252: Hotel hacks, workplace spies, and the FBI

Booking.com got hacked five years ago, and didn't tell its customers... but now we know who might have been behind it. Bossware rears its ugly head again in the workplace, spying on employees. And did you receive a warning email from the FBI?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Brian Klaas of the "Power Corrupts" podcast.

Plus we have a featured interview with Perimeter 81 co-founder and CEO Amit Bareket.

Visit https://www.smashingsecurity.com/252 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guests: Amit Bareket and Brian Klaas.

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



BRIAN KLAAS. He's a journalist and he dresses up as various things to do undercover journalism to expose people. So he once dressed up like a rock, which I absolutely love. It's like this sandstone.


GRAHAM CLULEY. And not like The Rock, not like Dwayne Johnson.


BRIAN KLAAS. Like literally a piece of sandstone that has two eye holes in it. It's hilarious, right?


UNKNOWN. Smashing Security, episode 252. Ransomware, doxing, phishing, malware, ransomware, doxing, hotel hacks, workplace spies, and the FBI with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 252. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And Carole, we are joined this week by a returning guest. It's Brian Klaas of the Power Corrupts podcast. Hello, Brian.


BRIAN KLAAS. Hello.


CAROLE THERIAULT. The very wonderful Power Corrupts podcast. I'm on episode 5 at the moment of season 2. I love it, love it, love it, Brian. Love it.


BRIAN KLAAS. Oh, thank you so much. That's very nice of you. Glad to have you in my ranks of listeners.


CAROLE THERIAULT. Oh, well, I am. I'm a big cheerleader for it.


GRAHAM CLULEY. But it's not just a podcast you've got up your sleeve, is it? You've also got a brand new book out.


BRIAN KLAAS. I do. Yes, indeed. Just came out. It's called Corruptible: Who Gets Power and How It Changes Us. Shall I give you the very brief pitch of it?


GRAHAM CLULEY. Go on. Yes, please.


BRIAN KLAAS. Okay. So basically, I studied dictators and authoritarian leaders mostly in my career. And I started at one point to think, wait a minute, I've recognized these people who I've met in palaces actually in mid-level management and in homeowners associations. I think we all have this experience of the dictatorial personality. So I sort of started to think, is the name of my podcast actually true? Is it actually the case that power corrupts? And the book draws on 500 interviews that I did with all sorts of awful people around the world, and then also brings in neuroscience, psychology, evolutionary biology, political science, all sorts of studies, and it completely flipped my view of power. So it was a fascinating project, and I hope people will check it out.


CAROLE THERIAULT. Are you power hungry now? Did it rub off on you?


BRIAN KLAAS. I don't think so, but I've managed to squeak in a lot of the interviews and fly around before the pandemic struck. One of the ones I was going to do that got scratched because it was going to happen in April of 2020, was I was going to get my brain scanned to see if there was any traces of psychopathy inside there.


CAROLE THERIAULT. Wow.


BRIAN KLAAS. Being a psychopath, because they can actually, you know, look at it. So I was curious, and, uh, didn't happen. But I think, I think I'm on the right side of that divide, hopefully. Yeah.


CAROLE THERIAULT. Well, I'm buying this book for my dad, uh, for Christmas, so there you go. So that's happening. If I can get a signed copy, let's talk later.


BRIAN KLAAS. What is it? What does it tell you about him?


GRAHAM CLULEY. Exactly.


CAROLE THERIAULT. Well, thanks to this week's sponsors, 1Password, Perimeter 81, and Qualys. It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. Well, I'm going to be returning to an old data breach that you may not have heard of.


CAROLE THERIAULT. Ooh, and what about you, Brian?


BRIAN KLAAS. I'm going to talk about workplace surveillance and how companies are spying on people without their knowledge.


CAROLE THERIAULT. And I am going to be talking about an FBI snafu. Plus, we have a featured interview with Amit Bareket. He's the CEO and co-founder of Perimeter 81, an industry-leading SaaS security platform. So all this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Brian, you were just telling me that you interviewed 500 horrible people, you said.


BRIAN KLAAS. I did, yes, indeed.


GRAHAM CLULEY. You say you've interviewed 500 horrible people. Does that mean if someone gets a request from you that you want to interview them, you've kind of tipped them off in advance, they may be rather vile?


BRIAN KLAAS. Well, I will say that some of them were actually really lovely people. Most of them had no business being in power, but there were some exceptions.


GRAHAM CLULEY. Well, your travels, they must have taken you all around the world. Moscow, Berlin, Paris, London, Tokyo, Slough, you know, some of the most glamorous places on the planet, beloved by the jet set and glitterati. You must have loved checking into luxurious hotels, hot and cold running water, playing around with the trouser press. Wasn't it great filling yourself up to the neck with complimentary room service? Carole, you like to stuff yourself, don't you, with a macaroon if you're on holiday or travelling?


CAROLE THERIAULT. A macaron, please, please say it properly. It's not a— macaroon's a completely different thing.


GRAHAM CLULEY. Well, maybe, maybe when you've been travelling around, maybe you've booked your stay via a website like Booking.com. You heard of Booking.com, you two?


CAROLE THERIAULT. Yes.


BRIAN KLAAS. Of course.


CAROLE THERIAULT. And I have booked via Booking.com.


BRIAN KLAAS. I have too, because they allow you to cancel last minute.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. Ah, okay. Well, one of the world's leading online travel companies, it's where you can book flights, hotel stays, car rentals. What possible reason would someone want to hack Booking.com. Any theories? Why would you want to hack Booking.com?


CAROLE THERIAULT. Steal data, put the ransomware on their bikes.


GRAHAM CLULEY. Right, yeah. Steal payment details.


CAROLE THERIAULT. Yeah, yeah.


GRAHAM CLULEY. I'm thinking, I'm trying to be a little bit more imaginative. What about defacing hotel listings to say the bed was full of cockroaches or slag off competing hotels?


CAROLE THERIAULT. I was thinking, I thought you meant you'd like, you know, screw around with the pictures and put little cockroaches in them.


GRAHAM CLULEY. Oh, you could.


CAROLE THERIAULT. Pictures going across the bed.


GRAHAM CLULEY. If you managed to hack the site or hack accounts. Maybe you could do that.


BRIAN KLAAS. Some sort of power-hungry bed and breakfast kingpin could do this, I think.


GRAHAM CLULEY. That's what I aspire to be. Yes, that sort of power-hungry. Now, that wouldn't have been your motivation if you were the hacker who is said to have broken into Booking.com systems in 2016. Yes, I am going back 5 years, actually to early 2016, so nearly 6 years. I like to keep things topical.


CAROLE THERIAULT. It's okay. Short-term memory goes away as you get older, Graham. It makes sense you have to go back to the old days.


