Was hidden treasure found with help from a hack? What security lessons can be learnt from a controversial police raid in Florida? And are you ready for safer online get-togethers this Christmas?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Anna Brading.
And don't miss our special featured interview with Mimecast's Max Linscott.
Visit https://www.smashingsecurity.com/208 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guests: Anna Brading and Max Linscott.
Sponsored By:
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But LastPass isn't just for enterprises; it's an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
- CultureAI: CultureAI isn't just another security awareness training provider. It helps you measure and improve every end-user's cyber security behaviour, providing a management system for IT, Security and Awareness teams.
- Learn more and try it for yourself at culture.ai/smashing
- Mimecast: Mimecast's State of Email Security 2020 report helps you understand the most pervasive threats and how they attack organizations at their email perimeters, from inside the organization (through compromised accounts, vulnerable insiders, social engineering), or beyond the organization’s perimeters (the domains they own and their brands via impersonation).
- Grab your copy at smashingsecurity.com/mimecasthub
Links:
- Smashing Security's Christmas 2020 live stream — Join us on YouTube on Thursday 17 December 2020 at 8pm (UK) / 3pm (Eastern) / Noon (Pacific).
- Forrest Fenn's Treasure.
- The Man Who Found Forrest Fenn's Treasure — Outside Online.
- A Statement on the Disclosure of My Identity — Jack Stuef.
- A Chicago treasure hunter was on the trail of a hidden chest worth more than $1 million — but she says she was hacked and her ‘solve stolen’ — Chicago Tribune.
- Cops raid home of ousted data scientist who created her own Florida COVID-19 dashboard — The Register.
- Video of police raid on home of Rebekah Jones — Rebekah Jones's Twitter account.
- Former Israeli space security chief says aliens exist, humanity not ready — The Jerusalem Post.
- Christmas pizza from Pizza Hut — Rotisserie Chicken paired with Crispy Bacon and Sage & Onion stuffing, all on top of a Red Wine Gravy base. (Contains Alcohol)
- Tiger Pig (Pig in Blanket) — Subway.
- Christmas menu at Pret A Manger.
- Festive food from Marks & Spencer.
- Brian & Roger.
- Carole, Graham, and Anna's Christmas party 2009 (with Yogi) — Tweet by Anna Brading.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. All right. Hi everybody, Carole Theriault here from Smashing Security. Something a little different this week. We have had quite the year. So Graham Cluley and I have decided that any monies we receive via Patreon during the month of December 2020 will go directly to our local food bank. We're doing this because there are a lot of people that are hungry and it's getting cold out there and it's Christmas. If you're not a Patreon Patreon supporter, which is totally fine, I do urge you to look at your communities to see how you might be able to help bring a little bit more joy this season to those that are having a hard time. And lastly, just a huge thank you for all your support this year. It has meant the world to us. Now let's get this show on the road.
GRAHAM CLULEY. Now Anna, tell me, do you feel some sort of empathy for this woman who's in this situation where she was involved in a project and then suddenly she's no longer involved in the project. Maybe a new team have been brought in to take over. Is that something you can identify with at all? Sticky pickles?
ANNA BRADING. Well, oh, sticky pickles. I actually thought you were talking about something else. Oh.
ROBOT. Episode 208: Hidden Treasure, COVID Tracker Trauma, and Happy Holidays with IoT with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security Episode 208. My name's Graham Cluley.
CAROLE THERIAULT. I'm Carole Theriault.
GRAHAM CLULEY. And Carole, we're joined this week by a special guest.
CAROLE THERIAULT. Oh, a very special guest.
ANNA BRADING. Hello.
CAROLE THERIAULT. Hi, Anna Brading.
ANNA BRADING. Hello, how are you?
CAROLE THERIAULT. Have we spoken since you left Sticky Pickles? I don't know.
ANNA BRADING. Well, there was a smear against my name, Carole. You did spread vicious rumours and I'm not happy about it. You've denied that I'm indeed pregnant.
CAROLE THERIAULT. Well, thank God for COVID. Occasionally it works out.
ANNA BRADING. Yes, thank God for COVID.
CAROLE THERIAULT. You can't beat me up.
ANNA BRADING. Anyway, lovely to be here.
GRAHAM CLULEY. So Anna, you're ex-Sticky Pickles. I don't know the details of why you fell out with Carole. Dry Pickle now. No longer doing the show and she's replaced you with someone else. Are you going to be attending the Smashing Security live Christmas party on the 17th of December?
ANNA BRADING. Well, if I'm invited, I'd love to.
GRAHAM CLULEY. The whole world is invited.
ANNA BRADING. The whole world. Oh, well, yes, definitely.
GRAHAM CLULEY. 8 PM is a live stream. All you've got to do is go to smashingsecurity.com/live.
ANNA BRADING. Well, I will be there. Yep.
CAROLE THERIAULT. 8 o'clock UK time.
GRAHAM CLULEY. 3 PM Eastern time.
CAROLE THERIAULT. And 12 noon. Pacific Standard Time.
ANNA BRADING. What time is that in Singapore?
CAROLE THERIAULT. It's going to be 9 AM.
GRAHAM CLULEY. I wouldn't bank on— I don't know if that's true.
CAROLE THERIAULT. 11 hours, I was thinking.
GRAHAM CLULEY. No, I don't think that's true at all. It's not 9 AM. I don't think it is. Someone will find out.
CAROLE THERIAULT. Okay, well, I just wish you did it at work, Graham.
GRAHAM CLULEY. Well, okay, Carole, what's coming up on the show this week?
CAROLE THERIAULT. Well, first, let's thank this week's sponsors, Mimecast, Culture AI, and LastPass. Their support helps us give you this show for free. Now, coming up in today's show, Graham goes on the hunt for some hidden treasure in the Rockies. Anna tells us of a crazy police raid in Florida, and I'll share tips on avoiding cyber hell this holiday. And we have our featured interview with the rather informed Max Linscott of Mimecast. So all this and loads more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums. Do you love the thrill of the chase? Anna, you're heavily pregnant at the moment, so I imagine your partner loves the thrill of the chase.
ANNA BRADING. I don't know. I mean, you haven't seen me, Graham.
GRAHAM CLULEY. Maybe you're not that hard to chase at the moment.
ANNA BRADING. There's not much chasing to do.
CAROLE THERIAULT. Just reach out an arm, grab hold of her.
GRAHAM CLULEY. Carole, the thrill of the chase?
CAROLE THERIAULT. Well, I don't know what— I mean, it can mean a lot of things, and I know that you like putting us into little traps. So I don't know what you mean.
GRAHAM CLULEY. Smashing, like a bear trap. Well, someone who does love the thrill of the chase is a woman called Barbara Anderson. She is a middle-aged— Barb's! —attorney based out of Chicago. But in recent years, she's been spending lots of time with her border collie Cupcake in New Mexico, sleeping in her SUV. Okay, so she's gone from being an attorney to sleeping in her car by choice. By choice. I think she still is an attorney. She's still practicing.
CAROLE THERIAULT. Yes, but— A mobile office?
GRAHAM CLULEY. She speaks to the judge and she says, look, we've got this I've got this really important thing to do down in New Mexico. Can you give me a bit of time off? Let's rearrange some of the cases. And you may be wondering, why is she doing this?
CAROLE THERIAULT. Chicago and New Mexico are really rather far apart, Graham.
GRAHAM CLULEY. Well, she has a good reason because she is obsessed with a treasure hunt. Oh! This is a treasure hunt which was started by a chap called Forrest Fenn 10 years ago. Fenn, he was an art dealer, and he wrote his autobiography back in 2010 at the age, the grand old age of 80 years old, thinking that he didn't have much time left. And he thought, well, I better write a book. And he's had worries about his mortality before. Back in 1988, in fact, he was diagnosed with cancer and was told it was likely terminal. And one of the things he did while he was dealing with that news was he went, walking around in the Rocky Mountains. Okay. And he thought, well, wouldn't it be fun if I could sort of leave something for other people after I've gone? And his idea was to hide a treasure chest somewhere in the great outdoors. And he thought he had found the perfect spot, the location which was very special to him, where he thought would be his ideal resting space if he was just to lie down. Now, thankfully, he actually recovered from his cancer diagnosis. But when he came to write his autobiography years later, he remembered his idea of a treasure hunt and a treasure chest with clues. And so what he did was he put into his autobiography a poem, a cryptic poem. I don't think—
CAROLE THERIAULT. are we taking part in this story at all? Or— I'm just going to go for it. Keep going.
