JAMES BALL
What's the security analogy? It's a Swiss cheese. The idea being that Swiss cheese has holes in it, but you get more and more layers of it in the hopes that the holes won't line up.
This is like 4 layers of Swiss cheese lining up and just something dropping straight through, isn't it?
UNKNOWN
Smashing Security, episode 465. Smashing Security 465. This developer wanted to cheat at Roblox.
JAMES BALL
It cost millions.
UNKNOWN
With Graham Cluley and special guest James Ball. Hello, hello, and welcome to Smashing Security episode 465. My name's Graham Cluley.
JAMES BALL
And I'm James Ball.
GRAHAM CLULEY
James, welcome back on the show. Lovely to have you on yet again. What have you been up to?
JAMES BALL
I've been running around all over the place. I spend about half my week being a political journalist and the other half working on tech. And the political half is really creeping up.
It's not staying contained at the moment. And so I'd like to put it on the record, I am the greatest victim of the world's political situation right now.
GRAHAM CLULEY
It's a crazy world politically.
You know, I had some feedback from a listener just in the last couple of days actually saying, you love the podcast, been listening to the podcast forever, but oh my God, Graham, can you stop talking about politics?
And my reaction was, look, thank you very much for listening and all the rest of it, but it feels to me that technology and politics are more intertwined than ever before.
You can't really extract them from each other, can you?
JAMES BALL
I mean, horribly so. It feels a bit like a monkey's paw thing. You know, I've been interested in tech since I was a kid.
I've sort of always gone, I wish people would pay more attention to this. This is transformative. I sort of came of age with the internet.
You're kind of going, no, we need to look at this. This is really huge.
And now tech and politics have merged so much and are in the discourse so much and are crashing together in so many ways. It's... I was really stupid to want this.
Why can't this go back to being in its nice own lovely corner where I can just think about how the technology works or, you know, the principles of it instead of what stupid way is this going to be used to upend our politics yet again?
GRAHAM CLULEY
And the world of technology has become so huge that the people in charge of these technological companies have an enormous amount of influence over our politicians.
How can you extricate them? I don't know that you can.
JAMES BALL
I mean, we haven't had this kind of dominance really since you look back at the Gilded Age.
It's when the railway monopolies were there or the early oil monopolies, because the biggest companies and the biggest tech companies are synonymous.
9 of the world's 10 biggest listed companies are tech companies. Essentially, this domination by one sector is pretty much unheard of in either of our lifetimes.
And so politics is going to be weird until tech is kind of normal again. And that might be bad for someone who reports on and covers tech, but might be good for the world.
It might be good for our blood pressure and it might be good for your listener. I promise I haven't brought a load of political things this week.
Well, not very political, small p political.
GRAHAM CLULEY
One thing I will say to any other listeners who are concerned about this as well is if they're doing the wrong thing, I'm gonna have a go at them regardless of what side of the political chamber they might be on.
Well, before we kick off, let's thank this week's wonderful sponsors, CoreView, Elastic, and Vanta. We'll be hearing more about them later on in the podcast.
This week on Smashing Security, we won't be talking about how home security firm ADT has been burgled by the Shiny Hunters gang.
You'll hear no discussion of how a ransomware negotiator has pleaded guilty to helping hackers by leaking victims' insurance details.
And we won't even mention how Elon Musk's Grok chatbot told researchers pretending to be delusional that there was indeed a doppelganger in their mirror and they should drive an iron nail through the glass while reciting a psalm backwards.
So James, what are you going to be talking about this week?
JAMES BALL
So this week I want to talk about how wrong'uns are still tracking us on our mobile phones and why this is proving so intractably difficult to sort out.
GRAHAM CLULEY
And I'm going to be talking about a corporate hack that all started because someone wanted to cheat at Roblox. Plus, we're going to be talking to Rob Edmondson of CoreView.
He'll be joining us as we take a look at how hackers have been turning essential tools like Microsoft 365 against their targets and what you can do to lock down your environments before it's too late.
All this and much more coming up on this episode of Smashing Security.
JOE
This episode of Smashing Security is brought to you with support from CoreView.
GRAHAM CLULEY
Now, Joe, quick question.
If someone broke into your Microsoft 365 tenant right now and quietly disabled your conditional access policies, grabbed global admin rights, turned off Bitdefender, would you even notice?
GRAHAM CLULEY
Well, that's the spirit, Joe.
But here's the uncomfortable reality. 63% of Microsoft 365 tenants hand out admin rights like they're going out of fashion.
One compromised account and an attacker can quietly reshape your entire tenant.
No alerts, no noise, just someone systematically dismantling your defenses while you're none the wiser.
JOE
So wait, restore from backup doesn't fix that?
GRAHAM CLULEY
No, no, no. Backups protect your data. They don't restore tenant-level configurations. There's no native rollback for that.
You could be rebuilding your tenant settings from scratch for weeks.
JOE
And who's doing that?
GRAHAM CLULEY
Exactly. Who wants to do that? Well, CoreView have written a white paper called Total Tenant Takeover: The Microsoft 365 Disaster No One's Ready For.
It's actually a really practical read.
It covers how these attacks unfold step by step, where your existing tools are leaving gaps, and what it actually takes to recover control once it's been lost.
JOE
So less detect and panic, more here's how to actually get your tenant back.
GRAHAM CLULEY
That's it. Exactly. And you can download this paper for free right now.
You can learn more at smashingsecurity.com/coreview and maybe do it before someone else does something bad to your organization.
JOE
That's smashingsecurity.com/coreview. And thanks to Coreview for supporting the show.
GRAHAM CLULEY
So James, I want to tell you a story today. It's a story about a cloud software company called Vercel, which I imagine many people won't have heard of.
They are at the heart of all kinds of stuff which is going on on the internet. Hundreds of thousands of organizations use them because they're a cloud company.
You know, they're a properly grown-up company. And on the 19th of April, Vercel put out a security bulletin. I'll summarize it.
They basically said, we've been hacked, customer data has gone missing.
We'd quite like to tell you about it before the Russian hackers selling it on a dark web forum get there before us. So we're going to get out there ahead of the bad news.
JAMES BALL
So we will give them some points for that, you know.
Proactive disclosure, tick. I mean, better not to get hacked, but if you're going to, yeah, I don't know where this is going, but I'm giving marks out early. You know, that's a win.
GRAHAM CLULEY
Yeah, I would say so. I mean, obviously a bad situation, but they're trying to respond appropriately.
Now, normally at this point, I'll be telling you about a clever zero-day vulnerability or sophisticated nation-state campaign or even a simple phishing email, right?
Normally, that's the kind of thing which I'm— not this week, however. No, this week, James, the story really begins with someone wanting to play Roblox.