GRAHAM CLULEY. Well, this hacker who broke into Booking.com servers, he stole details of thousands of hotel reservations in countries in the Middle East.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And Booking.com's IT security team realised they had a serious problem, and they began to investigate the breach alongside the Dutch intelligence service. I think Booking.com is one of those companies, I think it was founded in Dutchland, but it's also half American. So it's sort of a Dutch company. And they determined that the culprit, they did lots of investigation with the Dutch intelligence service, and they determined that the culprit was a hacker called Andrew.


UNKNOWN GUEST. Oh God.


GRAHAM CLULEY. Not that useful really. Instantly made me think of a certain Andrew who's rather famous here in Blighty, famous for not sweating very much, but enjoying the Pizza Express facilities. But not him as far as I know. Now, do you remember reading the news stories about Booking.com at the time back in 2016?


CAROLE THERIAULT. No.


GRAHAM CLULEY. No, you don't, do you?


CAROLE THERIAULT. Well, no, but I wouldn't remember probably.


GRAHAM CLULEY. You probably wouldn't remember.


CAROLE THERIAULT. I don't even remember what story I did last week.


GRAHAM CLULEY. No, you're probably too addled. You don't remember anything. Well, you probably wouldn't remember because it didn't become public knowledge.


BRIAN KLAAS. Ah.


GRAHAM CLULEY. Now, according to 3 Dutch journalists, who wrote a book about the hack. Their book is called 'De Machine: In de ban van Booking.com', which in English translates to 'The Machine: Under the Spell of Booking.com'.


CAROLE THERIAULT. OK.


GRAHAM CLULEY. They say that the site was dissuaded from informing customers or even the Dutch Data Protection Authority about the hack.


CAROLE THERIAULT. They were dissuaded? Yes. By whom?


BRIAN KLAAS. Hmm.


GRAHAM CLULEY. Yeah. Who could possibly have a reason to want it to be hushed up and to withhold details of the hack from thousands of their victims.


CAROLE THERIAULT. The board, the board investors.


GRAHAM CLULEY. Well, yeah, exactly. The bosses. The bosses ultimately made the decision. And the argument that's been given is that Booking.com checked with its London-based lawyers and was told that it was not legally required to tell the authorities or individuals affected because, quote, "no sensitive or financial information was accessed". And so they didn't.


CAROLE THERIAULT. So sensitive, so like no names? Is that—


GRAHAM CLULEY. Oh no, names were taken.


CAROLE THERIAULT. Email?


GRAHAM CLULEY. Names were taken. Some details, yeah. And where people were staying as well, but no sensitive info. This is before GDPR came into force. And according to Booking.com, it abided by all the laws and they were not required. They could quite happily keep schtum. Now, of course, some people knew about this hack, but weren't very happy about this plan not to tell anyone, which included the IT experts who'd actually investigated, the people who actually worked inside Booking.com. But under privacy laws at the time, Booking.com says that it was only required to notify people affected by the data theft if it would likely have an adverse effect on their private lives.


CAROLE THERIAULT. There's a lot of words here that have a lot of meaning. Like, it could mean— what does that mean, adverse effect?


GRAHAM CLULEY. Right. It's open to interpretation.


CAROLE THERIAULT. They get murdered? Oh, yeah, no, that had an adverse effect.


GRAHAM CLULEY. Because I would argue that it was sensitive information because thousands of hotel reservations accessed involving countries such as Saudi Arabia, Qatar, the United Arab Emirates, names, travel plans, reservation details were in the hands of this mysterious hacker Andrew. And according to these journalists who've investigated, they say that the Dutch intelligence service determined that Andrew was working for a US-based company that often did work for US intelligence agencies.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. In other words, It was US spies, it appears, who hacked this Dutch company in order to steal information about some of their customers, ones who were in the Middle East.


CAROLE THERIAULT. And did they also lean on the legal team saying, hush, hush, guys, if you know what's good for you?


GRAHAM CLULEY. Well, it's, it's, I don't know. It's a simple answer, but you know, you do begin to worry a little bit, don't you? It feels like a lot of power that these guys had, right, Brian?


BRIAN KLAAS. Indeed, yes. And I do think it is— it's obviously private information. Yeah.


GRAHAM CLULEY. So if the journalist's book is accurate, the spying was carried out by the US against foreign diplomats and other people of interest in the Middle East. And the theory goes that if the United States knew which hotels people of interest were staying at, they could cross-check it against their list of hotels who they've already determined are fairly easy to exploit, to plant surveillance equipment in or gather other information. So intelligence agencies around the world, there are some hotels which they're going to find easier to spy upon than others. They may have people on the inside. They may have influence over those companies. They may be able to sneak in. They may already have systems in place to snoop on people. And it appears that's what's happening. So, it's rather astonishing that this huge website involved in travel and booking was breached. It didn't tell anyone, it kept it all quiet. And furthermore, that it was actually hacked by what you would normally feel was a friendly country, rather than, you know, someone else.


CAROLE THERIAULT. I'm playing devil's advocate, but how many other companies and corporations did also stay schtum, right? Pre-GDPR. I mean, that's part of the reason GDPR is here because it was just going, it was rife. So I get that. And it's hard, you know, 2020, you know, going back now and saying, how dare they? What's annoying is like the loose language, you know, the skirting around the truth and what is sensitive and what isn't. And I think we have that definition now. You know, it's been defined.


GRAHAM CLULEY. It certainly seems that more and more companies now are going public about having been hacked. It's not, of course, completely without precedent for one country to hack a company in another friendly country in order to find out information about its customers in the Middle East. This happened in 2013 with Belgacom, now known as Proximus. They're Belgium's largest telecoms company. They're multinational, but they're based in Belgium. They were hit by spyware, and that spyware came from our very own GCHQ, Her Majesty's Government Communications Interception Headquarters, because there were people of interest again.


CAROLE THERIAULT. Sealed with a kiss from the Queen.


GRAHAM CLULEY. Exactly. Well, I don't know. I mean, I imagine—


CAROLE THERIAULT. No, I'm sure not.


GRAHAM CLULEY. Come on. I'm sure she wouldn't— It wasn't the royal internet that's been used. I think it was a dodgy LinkedIn invitation which happened. Anyway, so what is Booking.com's response to these revelations? Well, what they've said to this new book is, "Data security is a top priority for us. We are continually innovating the robust processes and systems we have in place to protect our customers and partners."


CAROLE THERIAULT. Okay. Yeah, yeah, yeah.


GRAHAM CLULEY. So I hope you're satisfied with that. There's continual innovation going on.


CAROLE THERIAULT. Is there any like, we're sorries?


GRAHAM CLULEY. No, but the people who run the hotels have decided that there was no sensitive or financial information which was accessed. So by their determination, they're saying under the laws which were in place at the time, they say nothing sensitive was taken, therefore it doesn't need to be looked into anymore. Thank you very much. Please shut the book.


CAROLE THERIAULT. Yep.


GRAHAM CLULEY. Don't investigate any further.


CAROLE THERIAULT. Or STFU, basically.