GRAHAM CLULEY. You're doing great.
ANNA BRADING. I'm excited what's going to happen next.
CAROLE THERIAULT. I feel like we're at bedtime, Rik, you know, and we've told this story.
GRAHAM CLULEY. Have you got any questions so far, Carole?
CAROLE THERIAULT. No, no, no. Hey, so I just— okay, so we have Forrest Fenn, who's 80. He had cancer, and while he had cancer, he walked around the Rockies in New Mexico and decided to put a treasure box somewhere.
GRAHAM CLULEY. Put a treasure box somewhere.
CAROLE THERIAULT. And thought he found the perfect spot.
GRAHAM CLULEY. Found the perfect spot. Wrote his autobiography. Wrote a poem. I can read out some of the poem to you if you want. Oh, please do. As I have gone alone in there, and with my treasures bold, I can keep my secret where, and hint of riches new and old. Begin it where warm waters halt and take it to the canyon down. Not far, but too far to walk. Put it in below the home of Brown. And it carries on for a few more verses.
CAROLE THERIAULT. Yeah, copyright though. Right?
GRAHAM CLULEY. So, okay. So, he has written this poem and it got published in the book. And it was describing where he had hidden a treasure chest containing gold nuggets. Gold coins, gemstones, and jewelry. Ooh. So that's what's in his treasure box.
CAROLE THERIAULT. Mm-hmm. That's what's in it. Gold nuggets, gold coins, gemstones, jewelry. We have no idea about how much value.
GRAHAM CLULEY. Well, it's estimated about $1 million.
CAROLE THERIAULT. Million bucks?
GRAHAM CLULEY. At the point where he hid it, yeah.
ANNA BRADING. I can see why she's into this treasure hunt.
CAROLE THERIAULT. Yeah. Yeah. You'd be into it?
ANNA BRADING. You would take a 5-hour flight? Certainly not at the moment, Carole. I can barely get up off the sofa.
CAROLE THERIAULT. Bring me the treasure box.
ANNA BRADING. You know, with COVID I don't want to go over there. It's difficult. But it's really hard. But I can see that she would be interested in the million dollars.
GRAHAM CLULEY. Yeah, Barbara Anderson was one of many people who became obsessed with solving the riddle and devoted themselves to finding the treasure. So people were going into the Rocky Mountains in New Mexico, Colorado, Wyoming, Montana, hoping to find it.
CAROLE THERIAULT. Because they read the book and they're like, they had enough hints to think where they might find it.
GRAHAM CLULEY. And it wasn't necessarily a safe thing to do. In fact, in the last 10 years since the book got published, at least 5 people have died hunting for the treasure.
CAROLE THERIAULT. Well, more people have died crossing a road, Clue. I don't know.
GRAHAM CLULEY. Yes, but these are people who've gone out there saying, "I'm going to find the treasure," and got on a raft or whatever, and have ended up at the bottom of a lake or whatever. Now, from the research I've done, All the people have died. All the 5? Of the 5, they were all men. And often with wives and families who said that they'd become a bit nuts. It ruined their lives. Some of the wives even said, I'm sure it's a hoax, but, you know, he has to go hunting every weekend, or he goes off for weeks on end looking for this damn thing.
CAROLE THERIAULT. Maybe he just had a girlfriend.
ANNA BRADING. Maybe he was with his girlfriend. Hey, that's an idea, isn't it?
GRAHAM CLULEY. You say that you're going off treasure hunting.
ANNA BRADING. Once I get this baby out, that's what I'm doing.
GRAHAM CLULEY. And you know, one thought which came to my mind is people are dying and things. Who's to say there ever was any treasure hidden? And there was no proof that Forrest Fenn ever actually hid anything in the Rocky Mountains other than he wrote a book. He could be some nutter. And then in June of this year, June 2020, there was an announcement. Forrest Fenn posted on his website that the treasure had been found. Oh? And he wouldn't say where, and he wouldn't say who had found it. All he'd say is that some guy who wanted to remain anonymous, some guy back east, he said, had found the treasure. Which raises all kinds of questions. Because was that even true? Was Forrest Fenn saying it'd been found to stop nutters going out into the Rocky Mountains looking for it?
CAROLE THERIAULT. Well, he'd probably be nervous for his life thinking, you know, a million quids worth of stuff. Maybe someone's going to find Forrest Fenn and go, "Tell me where you put the box or else!" Well, I believe his house had been burgled before.
GRAHAM CLULEY. And yeah, maybe there were— I think there were a lot of obsessive types involved. The other possibility, of course, was maybe Forrest Fenn had told someone where the treasure was in order to bring the hunt to a close. And who cares?
CAROLE THERIAULT. It's his own treasure. Who gives a shit? He can do what he wants.
GRAHAM CLULEY. Well, it matters, Carole. It matters to Carole, to the people who've devoted their lives to the hunt for the treasure, including— Babs. The now really pissed off Barbara. Yes, Babs. Really pissed off Babs. Barbara Babs Anderson, attorney of law.
CAROLE THERIAULT. Can you imagine if she represented you and she tried to— Sorry, sorry, I really would love to hear more about your saga, but I must dash. I just had a thought. Thought of where the treasure might be. Bye!
GRAHAM CLULEY. She had been living all this time in a shitty, broken-down Lincoln MKZ, regularly visiting Santa Fe. She decided that the treasure must be in Santa Fe, New Mexico, because she was certain of that because she said there was a clue about mildew contained in a picture Forrest Fenn had posted where he had a hole in his hat, and the hat was in the shape of the state of New Mexico. The hole in the hat was.
CAROLE THERIAULT. So she was driving back and forth is what you're saying, right? In her shitty car? Yes. Okay, I'm just going I can tell you how long a drive that is between Chicago, Illinois and Santa Fe, New Mexico. It's 19.5 hours driving. Is she single?
GRAHAM CLULEY. So, I just— So Barbara's upset, right? Barbara was certain that she was close to finding the treasure, and she believed it had been stolen under her nose because she says that someone had been taunting her.
CAROLE THERIAULT. Babs is bonkers.
GRAHAM CLULEY. Via text message for a while. Oh. And then she started to claim that her emails had been hacked. And whoever had found the treasure had stolen clues that she had found and information which she was storing in her email.
CAROLE THERIAULT. And there's the tangential security link. All right.
GRAHAM CLULEY. So she's American and she's an attorney, a dangerous combination. So of course, she filed in court against Forrest Fenn and the mystery finder.
CAROLE THERIAULT. Why? Why? Why can't he just say, I say, who cares?
ANNA BRADING. A million dollars, Carole. Yeah, but it doesn't belong to anyone.
CAROLE THERIAULT. You know, he writes about it in a book, and did he taunt people to go try and find it?
GRAHAM CLULEY. Well, she says that this is highly unfair, and there's been some kind of fraud taking place, and she wants to know where was the treasure hidden, and who was it who found it? Now, since she filed the case, Forrest Fenn, sadly, about, I think it was about a month or two after the find was made, passed away at the age of 90.
CAROLE THERIAULT. At the age of 90. So he's just, just passed away.
GRAHAM CLULEY. That's right. He passed away in maybe September or something like that.
CAROLE THERIAULT. So RIP, Forrest Fenn. And I'm glad you don't have to see this disgusting behaviour happening here, because you did something cute.
GRAHAM CLULEY. But his descendants, including his grandson— Oh, God. What? They know who the finder was. And they've been compelled by court to reveal his identity publicly. And that's how we now know the person who ended up claiming to find the treasure is a former BuzzFeed journalist and medical student, 32-year-old Jack Stuef. Oh, I bet he's pissed off now. Who wanted to remain anonymous. He claims that his family are now in hiding. He says that he searched for the treasure for two years, analysing every single interview that Forrest Fenn ever gave, for any clues or way that he spoke. And he had been hunting around the Rocky Mountains before finally coming across the treasure. But to the annoyance of all these other hunters, he won't say where the location was or how he solved the riddle. And I think that's what's made everyone go bonkers. 'Cause they just want him to prove that he had some method of finding the treasure, which wasn't dodgy.
CAROLE THERIAULT. I think they should just all calm the fuck down, but treat him as a magician. The guy found it, and who cares how? You lucked out. Bad luck. Deal with it.
GRAHAM CLULEY. Hang on. Well, what if he did hack other people's accounts?
CAROLE THERIAULT. What if? Show me proof. What's the evidence?
GRAHAM CLULEY. Yeah. God, conspiracy theory, Graham. I imagine Barbara Anderson will present her evidence. Oh, I'm sure she will. When this eventually comes to court.
