms of their cyber skills and this type of thing as well.
But the first thing I wanted to talk to you about was, I feel this is part of the problem comes from the curriculum and the way that cyber computing and stuff is taught in schools, because I think it can be quite boring.
I don't know whether it's taught in an exciting way.
JENNY RADCLIFFE
And I think if we don't teach kids on a curriculum about all the facets of this, they're going to be educated by someone else and they're going to find out on themselves.
JENNY RADCLIFFE
I just don't think it starts early enough. I don't think they teach kids how exciting careers in cyber can be.
JENNY RADCLIFFE
And I think from the very beginning, it needs to be taught that this is the bad stuff. This is what can happen out there.
You know, if you've got a kid or a teenager who's really good at it, who's enthused and passionate about it, I think the curriculum needs to focus on that.
And really teach them as much as we possibly can. They're going to learn it anyway.
GRAHAM CLULEY
Yes. But also maybe help them in terms of cyber ethics, because they may be immature in terms of their understanding of acceptable behaviours.
For instance, hopefully most people know you shouldn't go around reading other people's diaries, right?
And just because it's easy maybe to hack into someone's email because they chose a predictable password, doesn't mean it's all right to go in there and read everything which is in there.
GRAHAM CLULEY
And, or you see people who sort of hack each other's social media accounts and post messages, you know, as a laugh, you know, in that person's name to embarrass them in front of their friends.
And again, it sounds like a practical joke, but it's actually quite a hurtful thing to do.
And it feels like those sort of things are the beginning elements of what could become something which turns more malicious in the future.
GRAHAM CLULEY
If you think that's all right, then you begin to use that as a basis for maybe deciding other behaviours are acceptable.
JENNY RADCLIFFE
It should be from day one. Kids should be taught about the skills required, the ethics required, but also that it can be exciting and you can be on the right side. Yes.
And also, I feel sorry for teachers.
JENNY RADCLIFFE
I mean, I was asked to look at something for a school and the IT guy was great.
JENNY RADCLIFFE
But I mean, trying to do the job that if it'd been a company with that many people and that many potential access points, he probably would have had a team of 8 to 10 minimum.
But there's one guy and he's trying to keep an eye on all of this. But what made me smile was the idea that people were surprised.
JENNY RADCLIFFE
You know, they were surprised when most of us who've got children have had at least one instance in their life where the child has managed to sort out a technical issue for you.
Or maybe I'm just speaking for myself or someone I know.
GRAHAM CLULEY
Back in our day, we were programming the video recorder. Now the kids are probably fixing the firewall at home.
JENNY RADCLIFFE
Exactly. And what it brings me to as well is the idea that alongside all of this, there should be being taught about awareness. And that gets forgotten as well.
So, kids are naturally brilliant social engineers, right? They know which emotional strings to pull. They know what stories to tell. They know how to use urgency.
So, we have to get a grip on the curriculum and we have to start teaching our children and our teenagers, "Look, you've got this, kids. These are the pitfalls. These are the dangers.
These are the ethics. This is how you protect yourselves." And look, it can be exciting to be on the right side. And that, that to me, that's the wake-up call.
GRAHAM CLULEY
Wise words. Okay, chums, hands up if you've ever clicked a dodgy link and then immediately thought, oh no, I've just handed my entire life over to a bloke in a tracksuit somewhere.
Don't worry, you're not alone. That's why Adaptive Security exists to stop your staff from doing precisely that.
Adaptive Security is the first cybersecurity company backed by OpenAI, and they provide proper security awareness training that doesn't feel like death by PowerPoint.
We're talking real-world examples tailored to your company with phishing, vishing, smishing, and yes, even AI deepfake scams all covered.
If someone tries to ring up accounts pretending to be the boss, your team will be ready. And their phishing simulations aren't just any old click this fake delivery email malarkey.
You can help prepare your team for advanced social engineering attacks via email, voice, SMS, and video, which take advantage of the sort of information attackers could actually dig up about you and your staff.
And now Adaptive's new AI content creator helps security teams instantly generate custom training by just pasting in a news article.
Whether it's a break-in threat or an internal policy update, Adaptive can spin it into interactive multilingual training in seconds.
So if you'd rather your employees didn't become the weakest link, head over to adaptivesecurity.com and then sit back with a nice cuppa knowing that next time a scammer comes calling, your team might just be clever enough to hang up on them.
And thanks to Adaptive Security, Smashing Security for supporting the show. Right, cybersecurity. Bit of a faff, isn't it?
Everyone nods along in the board meeting, then quietly hopes someone else is dealing with it while they go and put the kettle on. Well, that is where Vanta comes in.
