America's airwaves are haunted by zombies again, as we dig into a decade of broadcasters leaving their hardware open to attack, giving hackers the chance to hijack TV shows, blast out fake emergency alerts, and even replace religious sermons with explicit furry podcasts.
Meanwhile, we look at how a worker at a cybersecurity firm allegedly leaked internal information to a hacking gang - raising big questions about insider threats.
Plus: Frankenstein on Netflix, Vine nostalgia, and why Barney the Dinosaur may be the true criminal mastermind behind it all.
All this and more is discussed in episode 445 of the “Smashing Security” podcast with cybersecurity veteran Graham Cluley, and special guest Dan Raywood.
EPISODE LINKS:
- Fake adult websites pop realistic Windows Update screen to deliver stealers via ClickFix - Acronis.
- Tokyo Court Finds Cloudflare Liable For Manga Piracy in Long-Running Lawsuit - TorrentFreak.
- Former Google chief accused of spying on employees through account ‘backdoor’ - LA Times.
- Bogus zombie apocalypse warnings undermine US emergency alert system - Ars Technica.
- 2013 EAS Zombie Hoax - Emergency Alert System Wiki.
- The 1987 Max Headroom incident - YouTube.
- Nation-wide radio station hack airs hours of vulgar “furry sex” ramblings - Ars Technica.
- ESPN 97.5 Houston Victim Of Barix Hack - Radio Insight.
- ESPN Houston apologises to viewers - Facebook.
- CrowdStrike fires ‘suspicious insider’ who passed information to hackers - TechCrunch.
- Frankenstein official trailer - YouTube.
- Frankenstein - Netflix.
- Vine: Six Seconds that changed the world - Global Player.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
SPONSORS:
- Action1 - Keep your systems safe (and your sanity intact) with the patch management platform that just works. The best part? Your first 200 endpoints are free, forever, with no functional limits.
- Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- Horizon3.ai - Get an autonomous pentest demo and see your network the way attackers do. Visit Horizon3.ai.
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!
FOLLOW THE SHOW:
Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
ENJOYED THE SHOW?
Make sure to check out our sister podcast, "The AI Fix".
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
UNKNOWN. In a technique which no hacker has ever used before or since, the hackers were using default passwords that were listed in user manuals, manuals that were helpfully published in public. Smashing Security, Episode 445: The Hack That Brought Back the Zombie Apocalypse. With Graham Cluley and special guest Dan Raywood. Hello, hello, and welcome to Smashing Security episode 445. My name's Graham Cluley.
DAN RAYWOOD. And I'm Dan Raywood.
GRAHAM CLULEY. Dan, welcome back to the show after many, many years. You have joined us once again. Good to have you here.
DAN RAYWOOD. Yeah, it's good to be back. 7 years since I did my last appearance. So is it really? I look forward to coming back.
Yeah, yeah, 2018 it was. This sort of time, I think Halloween-ish, October 2018.
GRAHAM CLULEY. It's funny how I think of you come Halloween, isn't it?
DAN RAYWOOD. Almost a month on now, and I'm actually probably the ghost of Christmas past. I don't know.
GRAHAM CLULEY. Okay, well, let's not leave it another 7 years, certainly. But for those people who don't know you, how can you describe what you are, why you're here, what you get up to?
DAN RAYWOOD. Well, in a couple of months, January 8th, it'll be 25 years since I had my first ever professional journalism job. So—
GRAHAM CLULEY. Oh my goodness.
DAN RAYWOOD. I'll be having a private party. It wasn't until 2008 when I started writing about cyber.
So I've been doing cyber now for about 17 years. I worked for a bunch of magazines, including SC Magazine, Infosecurity, Dark Reading.
I've been an analyst, been a marketer. Now, I work mainly for a great company called BORA, who do content creation, all sorts of stuff, really, really great clients.
I'm also a bit of a freelance hired gun on the side, do some speaking, do some moderating, and occasionally take a few podcast appearances, which are really nice.
GRAHAM CLULEY. Ah, well, it's fantastic to have you here today. Before we kick off, let's thank this week's wonderful sponsors, Vanta, Action1, and Horizon3.ai.
We'll be hearing more about them later on in the podcast. This week on Smashing Security, we won't be talking about how fake adult websites are pushing a hyper-realistic but fake Windows Update popup to install malware.
You'll hear no discussion of how a Japanese court has found Cloudflare liable for ignoring takedown requests and aiding and protecting a manga piracy site. And we won't even mention how a former romantic partner of ex-Google chairman Eric Schmidt has accused him of hacking her email and PC to spy on her and steal business secrets.
So Dan, what are you going to be talking about this week?
DAN RAYWOOD. Well, I'm going to be looking at how CrowdStrike, that noted security vendor, took action against a significant threat.
GRAHAM CLULEY. And I'm going to be speaking about how America's airwaves are under attack. All this and much more coming up on this episode of Smashing Security.