CAROLE THERIAULT. I hope that's on TV or something. Court TV.
GRAHAM CLULEY. So Jack Stuef, the guy who found the treasure, he says that he wants to preserve the mystery of the location because he doesn't want to make it a tourist site. He says he's very close to Forrest Fenn, although he only ever met him once. That he formed a relationship with him after he found the treasure. He obviously denies the hacking claims. But if you're really obsessed with something, might you be tempted to break into the account of others?
CAROLE THERIAULT. You're like Fox News. You are. What? You have no proof of any of this at all. You're just basically tempting the— Oh, don't like it.
GRAHAM CLULEY. I'm not saying he did do any of the hacking. I'm just saying he's been accused of it.
CAROLE THERIAULT. Do you think if I had a treasure in my house worth £1,000, you would break into my house to come get it? You think the average person would want to do that?
GRAHAM CLULEY. No, I'm not saying that. But if lots of people independently were searching for treasure—
CAROLE THERIAULT. How many is lots?
GRAHAM CLULEY. Like what, 50? Oh, come on, Carole. 5 people have died. There must be hundreds and thousands of people who've been searching for this.
ANNA BRADING. If it's $1 million, there's going to be quite a few people that are looking for it. Really? Yeah. What does that get you though?
CAROLE THERIAULT. These days?
ANNA BRADING. Well, armed guards, for— The journalists. Probably burn through that in a few days.
CAROLE THERIAULT. Well, good luck to Babs.
GRAHAM CLULEY. Yes, and maybe she wants to install two-factor authentication if she's worried about her accounts being hacked.
CAROLE THERIAULT. Yeah, what's her password? Hmm. Yeah, who knows?
GRAHAM CLULEY. I think it's a very interesting story, this. And I hope we will get to the bottom of it. But what a fascinating treasure hunt anyway. If anyone else wants to, Well, there's no point anymore if this really has been found, but maybe you can work out the location and reveal that to the world.
CAROLE THERIAULT. I just can't believe you can't admit how pissed off you'd be. If you decide to do this, right? You have cancer, you decide, oh, I'm going to leave some great treasure somewhere for someone. And then everyone who gets wind of it starts scrapping amongst each other because someone won it. It's like, well, how did he win it? What exactly happened? How did he— did he rip me?
ANNA BRADING. He must have robbed me.
CAROLE THERIAULT. That's what happened.
ANNA BRADING. And I'm going to take him to court. Like, it's just—
CAROLE THERIAULT. it just God, poor— yeah, anyway, Forrest Fenn is probably rolling in his grave, embarrassed for humanity.
ANNA BRADING. Although his actions did lead to the deaths of 5 people.
GRAHAM CLULEY. Exactly. Was what he did—
CAROLE THERIAULT. oh, he's responsible for that too? Because some idiots went out—
GRAHAM CLULEY. no, because he could have stopped it much earlier.
CAROLE THERIAULT. They went out in their flip-flops and forgot their suntan lotion.
ANNA BRADING. He didn't have to put it there, did he? He could have put it somewhere a little bit safer, like in a mall, a supermarket, in a park or something.
CAROLE THERIAULT. Yeah, it's behind the diapers.
GRAHAM CLULEY. Then you'd be in, Anna.
ANNA BRADING. Then you'd Yeah, I would.
GRAHAM CLULEY. That's true. Anna, what's your story for us this week?
ANNA BRADING. Well, I think we can all agree that the world has gone to shit in 2020. I'm loving it. Oh, are you? Great. Well, we have spent most of it locked inside. What do you guys miss the most?
CAROLE THERIAULT. Hugging people that I like. Oh, I know. I had to add that I like just in case.
ANNA BRADING. I haven't hugged you all year, Carole. I know.
GRAHAM CLULEY. No one would be able to hug you at the moment. How would they get their arms around you?
ANNA BRADING. Pat me on the shoulder.
CAROLE THERIAULT. Anna, please.
ANNA BRADING. So, Graham, do you want to volunteer anything? No, thank you. Chess is online, isn't it?
GRAHAM CLULEY. Yes. You can still do that. I've been fine. I've been absolutely fine, yeah.
ANNA BRADING. Anyway, in the first few months of the pandemic, obviously a lot of us were locked up, and many US states were under shelter-in-place orders, which is— Good for saving people's lives from COVID-19, not so good for the economy, as we all know. So over in Florida, data scientist Rebekah Jones was working for the state, and she was heading up a team who created and ran the COVID-19 dashboard for the state. So, you know, we've all been glued to the dashboards. But this one was a particularly good dashboard and had been—
GRAHAM CLULEY. So what do you mean a dashboard?
ANNA BRADING. What does that mean? So it's got all the stuff like cases per day, total cases, deaths, testing information, vaccine—
GRAHAM CLULEY. It's like a webpage? With all the latest data.
CAROLE THERIAULT. Yeah, with lots of stats, right? Like who died, who has it, how many, numbers, numbers, going up, going down. Yes.
ANNA BRADING. And this is for Florida. Now in particular, Florida's one was a good dashboard apparently, and it had been praised by White House officials for its transparency and accessibility. And it was used by researchers. They had plugged in to use the data, and media, and the public. It was a good dashboard anyway. Oh, cool.
CAROLE THERIAULT. And it came out very early, didn't it? Yes, it did. During the whole pandemic stuff, yeah.
ANNA BRADING. Yeah, and I think everybody was kind of thinking, "Her and her team are doing a great job." Mm-hmm. So a bit further into the pandemic. I can't believe it's been going on for 9 months now, certainly here, a bit longer. I can. It feels like it to you.
CAROLE THERIAULT. Oh wait, and you're pregnant. Oh! I'm just doing the math.
GRAHAM CLULEY. Got a bit boring at the beginning, didn't it?
ANNA BRADING. So anyway, when states were told that they could start opening back up, they were told that they could do that as long as they met certain criteria. Mm-hmm. And Florida obviously wanted to reopen. But the numbers that Jones and her team were publishing still looked a little bit shaky. So, and this is according to Jones, leadership at the Florida Department of Health where she worked asked her to sort of massage the numbers.
CAROLE THERIAULT. Like lie, basically.
ANNA BRADING. Well, yeah, I think they wanted her to remove some of the regions where the— Yes. Yeah, remove some of the deaths. Just lower down some of the numbers just so that they could meet some criteria.
GRAHAM CLULEY. Which is a reasonable request, isn't it? Yeah, just— I mean, if the stats aren't helpful, and they clearly weren't helpful, then there's two ways of fixing the situation.
CAROLE THERIAULT. Just shave off a zero. Okay.
GRAHAM CLULEY. We can either do something to prevent there being so many infections and deaths, or we can change the numbers, right? Well, exactly. One is easier to do than the other.
ANNA BRADING. And if you start preventing the deaths, then you have to shut things down again, and that's not good for the economy, right? So yeah. Right, okay. Let's sort the numbers out. So Jones, because of her, you know, the fact that she'd been praised for the transparency and everything, she wasn't happy about the fact that these things had to change. So first of all, she said no, back and forth. And then she took down some of the numbers from the dashboard. But then obviously that broke all the links that had been published to the dashboard. So she said she was asked to put it back up again. But then the next day, she was told she no longer had a job.
GRAHAM CLULEY. So she took the dashboard down in a bit of a huff?
ANNA BRADING. No, no, no. She removed parts of it because they didn't want to publish all the data. But then that was obviously— any news site that had referenced that, obviously it broke all the links. And then they were like, "Oh, shit." And they had to put it back up.
GRAHAM CLULEY. So, in their eyes, she'd been a bit of a nuisance. Yes. And had caused quite a lot of kerfuffle. And so they thought, "Well, you're going to have to go, Miss Rebecca Jenkins." Well, they brought in a different team to manage it.
ANNA BRADING. She says that she was removed because she refused to comply with their orders fully. But they say it was because she exhibited a repeated course of insubordination during her time with the department.
GRAHAM CLULEY. Now, Anna, tell me, do you feel some sort of empathy for this woman who's in this situation where she was involved in a project and then suddenly she's no longer involved in the project? Maybe a new team have been brought in to take over. Is that something you can identify with at all? Sticky pickles? Well, sticky pickles.
ANNA BRADING. I actually thought you were talking about something else. Oh, cybersecurity? I can't talk about one of them because I've signed stuff. The other one, yes, very much so. I feel like I was pushed out because I was pregnant, Graham. I feel like Ziggy Pickles pushed me out.
GRAHAM CLULEY. You might want to hire a Chicago attorney to deal with that, maybe. Yeah.