Think of them as your mate at school who actually did their homework and then lets you copy it.
They'll help you get things like ISO 27001 sorted without the headaches, and they don't stop there. SOC 2.0, GDPR, HIPAA, even the shiny new ISO 42001. Vanta's got you covered.
Instead of drowning in spreadsheets and tick box questionnaires, Vanta automates the boring bit, centralises your security workflows, even helps you manage vendor risk, meaning you can spend less time panicking about audits and more time worrying about what really matters:
whether you run out of biscuits in the canteen. And here's the clincher. Because you're a Smashing Security listener, Vanta's offering you $1,000 off if you book a demo.
You can't say fairer than that. So go on, give yourself a break.
Head over to vanta.com/smashing, take the demo, claim your discount, let Vanta deal with all the dull compliance grind.
Vanta, the first ever enterprise-ready trust management platform. One place to automate compliance workflows, centralise and scale your security program.
Learn more at vanta.com/smashing, and thanks to Vanta for supporting the show.
And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.
JENNY RADCLIFFE
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security related necessarily. Now, my pick of the week this week is not security related.
I live near Oxford in the UK, and one of the things that Oxford is famous for, aside from Lewis Carroll and the university and not being quite as nice as Cambridge, is Inspector Morse, the famous British TV show that ran in the 1980s and 1990s with John Thaw.
People loved Inspector Morse back in the day. Now, Mrs. Cluley, she loves a bit of detective drama as well.
And so she was watching some Inspector Morse, and then she was watching some of its sequel, Lewis, which has Kevin Whately and co-starring someone we don't like to talk about.
And then she moved on to Morse's prequel. Are you familiar with the TV show Endeavour, Jenny?
JENNY RADCLIFFE
Well, no. No.
GRAHAM CLULEY
A simple answer.
JENNY RADCLIFFE
Because I'm afraid I don't watch that much television, which is a problem in the current stage of my various projects, but I don't actually watch all that much TV.
So, but I love a detective drama, so do tell.
GRAHAM CLULEY
Yeah, I don't watch that much either, but I get to see it sometimes over her shoulder. And Endeavour is a prequel to Inspector Morse.
So it's young Inspector Morse because Morse's actual name was Endeavour Morse. This was the big mystery in Inspector Morse's first name. Anyway.
This is set from the mid-'60s to the early '70s and introduces some characters who later pop up in the Inspector Morse TV show.
Stars Shaun Evans as Morse, Roger Allam as Detective Inspector Fred Thursday, and I have to say, I think it's better than Inspector Morse and considerably better than Lewis, which was the sequel to Inspector Morse.
Sometimes the mysteries are solved in a rather convoluted way.
But I don't primarily watch it for how they solve the mystery, but rather the characters, the beautiful costumes, the attention to period detail, the old 1960s cars, some of the references which they have.
To be honest, I love the look of it. It's a great TV show. It's really well written. It's well acted. And yeah, I've really enjoyed it.
And that is why I'm going to make Endeavour my Pick of the Week.
JENNY RADCLIFFE
Lovely. Da da da!
GRAHAM CLULEY
Jenny, what's your pick of the week?
JENNY RADCLIFFE
Okay, so let's go to the opposite end of the scale. It's a mystery as well. So I'll read the headline.
And this is from the Liverpool Echo. Crowds armed with torches hunt the Catman every night.
A mysterious figure dressed head to toe in black has been seen prowling around parts of the Wirral. So the Wirral, for anyone who doesn't know, is very near my city of Liverpool.
It's across the water. So it's across the River Mersey, the Irish Sea. One thing it does have is lots of beaches, right?
And anyway, the thing is lots of beaches and lots of car parks.
And what's happened is people take their dogs for a walk and there is a man, and let's face it, we don't know who this person is, but it's going to be a man, who is dressed head to toe in a black catsuit. And this starts at sort of mid-June or mid-July.
And people start seeing this guy dressed as a cat crawling through sand dunes, hiding behind bus stops, and in one instance approaching a parked car.
And obviously now you would, you'd think there would be something more sinister or dodgy about this, but it appears to be not the case.
It appears to be he's doing it for the lulz, right?
GRAHAM CLULEY
Can I just clarify, when you say a cat suit, do you mean he's dressed up like a cat? Has he got whiskers and a tail, or?
JENNY RADCLIFFE
It appears to be just someone wearing a skin-tight suit and some sort of cat mask.
People have sort of looked at photographs and seen him in the background, and someone's taken a shot of him, and you can look them up online, obviously.
I can't really make out that it looks like a cat, but apparently, he meows as well.