GRAHAM CLULEY. Yeah, basically. And I don't know how I feel about this. Well, I do know how I feel about this. I just kind of feel, well, Booking.com, you've sort of blotted your copybook, even if it was 6 years ago. You're not even saying now, we're really sorry that this happened.


CAROLE THERIAULT. So Graham, are you going to never book from Booking.com?


GRAHAM CLULEY. I don't know that I have ever used Booking.com, but this is the thing, is that other travel companies, chances are that they've been hacked as well from time to time. You know, if intelligence agencies want to get into one, they probably want to get into others too. So, so who do I go to?


CAROLE THERIAULT. That's a very wise statement, Graham. That's very wise.


GRAHAM CLULEY. Thank you very much. I feel rather nervous now you said that. Brian, what do you want to talk to us about this week?


BRIAN KLAAS. I want to talk to you about companies that are surveilling their employees without them knowing. So there's a story out today in the Los Angeles Times that, that cites various research. One of them is by Teramind, a Miami-based provider of employee monitoring software, and it said that basically about 70% of its sales came from companies concerned about security before the pandemic, and 30% that used to be concerned about worker productivity. And now after the pandemic has struck, that relationship is completely flipped. So it's mostly about surveillance and less about security. And when they've looked at the actual amount of companies that are using surveillance software, they say that about 60% of companies are doing it, double what it was early on in 2020. And the rub here is that a lot of people aren't aware that this is happening to them. It can be done through webcams. It can be done through keystroke logging if it's company computers and so on. This also relates to— I can't miss an opportunity to make the link to the book that came out last week of my own, which is that I think that there is a systematic problem that we have in diagnosing who is worth watching. What I mean by that is I have a chapter where I talk about how powerful oversight is for producing accountability in human behavior. And I draw on a whole bunch of different studies from neuroscience to behavioral economics and so on. But one of the things that I think we're getting wrong is that when you look at these corporate scandals or you look at abuse of power by big fish, the real problem's happening at the top. It's happening in the boardrooms, it's happening behind closed doors in corner offices. The companies like Enron aren't getting brought down by the person who's stealing 10 minutes on their lunch break or takes a paperclip home with them.


CAROLE THERIAULT. It has an extra long poop, right?


BRIAN KLAAS. It's by the people at the top.


GRAHAM CLULEY. Yeah.


BRIAN KLAAS. So I think, you know, we have this weird relationship with power in our society where powerful people design systems to relentlessly observe and surveil powerless people. And in fact, most of the damage is being done by the people who are watching, not the people who are watched. And so, you know, I think that this needs to be inverted. Now, it's not to say that we want to have a surveillance state by any means. And I think that in general, this general trend is bad. But I think that if you're going to have surveillance software, maybe some of it should be looking at what people who are actually moving millions of dollars around, what they're up to.


CAROLE THERIAULT. 24-hour video cam for CEOs.


BRIAN KLAAS. Love it.


CAROLE THERIAULT. Webcam their houses, their mansions.


GRAHAM CLULEY. Webcam up the politicians. Isn't that what happened to Matt Hancock, I think? Isn't that how we discovered he was snogging his aide? Yeah.


BRIAN KLAAS. Yeah, and I, you know, I think— but I think this, it gets to something more profound about the sort of power imbalances that come with tech. And I think it's something about our own behavior where we have to think about who's actually doing the damage. Most, most people who are working from home are actually trying to get their work done. You know, they might not do it on the clock in the exact same way that the, the employer wants them to, but as long as they get the work done, it's not going to bring the company down.


CAROLE THERIAULT. I think, yeah, on the other hand, there's a lot of people in the higher echelons of these various positions who actually can bring the companies down and have. Over time, I've read about, like, bossware is what the kind of colloquial term is, um, you know, but they'll take pictures every 15 seconds to make sure that said employee or student is sitting with their butt on the seat looking at the screen.


BRIAN KLAAS. Worse than that, I mean, when I was doing research for this, um, there are even chairs that exist— this is in the before times, in the, in the actual physical office— but there are chairs that have pressure sensors to tell whether you're actually sitting in it.


CAROLE THERIAULT. Oh my God.


BRIAN KLAAS. And there are, there are companies in the U.S. that have, uh, a requirement that employees download GPS tracking software.


GRAHAM CLULEY. Yeah.


BRIAN KLAAS. And this isn't turned off when they leave the office.


CAROLE THERIAULT. Yeah.


BRIAN KLAAS. Right? So, I mean, one of the big takeaways I have from the book, one of the big points I make is how we have a very weird view of, you know, who does damage in society. Of course, the book talks about a million other things, but this is one small section of how the feeling of being watched actually moderates our behavior in some ways. But that's quite counterproductive if it's the feeling of being constantly surveilled when you're just doing your job. And I think the lessons that we should learn— there's also, I talk about in the book, this amazing story, a guy I interviewed, one of the good ones actually, not of the 500 people, he's one of the good ones. He's a journalist in Ghana, and he dresses up as various things to do undercover journalism to expose people. So there's two things I think that are important about him. One is he once dressed up like a rock, which I absolutely love. It's like this— not like The Rock, not like Dwayne Johnson, like literally a piece of sandstone that has two eye holes in it. It's hilarious, right? But the thing that I also love about him— I spoke to him on Skype, you know, this is, uh, two years ago before Zoom was a big thing, and, uh, I couldn't see his face because he covers it with these beads. And the reason he does that is because he wants everybody in society who's powerful to think anybody could be him, right? So he never reveals his identity. He's a secret figure who's known as Anas, but no one knows who he is, with the idea that anytime Anas could be watching you. Now, that's a very powerful and productive thing for oversight of politicians, judges. He's exposed massive corruption scandals. But it's not a good thing if we don't know if our webcam is watching whether we're having a tea break that's 1 minute too long. I think that's the point that I wanted to make.


UNKNOWN GUEST. Yeah.


GRAHAM CLULEY. And not good if you've got a bad back and you want to stand at your desk, you know, if you have to keep your butt in the chair, the chair starts having an alarm, right?


BRIAN KLAAS. Maybe they have standing mats for those people. Who knows?


GRAHAM CLULEY. It is.


CAROLE THERIAULT. I would have a dictionary if people, you know, you wouldn't know if your chair has these sensors, right? So anyone who's going to go for an extra long bathroom break, make sure you bring a dictionary and slap it on the seat. You'd have to weigh equivalent.


BRIAN KLAAS. What if you're really, really small?


GRAHAM CLULEY. Is there a particular book that you could put on your stool, if we want to use the phrase stool?


CAROLE THERIAULT. Oh yes, Brian.


GRAHAM CLULEY. How heavy is your book, Brian?


BRIAN KLAAS. You know, it's 270 pages or so. So it's not massive.


GRAHAM CLULEY. They're gonna have to buy 3 copies.


CAROLE THERIAULT. Definitely buy hardbacks. 3 hardbacks.


GRAHAM CLULEY. Yeah.