ANNA BRADING. Oh, yes. Well, she sounds like she's, you know, she sounds quite feisty. I like her. Yeah. Totally sane as well. Yeah, exactly. So back to my story. Jones now is publishing her own coronavirus dashboard, which she says the numbers are higher, but, and she says they're more accurate.
CAROLE THERIAULT. So she's doing an independent— basically she's done all this work, may as well do it independently. She knows how to do it.
ANNA BRADING. Exactly. So look at that one, not the other one, if you want to know the real numbers, she says. So then fast forward a few months to November. Mm-hmm. And on the 10th, somebody sent a message on an official emergency communications channel that they shouldn't have done. So it was sent to the State Emergency Response Team members, who are the guys responsible for coordinating public health and medical response in Florida. So, like, the urgent stuff.
CAROLE THERIAULT. And what were they sent?
ANNA BRADING. It said, "Speak up before another 17,000 people are dead. You know this is wrong. You don't have to be a part of this. Be a hero.
GRAHAM CLULEY. Speak out before it's too late." So this was an emergency alert sent to people who were working—
ANNA BRADING. Yeah, working there. And it went to around 1,750 accounts before they intervened and shut it down. Right. And so, who could have sent it? We don't know. But on the 7th of December, so earlier this week, at 8:30 in the morning, state police raided Rebekah Jones's home. So they took her phone and her computer.
CAROLE THERIAULT. So they— the cops actually show up at her house?
ANNA BRADING. Yes. So she took to Twitter, as everybody does, posting video footage which shows police asking her who was at home. She opens the door, they say, who's at home? And then they enter with their guns drawn. And she's already told them that upstairs are where her husband and kids are, and they're pointing them the stairs, so it's pretty scary. In the house, man. My two children and my husband.
GRAHAM CLULEY. Where's your husband?
CAROLE THERIAULT. Call him down. Call him down.
ANNA BRADING. You want the children down? Call them all down.
CAROLE THERIAULT. Mr. Jones, come down the stairs now. Police, come down now. My children.
ANNA BRADING. Hang on, let me clear my house. He just pointed a gun at my children.
GRAHAM CLULEY. Yes, but in Florida, it's quite possible your husband and kids will be armed. Shot with submachine guns or something like that. So it doesn't really make any difference that your kids are upstairs, does it?
ANNA BRADING. Oh my God. Yeah, but I guess as a parent, I wouldn't like to think that my son would have a gun in his face. No, no, I guess not.
CAROLE THERIAULT. And you don't even know why, right? You're running your own independent data centre, presumably, and she's just, you know, tick-a-da-da-da-da-da-da. She doesn't know anything about the emergency and, you know.
GRAHAM CLULEY. But even if she was responsible for sending that emergency alert, it does seem a little bit over the top to have guns around the place. Oh, do you think? You think?
ANNA BRADING. Oh. Wow, okay. Yes, so they're saying they took evidence to prove she was the one who sent the message accessing the system she wasn't allowed to. Um, obviously she denies any wrongdoing.
CAROLE THERIAULT. So they think she's the one who hacked the system and gave the message. So they went to her house, they stole all their stuff with guns and the whole thing, and okay, gotcha.
ANNA BRADING. Yes, so the message that was sent, um, so the people that received it, they're known as ESF-8, which are, um, the emergency team, as I said, and they are employees of the Florida Department of Health, and some also work for other government agencies. But once these people leave, they are told they're no longer authorized to access the group. Fair enough, understandable. Yeah. So it should be relatively easy to track who sent the messages because presumably they all have a user account and they can just have a look.
CAROLE THERIAULT. Oh, so they think it's an inside job? They think it's someone—
ANNA BRADING. Yeah, they think it's an inside job. They think it's someone that was on that group. But they all share the same username and password.
CAROLE THERIAULT. Of course they fucking do.
GRAHAM CLULEY. Well, that's transparency for you, isn't it?
ANNA BRADING. There you are. It's true. It's a very efficient system. Yes. Yeah. So, yeah, a little bit harder because who knows? So the special agent who was investigating all of this said he found the IP address of whoever sent the text. He checked the logs and it was traced back to her house. Her house, which is why they searched her house. I mean, we have no idea what the truth is. I'm sure it'll come out. But why do they all share the same username and password? And also, why wasn't it changed when she was fired? Yeah. And she was fired in May. So it's like, what is it, December now? That's a long time. It's not gonna take long to change one username and password, is it?
GRAHAM CLULEY. Carole, have you changed the passwords on the Sticky Pickles podcast since there was a change in the staff? Did you?
ANNA BRADING. I haven't tried to log in.
CAROLE THERIAULT. I blocked her on everything. You're dead to me.
GRAHAM CLULEY. Carole, what's your story for us this week?
CAROLE THERIAULT. Okay, so if you listen to us week in, week out, you probably know most of the stuff I'm going to talk about, so you can go make a cup of tea. All right, bye. Bye. See ya. There's one thing we all have in common, right? We all have to help out family members or friends and neighbors with computer device drama, internet dramas, the routers, routers, the whole thing. But if you're a first-timer to the show, first, a very warm welcome. And maybe you'll just learn a few tricks on being safer online. So the holidays are coming, right? We've got Christmas, Hanukkah, New Year's Eve coming. And normally we all get together and now we can't. I mean, it's been flipping freezing outside. So the whole idea of meeting in the garden with your parents doesn't feel ideal, does it? Unless you got a fire pit or something like the fancy people Do you have a fire pit, Graham?
GRAHAM CLULEY. I don't have a fire pit. I do have a barbecue. Oh, hey!
ANNA BRADING. Oh! Yeah. I don't want to boast or anything, but I've got a barbecue and a fire pit.
CAROLE THERIAULT. Well, I look forward to having a toasty, toasty night.
ANNA BRADING. You're not invited. Wow.
CAROLE THERIAULT. Okay, so how are we going to make up for all this isolation, right? These— I'm thinking we're going to do frequent video calls, online shopping, e-cards, all that. Malarkey. And, um, the plan is hopefully they'll make us feel less apart, but they are all reliant on technology. So I've pulled together a smattering of tips which should help us sidestep the pesky little online potholes so we can avoid cyber hell.
GRAHAM CLULEY. Sorry, are you seriously saying that an e-card is a good replacement for getting together with the rest of your family?
CAROLE THERIAULT. No, no, no. My question is, what are you gonna do if you can't see your extended family? Are you gonna have a video call?
GRAHAM CLULEY. Yeah, maybe. Yeah, I suppose so. Oh, you're not sure? I'm not sure. I, you know, it depends how bored I get. I mean, it depends what's on TV. Yeah, maybe. Yes, why not?
ANNA BRADING. A Zoom quiz.
GRAHAM CLULEY. Oh no, they're quite fun. Yes, exactly.
CAROLE THERIAULT. You know, and you're going to be sitting there cooing at someone's tree decorations or all that kind of stuff. So tips to make sure the experience is a happy one. Okay, number 1, make sure your service is end-to-end encrypted. So FaceTime is, WhatsApp is, I think Zoom is now, and there's loads of others that are, but there's loads that are not. And end-to-end encryption is really important because it makes sure that the service provider, Zoom or Apple, whoever it is, can't decrypt the content of your conversations when they're in transit. Mm-hmm. Okay. Yeah. I want both of you to come up with a good Wi-Fi or video call tip. Oh, what? Okay, I've got 3 here. Okay. Okay. Okay, second one, obviously check your settings, your passwords, make sure the organizer can control who's allowed in and out. This is obviously to avoid things like Zoom bombing. I mean, there's, uh, it's not every grandma that takes kindly to someone wagging their Graham Cluleys in the webcam. So I did that just for you, Anna. Just to make you laugh.
GRAHAM CLULEY. Sorry, is that rhyme? Is that rhyming slang? Waving their Graham Cluleys? Are they called Grahams now? The Guleys?
ANNA BRADING. That's what I refer to them as.
CAROLE THERIAULT. Graham Cluley's out my face. I'm crying. So basically, you need to have control on those things, you know, and keep the link private. You can even have a password. Only those that are in the know get into the party. Yes, of course. And finally, my last one on this one is just assume the call's being recorded. So like the story about how you drop the milk in the supermarket and the whole thing explodes, goes all over you, is fair game, right? But your private stuff like your phone numbers are— I can't believe they guessed my password, it's— they start telling you.
ANNA BRADING. It's like, no, no, no, no, no, no.