JAMES BALL
I mean, look, I sympathize. It's not quite my favorite game, but it's quite diverting. I can see why they might want to go.
GRAHAM CLULEY
Have you ever played Roblox?
JAMES BALL
I've gone into it basically to try it out because I was going to write about it, and I try not to write about a game I haven't played.
I am less terrible at Roblox than I am at Minecraft. I think really it's not for adults, it's for teenagers. It's kind of even for tweens, really.
You know, I think if you're over 18, you'll rot your brain there.
GRAHAM CLULEY
And of course, there have been concerns in the past that people might be grooming young people via Roblox.
JAMES BALL
Yeah, I mean, any platform that's got kids, that's a risk.
I'm sure there are adults who enjoy Roblox completely legitimately, but it has been slower to act on those concerns than almost any other platform as well.
I hear they have improved of late.
GRAHAM CLULEY
Anyway, as I said, so Roblox is part of this story. Someone wanted to play Roblox and I'm going to explain exactly what happened. So there is a small AI startup called Context AI.
They're not the Context AI which was acquired by OpenAI.
It's a different Context AI, which I think really suggests that, you know, maybe people shouldn't have relied upon AI to dream up their company name.
JAMES BALL
I mean, Googling before you name it, I think is pretty much crucial, isn't it?
Clearly they were using an old version of a model there because that is quite important context, ironically.
GRAHAM CLULEY
Yes. So Context AI, they flog an AI office suite.
So it's something which plugs into your Google Workspace and you grant it sweeping permissions and it can go ahead and read your email and your documents, helpfully does all kinds of wonderful AI things to them.
It sounds absolutely gorgeous. You know the kind of thing, people get it all the time. A consent screen will pop up.
You know, a sensible person reading the terms and conditions go, ha ha ha ha ha, no way. Eh, eh, it's a big fat no.
But many people will just hit the approve button instead in order to allow it to do that.
And apparently one of Context AI's own employees, someone who works at the company, a company which has asked its customers to trust them with the keys to their corporate Google accounts, effectively, they, on apparently a work laptop, decided what they really needed in their life was a Roblox auto-farming script.
Are you familiar with auto?
JAMES BALL
Oh no. So I should say, genuinely, my head went further and further into my hands as Graham just kept talking there, just because I grimly see where this would go.
I mean, just the fact anyone working in any tech-related sector would do this. Gaming add-ons are notorious. You know, approved add-ons, fine, great.
I've modded almost every game I've ever played. That's the fun of it.
You know, Baldur's Gate 3, absolute delight and amazing mods on that and some slightly horrifying ones involving Withers that I won't get into. If you've played the game, you know.
But any mod that sort of claims to let you do something a bit against the rules tends to be incredibly dodgy because they never go through the official stores, which means—
GRAHAM CLULEY
They've never been checked.
JAMES BALL
Yeah, it's basically just typing in illegal music downloads into Google and clicking the first link you see.
Or, you know, trustworthy.exe from a Nigerian prince, Derby Dragons stuff.
GRAHAM CLULEY
So for anyone who doesn't know, an auto-farming script is a cheat which helps you rack up in-game currency without any of that tedious business of actually playing the game.
But you'll get the in-game currency so you can then buy things, you know, add-ons and so forth. And it's dodgy software, as you said, James, downloaded from dodgy websites.
But people have already decided the rules don't apply to them and they're encouraging it.
JAMES BALL
Yeah, and of course, this means that you're more vulnerable. You know that you have to look outside the store. You know that you don't really want to have to admit it.
I mean, it always sounds daft getting something to play the game for you, but any sort of massively multiplayer game has bits that basically involve grinding.
You know, it's a bit like if you could pay someone to go to the gym for you and you got the results, which, you know, the dream.
I mean, look, no company IT server setup should ever have let someone be able to install this, really, should they? I mean, this is a bit of a disaster.
You know, the user is stupid here, let us stress, but they shouldn't have been able to make this mistake, should they?
GRAHAM CLULEY
They shouldn't have been able to do it.
And unfortunately, this particular script came bundled with the Lumma, I believe it's pronounced, infostealer, which rifles through your browser, grabs your passwords, every cookie, every session token, every OAuth credential it can find.
Bundles it up, sends it to a complete stranger afterwards. So in February, this guy downloaded this Roblox cheat. He got infected.
Lumma quietly stealthed its way into the browser, grabbed the database of information, including Google Workspace credentials, including the keys to Context AI's AWS environment, including— and this is the crucial part, really, I suppose— including the OAuth tokens belonging to Context AI's customers.
JAMES BALL
Ah, yeah. I mean, we're really stacking problem on problem here, aren't we? You know, this is all sort of, well, this shouldn't have been able to happen.
Well, this certainly shouldn't have been able to happen. Oh, oh, this is great.
I mean, this is sort of building an incredibly elaborate safe door with all of this sort of stuff and then just leaving the code on a Post-it on it, isn't it?
Graham, this is not great.
GRAHAM CLULEY
It's not great. Very good. That is the headline I can imagine you writing. Breach not great, says James Ball.
JAMES BALL
This is why I don't work for The Register, isn't it?
GRAHAM CLULEY
They're very good at headlines, aren't they?
JAMES BALL
They're much better than I am, yes.
GRAHAM CLULEY
So for anyone who doesn't know, OAuth tokens, they're like those little keycards you get in hotels. They let you in.
So when you click allow, you are giving an app, for instance, access to your Google account. They don't need your password. They don't trigger your two-factor authentication.
And once a thief has your OAuth token, they don't need to break in because as far as Google's concerned, they are you.
And the scary thing, I think, for many people, and they don't realize this, is if they actually check their Google account right now and have a look at what apps they have granted access to their account over the years, they're probably going to be surprised.
There's probably things in there that you don't remember doing, or you may have just done on one particular day, and you've granted them access to stuff, and you should revoke it.
JAMES BALL
Yeah, I think that's quite alarming because you sort of see things that were old social media add-ons or this kind of stuff.
You know, I think there were several on Twitter, as it was back in the day, that would give you a score for your social standing or your clout.
But these old apps that you'd granted access to for one purpose would get bought by someone else or the domain would get taken over and they could hijack the thing.
And so even things that were completely sensible to grant access to, suddenly became terrible.
GRAHAM CLULEY
And lots of people can get— I mean, I'm going to put my hands up, right? I've suffered because of this.
I remember back in the days of when I was on Twitter, as was, there was a third-party app or something or service which I think was doing some kind of ego-stroking examination of my followers, right?
So I could think I was doing really, really well in terms of Twitter followers.
And what happened was that particular service got hacked, which meant the hackers then had access to my Twitter account, not just me, but also Justin Bieber and whoever else.