Okay, before we go any further, I need to share a quick word with you about one of our sponsors today, Vanta. You know how everyone's got an AI assistant these days? Well, imagine one that doesn't just write haikus about zero-day vulnerabilities, but actually does your audit work for you.
That is Vanta. It connects to all of your tools, gathers evidence, tracks compliance, and quietly helps you prove that yes, you do take security seriously.
Vanta automates all of that. It pulls everything together, keeps an eye on your systems, and basically makes sure you're ready for an audit at any time, which means no last-minute panic for screenshots and policies.
It also plugs into the tools you're already using and flags up issues before they become a right old mess. So if that sounds like something that might save you from a few sleepless nights, check out vanta.com/smashing.
And if you use that link, you'll get $1,000 off. So don't forget vanta.com/smashing.
And thanks to Vanta for sponsoring this week's episode. On with the show.
Now, Dan, what were you doing in 2013? Do you remember?
DAN RAYWOOD. Well, that's the year I left SC Magazine and joined IT Security Guru, which is still going strong. My friend Andy got married, 'cause I remember being at the wedding.
GRAHAM CLULEY. Okay.
DAN RAYWOOD. You don't know him, do you?
GRAHAM CLULEY. No.
DAN RAYWOOD. Yeah, Andy and Helen had a great wedding, a scout camp in Mill Hill. Otherwise, not a lot stands out. My big thing was my changing career.
GRAHAM CLULEY. All right, well, there's some really memorable things which happened in 2013. It was, of course, the year Beyoncé performed at the Super Bowl. I think there was a slight reunion of Destiny's Child briefly up on the stage.
DAN RAYWOOD. That was the one, the power blue. Oh, it was in New Orleans and the power went out.
Quick story. My wife and I normally stay up and watch the Super Bowl. That year she had a work thing, so we recorded it and watched it on the Monday afternoon, which is brilliant because we were able to fast forward through all the power when the TV company went down for about an hour. Quite a notable Super Bowl, 2013.
GRAHAM CLULEY. 2013 was famous for other things as well. Miley Cyrus twerked at the VMAs. And I don't suppose you have any taping of that, do you? At least not one that you've dared admit to to your wife.
DAN RAYWOOD. I remember it. Who was the guy she was dancing with? There's that guy in the Blurred Lines. Robin Thicke. Thicke, yes. Robin Thicke, yes. I remember them.
GRAHAM CLULEY. And everyone was obsessed with Flappy Bird, weren't they? Wonderful game, Flappy Bird. It's one of the best.
But what you may have missed was the zombie uprising, Dan. Because there was an uprising of zombies. On February 11th, 2013, fans of the Steve Wilkos syndicated TV show in Montana— you may know Steve. He was Steve the security guard on the Jerry Springer Show.
He was popular for breaking up fistfights between cousins and generally being muscly and bald and big and a bit of a bruiser. It was his show that people were watching when this happened.
DAN RAYWOOD. Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. Follow the messages on screen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.
GRAHAM CLULEY. I repeat, civil authorities have reported that the bodies of the dead are rising from their graves and attacking the living. That's right, the zombie apocalypse was announced during daytime TV.
This was an emergency alert system which kicked in and warned people, not just in Montana, but also in Michigan, where viewers got their undead warning during Barney and Friends. Barney's pretty upsetting in itself, I'd say, actually.
DAN RAYWOOD. Yes.
GRAHAM CLULEY. You know, camp purple dinosaur on one hand, flesh-eating corpse on the other.
DAN RAYWOOD. I'm not sure which one I prefer, but yeah, which side do you run to?
GRAHAM CLULEY. Now the thing is this, Dan, it wasn't true. I hate to burst your bubble right now.
There wasn't actually a zombie uprising, and this may shock you, but hackers had actually gained access to the broadcasting system and the broadcast, as it turned out, in a technique which no hacker has ever used before or since. The hackers were using default passwords that were listed in user manuals, manuals that were helpfully published in public so anyone could find out what the passwords were and then access these systems and mess with a TV broadcast. It's bonkers, isn't it, this sort of thing happens?
DAN RAYWOOD. It is. I don't know if you're going to get to this.
A couple of things in history. What about the Max Headroom incident? Have you ever seen that?
GRAHAM CLULEY. Yes. Was it on PBS?
It was during an episode of Doctor Who showing in America. Yes, The Horror of Fang Rock, as I remember.
DAN RAYWOOD. I can't do the episode. Is it a Tom Baker one, actually?
GRAHAM CLULEY. It's a Tom Baker one with Leela in a lighthouse. Yeah, it's a great story, The Horror of Fang Rock.
But yeah, it was interrupted by Max Headroom. And I don't think they ever worked out who was responsible for that hack or what the purpose was?
DAN RAYWOOD. Oh, it's a great, I think I found it on a Reddit or a Wikipedia, a whole story about, you know, how they did it, but no one ever admitted to it. You know, I got caught.