BRIAN KLAAS. Yeah, I think so. I think you're gonna have to get the— it's got, on the cover, it's got sort of gold foil. I think you'd need actual gold for it to work.


GRAHAM CLULEY. Probably. Carole, what have you got for us this week?


CAROLE THERIAULT. Okay, so we're gonna imagine it's November 12th and you guys are IT administrators.


GRAHAM CLULEY. Yes, I am.


CAROLE THERIAULT. And you're sitting around, you know, feet on your desk, definitely with butt in chair, so there's no alarms.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. And you get an email with the subject saying, "Urgent threat actor in systems." Now this isn't in your quarantine or spam folder, but sitting right there in your mainstream mail.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. What's your first do then? Do you just get up, get a sandwich, ignore it, open it up? What do you do?


GRAHAM CLULEY. Well, I'd probably open— I wouldn't open the attachment, or if there was an attachment, or click on any links. Maybe I'd look at the actual message and see who it's come in from.


CAROLE THERIAULT. Yes, let's check the sender.


GRAHAM CLULEY. Yeah, yeah.


CAROLE THERIAULT. Okay, so the email is sent to you by— from the official email address of the FBI, so eims@ic.fbi.gov. And you look this up, and it's a totally legit address. It's part of the FBI's Law Enforcement Enterprise Portal, or something called LEEP. This is like a one-stop shop to share intel across different departments. And maybe you check the IP address, and indeed, it is the FBI's IP address.


GRAHAM CLULEY. And this isn't an accidental message that's been sent. You remember in Hawaii, they accidentally sent a message to everyone there saying that—


CAROLE THERIAULT. Oh, yes. And then later, oops, sorry.


GRAHAM CLULEY. Saying North Korea launched a missile towards Hawaii caused slight panic.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Nothing, so it's not a test that's gone wrong or something like that.


CAROLE THERIAULT. Should we read the email?


GRAHAM CLULEY. Okay, go on, yeah, tell me what the email says.


CAROLE THERIAULT. Okay, we're gonna go sentence by sentence.


GRAHAM CLULEY. All right, okay.


CAROLE THERIAULT. So it says, "Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack."


GRAHAM CLULEY. Well, it's already lost me. It sounds quite technical.


CAROLE THERIAULT. It sounds quite technical. It sounds like, ooh, they know what they're talking about, the FBI.


BRIAN KLAAS. I don't know what half those words mean.


GRAHAM CLULEY. Exactly. Yeah, it sounds like they know more than I do about something. Yes, right.


CAROLE THERIAULT. Okay, so you'd probably want to read the next sentence.


GRAHAM CLULEY. Right, yes, yeah.


CAROLE THERIAULT. Okay. "We tried to black hole the transit nodes used by this advanced persistent threat actor. However, there is a huge chance he will modify his attack with a fast flux technology, which he proxies through multiple global accelerators."


GRAHAM CLULEY. It sounds like those FBI guys really know what they're talking about now. And we're up against some serious hackers.


CAROLE THERIAULT. I mean, fast flux guys, fast flux.


GRAHAM CLULEY. Yeah.


BRIAN KLAAS. Where's the bank account to send the money to the Nigerian goods now?


CAROLE THERIAULT. "We identified the threat actor to be Vinny Troia, who is believed to be affiliated with the extortion gang TheDarkOverlord."


GRAHAM CLULEY. Oh, my cousin Vinny. Yeah. Okay. Vinny. Yeah, well, Vinny's an all right guy, right?


CAROLE THERIAULT. I think at this point, I think I'd be going, what? What? Why would you be telling me who the threat actor is? And what does this have to do with anything? And what, you're telling me that your intelligence is monitoring my virtualized clusters, tell me about them. Anyway, it says, "We highly recommend you check your systems and IDS monitoring."


GRAHAM CLULEY. Right.


CAROLE THERIAULT. And then it signs off with, "Stay safe. Okay, US Department of Homeland Security." Well, that does sound authentic.


GRAHAM CLULEY. I can imagine that the Department of Security would sign off with a "stay safe." Really? No, but that's the sort of— Yes, I can actually. I'm not joking. I'm not being sarcastic. No, they might. Well, what are they going to do? Say, "Yours sincerely"?


CAROLE THERIAULT. It's too cutesy, Brian. Brian, you've read loads of government documents, I'm sure, in your time. I'm sure you've read loads through your career.


BRIAN KLAAS. I think it depends what country it's coming from. I think that, you know, if it's American, they'd say like, have a good day or something like that.


GRAHAM CLULEY. Yeah. Stay safe. Yeah.


CAROLE THERIAULT. Okay. Okay. So, so, so what do you do at this point? Because there's no instructions, there's no attachments, there's no links.


GRAHAM CLULEY. Oh, so they're not up to any— so, so what's the point of this?


BRIAN KLAAS. How are they—


CAROLE THERIAULT. So what's the point of this? And what are you supposed to do? And what, you know, how do you check your virtualized clusters? Right? And what is that? And what the heck's going on here?


GRAHAM CLULEY. Right.


BRIAN KLAAS. I think I'd forward it to you.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Well, I don't think we'd help very much. I don't think we'd know either. So, so people were kind of, didn't know what to do. So what are the, what would you do? You maybe you'd call the FBI.


GRAHAM CLULEY. I would go onto Twitter. I would go onto Twitter and I'd see if other people have received something like this.


CAROLE THERIAULT. Right. Okay.


GRAHAM CLULEY. You wouldn't call the FBI immediately. That sounds like too much like effort. I would just go and have a look on Twitter.


CAROLE THERIAULT. A lot of people decided to call and jam their lines. The problem was that the Federal Bureau of Investigation, the email servers were indeed hacked to distribute this spam email impersonating the FBI. And according to BleepingComputer, spam-tracking nonprofit Spamhaus noticed that this glut of messages were being delivered in two waves early on the 12th of November. And they said that the fake emails reached at least 100,000 mailboxes, though they feel this is very conservative. So Brian Krebs wrote on his blog that spam messages were being sent by abusing insecure code in the FBI online portals. Online portals are such a pain in the ass for people to administrate because you already have your website and everything, other devices that you have to administer across the company. And then all these marketing people and different communicators want online, special online portals to discuss things, you know, directly. Anyway, there are often issues in them. I'm interested in Vinny, right? I'm interested in Vinny, who was mentioned in the mail.


GRAHAM CLULEY. Well, I've heard of Vinny before.


CAROLE THERIAULT. Okay, talk to me about Vinny.


GRAHAM CLULEY. Well, Vinny's on the speaking circuit.


CAROLE THERIAULT. Yes, he is on the speaking circuit.


GRAHAM CLULEY. He's one of those sort of people who stand up on a stage and give talks about cybersecurity.


CAROLE THERIAULT. Blah, blah, blah.


GRAHAM CLULEY. Can you imagine how hopeless that is? No, no. That sort of person. Yeah, no, he's basically the competition for me, Carole.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. People like Vinny, yeah. But, you know, he's an author and, you know, he investigates cybercrime and things. So I'm a little bit surprised that he's now turned to the dark side and is now exfiltrating data from my network.