And my account started posting Nazi spam to people. And you just think, oh no, no, no, I don't, you know, I don't want this. So it can happen to everyone.
You always need to look and revoke permissions wherever possible.
So one of Vercel's employees had at some point signed up for the Context AI office suite using their Vercel Enterprise Google Workspace account.
And when the permission screen came up, they clicked on Allow All.
So now our hacker, our attacker, who started his day off poisoning Roblox hacks, is sitting on an OAuth token that gives him read access to a Vercel employee's entire Enterprise Google Workspace.
So you've got different companies here, but it has cascaded through to grant a huge amount of permission to access data.
JAMES BALL
This is sort of the nightmare, isn't it? What's the security analogy? Is it the Swiss cheese? Yes.
And the idea being that Swiss cheese has holes in it, but you get more and more layers of it in the hopes that the holes won't line up.
This is like 4 layers of Swiss cheese lining up and just something dropping straight through, isn't it? Have you not come across this analogy? I didn't just make it up. I haven't.
GRAHAM CLULEY
I like that. Yeah.
JAMES BALL
Yeah. Because every slice of Swiss cheese will have a hole in, you know, you'll never get rid of those.
And so you just get more and more of them on top of each other and you reduce the chance of them lining up. This is like a hole through 5 slices, just straight there. Bumpf.
GRAHAM CLULEY
So the hacker was able to pivot into Vercel's internal systems, help themselves to secrets and API keys that Vercel customers store on their platform to make their websites work, which meant database credentials, cloud keys, source control tokens, all of this stuff was now grabbed.
Now, Vercel says that some of these were marked as sensitive and therefore protected, but the ones which weren't marked as sensitive, which apparently were most of them, because that wasn't the default, duh, once again, they've changed that default now, by the way, funny that.
So this hacker claims to be a member of the infamous Shiny Hunters hacking group, although the actual Shiny Hunters say it wasn't anything to do with them, which is a typical story on the net, isn't it?
Yeah. Regardless, this data is now listed for sale for $2 million, all because someone at Context AI wanted to cheat at Roblox, downloaded malware, the malware stole the tokens.
Those tokens belonged to a Vercel employee who had secured his unsanctioned AI tool to their corporate Google account and clicked allow all.
JAMES BALL
I mean, did he at least manage to run his auto farmer? You know, did he get his Roblox bucks?
GRAHAM CLULEY
Let's hope he got his Robux at the end of it all.
JAMES BALL
I hope he got a lot of them because I can't imagine he kept his job after this.
GRAHAM CLULEY
No, well, I don't know what the conversion rate is from Robux into genuine dollars.
I doubt he's managed to create himself $2 million though to go and buy the data for himself to prevent it falling into the hands of anybody else.
JAMES BALL
No, but wouldn't it be lovely if he had?
JOE
Time for a quick word from one of our sponsors today, Elastic.
GRAHAM CLULEY
So here's a familiar scenario: something suspicious hits your network. You need answers fast.
So your team logs into tool 1 and then maybe tool 2, then into the thing that doesn't quite talk to either of them. By which point, whatever was happening has—
JOE
Elastic unifies your security data so analysts can focus on detecting and responding to threats, not herding dashboards, which is probably why over half of Fortune 500 companies use them.
GRAHAM CLULEY
Find out more at smashingsecurity.com/elastic, because security should secure, not tax your team.
JOE
And thanks to Elastic for supporting the show.
GRAHAM CLULEY
James, what have you got for us this week?
JAMES BALL
So I've got mobile phone security, but this is very much the other end of it.
And Citizen Lab, they're a sort of Canadian-based, not-for-profit research grouping, and they do some really impressive work on security and surveillance.
And they've had quite a long interest in people who expose phone networks.
So this isn't the News of the World hacking your phone, but this also isn't some of the Black Cube or the Israeli-type security companies hacking your individual handset so much.
This is about people using the actual architecture of phone networks to track your location, to track your SIM card, sometimes to try and put tools on your device.
And one of the key ways they're doing this is basically either posing as a mobile phone company and getting access to the towers that way, or working with some unscrupulous mobile phone companies to sort of get in.
And the UK famously has a bit of a vulnerability on this through Jersey. Jersey's telecoms are, I'm going to be blunt, not very well regulated, but get you inside the +44 space.
GRAHAM CLULEY
Oh, really?
JAMES BALL
And so you can start requesting information.
And this is an absolute bugbear to— so for most people, this is not, you know, your mobile phone location data isn't super interesting.
GRAHAM CLULEY
How dare you?
JAMES BALL
But really bad things have happened to people because of it.
So the famous case is an Emirati princess had essentially managed to escape from her father and from her country and was tracked down via a private intelligence company using this kind of exploit, using the mobile phone networks.
And they managed to get her phone geolocated and raided the boat she was on and recaptured her. And she's basically never been seen in public since.
This was through a private security company and through international mobile phone networks. And so activists get tracked. Journalists can get tracked.
People sort of look at political enemies and exiles overseas. It is quite bad. And there's always talk about regulating the companies that do it.
But the reason it irritates me so much, and the reason that I brought it, is because I commissioned an investigation on this years ago when I worked at the Bureau of Investigative Journalism.
There's a guy called Crofton Black who has been doing reporting on this for more than a decade now. Look up his work, look up Citizen Lab. They are the experts here.
And I should stress, I am not an expert on mobile phone infrastructure, so please take mine as a hopefully roughly correct explanation of this.
And if people want the proper stuff, look at the Citizen Lab report because they are much better than me.
GRAHAM CLULEY
Yeah, we'll link to it in the show notes so people can read more about this.
JAMES BALL
Basically, we have more modern 4G and 5G architecture that phones use, and it has some security awareness built into it from the get-go.
But when that's not available or you have low signal, your phone reverts to 2G or 3G.
And you may have found that sometimes if you're out in the sticks or frankly sometimes in central London, you don't get data, but you can make a phone call or you can get a text.
And that's because the old network is still running. And that's a protocol called SS7. And SS7 is absolutely hopeless for security.
It basically assumes pretty much anyone who's got a tower, who's in that backend network is trusted. And it will let people hand over metadata, let people take location information.
It will let them query this stuff and pull it through with absolutely minimal security.
This protocol is, I think, about 30 years old, and it was set up for when phone networks were quite basic, when they were quite early.
This is the classic story of internet protocols not being secure by design. Look at Border Gateway Protocol, look at, until fairly recently, DNS, look at whatever you like.
It is very much from that tradition.
But the issue is because global rollout of 4G and 5G has been quite slow, because people need fallbacks for things like emergency access, emergency numbers for disaster recovery efforts, SS7 is still built into almost everything.
It's only now being deprecated anywhere. And so at a protocol level, mobile phones are just fundamentally insecure.