How do you catch someone? They tried to forensically identify someone's hand using a fly spotter, didn't they?
GRAHAM CLULEY. Well, in this particular case, I'll say what they were doing with it, but yeah, in this particular case, it was default passwords which had been published. The authorities had to tell grown adults running TV stations, because this was back in 2013 when it was adults running TV stations rather than the dystopian toxic hell pit we live in today.
They had to tell them to change their passwords. And that always seems to me a little bit like telling an air steward not to forget to close the door before takeoff. It's fairly elementary stuff, you would think.
So that was the great zombie panic of 2013. You've spoken about the Max Headroom incident. You'd think stations would learn from these kind of things, but you're wrong.
Because if you fast forward to 2016, and there was an incident involving furries, Dan. Are you familiar with furries at all?
DAN RAYWOOD. Talk some more and I'll let you know.
GRAHAM CLULEY. Okay, well, let me tell you, first of all, how it happened. So, multiple stations were hijacked through their unsecured Barix STL devices.
Those are little internet boxes that send audio from a radio station studio to the transmitter. And the hackers aired an episode of a podcast, a podcast called FurCast, which is all about— well, put it this way.
I did an internet search for FurCast to find out if I could listen or view any of the episodes. And I found a bunch of men sat around a table dressed up as foxes and pandas and all kinds of furry gear. I mean, if that's your thing, fair enough, or maybe fur enough.
DAN RAYWOOD. Very good. Very good. Yeah.
GRAHAM CLULEY. I'm not going to shame anyone. But anyway, so again, what they did was they put out an explicit podcast rather than the regular programming. Well, let's move on again. Have things got any better in 2017?
And Donald Trump has been inaugurated for his first of what I think is likely to be about 17 stints inside the White House. I'm sure he's not going to stop at 2 or 3. And you think, surely we've learned by now.
Nope, because during Trump's inauguration, stations started blasting out a hip-hop song called FDT by some fellows called YG and Nipsey Hussle. Now, I know you really like your music, Dan. You're really big on music, aren't you?
Have you ever heard of YG and Nipsey Hussle and their song FDT?
DAN RAYWOOD. No, I can't say I've ever heard. I wonder what YG stands for. Young Graham?
GRAHAM CLULEY. Oi, oi, oi, oi! Not me! Certainly not me.
I wondered what FDT stood for. I thought maybe it's Furious Doughnut Thrower or furry disastrous transmission or frequently delusional tweets, but apparently it's fuck Donald Trump. And if you listen to the song, that is one of many words which I would have to bleep out if I include it inside this podcast.
Fuck Donald Trump. Yeah, fuck Donald Trump. Yeah, fuck Donald Trump. Yeah.
So the president of a radio station in Louisville, WCHQ, they admitted it was their fault. They said other stations that this happened to have contacted me. We all use the same device.
None of us had set a password on the device. And they said, my bad. I'd done other security measures at the transmission tower and the studio, but I failed to password protect this device.
I like that. My bad. Wouldn't it be great if every time there's an organization which suffers a data breach, it just says, my bad, oops, whoopsie, whoopsie daisy.
DAN RAYWOOD. Yeah, sorry.
GRAHAM CLULEY. Rather than we take your security seriously.
DAN RAYWOOD. We say that together, we've probably said that many times, haven't we?
GRAHAM CLULEY. Yeah. You say whoops or my bad when you forget to bring potato salad to the barbecue, not when you let hackers turn your classic hit station into some sort of uncensored political diatribe.
So here we are now, Dan. It's 2025. We're 12 years after, not quite 28 years after, the zombie incident.
And ESPN Houston has just been hijacked during its coverage of a game between the Philadelphia Eagles and the Dallas Cowboys. I think they're American footballers.
DAN RAYWOOD. Yeah. Yeah.
GRAHAM CLULEY. And apparently listeners' ears were assaulted with racist songs and again, fake emergency alerts. It's almost just like you have these gold radio stations which play the oldies.
The hackers are actually doing the same kind of thing. They're still playing emergency alerts over hacked radio stations, just like they were back in 2013. It's been over 10 years.
And radio stations and TV stations are still being hacked due to their IP addresses being included on the Shodan database. Shodan, for those who don't know, is basically Google for hackable devices. It tells you where all the devices are which are open to the public and not configured properly to avoid unauthorized access.
So it's really easy for these unsecured devices to be found and to be exploited by the hackers, isn't it?
DAN RAYWOOD. I think honestly, we do see this situation where default passwords aren't changed. It's probably because you think about the IoT stuff.
You get some new thing and you're like, oh, does it work? I mean, Christmas is, as we record, literally a month away, people getting some sort of internet-connected toy, Bluetooth-enabled, whatever. And it's like, is your first priority going to be, oh, is it going to be secure?