CAROLE THERIAULT. So banking details, things like that, just stick to random stories, not stories that have personally identifiable information in them. And this goes especially for saucy calls and videos that some of you might have, right? Being careful, especially with those Graham Cluleys. Noted.
GRAHAM CLULEY. Can we not make that a thing?
CAROLE THERIAULT. I don't know. It's too late now, Graham.
ANNA BRADING. Too late now. It's already a thing.
CAROLE THERIAULT. Loweney, from you guys?
GRAHAM CLULEY. I was going to say, be careful about what's in your background. So, you know, if you've opened any intimate presents during the festive season—
CAROLE THERIAULT. If you have a big dildo behind it on the table.
GRAHAM CLULEY. And you've left it on the table, you don't necessarily want to share that with the in-laws, do you?
ANNA BRADING. Yeah, don't write your password on a flip chart and then, you know, in your background in your house. Yeah.
GRAHAM CLULEY. Do you have a flip chart in your house?
ANNA BRADING. Yeah, I do, Graham, with all my passwords. She loves lists.
CAROLE THERIAULT. Oh, I've got another one. Don't— okay, this is a great one actually. Don't complain just before or after the call because some of these services have been known to have a longer lag time during termination. So say you've had a difficult conversation with Uncle Bob, don't immediately flip them the bird once the call's over and call them a you-know-what because—
ANNA BRADING. Don't bitch until it's gone.
GRAHAM CLULEY. Yeah. I find this when I'm on a, I don't know what, maybe it's Zoom or whatever it is, you hit the quit button.
CAROLE THERIAULT. I know, Graham.
GRAHAM CLULEY. Oh. And then it kind of says, are you really sure? So you think you've quit and you're kind of going, Jesus, thank God. That's a— oh, you have to hit it again.
ANNA BRADING. Or you have to have that forced smile. Just a full smile kind of for ages while you're waiting for it to quit. So those are pretty good tips, right? They're great tips, Carole.
CAROLE THERIAULT. Okay, I'm gonna do one more, just one more set, okay, on IoT because no matter how much I say don't buy IoT and keep the crap out of your house, people are gonna buy it because the kids are screaming for it or partners are screaming for it or you just think they're cool or it makes your life easier or whatever. So my advice on this front, but please, throw yours in, would be one, stay away from version 1, you know, the alpha smart IoT. Let the boffins who are tech mad and know what they're doing test it out and report their findings. Do you agree with that, guys?
GRAHAM CLULEY. Yeah, and I'd also suggest, I think some of these smart speakers, for instance, now, they're beginning to introduce technology whereby they'll do more of the processing on the device rather than sending it up to the cloud. So if you don't want someone to be analyzing what you're saying. And you can also have, on some of these devices, a hardware switch where you can actually turn it off and tell it to stop listening, and then you can decide when you want to turn it on again.
CAROLE THERIAULT. Yeah, hard switch is a really cool thing. That's a great one. Don't believe the blurb on the website or on the Amazon or Walmart page. I know, read the terms and conditions. This is the only place that firms have to think twice before they BS you. Okay, that's the issue. That's why you're looking. And all you're looking for is what data they collect from you, where do they store it, and who are they sharing it with. And Ctrl+F, or finding stuff through— you don't have to read every single word in it. You can look for keywords to find out what they say about that stuff. And I think Jack Rhysider is the one who told us about tosdr.org, Terms of Service Didn't Read. Um, so that's a website where it kind of shrinks down the information, tries to put it into clear English if you're finding it a little bit crazy.
ANNA BRADING. That's handy because I can't see people that aren't interested in security but want, you know, an Alexa or whatever in their house. I can't see them reading all the terms and conditions, but that's good. So I was going to ask if there was anything like that. So that sounds quite good.
CAROLE THERIAULT. But I'm obsessed with them now, and I keep kind of going to these online services going, oh, this sounds cool. And then I go read their terms. I'm like, oh right, I'm giving you all rights to everything I load on your site ever for from now on.
GRAHAM CLULEY. See, it's funny how you're obsessed with that, but you're not obsessed with a treasure hunt in the in the Rocky Mountains, which could make your money.
ANNA BRADING. We've all got our own interests, Graham. Carole Theriault.
CAROLE THERIAULT. And for any smart device you buy, first check if there've been any previous security problems. That's not to say if they have had a security problem, you do not buy it, but what you wanna look at is how they handled it. So for example, if it turned out that they left a database open and they closed it publicly, no one had landed on it, they still told everybody about it, I kind of think they get a pass. But if they were found out because some unauthorized party got in and then they tried to hide it, I, and the company denies it, I think walk away, right? So you want to know who your partner is. These guys are business partners of yours as an individual. These, you know, that's what you have to see them as. And if you don't want to do business with them, if you don't like the way they work. And lastly, this was one that was said by one of our guests, set up a Google alert for your smart IoT devices. LastPass. Ah, yeah. Your router, your phones, your tablets, your Roomba, because then if there's this big security problem, you'll get it, you'll get a little info on it, and you'll be able to be pre-informed, which gives you a bit more time to do something about it. Good tip. Good tip. Do you want to add any, guys? Um. Did I cover everything to do with IoT? Graham, you already had some good ones.
GRAHAM CLULEY. I did, thank you.
CAROLE THERIAULT. Anna? Oh yeah, she's pregnant.
GRAHAM CLULEY. So pressure off me. God, how dare I.
ANNA BRADING. Don't pick on me. I'm not.
CAROLE THERIAULT. You're amazing. I think—
ANNA BRADING. I feel like you've covered it all. I'm sorry.
CAROLE THERIAULT. Well, thanks. No, let's not be sorry. That just means I'm perfect. Thanks. Oh, you are. Well, you are. So there you go, right? Um, amazing. A few tips to help you and your loved ones sidestep cyber hell this holiday.
GRAHAM CLULEY. Today's show is sponsored by Mimecast, the number one cloud email security solution for Microsoft 365. Safeguard your organization with Mimecast's end-to-end phishing, impersonation, and brand exploitation protection service. It's a layer of email security defense that picks up where Microsoft security leaves off. Mimecast's innovative service blocks brand attacks before they can launch, stops live cyberattacks in their tracks, and gives you visibility into anyone using your domains without your authorization. Start today by downloading a free copy of the State of Email Security report at smashingsecurity.com/mimecasthub. Security training sucks. It's boring. Users hate it. They aren't paying attention. Doesn't work. For security training to actually work, you'd have to find out what each person in the company is doing that's risky, send them phishing emails, monitor logs, check for passwords and how they're being pwned, and then you'd have to train them in a way that doesn't send them to sleep, try and track what they're doing to see if it worked.
CAROLE THERIAULT. Who's got time for any of that? Culture AI do. What? Culture AI. They make this amazing software that plugs into your company, runs your phishing campaigns, integrates with Slack, tests if your users accept phony MFA requests— that's a biggie— and pulls in tons of other behavioral metrics from your existing apps. It basically figures out what everyone needs to know and then creates personalized training that is not boring. And it even checks that it's working, and it's all done automagically. And they've got a deal just for our listeners. Sign up at culture.ai/smashing and your first 50 employees are free for life. Cool. More information, culture.ai/smashing. Stop your whining, Graham.
GRAHAM CLULEY. This episode of Smashing Security is sponsored by LastPass. Now everyone knows about LastPass's password manager for end users, but it's also a great solution for businesses. In fact, tens of thousands of companies rely upon LastPass to protect themselves. LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce. So whatever the size of your business, go and check it out. Go and visit lastpass.com/smashing to find out more. And thanks to LastPass for supporting the show. And welcome back. Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week?
CAROLE THERIAULT. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily. Better not be. Well, my Pick of the Week this week, I was perusing one of my favorite periodicals, the Jerusalem Post. Wow, mine too. I came across an interesting story, which is a little admission which has come out actually from the former space security chief of Israel. He held the position for many years, and he's recently come out and said, um, oh, by the way, he says, aliens exist. And in fact, a galactic federation, his words, has been in contact with Israel and the United States for years, but they are— By the way, I don't know why we're not leading with this story. Why have we hidden this away in Pick of the Week? Because this is pretty packed.
ANNA BRADING. Yeah, it would be better than the treasure hunt one. Because it's a conspiracy theory.
CAROLE THERIAULT. I'm like thinking, where have you done your research on this?