And everyone in this very niche world has known about this for at least 10 years.
And no one has really been putting any urgency on doing anything about it. It's sort of very slowly getting fixed, but no one— this is the opposite complaint to earlier.
There's no political attention on it. There's very little media attention on it. It's quite complicated. And it kind of only affects particular people who would be targeted.
But it puts all of us at risk. It is incredibly dumb. And I do not know why it's been tolerated for so long.
GRAHAM CLULEY
That's what I'm wondering, because SS7, it's been practically a laughingstock, hasn't it, in terms of security for telecoms for at least a decade.
Why on earth is it still the backbone of how our phones talk to each other now in 2026?
JAMES BALL
I mean, I'd love to ask you that question. I mean, the honest answer is it's hard to replace for a bunch of reasons.
And it's because everyone likes having that 2G, 3G layer to fall back on. Because it's not used very much, it's reliable, it's basic, it's dependable.
It can work on much lower levels of signal than some of the modern ones. It's been quite useful to have it sitting there for things like reliability, for emergency, for fallback.
And rather than replace or fix it or go, well, why don't we use this spectrum but with a better protocol? People have just gone, well, obviously, you know, we can't fix SS7.
Why pay attention to that? Why don't we look at 6G? Why don't we look at, you know, 5G+ et cetera?
And so everyone acknowledges it should be fixed, but I don't think anyone thinks it's their job to fix it. Or this has been my impression.
There's been very little political or regulatory pressure on it. There have been a lot of actors who want to exploit and use it.
And it's not been the top of anyone's agenda because ministers want to say, "I'm going to get you ultra-fast, you know, new mobile broadband, and that will boost GDP." No one wants to go, "Hey, that creaking old bit of the phone network that no one's heard of, I fixed that." No, not so sexy, is it?
GRAHAM CLULEY
You know when someone wants to break into a building, they put on a high-vis jacket, hold a clipboard and walk around looking important, you know, it's like, I can't be interrupted.
JAMES BALL
I think for legal reasons, I have to say no, I had no idea anyone—
GRAHAM CLULEY
But it feels to me that what Citizen Lab are describing with these sort of ghost surveillance vendors, they're dressing themselves up as legitimate telecoms companies to sneak in as well.
I mean, you've already mentioned this sort of Jersey way of breaking into +44. Which is the UK's country code.
JAMES BALL
And there's a bunch of these, and this is a little bit different. So, there's lots of ways people pose like that in mobile phones.
I think people listening to this have probably heard of Stingrays.
Which are a sort of surveillance tool where you sort of bring a van along and it pretends to be a phone mast, and it collects lots of location information that way.
That's the kind of technical way of pretending to be a phone mast. This is like a business way of pretending. You sort of say, hey, I'm a new virtual mobile phone provider.
I'm a new virtual network. I'm going to have phone customers.
And you sort of team up with a real phone network to get their infrastructure, and they have to data share so that you could work a network.
And then they actually use it to make these inquiries that they shouldn't be doing.
And I think one of the issues that came up was very few people actually log how people were using these queries and whether they were restricting them only to their own customers, et cetera, because it never occurred to them to put it in, you know, and I think it was possible to audit this for various reasons.
You just can't fix SS7 as a protocol.
It's not like you could just do a patch, but this you could have done and just gone, well, if anyone's querying more than X times a day relative to their customer numbers, you know, we cut them off or we investigate.
I think you could have put quite a lot of exceptions in. And I think that's what the bigger companies do. I think that's why you need these little backdoors.
But for as long as there are little jurisdictions that can get you into bigger ones, as long as there are smaller phone companies that don't care very much, this will remain very vulnerable.
And this is quite bad. There is a roaring trade in exploiting this. You know, there are security companies getting quite rich off this.
People don't pay a lot of money to track this stuff unless they're using it.
You know, the fact that there is a roaring trade in this tells you that there is a vulnerability and tells you that there is a problem here.
If this was just academic, companies wouldn't be trading off it in this way, you know?
And as I say, the getting snatched off a boat while trying to escape your dictatorial father is the extreme limit.
But we know, you know, in the early days of the Syrian Civil War, when people were still trying to overthrow through activism, we know that mobile phone geolocation was used to sort of target opposition activists and either kill them with bombs or get them raided by the secret police.
You know, we know the ways that this stuff can be exploited and it can be absolutely brutal. And so it's fairly unforgivable that it's not been fixed in so long.
Sorry, this is a lot less fun than your topic.
GRAHAM CLULEY
No, no, no, that's right.
I mean, it feels like there's quite a contrast here between this and spyware like Pegasus, which impacts individual phones, because this is surveillance you're talking about happening at a network level, meaning even a perfectly secure handset can be tracked, one that's properly locked down.
JAMES BALL
Certainly to an extent, because this is about what the network is doing and not what you are doing. Right. And that's worrying.
I mean, especially, I don't know where you quite land on Mythos, but I sort of land to thinking ultimately it's going to be a defensive advantage because we've known that everything's had zero days in it since forever.
When the NSA or GCHQ discover one, they are as likely to not tell us so they can exploit it as they are so we could use it to defend.
This is going to change that equilibrium because they're all much easier to expose and they will all be exposed quite quickly.
I think you actually got to get a defensive equilibrium. I think things like Pegasus are going to suffer in the Mythos era.
But that means that people will be looking for these network exploitations that can't just be patched, that aren't just about finding and getting rid of zero days that have gone missing for years.
And so it's going to become more urgent to address these things. And that's a shame because we could have done this at any point in the last 10, 15 years.
GRAHAM CLULEY
Yeah, we've heard that story before, haven't we? I'm just wondering, for the average listener, their biggest threat is probably their nan rather than Mossad.
Should they actually care about this? Is this really only a problem if you're a journalist or a dissident or a high-profile target? What's your feeling on that?
JAMES BALL
It kind of is only really a problem if you're a high-profile target, but you might be mistaken for a high-profile target. Yes.
There are some people who have had some very unpleasant emails or some odd things because they have the same name as me.
And I have at various times been tracked and surveilled by various governments for my sins.
And if you happen to be called James Ball and you've done nothing wrong in your life and suddenly you're exploited because of this, that's not great.
So mistaken identity can get you.
GRAHAM CLULEY
No, hang on, James. It feels to me like you are actually the problem there. You're a troublemaker.
JAMES BALL
My fault for having a very common name as well. There are thousands of us.
GRAHAM CLULEY
Could you not rename yourself by deed poll, James Troublemaker Ball, just to protect the innocent James Balls which are out there?
JAMES BALL
Why don't I go for a name like Graham Cluley? But the other thing is, a lot of people who become activists didn't plan to.