CAROLE THERIAULT. Graham, you identified him very well, 'cause I didn't know him, so I had to do a bit of looking in. So he's also head of security research at the dark web intelligence companies NightLion and Shadowbyte.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Bleeping Computer got in touch with Vinny to ask him why he's being blamed in this email. And he says, "My best guess is Pompompurin and his band of minions. These are the guys behind the incident." Pompompurin? Pompompurin.


GRAHAM CLULEY. That sounds a bit like Chim Chimerey, Chim Chimerey, Chim Chim Cheru. Well, what kind of name is that? What, is that a name of a hacker, is it?


CAROLE THERIAULT. Well, apparently Pompompurin contacted Troia a few hours before the spam email campaign started, simply to say "enjoy" as a warning that something involving the research was about to happen. And apparently Pompompurin messages them every time they start an attack to discredit Troia. So there's like a long-running feud apparently between the members of the RaidForums hacking community. Hmm. What? What are you saying?


GRAHAM CLULEY. Well, is it really doing that much damage to Vinny Troia? I would imagine his name gets out there much, much more because—


CAROLE THERIAULT. Oh, are you in the market for someone to start badmouthing you in spam emails? Is that what you're looking for?


GRAHAM CLULEY. I've given people plenty of reason in the past. I don't think I'm important enough for them to bother.


BRIAN KLAAS. Well, Mark Gaddafi contacts me all the time, so— and he's dead.


CAROLE THERIAULT. Well, so I was like, "Pompompurin, what is going on?" Right? So I went looking around and turns out Krebs got a missive from an actor claiming responsibility. And his first line is, "Hey, it's Pompompurin. Check headers of the email. It's actually coming from FBI server. I'm contacting you today because we located a botnet being hosted on your forehead. Please take immediate action. Thanks."


GRAHAM CLULEY. Sorry, Brian Krebs has a botnet on his forehead.


UNKNOWN GUEST. Apparently.


CAROLE THERIAULT. I don't really know what that means. I thought I was going to ask you. You're a bit more geeky.


GRAHAM CLULEY. I think it's a comment on Brian's haircut, possibly. Maybe he doesn't have a big enough fringe to cover his forehead. Well, I think he looks perfectly fine, but maybe the hackers have got some sort of issue with how he looks. It sounds rather juvenile to me. Is that possible? A cybercriminal being juvenile?


CAROLE THERIAULT. He said— so speaking of Krebs, he said, "I could have 1,000% used this to send more legit-looking emails, trick companies into handing over data, etc., and this would have never been found by anyone who would responsibly disclose due to the notice the feds have on their website." So that's interesting. He's basically saying that he could not responsibly disclose because of some—


GRAHAM CLULEY. Some legalese.


CAROLE THERIAULT. Some legalese of the feds.


GRAHAM CLULEY. Right, saying you can't do this on our server if you find a bug. Well, couldn't the FBI now say, look, we're actually really grateful you found this. If you would like to apply, telling us your full name and address.


CAROLE THERIAULT. Pump, pump, you're in, Mr. Pump, pump, you're in.


GRAHAM CLULEY. We will send a special delegation round to your house "to deliver your bug bounty personally." And a couple of extra surprises.


CAROLE THERIAULT. The thing was, they did manage to hack this page, but none of the data that was on the LEEP system was accessed. It was all grabbed by— from another— scraped from another database. So, it really was just a juvenile kind of trick, but it did cause some drama. You know, I think people would not have been as lazy as you, and they might have contacted the FBI and going, "What the fuck, guys?"


GRAHAM CLULEY. WTF? Well, clearly, yeah, clearly people did. Yeah. Even if they didn't lose any data, they still had a portal exploited by a mischievous little runt.


CAROLE THERIAULT. My final question. My final question. Do you think the FBI has apologized for their oversight on the website?


GRAHAM CLULEY. I think, yes, they have.


CAROLE THERIAULT. Okay. Brian?


BRIAN KLAAS. I would guess no.


CAROLE THERIAULT. Correct. Brian's right. No, not the first time. Okay.


GRAHAM CLULEY. Perimeter 81 is the first ever cybersecurity experience platform designed around instant deployment, unified management, integrated security, and full visibility. Perimeter 81 allows organizations of any and all industry sizes to support IT teams with robust tools to secure and manage your global network with one unified platform. Securing remote access for cloud and hybrid businesses and organizations, Perimeter 81 provides unified solutions such as zero trust network access, firewall as a service, device posture check, and more. Learn more and request a demo at perimeter81.com. That's perimeter81.com.


CAROLE THERIAULT. We're also sponsored by Qualys, one of the pioneering providers of disruptive cloud-based IT. Qualys delivers continuous critical security intelligence via their Qualys Cloud Platform and integrated cloud apps. And their powerful solutions empower organizations to streamline and consolidate their security and compliance solutions in a single platform, achieving greater business agility, better outcomes, and substantial cost savings. Qualys announces 3 solutions: ransomware risk assessment, cybersecurity asset management, and zero-touch patch management.


BRIAN KLAAS. Want to learn more?


CAROLE THERIAULT. Of course you do! Check out smashingsecurity.com/qualys. Q-U-A-L-Y-S. That's smashingsecurity.com/qualys. And thanks to Qualys for sponsoring the show.


GRAHAM CLULEY. 1Password 8 for Windows is out right now. 1Password 8 for Windows has been reimagined to feel right at home on the world's most popular desktop operating system. From dark mode and passwordless integration to smart search and secure item sharing, 1Password 8 is the new home for your digital life. Productivity improvements, enhanced security and privacy features, and a modern design deliver a first-class experience that offers the best of Windows 11. 1Password 8 for Windows helps you manage, remember, and protect your sensitive information more easily and securely than ever before. So what are you waiting for? Find out more. Try 1Password free for 14 days at 1Password.com/SmashingSecurity. Smashingsecurity.com. And thanks to the folks at 1Password for supporting the show. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


BRIAN KLAAS. Pick of the Week.


CAROLE THERIAULT. Perfect.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Now, in a slight change, I'm going to do a little bit of a shout-out because it was my niece Marlowe's birthday recently, and I sent her some little cupcakes, which was frankly a bit of a lazy gift. And—


CAROLE THERIAULT. Yeah, did you make them?


UNKNOWN GUEST. No.


GRAHAM CLULEY. No, no, no.


CAROLE THERIAULT. Thank God. Lucky her.


GRAHAM CLULEY. Yeah, she should be grateful, shouldn't she?


CAROLE THERIAULT. She definitely.


GRAHAM CLULEY. But as a penance, she has asked me to give a bit of a shout-out on the podcast too. And indeed, I'm going to dedicate my Pick of the Week suggestion to Paul Frost of Streatham and Clapham High School, London. He is the best computer science teacher within the Streatham and Clapham catchment area.