GRAHAM CLULEY. The Jerusalem Post is where— I will put links in the show notes where you can see this is reported. So he's come out and said this. He says a galactic federation has been in contact with the United States and Israel for years, but they are avoiding revealing themselves to the public. Panic, because I think not only will there be a panic— can you imagine the whole world in a panic in 2020? They think not only would there be a panic, but humanity is not ready yet. Now, I don't know what you think about this revelation. I am leaning towards it being poppycock, because I think if the United States really was aware of this, then I think we can be fairly confident the president of the United States would be aware of this Galactic Federation. And I find it very hard to believe that he wouldn't have tweeted about it. So that is my evidence, if circumstantial, as to why this may not actually have occurred and the former space security chief of Israel may be wrong. But you should go and check out the story because if this is true, it could be pretty big news. Could be pretty big news, Anna. Yeah.
CAROLE THERIAULT. You know where Graham got it, guys? Graham got it from the Daily Mail. Of course he did. What? I can see it and I know that you follow it. Yes, you read it in the Daily Mail. No, I did not. Okay, then yes.
GRAHAM CLULEY. I did not find it.
ANNA BRADING. Are we worried that this is going to be next year's pandemic? Well, thanks to people like Graham to spread this information. It's not going to be. Exactly. Maybe they brought COVID, those aliens.
GRAHAM CLULEY. This has been widely reported already. This revelation, whether it is nonsense or not, this is something which is spreading around the world. This is a breaking news story as we record this show. And I saw it and I was quite interested. Apparently, the Jerusalem Post say that they've attempted to get into contact with the Galactic Federation, but have not had a response. Oh. I think, yeah, okay.
CAROLE THERIAULT. I'm just putting my, hmm, I'm gonna do more research before I listen to any of that stuff.
GRAHAM CLULEY. Thanks. You can find out more.
CAROLE THERIAULT. Yeah, check out the Daily Mail.
GRAHAM CLULEY. In Professor Haim Eshed's book, The Universe Beyond the Horizon. He's the chap who has made this claim, and he says that aliens have prevented nuclear apocalypses. And he'd say, yeah, it's available right now. Go and check it out.
ANNA BRADING. Do we know how they've prevented nuclear apocalypses?
GRAHAM CLULEY. I think we'd have to read the book. The book's only just come out. Oh, I see. It's a teaser.
CAROLE THERIAULT. Do you say they look a bit like blood-sucking lizards?
GRAHAM CLULEY. I don't know if he's said anything Icke-ian like that. Did he take a photo? I don't think he's saying that he's met—
CAROLE THERIAULT. Only stream live to Twitter.
ANNA BRADING. Oh, for goodness' sake. Don't get the Kindle edition.
GRAHAM CLULEY. I'm not suggesting he's met the aliens. He is just saying that the aliens have been in contact with the United States and Israel, the Galactic Federation. And we have not passed the test to join. It's a bit like the European Union. It's just, it's basically Brexit. Oh dear. Right? The Galactic Federation is not letting us join. Oh, and that is my pick of the week. Happy Christmas, almost. Anna, do you have a pick of the week?
ANNA BRADING. I do. And I thought, you know, because it's Christmas, I would take you back to Christmas 2009. Oh, one of my favourite Christmases. Now we were all working together then. Were we? At an undisclosed site. Company. And let me show you a photo. Does anyone want to describe what's going on here?
GRAHAM CLULEY. Ah! Oh, look at that!
CAROLE THERIAULT. What a really wonderful office setup, eh? I know! God, it was so beautiful.
GRAHAM CLULEY. We're gathered around a Christmas tree, and we have Anna, Carole, myself looking very trim, and our friend Yogi. And we also have some Doctor Who cutouts for some reason. Yeah. Around the Christmas tree. We've got David Tennant and a Dalek and a Cyberman. Look at that. No idea why. No, I don't know why either. Oh, I know why.
CAROLE THERIAULT. I know why, because you had a birthday party and you got them for your birthday party. Then your wife said, get these out of the house, thanks. So you brought them into the office.
ANNA BRADING. Yes. And what happened to them after you left Sophos?
GRAHAM CLULEY. I do not know.
CAROLE THERIAULT. I cannot answer that question.
ANNA BRADING. He probably has them all wrapped around his neck. I bet he's still got them. Anyway, it's not about Doctor Who. So we were trying to organise a little work do because it was Christmas, but we didn't work in sales. So our budget was about £25 per head, I think. We thought, Carole and I, because Graham wasn't interested in getting involved in this kind of party planning, thought we would have a buffet at work and then go ice skating, which may I say, Graham, you were fabulous at.
GRAHAM CLULEY. I do remember the ice skating. That was quite traumatic.
ANNA BRADING. It was fantastic. So the buffet consisted of, if you look carefully at this photo, which maybe I can tweet.
GRAHAM CLULEY. Yeah, you tweet it and we'll retweet it from the Smashing Security account.
ANNA BRADING. Okay. It's where I discovered novelty Christmas crisps. Now Yogi, who's also in that picture, is also a fan of these novelty Christmas crisps.
CAROLE THERIAULT. How do you guys feel? I hate them. I'm the enemy of these. We've had a number of conversations about these.
GRAHAM CLULEY. I seem to remember they were pretty disgusting.
ANNA BRADING. Well, I think probably back then they weren't as sophisticated as they are now. But anyway, I thought because, you know, 2020, as we've talked about, isn't kind of anybody's top year, I would imagine. I thought my pick of the week would be Christmas novelty food. So I'm not talking about— can you tell I've moved house in the last week and I have done nothing apart from unpacking boxes? This is all I have. I've just eaten. So I'm not talking about Christmas dinner and sprouts and stuff. That's boring. But it's the novelty stuff, right? So a quick roundup of the good stuff. So Pret are doing a fantastic Christmas sandwich in both baguette form and run-of-the-mill sandwich bread. I did actually have the Christmas baguette for lunch.
GRAHAM CLULEY. Sorry, can I just clarify? Your pick of the week is a Pret a Manger baguette? Is what you're basically saying.
ANNA BRADING. That's what you've brought to the table. It's not just a Pret a Manger baguette. What is your problem, Graham? I'm trying to bring a bit of festive cheer to the podcast. You've got aliens. All right, carry on. Marks & Spencer, let me tell you, have an excellent offering. There's a turkey feast sandwich, which we all expect. I mean, I don't want to go into a sandwich place without them offering me a turkey feast at this time of year. But they're also doing truffled egg and honey roast ham. Oh God. Perhaps you could try that with some pigs in blankets crisps or some Christmas tree tortilla chips.
CAROLE THERIAULT. You see, I like the holiday foods, not the crisp stuff, like the fake flavoured crisps.
ANNA BRADING. Why? It's so exciting. It's so exciting. Why don't you just dip a crisp in some cranberries or something?
CAROLE THERIAULT. Oh.
ANNA BRADING. No? No. Well, no. I think I'll have— My friend told me to stay away from their Christmas soup. Apparently not so good.
GRAHAM CLULEY. I think, and this may be a shock to many people listening, but I think I agree with Carole. And on that bombshell— Wait, I haven't finished. Oh, okay, sorry.
ANNA BRADING. Let me peek at the KFC gravy burger, which includes a chicken fillet, a slice of cheese, and a hollowed-out hash brown. With the side of gravy, which you pour into the hash brown. So it's an interactive experience, and then you eat it.
CAROLE THERIAULT. I've had that as well.
GRAHAM CLULEY. Are you just suggesting these things because you're pregnant and you've got cravings? Have you been eating coal or something like that as well? Is it just weird?
CAROLE THERIAULT. Didn't you say at the beginning of this section it could be anything you want? So exactly, you know, STFU, Clue. Give me a break.
ANNA BRADING. Just, just one last one. There's Pizza Hut's festive pizza. So what would you imagine would be on a festive pizza?
CAROLE THERIAULT. Oh, is it gonna be a cranberry and brie stuffed crust?
GRAHAM CLULEY. Is it a reindeer turd?
ANNA BRADING. Maybe. I should imagine a lot of these taste like reindeer turds. It's not turkey, 'cause maybe they're too hard to source throughout the whole festive period. I don't know. Maybe they're more expensive. But chicken, crispy bacon and stuffing with a red wine gravy base. Oh, so there you go. I'll send you some more, Graham, so you can try them all.
CAROLE THERIAULT. I think maybe anybody that comes to our Christmas party on Thursday, December 17th, perhaps wants to maybe want to bring a Christmas flair in their snacks. I'm going to have a few.
ANNA BRADING. I think that's a great idea. Maybe you could do a Christmas cook-along, Carole.
CAROLE THERIAULT. My other half bought already two bags of festive crisps, so he's in your camp. He loves it.
ANNA BRADING. Yes. Yeah, I don't know which ones you got.