Now, a kid's toy versus some sort of thing you're going to be using in workplace are very different things, but you think that if it's going to be used for all that time, there'd be some sort of audit.
GRAHAM CLULEY. You'd like to think so, wouldn't you? But I guess radio stations, they're probably running on a tight budget. Cybersecurity probably isn't their top thing that they're worried about.
Unfortunately, there probably isn't very much budget for that. It's a problem.
So this happened, and one station, they received a call from a listener because they heard obscene lyrics instead of the religious teachings from Pastor Doug Batchelor. You can imagine how that phone call may have gone.
But these aren't really sophisticated hacks. They literally are just checking if you changed the password from admin admin to something else.
So Barix, who are the makers of these station-to-transmitter devices, they say that they now have better security on their gizmos. They say they now come with unique passwords already set because broadcasters can't be trusted with the complex task of actually typing in a new password.
And there apparently are currently 600 to 650 publicly accessible Barix devices around the world, around 300 of them in the USA. Many of them will be these older devices which don't have unique passwords.
All of them are waiting for a bored teenager to find them.
DAN RAYWOOD. And you wonder if this will have the Streisand effect of now it's been done by one or two, by the same one with the Donald Trump thing, one with this Pastor Batchelor. The question is, is it gonna spur others into action and thinking, are we running this?
But you mentioned the budget thing. There was a great piece on John Oliver's show a couple weeks ago about PBS and funding.
And some of these places are running on absolute shoestrings. So is there actually gonna be any sort of priority for essentially what we call cybersecurity versus trying to keep, you know, the lights on essentially?
GRAHAM CLULEY. Yeah, absolutely. Keeping the lights on, keeping the transmitter going, you know, it's just about having power and they're probably struggling to get the advertising and sponsorship to keep their station alive.
It's a problem. By the way, this zombie incident was particularly amusing because a disc jockey actually played a tape of the zombie EAS alert.
So he was telling the story to his listeners. He played the tape, which included this digital tone which plays, and that happens before the emergency alert.
And apparently, playing that tone across the radio triggers more alerts downstream. It's a domino effect.
This chaos unfolds. So, it's a bit like saying, "Alexa," on a podcast, because those types of devices are going to hear it.
And then it will trigger actions. So machines can't necessarily tell the difference between a real emergency alert and someone playing a recording of a fake emergency alert, which is pretty understandable, I think.
DAN RAYWOOD. Well, it must be Kevin Mitnick whistling down the phone line.
GRAHAM CLULEY. Yes.
DAN RAYWOOD. Sort of a bit that, isn't it? You know, in this case, you know, all the phone lines belong to him essentially, you know, so yeah.
GRAHAM CLULEY. So in response to this, the Michigan Association of Broadcasters, they've written up some tutorials on how to lock down systems. But I was speaking to someone the other day and they said to me, frankly, your nephew's Minecraft server is probably more secure than some organizations.
They're more likely to have locked it down. I certainly think that's probably the case with these radio stations.
So my advice to broadcasters is imagine your broadcasting equipment is a bit like your teenager. You wouldn't leave them unsupervised overnight in the house over the weekend with the drinks cabinet unlocked.
Because before you know it, your house is going to be overrun full of other teenagers having a house party, general havoc occurring. So treat your professional broadcasting equipment with the same level of concern you would give stopping your kid from going on a bender.
And I think that's advice which we can all probably take into our workplaces and into our homes as well, is really, really concentrate on securing those devices and making it as hard as possible for your accounts and your devices to be accessed by unauthorized users.
DAN RAYWOOD. And we all talk about crown jewels and critical to your business running and operating. I've been doing a few things recently on operational resilience, as it's now being called.
And essentially part of that is understand what you need to keep your business running and secure. We think after the first one's happened in what, 2013 was it with Barney the dinosaur?
You think they'll spur them into action? I don't really know. Maybe just it's not the priority that we often feel it should be.
GRAHAM CLULEY. I've just had a thought. Do you think it could be Barney the Dinosaur who's responsible for this?
He tries to give across a sort of harmless image, but I think behind that face, maybe there's an evil criminal mastermind at work.
DAN RAYWOOD. I've not seen or heard of Barney in years. I don't know if it's still on.
GRAHAM CLULEY. Hey, if Barney has hit hard times, if he hasn't got any money in his pocket, he could well have turned to hacking. It's something to consider.
I'm just asking the questions. Right then, we've got time for a quick word now about one of our sponsors today, Action1.
Now, most security breaches still happen because of unpatched vulnerabilities. And the worst part? Many already have fixes available for them.
But patching can be a real pain, right? If staying up at night worrying about the next cyberattack headline sounds familiar, it's time to try Action1, the patch management platform that just works.
You can start updating Windows, Mac, and third-party apps in under 5 minutes. And Linux support is coming very soon.
The best part? Well, your first 200 endpoints are free forever with no functional limits.
This isn't a disguised free trial. There's no credit card required, no hidden limits, no tricks.