CAROLE THERIAULT. Ah!


GRAHAM CLULEY. As voted for by my two nieces, Mallory and Marlowe. So Paul, congratulations. This Pick of the Week is for you. And hopefully I've got off any birthday shenanigans for another year. So my pick of the week this week is not security related. It is a video game called Trailmakers, which I've been playing with my son on the PlayStation, but it is also available on Steam and on the Xbox. It is a physics-based game where it's a bit like Lego. It's a bit like Technic Lego where you can build cars and monster trucks and boats and submarines and tanks and aircraft and amphibious vehicles. All sorts of things. You can even build like an AT-AT from Star Wars or, you know, it's basically you're limited by your imagination, your imagination and your ability to make them aerodynamic or having a good center of gravity. Because it turns out, Carole, I don't know if you found this as well, Brian. It turns out it's quite hard to make a working helicopter or an aircraft and to actually get it to go up in the air and not crash. If you can get it to leave the ground at all. Turns out it's tricky.


CAROLE THERIAULT. You know, you're giving me a great idea for a game. Imagine you could scan your body and then say, how do I become aerodynamic? And you'd have to like lengthen your arms or, you know, whatever to kind of be weightless enough. And you could find out what length of arms you would require.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Yeah.


BRIAN KLAAS. Okay.


CAROLE THERIAULT. Listeners, someone run with it. It's yours.


GRAHAM CLULEY. Well, yeah. And anyway, so, and once having designed these things, you can share them online. You can, have other people download them and adapt them. My son and I, we've been doing little build challenges. And he came up with the idea of, how about we build some monster trucks, Dad, but let's make them look like dogs. And so we've been driving dogs around this island in a little sandbox island. Well, his drove around complete with a wagging head and tail. Mine just sort of fell over. It had the oddest way of steering you've ever seen in your life. But anyway, I've had great fun. The game is called Trailmakers. I will put some links in the show notes where you can check it out or check out the video as well. I think if your kids are going to play video games, this is a better kind of video game to play because you are creative. You're learning about physics, you're learning about engineering, and it was all good fun. So that is my pick of the week.


BRIAN KLAAS. Nice.


GRAHAM CLULEY. Yay. Brian, what's your pick of the week?


BRIAN KLAAS. All right, so my pick of the week is a book. It's not my book, but it's featured in my book.


CAROLE THERIAULT. So, oh, it should be your book. What's your name of the book again?


GRAHAM CLULEY. What's— have you got a book out, Brian? Have you ever written a book?


BRIAN KLAAS. Oh, right. Uh, it's funny you meant— you mentioned it. It's called Corruptible: Who Gets Power and How It Changes Us. But the book of the week that I'm going to— my pick of the week is actually a book that inspired a chapter, uh, and it's a book by a journalist called Mitch Moxley, one of the other good people in the 500 that I've interviewed. He's a journalist who spent a lot of time in China, and the book is Apologies to My Censor, as I say. Now, one of the things that I think is amazing about this book and where this story comes into my work is he gets this call while he's living in China. He's a freelancer. He's living on paycheck to paycheck, basically trying to get some sort of story published so he can buy food, pay rent. And one of his buddies calls him up and says, you know, we've got this job for you. Do you want to fly to this town called Dongying? And all you need to do is bring a suit. And Mitch Moxley says, okay, sure. It sounds like a story to me, so I'll do it. Now, what was amazing about this, and it's the beginning of this chapter, is called White Guy in a Tie. Is that what he was there to do was to pretend to inspect a factory that was being built. And local investors were told that a California parent company had come and was really interested in this factory. And he was given this knockoff vest that was supposed to be Dolce Gabbana, but was totally misspelled. And so he would go, and it was like a construction vest as well. So it makes no sense that it would be Dolce Gabbana. But like, he was like, he would go into this like room and they would put him in a suit. They'd have him in his suit and he would be reading magazines and then they'd say, okay, now you got to do your job. He'd look around and do quality control. And he's like, I have no idea what I'm actually looking for. I've never done this. They said, just look, it'll be fine. 
And then they had him go to the grand opening, which he still says, he's like, the factory was like half done. So I don't understand what we were doing. But one of his friends gave the speech at the grand opening. They handed him a thing to read and all he grammatical errors and so on. And, um, and he's part of this industry in China that, that he, he termed "white guy in a tie," of lending a veneer of sort of international prestige to these, uh, Chinese enterprises. And the funniest one I came across was this filmmaker named David Borenstein, who, uh, he basically played the clarinet, and they, they introduced him at this grand opening as being part of America's most popular country band called Traveler, which they didn't know doesn't have clarinets involved in it. And the lead singer didn't speak English. She was from Spain and couldn't sing. So a few problems with their plan. But the reason I bring it up is because I use this as the introduction to a chapter that talks about how evolutionary processes have meant that we look at individuals when we're deciding who to give power to, and we make some very irrational calculations that are often superficial. So the book was fantastic. By Mitch Moxley, Apologies to My Censor, and it shaped my thinking a lot in trying to understand what I call the power delusion of why we give power to all the wrong people for the wrong reasons.


GRAHAM CLULEY. And just to be absolutely clear on this, because I think I've only just tweaked, this wasn't for a scam or anything. This is purely for prestige and kudos. It's just like, "Oh, look, we've got this man coming along who's involved." Exactly.


BRIAN KLAAS. There's actually a cottage industry. There are people who make their money in China who are expats, Basically, they're white, and they're brought in to give the veneer of legitimacy to Chinese operations to show that they have international appeal. So they sometimes will have attractive white women at the opening of bars to show that they're—


CAROLE THERIAULT. I've never seen a Western company do that ever.


BRIAN KLAAS. So it's an amazing— I mean, it's an amazing statement on race and power and all sorts of things, but it's a whole cottage industry apparently. Mitch just stumbled across it and said, "This actually is something that a lot of people do and it's how they earn their money in modern China." Maybe there are actually agencies which have a variety of white men on their books you can choose from, maybe with a clarinet, maybe not. The funniest thing about this, I talked to him about this, and he was featured in the 100 hottest bachelors in China's Cosmo, Cosmopolitan magazine, and they hadn't seen a picture of him before they picked him. Now, he happens to be a good-looking guy, but it's just like, it's just a very funny thing where they like, they just picked like 100 white people and put them in this magazine. And it's just like, oh my God, how, how does this happen in like the 21st century? It's just so unbelievable.


CAROLE THERIAULT. Did he get paid well though?


BRIAN KLAAS. I don't— I think he got paid like $1,000 and then got lodging, but he was in this like, you know, sort of backwater town. So I, I think he did it for the story. Because ultimately he wrote about this in The Atlantic and then I think an agent probably contacted him and he turned it into a book about all about his adventures in modern China.


GRAHAM CLULEY. Fantastic. So the book's called Apologies to My Censor by Mitch Moxley. That's right. Terrific. Carole, what's your pick of the week?