CAROLE THERIAULT. I'll send a pic over and we can put it on Twitter, Graham. Please do. All right.
GRAHAM CLULEY. Okay, that'd be great. Everyone can't wait to see that. Carole, what's your pick of the week?
CAROLE THERIAULT. Yeah, because your stories were so great. Okay, my pick of the week— you guys both know my pick of the week because, as you're my two bud buds that love podcasts as much as I do, or almost as much as I do, I threw them your way after lolloping through the first episode only. And this podcast is called Brian and Roger. And I'll just give the premise, and then you guys just jump in because it's just— So, this is created by Harry Peacock and Dan Skinner. They're the brains and voices behind the characters, Brian and Roger. And Brian and Roger met at a divorced men's support group about a year ago. And they're really codependent. And the problem is that one of them's quite a nice guy, right? A good guy. But the other guy is not such a good guy. And— And every week they inch towards like a horror show of a sticky pickle. And the outcomes are truly disturbing, wonderful, horrible, delicious, awful.
GRAHAM CLULEY. The whole podcast is a series of voicemails which they leave each other. So they never have a conversation. Yes, that's true. They leave a voicemail for each other and then the other one replies to it. And I have to say, after you told me about this, Carole, I listened and I kept listening. I must have listened to about 20 episodes. I know, I think you're ahead of me now.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. I'm halfway through season 2 at the moment. I have really enjoyed it. I mean, it is the same joke over and over again, but it has— It is not the same joke. That isn't true. But it doesn't matter, 'cause it is brilliantly done.
CAROLE THERIAULT. The joke is that one is nasty to the other person. That's not a joke.
GRAHAM CLULEY. Well, no, the format of the show is basically there's a guy who's very agreeable, and even when asked to do ridiculous things, keeps on saying, well, initially he puts up some sort of objection, which gets overridden, and then he finds himself doing this thing, and then it all turns to shit. It's much, much worse.
CAROLE THERIAULT. We should warn, it's not for the faint-hearted, okay? They do talk about things like pussy scrotums, right? They talk about jazz cigarettes, uh, they intimate that an 82-year-old deaf woman is kind of a sex fiend.
GRAHAM CLULEY. Um, it's an adult podcast.
CAROLE THERIAULT. It's an adult podcast, but it is wonderful. And the thing I love most is the horrific Mike Henshaw. The mouth noises are just revolting, but so perfect because there are so many people that you speak on the phone with that eat on the phone, right? And do it really grossly.
GRAHAM CLULEY. And you're just like, "You're in my ear!" It really is, by both of them, a one— 'Cause there's only two people who appear in it. It's a wonderful acting performance.
CAROLE THERIAULT. Yep. Or just honest.
ANNA BRADING. They're short, aren't they? They're like 15 minutes long. Yeah, they're about 15 minutes.
CAROLE THERIAULT. Yeah, that's right. Anyway, snack-sized fun. I love it. So check it out if it sounds like your thing. It's Brian and Roger Podcast, and you can find it wherever you get your podcasts.
GRAHAM CLULEY. Fantastic. Now, Carole, you've got a featured interview for us this week.
CAROLE THERIAULT. I do. This week we have Max Linscott of Mimecast. Let's see what he has to say. Max Linscott from Mimecast. He is a senior manager of marketing strategy at Mimecast. Max, thanks for joining us and explain to me what you do. That's a big title.
MAX LINSCOTT. Hey, thanks, Carole. It's really nice to be here. So I've been working in cybersecurity for about 8 years now, and for the last 2 years I've been working on the market strategy team here at Mimecast. My job is to basically try and understand the threat landscape, what technologies are out there, and ensure that we're delivering solutions that are solving the most pressing problems for organizations today.
CAROLE THERIAULT. Yeah, so you've got to really keep your finger on the pulse. And obviously, the pulse in 2020 isn't what it was in 2019 or before. So companies are having a hard time. What are you seeing as the main challenges?
MAX LINSCOTT. Well, the first is remote working. So organizations are having to figure out how to keep users safe and productive while they work from home. How can they protect their intellectual property and people? And with the ever-increasing amount of data and collaborating that's going on, we have to think about how we can manage to avoid kind of like pretty important sanctions that can land on our laps from, like, GDPR, for example.
CAROLE THERIAULT. Yeah, no one's talked about that, the whole remote working environment and the GDPR component. That's actually quite a big one. Yeah, 100%.
MAX LINSCOTT. And as I say, like, you know, the more that people are collaborating, you start to suddenly lose control of what your users are doing, what they're using, and what they're interacting with. I think the second thing that I would highlight there is this new word that I've learned, pandenomics.
CAROLE THERIAULT. I like it, and I want an explanation of what it means.
MAX LINSCOTT. Yeah, so I think the easiest thing to, or easiest way to explain, is probably the economic impact that COVID has brought us, and this is obviously affecting, like, you know, most people's bottom line in one way or another. And it's therefore kind of inextricably linked to everything, but specifically from a cyber perspective, it affects this new strategy that people are having to set up. The run costs that people are kind of used to supporting are being driven down and new spend is rejected. And the sad truth of this is that all the while, the threats out there are increasing. Part of this is the commercials of falling foul of some of this stuff could actually bring an organization to their knees. So, decision makers are kind of left in a really tight spot where they're forced to solve all of these problems and deliver complicated projects with half the budget, twice the pressure, introducing, you know, untried new technologies for the first time, and often sadly, with a very small amount of manpower. Yeah.
CAROLE THERIAULT. I mean, actually, you're giving me the thought that IT workers, and especially ones that work on security, they're like first-line workers, right, in this pandenomic situation that we have. So, okay, so what are the things that people need to keep top of mind? Okay, you've talked about this new remote working ecosystem. What's changed and what do we have to focus on?
SPEAKER_03. Well, from a threat perspective, it's worth just noting like the trends that have changed, as you say, and collaboration is of course the center of the new cloud order. We've seen amazing adoption of tools like Teams, which I believe went up in the region of 40% in 5 days at the beginning of our first lockdown. We've seen pretty similar trends for the likes of Slack, Zoom, OneDrive, SharePoint, Box, LastPass, Dropbox, and so on. Um, all of this is great, but email remains the most utilized and most universal tool that we have. 94% of cyber threats begin with an email. It remains the number one threat vector by a country mile. Um, and when we talk about the kind of impacts that COVID has had in the behavioral changes, we've only seen this rise increase during COVID. We've sent and received far more emails. We reply faster. We open links and attachments quicker than ever before because we don't have that immediate personal interaction anymore. Exactly. Exactly.
CAROLE THERIAULT. Yeah. So people are ever more reliant on email and the bad guys know it and are focusing on that vector.
SPEAKER_03. Can I sum it up that way? Yeah, definitely. I mean, we are increasingly relying on non-email tools as well. But the reality is, is that email is such an easy thing to manipulate as a malicious actor, and it was never really designed for security. Looking at the trends, we've seen a significant rise in email attacks over the last year, and this ranges from opportunistic drive-by type attacks to the lower volume and more targeted kind of headline-grabbing phishing and whaling. The hackers are better equipped to send more advanced threats with tools like sort of commercially available phish kits. If I was to sort of call out two highlights just in terms of common themes in all the emails that we've observed. Yeah, shoot, fantastic. Yeah, I think that, you know, these will probably both be quite familiar and obvious, but the first of these is COVID-related notifications, things like, you know, click here to see the latest guidance from corporates about, you know, when you're going to be able to return to the office, or, you know, local council about, you know, the new restrictions, and famously the World Health Organization that we saw sort of earlier in the year. And obviously we've sort of just had announcements in the UK, and as we enter this period of tiers and vaccination and announcements, this is likely to get worse. So the second thing that's noticed here is, as I said, we've got this increase in dependence on other collaboration tools, and a definite trend that's emerging is the impersonation of these collaboration tools and a threat that is sent through on email. So there is— it's interesting because there is always going to be some sort of link or correlation between adoption and targeting. So the more people that depend on a technology, the more that technology is exploited as part of the attacks. And this could come in the form of fake links for Zoom meetings, password reset requests for Office 365, and so on.
CAROLE THERIAULT. So it's like they're using the email as a vector, but it's tied to a different service, and that collaboration obfuscates the risk for the user? Exactly, exactly.
SPEAKER_03. Right, gotcha. And, and like we said, we're dependent and more likely to click on these links because we are already using Teams or SharePoint or Office 365. And it's therefore a more successful and more compelling attack.