A pal of mine, Hassan Akkad, was a schoolteacher in Syria, and he taught English in schools until the civil war started, and he started seeing people get disappeared and tortured.
And he started filming that, and he was then himself detained and tortured and managed to escape. He's a British citizen these days. I've even seen him streak at cricket.
How's that for naturalisation?
GRAHAM CLULEY
Naturalisation, I think you'll find.
JAMES BALL
Yes, there's context, I promise. Yeah, he was sort of saying it's not like he spent years training and preparing for how to be an activist and how to do it right.
He had a very normal middle-class life in Syria until he suddenly didn't. And we sort of see how the world is changing and all these things are happening.
And yeah, this stuff is all very far away from you until very suddenly it isn't.
And so look, for most people listening to this, the thing you should worry about is actually, have you done the software update?
On your phone, because if your apps are up to date and your software is up to date, that is way better than anything else you can do.
But suddenly the world can shift. Hopefully it never becomes a problem for anyone listening, but it could.
GRAHAM CLULEY
Well, we've got time now to talk about one of today's sponsors, Vanta. Joe, what keeps you up at 2 o'clock in the morning?
JOE
The dog next door, mostly.
GRAHAM CLULEY
Oh, right. Well, yeah, but I'm talking professionally. What keeps you up?
JOE
Oh, whether we've got the right security controls in place, whether our vendors are secure, how to escape the nightmare of outdated tools and endless manual processes.
GRAHAM CLULEY
Exactly, which is where today's sponsor comes in. It's Vanta.
JOE
Fanta, the fizzy orange drink. How can this possibly be true?
GRAHAM CLULEY
No, no, Joe, it's Vanta with a V. It's a trust management platform. It's not a drink full of sugar.
It automates all of that tedious manual compliance work so you can stop drowning in spreadsheets, chasing audit evidence, and filling out questionnaire after questionnaire.
JOE
Lush, I hate questionnaires.
GRAHAM CLULEY
Well, who doesn't? Vanta continuously monitors your systems. It centralises your security data. It keeps your program audit ready all of the time.
It also uses AI to streamline evidence collection and flag risks. It automates compliance for SOC 2, ISO 27001, HIPAA, GDPR, and more.
JOE
So basically it handles the boring stuff so we can focus on the interesting stuff. Exactly.
GRAHAM CLULEY
Precisely that. And for a limited time, new customers can get $1,000 off. $1,000? Yep. $1,000. Head to vanta.com/smashing That's vanta.com/smashing and get started today.
JOE
And maybe get a decent night's sleep for once. Oh, and unlike fizzy drinks, Vanta isn't bad for you. That was a fruit twist.
GRAHAM CLULEY
And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.
JAMES BALL
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily. Now, James, do you remember a TV show called Name That Tune?
JAMES BALL
I don't think I do. Am I too young for this?
GRAHAM CLULEY
You're such a child.
JAMES BALL
Am I too old for this?
GRAHAM CLULEY
No, no. I think it's from my youth. Anyway, you had battling contestants and they'd be given a clue about a song.
And they'd have to bet in how few notes, you know, plonked out on the piano, they would be able to name that tune in.
JAMES BALL
Oh, so like the intros around at a pub quiz?
GRAHAM CLULEY
Exactly so. And it was always very exciting because sometimes someone would say, I can name that tune in one. And it's like, ooh, it's going to be really exciting now.
And someone goes, donk, and they'd say it's whatever it is, you know. Now, James, I know that you love people sharing their musical tastes on social media.
JAMES BALL
It's my absolute favourite thing. I love nothing more.
GRAHAM CLULEY
You love a Spotify Wrapped, don't you? I was reading one of your articles on the New World, where you basically say you couldn't give a fuck about people's Spotify Wrapped.
JAMES BALL
I should say in my own defence, we have an unofficial Christmas tradition at the New World where I ruin something that people love.
And so one year I did why I hate It's a Wonderful Life.
Because George should have died in prison. And Pottersville was much nicer in his town.
And I'm sorry, your wife becoming a librarian and having a career is not a fate worse than death. But that was one year.
And I think this was last Christmas I did, "Your Spotify Wrapped is not interesting, so please shut up about it." So yeah, every Christmas I try and ruin something.
GRAHAM CLULEY
Well, it's my show, James, so I'm gonna have some fun.
Now, listeners know I'm a bit of a fan of the Beatles, and they released 213 tracks during their active career during those seven years.
JAMES BALL
Sorry, the Beatles, were they that band that competed against Oasis?
GRAHAM CLULEY
I thought you were going to out yourself as an Osmonds fan for a second there or something like that.
JAMES BALL
I've seen the Rolling Stones. Actually, I've seen McCartney as well. So yeah, fine, fine.
GRAHAM CLULEY
Okay, okay. So I reckon I can name just about every Beatles song based upon only the first second of the track.
And hence, I have been having a lot of fun playing a game online called Think for Yourself at thinkforyourself.live.
And I thought, James, I don't know if you know any Beatles tunes at all.
JAMES BALL
Maybe about three.
GRAHAM CLULEY
Maybe about three. Okay, so I'll do this game. I'm going to do it right now. I'm going to put myself to the test live. So I'm going to run this, thinkforyourself.live.
Okay, and I'm going to play a second and see if I can name the songs just to demonstrate. And hopefully also won't be copyright infringing.
JAMES BALL
I think one second counts as fair use.
GRAHAM CLULEY
Okay, all right, we're going to try it. Okay, what's it going to do? Oh, did you hear that?
I'm going to play it again. Okay, it's definitely a George Harrison one.
JAMES BALL
It's not early, is it? I mean, that's later.
GRAHAM CLULEY
No. Da da da da. No, it's not The Inner Light. It's not Within You Without You.
It's not, oh, oh, oh, oh, oh. I think it's Love You To. I think it's called Love You To from Revolver. Let's see. I have to type in the name and it'll tell me if I got it correct.
JAMES BALL
Correct. Well done.
I was going to say, you ought to get that paused fast.
GRAHAM CLULEY
Oh, yes. Okay, next one. Next one. Oh, that's easy.
Everyone knows that. Strawberry Fields Forever.
JAMES BALL
I was going to say Strawberry Fields, isn't it?
GRAHAM CLULEY
So identifiable. Okay. Next. Yeah. Okay. And let's move on.
Ah, she's not. Now that is the opening line of a song on The White Album called Happiness Is a Warm Gun. The line is, she's not a girl who misses much. Oh, press confirm.
JAMES BALL
She's not a girl who misses much. There we go.
GRAHAM CLULEY
This is fun, guys. Now, I could carry on for a while, but should we do one more?
JAMES BALL
Go on. Go on. One more.
GRAHAM CLULEY
See if you can get this one. Let's see what this is going to be.
JAMES BALL
Did you hear that?