CAROLE THERIAULT. Okay, we're heading to entertainment and culture. So Graham and I, we share some tastes actually, but we don't share everything. You hate nuts, for example, which is ironically nuts.


GRAHAM CLULEY. I don't like the clock on the wall in your living room.


CAROLE THERIAULT. Yes, which is an amazing clock. I should send a picture to our listeners and they will agree with me.


GRAHAM CLULEY. I don't think they'll like it either.


CAROLE THERIAULT. I think they will. But I think you're going to like this Pick of the Week. Actually, I should ask you first, do you like Billie Piper?


GRAHAM CLULEY. Billie Piper? Rose from Doctor Who. She's terrific.


CAROLE THERIAULT. She's terrific?


GRAHAM CLULEY. Yes. Secret Diary of a Call Girl?


CAROLE THERIAULT. Exactly. Okay, so have you heard of a series called I Hate Suzie?


BRIAN KLAAS. I have not.


GRAHAM CLULEY. I think I have heard it. I haven't seen it.


CAROLE THERIAULT. I hadn't either, but friend of the show Dave Bittner sent me a message saying you should check it out. It was, you know, right up my street, and I obviously trust him because I had to purchase it because I don't have Sky or anything like that. So, so Billie Piper stars in it. She plays Suzie Pickles, a former child screen star. And as the character, she has poor impulse control. She's utter, you know, she's irresponsible, she's high maintenance, but she also has a number of assholes in her life that don't help matters at all. But things get super complicated when a compromising sex scandal involving the married Pickles hits the papers, all thanks to a phone hack. Oh my God, that's kind of security related.


GRAHAM CLULEY. Oh, hello.


CAROLE THERIAULT. Apologies for that.


GRAHAM CLULEY. Her phone is hacked, eh?


CAROLE THERIAULT. Yeah, I'm sorry, guys. Yeah, yeah. Anyway, so it has a lot of references to things that have happened in the UK press over the last decade or so, two decades probably. And also, it probably follows a lot of tangents in her own career because she was a child star, right? A singer.


GRAHAM CLULEY. Yes, she was. Yeah.


CAROLE THERIAULT. Yeah. And the writing is very fresh. It's written by Lucy Prebble, who also wrote Secret Diary of a Call Girl. And it has the same gritty sadness. It's funny, it's lewd, it's a little wild, it's a little dangerous. But you just feel like you're on a roller coaster, and you think the thing's going to fly off the track at any point, and you just don't— you can't predict it. And that's hard to do in a story. So, this is definitely not for kids, but my pick of the week this week is a TV series called I Hate Suzie. Thanks, D-Dog Dave.


GRAHAM CLULEY. Oh, right. And where can people watch this?


CAROLE THERIAULT. I had to buy it. So you can get it on Sky in the UK. I purchased it off, you know, you can, you know, wherever you can buy series, TV series, right? So like Apple or Amazon or any of these.


GRAHAM CLULEY. Hmm. Oh, interesting.


UNKNOWN GUEST. Okay.


CAROLE THERIAULT. Check it out, Graham. It's worth it. You'll like it.


GRAHAM CLULEY. All right. Okay. Well, Carole, you've had a busy week, haven't you? You've been speaking to the folks at Perimeter 81.


CAROLE THERIAULT. Yes, I spoke with Amit. Interesting interview. Check it out. Okay, today we are speaking with Amit Bareket, CEO and co-founder of Perimeter 81, an industry-leading SaaS security platform. Welcome to the show, Amit.


AMIT BAREKET. Thank you very much. I'm happy to be here.


CAROLE THERIAULT. Now, you are the co-founder of Perimeter 81. Can you tell us a little bit about what drove you to launch this SaaS security platform? Like, was there a problem you wanted to fix, or what drove you?


AMIT BAREKET. Actually, it's a very deep question. I had my previous company, SaferVPN, a consumer VPN company that me and my co-founder sold to a public company in the US. Back then in 2013, we developed a consumer VPN solution, which was our first startup, our first company that we incorporated together after I left my corporate job at IBM and Sergey at Siemens. Back then we wanted to develop cloud security solutions for consumers. But while we were working with our customers back then, the consumers, we heard a lot of demand from the business side, from businesses, to consume security and networking from the cloud. And back then, fiber started and 5G, there were discussions about it, and the internet became faster and faster. It was before COVID, but we saw a trend where the internet is going to become the new corporate network. We thought, how can we utilize all our knowledge and know-how, both on building SaaS solutions specifically for B2C, business-to-consumer, security solutions, to build a secure network for organizations to be delivered over the internet? So it doesn't matter where the employees are, when they open the laptop, they have the same security experience.


CAROLE THERIAULT. That's incredible because your timing is perfect in a way, considering the last few years that we went through where people were having to work from home for the first time in their lives in some cases.


AMIT BAREKET. That's right. It's absolutely correct. COVID really accelerated this trend overnight in February 2020. I remember that very clearly. For us, COVID accelerated this trend, which would have happened anyway, but instead of 10 years, everything shrunk into 2 years. So our product development and adoption, we strongly believe that it will only get stronger.


CAROLE THERIAULT. Yeah. You know, I've heard you guys refer to the cyber complexity trap. Can you tell me a bit about that?


AMIT BAREKET. Absolutely. So what we found out is that not only are employees working from home and resources moving to the cloud and the internet is the corporate network, but today there are many, many different cybersecurity solutions. Okay. And the average IT manager, and we've done a survey, manages about 20 different security solutions. Each one managed separately has its own setup installation, sometimes, most of the times, hardware management console. And that increase, the inflation of security solutions, basically creates a paradox, a trap where there are dozens of tools to manage. Because of that, you don't see anything. So, and even you don't know which security solution you need to implement. So when you ask an IT manager, what is your current area of focus, right? He's confused. And it's also decreased the ability to provide impact. That basically complexity, we call it the cybersecurity complexity trap, where employees are working from everywhere and the internet is now the corporate network. There are many devices, many resources, many hybrid environments, but there are dozens of tools to manage.


CAROLE THERIAULT. Yeah, the complexity for the IT professional and the CISO has just grown exponentially, I think, over the past maybe even 5 to 10 years. But I'm not sure the resources have climbed with that. I wonder how many of them have actually pulled their hair out completely because of the new situation that they're facing.


AMIT BAREKET. So absolutely, I think that if two years ago, a year ago, during COVID, right, the discussion was around how I'm going to secure my employees while they're working from home, how I'm going to secure my cloud environments, right? Today it's how I'm going to deal with all those tools. This is a very hot topic because that inflation of different tools and solutions is decreasing the impact on security. And what we found is that it's not only important to provide a tool to secure, to unify security and networking over the cloud, but also to build an experience, okay, in order to deliver cybersecurity in a simple way and engineer the solution, right? Not only to, to answer the use cases, but rather put the people in the center and think and engineer, right? Invest many hours and days and weeks and years into it and make a revolution, not evolution, in the way that cybersecurity is being consumed. This is one of the reasons why we launched the new category now, which we call the Cybersecurity Experience Platform.