CAROLE THERIAULT. I feel like we're a fish in a fishbowl right now for the bad guys, because we're all interested in these topics, right? We're all doing this and we're all running a bit mad because it's been an insane year for everybody.
SPEAKER_03. Yeah, well, I mean, I really like that analogy and I think that as we maybe think about putting ourselves in a hacker's shoes, it's quite a useful exercise to think about, you know, where you're vulnerable and where you're most vulnerable. They're trying to run a business, if you think about it. So, they study their total addressable market. They're thinking about delivering a minimum viable product, and they're aiming for excellent adoption rates. Which basically means, you know, how can I successfully target as many as possible with the most effective attack that costs me the least amount to produce. Yeah, business 101, really. Exactly. And as, as you kind of pointed out, we are a captive audience and we're frantically collaborating at home on all of these tools that we're thoroughly engaged with. We're protected by a security team that is stretched and underfunded at best, not to mention that, as you say, we're all clamoring for this information about when and how our lives are going to return to normal, and the list goes on. So there's this real spectrum of attacks. And the ones that make the headlines are often the sort of dastardly ones that are very sort of cleverly crafted. And while we do see hackers occasionally relish the challenge of architecting a bleeding-edge attack, they'd much rather shoot fish in a barrel.
CAROLE THERIAULT. Yeah, right, exactly. OK, we need a bit of— we need to pivot here to something a bit more silver lining to this doom and gloom. So tell me about how organizations are going about changing their strategy to compensate or to just meet the requirements of this new world.
SPEAKER_03. Well, I'm not quite finished with doom and gloom yet, but I think it's— Oh no. I think it's— Okay, carry on. I think it's pretty tough at the moment, obviously, but it's fair to say that a trend that's emerging is consolidation. So organizations are looking to reduce complexity at every turn. The burden on IT is just too great. So, sadly, the sort of doom and gloom part of this is that the first things to be questioned are the headcount and licenses that are associated to operational costs, as kind of, you know, a CFO would look at their, you know, where am I spending my money? And IT doesn't seem to be making me any money, it's just costing me money. So how can I cut that down to size? So people are being forced to sort of consider their options at this point, and the future is in the cloud, and it always has been. But what COVID's done is it's catalyzed the transformation projects but simultaneously, as we've said, shrunk timeframes, resource, and budgets all in one fell swoop. So in order to kind of protect IP and people in the cloud, it is about striking a balance between, you know, how much consolidation do I go into and what other things do I need to consider?
CAROLE THERIAULT. OK, so what are the keys to an effective strategy? Would you say that Microsoft 365 is a kind of knight in shining armor for companies?
SPEAKER_03. Again, it's really important to strike the right balance. I think Microsoft solves an enormous amount of problems incredibly well. And consolidation is important because it can reduce complexity and cost. But we have to ask ourselves, can I deliver economics, experience, and efficacy in equal measure? So, if we look at that Microsoft example and we were to take consolidation to its extremes by choosing the apparent economics and simplicity of becoming totally dependent on one single vendor like Microsoft, and we kind of ignore what we see in the rearview mirror and forget measures like layered security or independence, things that we used to value, right? Does that mean that I then underdeliver on efficacy? And what's the knock-on effect of like, if we think about the security side of things, like what's the true cost of failing to deliver that? Does it actually have an effect on the economics? So what would a breach cost me and how many breaches can I expect and how much time am I going to spend clearing them up?
CAROLE THERIAULT. Yes, seriously, really important questions that I think few companies really take seriously, right? Yeah. Good point. Good point.
SPEAKER_03. Absolutely. And I think M365 is a phenomenal toolkit. It's got a compelling amount of functionality and it will be the heart of most cloud strategies, and rightly so. Microsoft have released more security features than they ever have done before, and you can see that it's really starting to shape nicely to deliver things like Zero Trust, which is pretty cool. But I think it's worth raising— there are a couple of issues with expecting one cloud to be everything to everybody. So today M365 has almost 300 million business users on its platform, all ferociously adopting and collaborating with all of these tools and bits of kit that they've given you. And this means a few things. It means an increased attack surface. And what I mean by this is every single user added represents a new angle of attack for malicious actors. 95% of data breaches are the result of human error. And I always think about it like, you know, those old vampire movies. They can't cause you that much harm unless you invite them in. And like, as we kind of touched on earlier, it means that when you're creating an attack via email and you imitate a Teams login, it is more successful because you know that they're using it. Yeah, yeah, yeah. Also, this collaboration means that you've got more people generating more data all sitting on this Microsoft platform. And the result of that is that there is more data to steal, more people to target, and this incentivizes attackers to target Microsoft.
CAROLE THERIAULT. So you're kind of putting into question the whole idea of having this kind of homogeneous environment.
SPEAKER_03. Yeah, exactly. And this is the main sort of other point that I would want to make, and this is the dependence on that single vendor. So the compelling bundling and features that are included in the Microsoft kind of packages at the moment are combined with the pandemic and the financial pressure, meaning that organizations are very prepared to accept that suddenly Microsoft security is good enough. And this creates, like you say, a homogeneous monoculture where more organizations are sitting behind identical protection. It's a really funny kind of phenomenon, and the result of this is that Microsoft has actually unified malicious actors. So there are more users to attack, there is more data to steal, and all of these users and all of this data is sitting behind exactly the same security. Email is the number one attack vector. It's, it's really unsurprising that email attacks are being purpose-built and designed to penetrate Microsoft's included security. It's just too obvious a target. And even against the best security that they've kind of invested in, the Microsoft Advanced Threat Protection, hackers are proving themselves well up to the challenge.
CAROLE THERIAULT. So, okay, so, okay, so you have to bring me a silver lining now as we wrap this up. You have to, you have to. I know you're English, but bring me some sunshine. Bring me some sunshine.
SPEAKER_03. So, I think the good news is there is some silver lining, and actually what we've described isn't a bad thing to look at and to do, it's just that we need to go into it with our eyes open. You have to build, and you must, and you probably will build your strategy around Microsoft 365, and you need to pick the other tools that you need to succeed. This has to include a thorough assessment of risks and for you to be able to ask some more challenging questions of the technology, like where is Microsoft great? Where do they need some help? And should I expect them to face certain challenges on their own? And what is the true cost of being totally dependent on them? So, like, you're going to introduce more vendors than your CFO thinks you need. So it's important that your vendors can help you demonstrate the value of any extra spend or, more likely, the cost of not spending that money. So we talked about organizations being brought to their knees and, according to the IBM data breach report, the average cost of a data breach in the UK is $3.9 million.
CAROLE THERIAULT. Jeez. So in, in prepping this year, because we have to, we are actually building hopefully more resilient systems that actually can help IT security people provide better services for their users and for clients and for everyone.
SPEAKER_03. Absolutely. Absolutely. Max Linscott, thank you so much.
CAROLE THERIAULT. Listeners, you can learn more on smashingsecurity.com/mimecasthub, and thank you so much for coming on the show today. I really appreciate it.
SPEAKER_03. That's a pleasure. It's been great to be here.
GRAHAM CLULEY. Well, that just about wraps it up for this week. Uh, Anna, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
ANNA BRADING. You can get festive snack recommendations, um, on @AnnaBrading on Twitter. And I'm also on LinkedIn if you want to give me work, but not for another 6 months or so. Yeah, hunting a bit early.
GRAHAM CLULEY. And you can follow us on Twitter, @SmashInSecurity, no G, Twitter must have a G. And you can also join us on Reddit, just look for the Smashing Security subreddit. And don't forget, you want to make sure never to miss another episode of Smashing Security, subscribe in your favorite podcast app, whether it be Apple Podcasts, Spotify, or Pocket Casts.
CAROLE THERIAULT. Remember, you all have a VIP invitation to our YouTube Live Christmas special on Thursday, 17th of December. That is next Thursday, folks, at 8 PM UK time. You can sign up at smashingsecurity.com/live. Be there, be triangulaire. And again, quick shout out to our sponsors, Mimecast, Culture AI, and LastPass, and our individual contributors via Patreon. This support is what helps make the show free for everyone. All the details for past episode sponsorship, guest list and everything else is until next time, cheerio.
GRAHAM CLULEY. Bye Bye. Bye.
ANNA BRADING. Bye. Bye. Bye.
CAROLE THERIAULT. I love how you say you sound like you're flying away like a bird.
ANNA BRADING. Oh, yeah, It's more like sort of flipping over like a whale. Like a beached whale.
GRAHAM CLULEY. Sometimes you have to do that to make your Graham Clulies comfortable, though.
-- TRANSCRIPT ENDS --