All you have to do is visit smashingsecurity.com/action1 and get started today. So if you're looking to automate patching and save weeks or even months doing it, go to smashingsecurity.com/action1 and sign up for patching that just works.
And thanks to Action1 for supporting the show. Dan, what have you got for us this week?
DAN RAYWOOD. Well, an interesting one around CrowdStrike. Now, we of course remember CrowdStrike from last year.
They had a particularly nasty incident which sort of put most of the world offline for several hours.
GRAHAM CLULEY. They pushed out a bad update, didn't they?
DAN RAYWOOD. A bad update. And at the time, I was actually working for SC UK and it was a fun one. It was a Friday morning. We had no knowledge of what was going on. And I wrote a story based on what I could find on X and Reddit, which aren't the greatest sources, but there wasn't very much information.
But yeah, CrowdStrike, I mean, they recovered and still remain an absolute huge cybersecurity company and do some great research. But they haven't really failed to keep out of the headlines.
Now, that was a bit of a bad incident, a bit of a one-off. But in the past few days, a report has come out where it confirmed that it fired what they call a suspicious insider in October for allegedly sharing internal information with a hacking collective.
GRAHAM CLULEY. Right.
DAN RAYWOOD. But essentially what they are saying is that some hacking group was able to access CrowdStrike by exploiting data and basically was able to share pictures of the computer screen leading to immediate termination for this employee. So we'll get to insider threats in a bit, but yeah, what essentially CrowdStrike is saying is that someone shared information with an outsider.
And that outsider then, through various means, was able to then try and access CrowdStrike. And screenshots posted on a public Telegram channel appear to show insider-level access to CrowdStrike systems, including an employee's Okta dashboard.
Now, of course, Okta is the single sign-on.
GRAHAM CLULEY. Yes.
DAN RAYWOOD. You can use that to get into all sorts of applications. I've used it myself in a previous job.
It's really, really handy. The screenshots were shared by the Scattered Spider Lapsus Hunters.
Now, not only for being a really silly long one, remember LulzSec? How easy was that to write?
Oh yes, they could write 3 words, you know. I'm reading Joe Tidy's book, and what would they call them?
Hack the Planet, HTP. That's 3 letters.
Why don't they just Scattered Spider Lapsus Hunters? Seriously.
Anyway, but they combine ShinyHunters, Scattered Spider, and Lapsus$ with a dollar. So those 3 groups all kind of came together a little while ago.
So they claimed the access of CrowdStrike exploiting data from the Gainsight. Now that's a CRM platform used by Salesforce, and then presumably it's then used by CrowdStrike as well.
And they were able to exploit that data and apparently get in. Now, we don't know how much of that is true, but what I think we're looking at here is a bit like with our friend Joe Tidy, who the other month had the situation where some hackers said to him, we give you loads of money, give us access to your network.
Do you remember that one?
GRAHAM CLULEY. Yes, I do. And the hackers obviously hadn't twigged that he was actually their cybercrime correspondent.
So maybe he wasn't the best person to approach.
DAN RAYWOOD. Well, also you're thinking, well, you know, he works for the BBC. He might offer him a free TV license or anything like that.
They can give him lots of money, but it's an interesting one again, because this situation shows that if you go for the sort of the weak link, now we don't like to think of humans as the weak link, 'cause that just creates arguments, doesn't it really? But if you go for someone internally and say, hey, give me information, give me access, and for whatever reason, whether they're blackmailing them, whether they're giving them money like with Joe's situation, but CrowdStrike said the insider simply shared pictures of the computer screen externally, so it's external source.
That led to immediate termination. Now you'd probably argue that's probably the right action to take.
I'm presuming that the DLP was switched on to max for that particular employee's output, however they were trying to send out from their computer. In other words, did they take the screenshots with them on a secure USB, put it in their Google Drive, whatever?
GRAHAM CLULEY. I hope they haven't just fired this guy. I hope they've also reported him to the authorities, because if they're claiming he somehow assisted a group of malicious hackers or shared sensitive information, that is something the police need to investigate, isn't it?
DAN RAYWOOD. Well, absolutely, because talking about a potential, well, I mean, what does it fall under? I think insider threats are particularly worrisome.
You've got the situation where the insider, I guess, is leaking information. If you worked for a bank and sort of said, here's all the PIN numbers for a million people, that's a crime. It's data theft, essentially.
GRAHAM CLULEY. To be honest though, Dan, in fairness, when it comes to PIN numbers, I could probably give you everybody's PIN number. I mean, I could give you a list.
It starts at 0000 and goes up to 9999. So, you know, it's different, of course, if you have names associated with the PIN numbers, but the numbers themselves, that shouldn't be something which is an arrestable offense, I think.
DAN RAYWOOD. Well, yeah, true, but I've done a really bad analogy. I can't think of another one off the top of my head.