CAROLE THERIAULT. Perfect. I really wanted to ask about that. So please tell us about that. Tell us about this new service.


AMIT BAREKET. So the Cybersecurity Experience Platform, what we've done along the way, and we've been hearing from our customers that we managed to build a solution that is very simple. It increases productivity, it increases the impact on the organization, the ability to implement security solutions. That we basically built a radically simple cybersecurity solution. That's what we're hearing from our customers. As we continue to hear that, we'd like to double down on that, right? To invest more and to continue engineering a solution, right? To provide insights that will be an evolutionary step in cybersecurity for any business.


CAROLE THERIAULT. Is it, is it fair to say almost out of the box is what people really need right now because they, they don't want to spend too much time worrying about security. They want expert partners that are going to do that for them, right?


AMIT BAREKET. It's, uh, they want the minimal effort. We call it becoming a Sherpa, right? A partner. And where you basically give them solutions for today's needs, but also for tomorrow, and take them hand in hand throughout this journey to implement a modern cybersecurity posture within the organization, specifically in this new world where the internet is the new corporate network. Our platform includes a few positive tips to do it, like the deployment is instant and you don't need to wait or order any hardware. Everything is being done via software. There is one management console that is unified and provides a lot of insights and data and extracts the juice, right, the important thing to the IT managers and the security personnel in a very effective way. Integrations with all the important security solutions like identity provider and SIEM service in a very holistic way, not just like PR or blog post about integration, but really to drill down deeply into how we can be better together with using security services and to unify the experience, full visibility and partnership and guidance as well with our customers.


CAROLE THERIAULT. If you had a new customer who's listening to this and going, this sounds absolutely fantastic, one of the things that they often ask is, what is the onboarding time? Like, from actually looking at it and getting it to actually having it up and running and protecting you?


AMIT BAREKET. No, we made it very, very easy. And just like implementing Office 365, it can be done very quickly, in an hour, sometimes some deployments a bit more. But it is important to stress that companies that are starting with us are not overnight basically removing all their existing security solutions and appliances. It's a, it's a process. It's, it's not rip and replace, but it's migrate, right? So as you move to the cloud, yes, we have integrations with all the existing security solutions, including all the firewalls out there, and allowing companies to do the migration at their pace, right? And we don't push them to do it in one day to completely change the way the IT and security is being delivered. But rather than join this journey, you can start with a small team, for example third parties. Okay, we have many larger enterprises that instead of moving their entire company to consume networking and security from the internet and the cloud using Perimeter 81, they choose to do it only with a third party. Okay, so any supply chain, instead of giving them access to the legacy network of the organization, they provide them a different network that is secured by Perimeter 81 and slowly, slowly adding more and more departments.


CAROLE THERIAULT. And so from what I'm getting, actually, this is a solution that is not just suitable for large enterprises or small businesses, but actually can accommodate across the whole spectrum of company sizes.


AMIT BAREKET. You can think about it like Gmail, right? Gmail can be for a small company and a very large enterprise.


CAROLE THERIAULT. Yeah, yeah. Um, is there anything that you'd like to add for our listeners?


AMIT BAREKET. Um, yes, I think that, uh, we are at a point in time that is revolutionary in terms of cybersecurity and networking infrastructure that is being developed, and we are here to help. I think that it's better to, to prepare ahead for this evolution. It will increase. I think we're just in the beginning. It will increase over the next few years. And it's very, very meaningful. We see all the attacks that are happening in the world. It's starting to double down on the security posture of the organization. And regardless of implementing Perimeter 81 or not, we have a team and consultancy team that is helping through that journey and transformation that is happening today in the market. So feel free to reach out to us and, and ask us anything that you have in your mind.


CAROLE THERIAULT. I actually have one more question for you, if that's okay.


AMIT BAREKET. Sure.


CAROLE THERIAULT. I just was wondering your opinion on the plethora of cloud services out there that have default settings that may not be necessarily in the best cybersecurity interest of the company. Have you seen that as well? Is that your experience?


AMIT BAREKET. Yeah, so that a lot. That is an area that we, Perimeter 81, would like to continue and develop as well within our platform. Definitely all that posture management of SaaS solutions. And it's a big topic now. Whether two-factor is enabled or not, right? How you can have visibility into all your SaaS applications. You have lots of different SaaS applications, and it's a very hot and relevant topic these days.


CAROLE THERIAULT. Yeah, absolutely. Well, Smashing Security listeners, you wonderful people can learn all about Perimeter 81 and its flagship cybersecurity experience platform, and you can even book a demo. So go to Perimeter 81, that is perimeter81.com. Amit Bareket, CEO and co-founder of Perimeter 81, thank you so much for coming on and speaking to us about cloud security.


AMIT BAREKET. Absolutely, it was a pleasure. Thank you so much.


GRAHAM CLULEY. Terrific. Well, that just about wraps up the show for this week. Brian, I'm sure lots of our listeners would love to follow you online, find out more about your book. What's the best way for folks to do that?


BRIAN KLAAS. Yeah, so, uh, my Twitter handle is Brian Klaas, which is Brian with an I and Klaas, K-L-A-A-S. Uh, and the podcast is Power Corrupts and the book is Corruptible: Who Gets Power and How It Changes Us.


CAROLE THERIAULT. Go out and buy it, people.


GRAHAM CLULEY. Fantastic. And you can follow us on Twitter at Smashing Security, no G, Twitter and LastPass have a G, and we've also got a Smashing Security subreddit. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.


CAROLE THERIAULT. And finally, thanks to this episode's sponsors, 1Password, Qualys, and Perimeter 81, and to our wonderful Patreon community. It's thanks to them all this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 251 episodes, check out smashingsecurity.com.


BRIAN KLAAS. Until next time, cheerio, bye-bye.


GRAHAM CLULEY. Bye. Bye.


CAROLE THERIAULT. And actually, Brian, I have to ask this because I wasn't sure. Do you have a clip of Piers Morgan speaking in one of your Power Corrupts episodes? Do you remember?


BRIAN KLAAS. I don't think so. Uh, I can't remember.


CAROLE THERIAULT. Okay. Oh God. Okay, okay. Maybe it wasn't him. I was, I was just thinking it sounds like him. I can't remember even which one it was now. I was just listening to yesterday.


BRIAN KLAAS. It's, you know, it's, it's possible.


GRAHAM CLULEY. I—


BRIAN KLAAS. the thing is, like, I, I draw clips from all sorts of news things, so it's totally possible, but I don't remember him specifically.


CAROLE THERIAULT. Anyway, it was just because Graham has a bit of a love affair with him.


GRAHAM CLULEY. Oh, right. I think when you say love affair, what you actually mean is deep, deep hatred.


BRIAN KLAAS. I thought that that might be the case.


GRAHAM CLULEY. Yeah, sure.

-- TRANSCRIPT ENDS --