GRAHAM CLULEY
Play it again.
This isn't a very well-known song, but I know what it is.
JAMES BALL
No, I'm not going to get that.
GRAHAM CLULEY
It's an instrumental from the Magical Mystery Tour EP called Fly.
JAMES BALL
It gave me "I am the Eggman, I am the walrus" vibe. I could have got you that far, but I knew it wasn't that song. You know where you're meh.
GRAHAM CLULEY
Anyway, if you're me, I love a pub quiz as well. And if you love the Beatles and you want to put yourself to the test, you can give yourself more seconds if you need more seconds.
It's all good fun. thinkforyourself.live is my pick of the week. James, what's your pick of the week?
JAMES BALL
So, I feel obliged just to go, there's a new season of Taskmaster. I always feel quite happy when Taskmaster's on. It sparks joy. It's very formulaic.
It's very familiar, and I enjoy it a great deal when it's there. But I thought I would bring something else, and sadly, this one is visual rather than audio, but—
It's called nodesgame.com, and there's a little hyphen between nodes and game.
And if you ever played Vertex on New York Times, it's technically a puzzle, but it's almost a paint-by-numbers. I encourage you to open it, Graham, as I sort of say it.
GRAHAM CLULEY
I'm trying it now.
JAMES BALL
And you essentially get a dot puzzle, and it's not quite join the dots, it's form the triangles.
And if you make it right, the triangle colours in, and it tells you how many lines come from each dot.
And so each day there is one correct picture that you're drawing by joining up the dots correctly. And it is incredibly soothing.
I do it first thing in the morning or last thing at night as a bit of zen.
And they've got some little tutorials which are quite basic, but then the smallest puzzles you tend to see are about 200 lines.
GRAHAM CLULEY
Oh my goodness.
JAMES BALL
And the bigger ones are about 1,000. So it can take a good half hour.
But if you're just looking for something quite therapeutic and quite chill, it is one of the most enjoyable little phone sort of games that I play.
And there are only about 1,000 people a day who do it. So it's quite niche.
GRAHAM CLULEY
I'm doing it right now. I mean, it is rather hard to describe to our audio listeners. And I seem to have done it wrong because I've now got stuck.
I have to work out how to reset or something.
JAMES BALL
So if you double-click a dot where you've got it wrong, it goes back.
GRAHAM CLULEY
Ah, thank you. Okay, now I'll do that.
Oh, I've created a diamond—okay, so I did a triangle and I've now created a diamond. Oh, this looks quite—yeah, okay. Oh, and there's an app as well.
You can get it for Android or iOS by the look of things.
JAMES BALL
It is much better on a touchscreen. Yes. The triangles sort of compound to make big pictures. So some of them are recreations of Renaissance art, etc.
Sometimes it's just a cute dog or something, or a plant. The plants are a nightmare because all of the stems are really hard to predict.
But it's just a very therapeutic little corner of the internet that I really enjoy.
I think I'm on a 130-day streak or something, which I try not to think about because the whole point is that it's quite restful and relaxing. And so I try not to care.
It's just, I haven't missed a day.
GRAHAM CLULEY
I'm looking right now at some of the images you can actually create with this. They're incredible.
JAMES BALL
They're genuinely quite pretty.
Today's, on the day we're recording, is a peacock and it's lovely. It also will let you produce a little vector video at the end of the order you solved it.
So you get to see a video of it drawing it exactly as you drew it, which again is just very charming.
GRAHAM CLULEY
It looks very nice.
JAMES BALL
By the way, I received no sponsorship from them for this. I pay them money, not the other way around.
GRAHAM CLULEY
It looks like it's free, but I guess it's ad-supported or something. So you can pay them some money to—
JAMES BALL
You can do the daily puzzle for free, or they've got hundreds in the archives. And to do those, you pay them, I think, about £3 a month.
But it's, I think it's one guy or two people, so.
GRAHAM CLULEY
Yeah, support them.
JAMES BALL
I chucked them some money on Patreon. Because it's lovely. It's nice. It's calm.
GRAHAM CLULEY
So the game you can find in your app stores, it's called Nodes: Connect Dots to Relax. Or you can go and check it out on the web at nodes-game.com. Very cool.
Well, Iranian hackers are actively targeting US critical infrastructure.
They're disrupting power and water systems, ransomware systems, and they're simultaneously going after Microsoft 365 environments that keep those type of organizations running.
They're doing all this at a moment when America's main cyber defense agency, CISA, is operating at reportedly just 40% capacity. So the timing could not be worse.
Here to talk about what energy and utilities companies need to do about it is Rob Edmondson from CoreView. Hello, Rob. Welcome back to the show, Joe.
ROB EDMONDSON
Hi, Graham. Always great to be with you. How you doing today?
GRAHAM CLULEY
I'm not too bad at all. Thanks for joining us. So 6 federal agencies have now confirmed that Iranian hackers are actively disrupting energy and water systems.
How alarmed do you think we should be about that?
ROB EDMONDSON
I think that it's a big deal. It's representative of a big strategy.
I think if you look at the Western economies, which components of those economies can you hit to have the biggest impact?
And the grid, our energy is a huge thing because the dominoes fall quite quickly if you can hit those.
So I think it might be a case of flexing on the one hand, right, to kind of say, this is what we're able to do, watch out. But if things progress, then that can progress as well.
It can escalate. And like I said, the dominoes can fall quite quickly when it comes to energy.
GRAHAM CLULEY
And the group which appears to be playing with those dominoes is this CyberAvengers group who've been linked to the Iranian state. They've been at this for a few years now.
There's been attacks on water authorities, there's been custom malware built for industrial control systems, Rockwell controllers. Where do you think this is gonna end?
ROB EDMONDSON
Gosh, it all depends on escalation, right?
But I think there is a possibility if things keep escalating, then we should assume that these energy companies will be hit and we absolutely shouldn't assume that it's gonna be small.
I think one of the things when it comes to nation-state cybersecurity is these countries will have people and have access ready to roll for situations when they need them.
We shouldn't assume that every single time North Korea, Iran, Russia gets inside your environment, they're gonna hit the button right away.
Actually having access ready to use in the moments when they want it is extremely useful.
So we should assume that there's been a lot of preparation for a moment like this to ensure that they've got leverage.
And the implications in terms of energy and the grid can be quite major. You know, if the grid goes down, things start to collapse pretty quickly.
GRAHAM CLULEY
And it's not just critical infrastructure we need to be worried about this. It's all kinds of business. These hackers are password spraying Microsoft 365 environments, aren't they?
I mean, it feels like this is connected. This is a way in.
ROB EDMONDSON
Yeah, absolutely. You've obviously got the physical infrastructure, which is a great target. But then you've got the digital workspace and the sort of flip sides of the same coin.