But yeah, but in situations where someone steals something internally, let's say, you know, if you run off with a laptop, for example, okay, you can brick that. Or if you run off with the coffee machine, good luck getting that up your jumper.
But so shared pictures of the computer screen, this was what they got immediately terminated for. Now, CrowdStrike have rejected the claim that actually data was stolen, which the hackers claim they did.
But CrowdStrike reject that claim saying systems were never compromised and customers were always protected. Now, as we were saying earlier on, we take security seriously.
CrowdStrike, I really hope they do, and I'm sure they do as well. But they have handed the case to law enforcement for further investigation.
So that's where we're at at the moment. It's essentially someone got found out for apparently leaking data.
Maybe it's just screenshots of an Okta platform. And as a result, someone got fired and handed over to the police for it.
So that's what we know, but it's not, I don't say it's particularly uncommon, but I think it's probably unreported. Funny how this one got out to Zack and Lorenzo over at TechCrunch, because Gainsight, again, the CRM system that we presume CrowdStrike was using, and which the hackers allege was the source of the breach, did not comment on either.
They're not going to turn around and go, yeah, we're the weak link, blame us, yeah, blame Gainsight. But what we do know is that Lapsus$, ShinyHunters, or whatever we call them, this collective, are known for using social engineering tactics to trick employees into giving access to systems.
Now, that's different from bribing, like we saw with Joe, and I'm sure others. They're actually trying to get people to give up things whether it's through, here's an email, here's clips of the Eagles-Cowboys game, or here's, did you read this about the zombie network takeover?
I'd probably read that, or the Black Hat incident.
GRAHAM CLULEY. There is a middle ground though, isn't there? Okay, so you can talk about an outright malicious actor inside your organization. So you've got a rogue employee who maybe has access to sensitive information, can take screenshots, can send them to a hacking gang who he may be working with.
And then of course, we are always hearing at the moment about these support lines being rung up by the hackers and they socially engineer information out of them. They claim to be employees, for instance, saying that they've been locked out of their accounts.
I wonder about the middle ground though, where maybe someone who works in a call center for a particular organization has been nobbled by a hacking gang and the hackers say, look, and they don't say this during the course of the phone call, obviously, but outside of that, they say, "We'll be ringing you on Monday morning and we're going to do a bit of social engineering on you." And they say, "Yep, okay, I will fall for the social engineering and I will agree to unlock this account for you, or I'll make sure that the social engineering works."
So you could have this kind of hybrid effect. And then the employee, if it was determined who it was, who was tricked by— I put tricked in quotes— by the hackers, they could maybe have plausible deniability and say, "Oh, well, I was just socially engineered."
DAN RAYWOOD. Yeah, there is that middle ground of, you know, I've worked for a company with a big call centre once upon a time, and you know, these are people with these very intense periods of working.
GRAHAM CLULEY. Yes.
DAN RAYWOOD. You've got the situation with people, are they just kind of being caught up because you catch them out and they're not paying attention? You can send it at 10 to 5 on a Friday. Who's going to really be caring at that stage?
Suddenly all of a sudden they're interested in you. If you really profile the person, what they're into, Doctor Who, for example, or you know, Philadelphia Eagles or Bitcoin, I probably wouldn't, I'm not really a fan, but it's actually a very, very simple way of doing things, but it takes time, and if you fail at it, then all that effort goes to waste from the hacker's perspective.
But apparently here, who knows, because CrowdStrike and Gainsight have both not commented and denied whatever. They're actually the ones coming out saying, you know, almost we're not to blame, but someone was to blame. Hmm.
GRAHAM CLULEY. I think the insider threat is largely underreported, isn't it? I think a lot of the cybersecurity companies love to talk about external hackers, and maybe their solutions are better at handling that kind of threat rather than the insider threat just as much.
The insiders who, of course, you've given your passwords to, you've allowed to access the databases and the sensitive information because they need it to do their job. But of course, there's always the potential that they will leak it, or even if they can't make a copy of it onto a USB drive, they can take a photograph of a screen, or just simply memorize a piece of information, which they take home with them and then later exploit in one fashion or another. It's a really significant problem.
DAN RAYWOOD. And I found some stats saying that the cost of insider threats in 2025 escalated to $17.4 million. And also organizations experience an average of 13.5 instances every year. That seems quite low to me.
GRAHAM CLULEY. It does.
DAN RAYWOOD. Yeah. That's just over one a month. These various incidents such as clicking on a link, actually, is that an insider threat? Is that just an accidental error? Yeah. To malicious intent such as we saw here, or apparently saw here, going out and actually putting information out there that people are looking for.
So if it covers that broad spectrum, I'd say the number's probably significantly higher than 13.5. But again, how many of these are actually reported? Do you go to your regulator? Do you say, oh yeah, we had someone do this and, you know, they clicked on the link and we got ransomware? Okay, and did you clean up? Yeah, we called in whichever consultancy or firms to come and sort it out. Great. Do you need to report that? I don't think you do. It's not like a data breach where you have to go to the ICO and say, this is what we lost, because if you didn't lose anything, it's a really tricky one to kind of determine.