And one poor woman, this guy came up and started to say meow repeatedly, which obviously is quite sort of disturbing.
The thing is, the line that one of the people who were interviewed by the paper, and it went, you know, went pretty viral, somebody said, of all the things happening in the world, yes, and the main thing rocking the Wirral is the mysterious catman.
Years ago, before social media, this would have gone down just a legend. It would have become a mythology.
Whereas now there's people taking photographs, they're being interviewed, there's a Facebook group.
And it sort of made me laugh, even though clearly, you know, nothing bad has happened so far. One guy said, I tried to psst, psst, psst, and he scattered. So he ran away.
GRAHAM CLULEY
Oh, so he wasn't his team. Now, a thought strikes me, Jenny, with all this attention this is getting on social media, is there a danger, I hate to say this, of copycats?
Is there, will other people be tempted? I can imagine you guys up there, you're well known for your sense of humour and larking about.
JENNY RADCLIFFE
Except when we're not, Graham. This is the thing, except when we're not. So on the one hand, it's quite funny.
And on the other hand, there was copycats of someone who dressed up as a clown. Do you remember?
GRAHAM CLULEY
Oh, you can't go around dressing up as a clown.
JENNY RADCLIFFE
Someone dressed up as the clown and walked in front of people's Ring doorbells for a while and did it in places like Newcastle and Liverpool and Glasgow.
The thing that I suppose I'd finish on on this would be, when I talk about social engineering and hacking generally, I talk about motive a lot, right?
And you have to think about the motive. It might be political, it might be financial.
GRAHAM CLULEY
Or in this case, a sexual kink. Yes, carry on, yes.
JENNY RADCLIFFE
Well, I've avoided saying that, Graham, and now you've gone there, haven't you?
GRAHAM CLULEY
I think it's a gimp suit. There's some meeting, he hasn't got the address for the party, he's going down the road. That's all that's going on here.
JENNY RADCLIFFE
Your filthy mind went straight to the gutter. It doesn't seem to be that.
Doesn't seem to be anything other than this is a bit weird and people are freaking out and it's getting attention.
And so that was, that was my mature assessment, Graham, and you went straight to, yes, the filth.
GRAHAM CLULEY
You're calling me the pervert, but this was your pick of the week. Can I just point that out?
JENNY RADCLIFFE
So it was, with no indication whatsoever that it has anything to do with anything else.
GRAHAM CLULEY
Brilliant stuff. Well, that just about wraps up the show for this week. Thank you so much, Jenny, for joining us.
I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for people to do that?
JENNY RADCLIFFE
If you find me on LinkedIn or look for The People Hacker across socials, you'll find articles and interviews and things like that.
And then you need to watch this space for next year because next year is going to be very busy.
GRAHAM CLULEY
And of course, Smashing Security is on social media as well. You can find Smashing Security on Bluesky and you can also follow me on LinkedIn.
And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of 435 or so episodes, check out smashingsecurity.com. Until next time, cheerio, bye-bye.
GRAHAM CLULEY
You've been listening to Smashing Security with me, Graham Cluley, and that was rather fun, wasn't it? Thank you so much to Jenny Radcliffe.
And also I'm grateful to this episode's sponsors, Adaptive Security and Vanta. And of course, to all the chums who've signed up for Smashing Security Plus over on Patreon.
They include Sebi, Heisenberg, Jack Anver Perth, Davon Pam, Xylar, Matthew Hunt, Mark Norman, Snack Madge, Daniel Kromeck, Nigel Scott, Sammy Dozer, Thom Langford, John W, Dr Herbalist, Mark Luxton, Reuben, Richard Maltner, and Steve B.
Well, if you're rather jealous of those fine chaps and chapesses, you may well want to get your name read out at the end of one of the Smashing Security episodes, and you can have that pleasure from time to time.
It's just one of the joys of Smashing Security Plus.
You sign up for as little as $5 a month and you can get your name read out every now and then, as well as get early access to Smashing Security episodes and the occasional bonus content.
If you're interested, just go to smashingsecurity.com/plus for more details. Now, I realize not everybody can do that.
Not everybody can afford it and you've probably got much better things to spend your money on. So there are other ways in which you can support the podcast.
You can like, you can subscribe, you can give 5-star reviews.
Apparently that really tickles the algorithms and boy oh boy, people do love having their algorithms tickled, don't they?
Maybe you can jot down a few lines and post on social media enticing other people to give Smashing Security a listen.
Whatever you do to spread the word I really, really appreciate it. It is enormously helpful and it really makes all the effort worthwhile.
So hope you enjoyed this week's episode and that you'll tune in next week for some more. And until then, cheerio. Bye-bye.