Microsoft 365 has become this kind of central component to the work the economy is trying to do, right?
Every organization now relies on this platform and all of its small components to do everything.
So again, if you want to do a rug pull, focusing on that is a fantastic area to cause serious damage. You know, password spraying is going on all the time.
The fact that it's targeting Microsoft 365 is nothing new, but as things start to escalate, we should assume it's gonna happen more and more. So it's definitely concerning.
GRAHAM CLULEY
Now, the most recent high-profile victim of one of these attacks is one of the world's largest medical tech companies, a company called Stryker, and they make surgical equipment and all kinds of stuff like that.
It's supplied to hospitals worldwide. And this is a company with big resources, $25 billion of revenue, and they still got hit.
And what we've been reading in recent weeks is that it was Microsoft Intune, which was basically turned against itself.
And as a consequence, that admin tool effectively was used to wipe out 200,000 devices across that organization. So that's a bit of a wake-up call, isn't it?
ROB EDMONDSON
Yeah, it's a huge, huge wake-up call. Also, the way you framed it, I think, is so correct. It's this idea that the tools that we're relying on, right?
I'm using Intune to manage my devices. And thank goodness I have Intune because otherwise I wouldn't be able to do it.
But that same tool is turned against us now because the moment it's compromised, I can use that centralized control to cause mass mayhem.
And it's interesting because we tend to think of identity as this core layer, but actually these components of your Microsoft 365 environment, like Intune, they have such huge power, such huge centralized control.
So yes, 200,000 devices wiped and a lot of chaos. And I think it was 2 to 3 weeks before they felt they could say the business was getting back up to where it was.
So, you know, it's a long time.
GRAHAM CLULEY
Yeah. It is something I think which stops people in their tracks because it's not malware being used.
It's a legitimate program, which many organizations do use to manage not only their own devices, but sometimes there will be employees who've enrolled their own personal devices.
And they will have been wiped as well as a consequence.
ROB EDMONDSON
Yeah, that's a real nightmare, isn't it? It's this sort of entanglement of devices altogether. Even your own private property can be impacted.
I think one thing I found quite interesting was, like you said, there is no malware or ransomware involved here.
This wasn't some sort of sophisticated hacking in to get this or that.
One thing that was involved was they recently announced there was a malicious phishing, which is different to malware or ransomware, which was deployed in the environment, which was executing commands in a sort of a hidden way, which is quite interesting.
It's interesting for two reasons. Number one, when they first came out, they were very keen to say no malware, no ransomware.
Later on, as they did more investigations, they keep finding new things.
So, you know, every day when news comes out, we think we understand what's happened, but the company themselves have to keep updating what it is that they're saying.
So, you know, they don't necessarily have all the information on day one.
And so we're all constantly learning together, but that malicious file may well have been making changes in the environment, which went undetected, which is another issue.
Do we have visibility of all the changes that are going on in our environments? Because when cyber attackers attack, they want to make changes.
They want to change your security posture to suit their needs, so you need to have a way to detect that.
GRAHAM CLULEY
Yeah. And these configurations, they can over time drift, can't they? You know, things can become insecure without you noticing just through normal work.
It's sometimes hard to lock these things down. How fast does configuration drift actually happen?
ROB EDMONDSON
Well, it depends what kind of drift you're talking about, because, you know, there's loud configuration drift, which is just where someone makes a change and immediately everyone knows about it, right?
You know, you've been locked out of your tenant or you've opened the floodgates and suddenly you're surging with spam.
But then there's quiet configuration changes, and this goes back to the nation-state point.
When someone gets into your environment, whether it's the digital operation environment, whatever it is, if they're gonna try and just make a footprint and stay there, they're not gonna be making the loud configuration changes that you notice before it's too late.
It'll be the quiet ones in preparation for whatever it is that they're going to do.
So most people out there, when they hear about configuration tampering in this context may say, well, we're not experiencing that.
But the key thing is how many of your platforms are designed to tell you when it happens, right?
And if someone's in there making those quiet changes in preparation for something else, you know, do you have visibility over that?
So whether you're looking at your Microsoft 365 tenant or any other environment, being able to have visibility of how configurations change is critical because it does happen quite a lot, sometimes accidentally as well.
I mean, sometimes it'll be an administrator who accidentally makes a change, which leads to a breach, or it can even be Microsoft rolling out an update, which actually leads to your configuration state being changed because we live in the cloud now, right?
Microsoft rolls updates out and quite often there's an impact on that, which organizations just have to deal with.
GRAHAM CLULEY
And one of the issues is there are so many configuration settings, aren't there?
It's like you won't necessarily know what has and hasn't been changed and it might be easiest to go to a backup, you know, if you've got a backup of your configuration to roll it back.
But how easy is that to do?
ROB EDMONDSON
Yeah, it's a really good point.
I mean, there are so many configurations now across all of our environments and for good reason, because actually we need to be able to fine-tune these services to meet our own needs, right?
I want to be able to set things up so that I have enough openness so I can collaborate in the specific way my organization needs to.
But I also need to make sure it's secure despite that in a way that makes sense for my business.
And so for me to build that customized experience, there needs to be a lot of configurations. So monitoring them all is a nightmare. I can't just go in and check them every morning.
You know, we sometimes work with organizations, we'll go in there and they have a team of people who go in every couple of weeks.
They're going in and reviewing everything in detail for 2 to 3 weeks to have confidence. So this is a mammoth task.
And, you know, one of the biggest challenges they have when they first start doing this is they don't even know what their configuration state should be.
And so, this comes back to what you were saying, Graham. Do you have a record of what your ideal configuration state is? Could you even classify that as a backup?
And if it's a real backup, does that mean you can recover your configurations rapidly after an incident?
Those kinds of questions are questions we must be asking, given how high the stakes are right now, given that these cybercriminals aren't just attacking, you know, the grid, although some people listening may be working on the cybersecurity for various energy companies.
The general goal seems to be to demonstrate the leverage they have, the access they have to ensure that they can push negotiations in their favor.
We should assume that as negotiations proceed, there's going to be more and more of this kind of stuff happening to say, hey, look, actually we have a lot of leverage over you and it might be your organization that's targeted.
So configuration backups, configuration drift detection, these are going to be really important things.
GRAHAM CLULEY
So Rob, what can CoreView do about all this?
ROB EDMONDSON
Well, you know, given how much is going on, no one can solve everything.
Okay, we're not going to make huge promises here, but there are certain things that we've described that you need certain types of capabilities to deal with them.
You know, the example you talked about there about Intune is huge.
Because it points out that an organization can set up best practice endpoint management and everything's smooth and slick, but it's still overprivileged.