GRAHAM CLULEY. Yep, it really is. Right, we've got a chance now to thank one of the supporters of this week's podcast, Horizon 3 AI.
You can't defend what you don't see, and that's why Horizon 3 AI created NodeZero to continuously test your network the same way real attackers would and built to help you prove your defenses work. Traditional pen tests happen once a year. They're manual, they're expensive, and they're outdated the moment they're done. NodeZero changes that by continuously testing your environment.
With over 170,000 pen tests completed, NodeZero doesn't just find vulnerabilities, it proves how they can be exploited safely. From Active Directory tripwires to AI-driven attack paths, you'll see your network the way an adversary does and before they do. Join thousands of organizations who've moved from reactive to continuous security because the best defense is understanding offense.
Visit horizon3.ai to get your autonomous pen test demo today. That's horizon3.ai. And thanks to Horizon 3 AI for supporting the show.
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
DAN RAYWOOD. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something that could be a funny story, a book that they read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily.
DAN RAYWOOD. Better not be.
GRAHAM CLULEY. Ah, well, my pick of the week this week is not security-related. My pick of the week is a movie which I saw, and it is a modern movie. Yes, I haven't gone back to 1958 to choose some classic old movie that I've just discovered.
This is one that's fairly new out. It is Guillermo del Toro's version of Frankenstein. Have you seen it, Dan?
DAN RAYWOOD. No, I've heard of it, but I know Frankenstein, obviously, I know Guillermo del Toro, but I don't know this one.
GRAHAM CLULEY. Right, well, it's rather good, I think. It's obviously an adaptation of Mary Shelley's classic book, so it's drenched in atmosphere and stunning visuals, and in fact, it's more sort of heartbreaking than horrific, and I think it's all the better for that.
So we all know the story. We've got Dr. Frankenstein who wants to see if he can defeat death, whether he can bring people back to life by taking the parts of human beings who've deceased and putting some electricity through them. And it's really rather good.
I really enjoyed it much more than I was expecting. It's got some terrific performances from Oscar Isaac. He was Poe in the Star Wars: The Force Awakens trilogy.
He plays Victor Frankenstein. And Jacob Elordi is the creature itself. And it was briefly at the cinemas and is now available for anyone who subscribes to Netflix.
And I thought it was visually stunning.
DAN RAYWOOD. Nice.
GRAHAM CLULEY. And really good fun.
DAN RAYWOOD. I saw the one they did in the '70s or late '60s with— it might have been a Zeffirelli or something. The guy who played Romeo in Zeffirelli's Romeo and Juliet was playing Victor Frankenstein.
I saw that one.
GRAHAM CLULEY. Oh, yes.
DAN RAYWOOD. And I remember one from— God, this is the mid-'90s where Robert De Niro played the monster. God knows how he ended up in there.
He must have had a really quiet year.
GRAHAM CLULEY. Oh, he was in the Kenneth Branagh version, I think.
DAN RAYWOOD. Well, that's probably why he did it, yeah.
GRAHAM CLULEY. What's the '70s one? The one with David McCallum?
Oh, I remember that early '70s. There was a TV movie version.
DAN RAYWOOD. Probably that one, yeah. It was a two-parter, I think.
It was on one Christmas, mid-'90s.
GRAHAM CLULEY. This has aged us, hasn't it?
DAN RAYWOOD. Yeah, yes. Remember the '70s and the actor we can't name in a film we can barely remember, yeah.
I remember that one. I mean, it's a really interesting story, actually. I like Oscar Isaac. I saw him in the Star Wars films and a couple of other things as well. Yeah, sounds cool.
GRAHAM CLULEY. It was great. Anyway, that is my pick of the week, Frankenstein.
Go and check it out. Dan, what's your pick of the week?
DAN RAYWOOD. Well, as we go back to the 2010s, I'm going to do exactly the same thing once more with a podcast series I've just listened to recently called Vine: 6 Seconds That Changed the World.
GRAHAM CLULEY. Okay.
DAN RAYWOOD. Now, do you remember Vine?
GRAHAM CLULEY. It was the Twitter— it's when Twitter thought, you know, we've had enough of 140 characters. Let's see if we can do things with very short videos.
DAN RAYWOOD. Yeah, I'll give you the lowdown on the podcast series. I think it's about 8 episodes.
I whizzed through it. It was really, really interesting. It was a little app that could really, the whole thing was making 6-second videos. If you think 6 seconds, what can you achieve? And actually people got quite famous through this, but they got acquired by Twitter very, very soon after launch. And I think there was a feeling in the podcast, they'd almost sold up a little too early because Twitter didn't really seem to know what they were getting and how to embed these little Vines into tweets. They didn't have that sort of functionality.