And by default in Microsoft 365, the privileged accounts that you use are extraordinarily privileged. And that's why that attack was able to happen.
So, we've all invested in the last 10 years in identity security, privileged access management.
Frankly, some of the people listening probably will have spent over 7 figures in terms of time, investment, software licenses. Some organizations have spent so much more than that.
And so, there's this question, which is, well, it's 2026, and you are telling me that one of my most important environments is still massively overprivileged despite the investments we've made.
There's a big issue here, which is the traditional tool sets are designed to manage privileges, not to reduce them. We need to be super clear about this.
A privileged access management tool, traditionally what it does is it takes that Intune account and it puts it in a vault.
And then, Graham, when it's time for you to do your administration, I force you to authenticate to get access to it.
And, you know, we've got a little audit trail showing that you're using it, et cetera.
The problem with that is, for all of its benefits, it doesn't drive down the amount of privilege that you have.
Which means that if someone with the wrong ideas, whether it's you or someone else, gets access to that power, it could be game over.
So what we need to do is we need to complement our existing identity and privilege plans with a true plan to reduce the amount of privileges associated with these accounts.
So in this case, if someone gets control of an Intune admin account, yeah, they could wipe the devices, but maybe it would only be 500 devices.
Yeah, because that admin account would be designed for that specific sub-region of the organization because the individual who uses it very rarely needs to manage 200,000 devices.
And if they do, they need to have a little holiday because it's too much work, right? This is, it's unnecessary. What you want to have is fine-grained privileges.
So CoreView can do something really cool here. What we do is we create a management layer for your Microsoft 365 tenant. So this is an enhanced interface, which is all in one place.
It's a CoreView, right? You don't have to jump between Intune, Azure, SharePoint, all these different things. It's one experience.
But what we do is we give you the ability to create virtual tenants and a virtual tenant. It's, it's, well, you know, Graham, you've just joined my IT team and I'm training you up.
I'm gonna give you access to 5 devices and 3 mailboxes or, you know, 2 identities, whatever it is.
I can basically drop those into the virtual tenant and then I can assign you to it and I can even then control your privileges further.
I can say, well, you can only do these sorts of things in this environment. What this does is it massively reduces the privilege associated with each administrator.
And the kicker here is once I've assigned you that admin access through the portal, I can deprovision the Intune or Entra or whatever account it was you were using before, which had those absurd levels of privileges.
Now you're still going to need some break glass accounts, which you can put in a vault and you can add rigorous levels of security to it.
So if anyone ever wants that incredibly powerful break glass account, you know, there's now extra levels of security and it's really highly monitored because there's only a few of them.
But day-to-day administration is done through this more least privileged framework.
So that's one area where if people have seen what's happened here and they're thinking, oh my gosh, we really can't let that happen to us.
We also have a massively overprivileged Intune or whatever part of the 365 tenant it is. There are ways you can actually achieve least privilege.
So it's no longer a pipe dream using CoreView, you can actually achieve true least privilege.
There's another component as well, which is sometimes people still need to manage those actual Microsoft 365 portals once in a while.
They want to go in, or even if they're not supposed to be in there and somehow they get in, what are they going to do?
Well, they're going to change configurations and do things, right?
So you need a mechanism that can detect when changes are occurring and allows you to get quick visibility and to determine whether or not those changes are okay.
So configuration drift detection, configuration tampering. And the other component here is, do you have your configurations backed up?
Are you able to rewind them after an incident as well?
Because as these attacks go on, one of the ways that cybercriminals can show their muscle is by deleting huge parts of your identity infrastructure, your distribution groups, changing all your configurations or deleting them, or taking your entire tenant away from you and forcing you to start again.
These are all things that we see happen at CoreView. We work with large organizations around the world. You would be blown away how often this stuff happens.
It's not announced in the press. It's not talked about in the media because people don't want to share quite how embarrassing the situation is.
But we should assume it's going to happen more because the native controls don't give you that visibility or backup.
GRAHAM CLULEY
Well, I'm sure you've piqued many people's interest today, and if people want to follow up, you can go and download Total Tenant Takeover, a whitepaper about The Microsoft 365 Disaster That No One Appears to Be Ready For.
To go and grab your copy, go to smashingsecurity.com/coreview. Well, thank you very much, Rob, for joining us today.
Fascinating as always, and we appreciate you coming on and sharing your expertise.
ROB EDMONDSON
Thanks, Graham. Always good to speak with you. See you again.
GRAHAM CLULEY
Excellent stuff. And that just about wraps up the show for this week. Thank you so much, James, for joining us.
I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for people to do that?
JAMES BALL
So I am @JamesRBUK on X, but I very rarely post there. I'm @JamesBall.com on Bluesky, and I am around on LinkedIn and all the other various things under my real name.
GRAHAM CLULEY
Smashing. And you can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Bluesky or Mastodon and all the usual places.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app such as Apple Podcasts, Spotify, and Pocket Casts for episode show notes, sponsorship info, guest lists, and the entire back catalog of 465 episodes.
Check out smashingsecurity.com. Until next time, cheerio. Bye-bye.
GRAHAM CLULEY
You've been listening to Smashing Security with me, Graham Cluley.
I'm ever so grateful to James Ball for joining us this week and to this episode's sponsors, Elastic, Vanta, and CoreView.
And also to the following fine folks: Matt, who spells it with one T, is therefore statistically unique in our Patreon list, which contains an alarming number of Matts with two Ts.
Philip Brannigan, a fine and upstanding name, I have to say. Robert Odegaard, a name I pronounce with great confidence and probably zero accuracy.
Corey Jason B., keeping his last name there redacted, very on brand. Orberus, sounds like an upmarket hair color. Maya McDonald.
Sonke von Repel, who not only has an umlaut in his name, he also has a von, therefore automatically the most aristocratic person on our Patreon.
Daniel Kromeck, and Dave Ellefson, who shares a name with the bassist from Megadeth. I really hope it's the same person. Anyway, thank you all so much. You are absolute stars.
Those are just a few members of Smashing Security Plus, which means that they get episodes ad-free earlier than the general public, and they can have their names pulled out at random to be mocked at the end of the show.
If you'd like to join Smashing Security Plus, just head over to smashingsecurity.com/plus for all of the details.
You can become a patron, but you can also support the show in plenty of ways that don't cost a penny.
You can like, subscribe, leave a 5-star review wherever you listen, and tell your friends about the show. Simply spread the word. That's what I'd encourage you all to do.
Go on, tell someone, because every little bit helps, and it makes all the effort worthwhile.
Well, I hope you have enjoyed this week's show and you will tune in next week when we plan to have yet another spectacular guest join us to hear all about the crazy stories from the world of cybersecurity.
Until then, cheerio, bye-bye, toodle-oo.