There was also when they tried to evolve it, they moved it from 6 seconds, which was kind of its USP really, to 140 seconds. Now, a lot of our favourites, The Beatles, some of their songs are barely 140 seconds. Some of their early stuff is 2 minutes. Now you could put a whole Beatles song in a Vine and just let it run. There's some Elvis stuff. But it got critically panned for that move.

Spoilers here, people, but one of the reasons it really failed is because it didn't really have any monetization plan behind it because essentially, how do you make money out of a 6-second video? Can you do it for Google or Nickelodeon, for example? How do you do a 6-second video that's promotional for a company? So it didn't really have that monetization plan.
GRAHAM CLULEY. Yes, I suppose if you had an advert, then the advert could well end up being 5 times longer than the video you're trying to watch. That would be irritating, wouldn't it?
DAN RAYWOOD. Well, the average TV advert, I believe, is about 30 seconds or something. Yeah.
The ones I see on YouTube feel like they're a lot longer 'cause I'm waiting for the next clip to start. But it's, yeah, so 6 seconds doesn't give you a lot of time to sell something really. And the other real problem in monetization is that basically the creators held all the power. They're the ones who were getting the commissions from Google and whoever else to sort of make videos for them.
GRAHAM CLULEY. Yes.
DAN RAYWOOD. But that money went to the creators. Some of them ended up quite famous and Vine saw nothing of this. And some of its famous Vine users include Logan Paul, who went on to create the drink Prime.
He even went to YouTube. There's also a lot of others that get featured and it's all very much like, yeah, we did pretty well out of this, but Vine didn't. Once people realized they couldn't make any more out of them, they moved on to something else.
Right. Basically, the takeaway is that Vine walked so TikTok could run. Essentially, what we saw is people moved to probably YouTube first, then Instagram, now TikTok.
They make the money there, but they're the ones who hold all the power. And the platform in that case was just the conduit for where to be seen.
GRAHAM CLULEY. Are you on TikTok, Dan? Is that where you hang out? Are you doing TikTok dances?
DAN RAYWOOD. I'm not. I'm a late adopter of most tech as it goes.
I was last one on WhatsApp in my infosecurity team. I've never been on TikTok yet.
I joined Instagram late as well. Very wise.
I used to like looking at TikTok when it was a bit more open on the tube. It was quite fun during lockdown with all the sort of the NHS dances and all that sort of thing.
GRAHAM CLULEY. Well, it sounds like a great pick of the week. Thank you, Dan.
Vine, 6 seconds that changed the world. And that just about wraps up the show for this week.
Thank you so much, Dan, for joining us. I really appreciate it.
I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for them to do that?
DAN RAYWOOD. Yeah, so it's my name, Dan Raywood, R-A-Y- I'm mostly on LinkedIn more of the time, on X, Bluesky, Mastodon apparently. I don't look very often, but yeah, LinkedIn's probably my best one to find me.
GRAHAM CLULEY. Okay, and of course, Smashing Security's on social media as well. You can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Bluesky.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
Episode show notes, sponsorship info, guest lists, and the entire back catalog of 445 episodes, check out smashingsecurity.com. Until next time, cheerio.
Bye-bye.
DAN RAYWOOD. Bye-bye. Thanks for listening.
GRAHAM CLULEY. You've been listening to Smashing Security with me, Graham Cluley, and I'm really grateful this week to Dan Raywood for joining us, and also this episode's sponsors, Vanta, Action1, and Horizon3 AI. And of course, to all of you chums who've signed up for Smashing Security Plus over on Patreon.
They include Philip Dade, Sammy Dozer, Nate M, Andrew Davison, Bobby Hendrix, Richard Anand, MJ Lee, Florian Schwalme, Stephen Castle, Heisenberg, Matthew Hunt, Funky Duck, Christo V, Skadone, Marvin 71, and Dave and Pam. Well, wouldn't you like to hear your name read out at the end of the show from time to time?
All you've got to do is consider joining Smashing Security Plus. For as little as $5 a month, you will become part of our happy little troupe, and you'll get early access to episodes, without the annoying ads.
And you'll get that warm glow of feeling that you're helping me out, which I always appreciate. Thank you very much. Just head over to smashingsecurity.com/plus for more details.
Now, of course, I realize Patreon isn't for everybody, and that's perfectly fine. There's absolutely no pressure to become a member of Smashing Security Plus.
The truth is you can support the show in plenty of other ways which don't have to cost you anything really. You can just like, subscribe, leave a nice review up on Apple Podcasts, something like that.
You can tell your friends about the show. Just spread the word.
Maybe tattoo across your forehead, "I love Smashing Security," and slick back your hair so everyone can see it. Actually, don't do that.
That sounds like a really terrible idea. So I don't endorse it.
If you do do that, it's not my fault. But every little bit, apart from the tattoos, does help.
And so until next time, cheerio, bye-bye.