
369: Keeping the lights on after a ransomware attack


Leicester City Council suffers a crippling ransomware attack and a massive data breach, but is it out of the dark yet? And as election fever hits India, we take a close look at deepfakery.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • Sonrai's Cloud Permissions Firewall - A one-click solution to least privilege without disrupting DevOps. Start a 14 day free trial now!
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


GRAHAM CLULEY. There's a very simple reason, I suspect, why they're not doing that anymore.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Two words.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Bird poop.


CAROLE THERIAULT. Oh.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Is this true or are you just guessing?


GRAHAM CLULEY. I— look.


CAROLE THERIAULT. You're guessing. Okay.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Yes.


UNKNOWN. Smashing Security, episode 369. Keeping the lights on after a ransomware attack, with Carole Theriault and Graham Cluley.


GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 369. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. Carole, you are back from your secret mission overseas, underwater. On a different planet. I don't know where it was. It's all secret.


CAROLE THERIAULT. Yeah, I'm going to be talking about that in the pick of the week. But can I tell you something absolutely gorgeous and spring-like that I can tell you?


GRAHAM CLULEY. Oh, yeah.


CAROLE THERIAULT. Because remember a few weeks ago, I was "oh, I have a pick of the week. It's this app called Merlin Bird ID."

Anyway, so I come — I'm home from my adventures and I have 3 baby robins in my garden. And they came into the house. They flew into the house. I was a total — what's the Disney girl that has all the — Cinderella?


GRAHAM CLULEY. Snow White?


CAROLE THERIAULT. Snow White, I don't know. One of them, most of them have little birds floating around. That was me. I had all these tiny little birds flying around in and out of my house and it was gorgeous.

So happy spring everyone from England. So let's thank this week's wonderful sponsors, Kolide, Sonrai, and Vanta. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm gonna be asking, will the last company to be hit by ransomware please turn off the lights?


CAROLE THERIAULT. Okay. And I'm heading to India because they've just kicked off their new elections.

All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, let's travel to old Blighty, the UK. And there is a city in the UK called Leicester.


CAROLE THERIAULT. And for our American friends, it's spelled Leicester.


GRAHAM CLULEY. Leicester. That's right.


CAROLE THERIAULT. Leicester.


GRAHAM CLULEY. Leicester. And Leicester City Council, they were thrown into chaos last month.

When a crippling cyber incident, as they like to call these things, forced it to shut down its IT systems and phone lines. And it had some real, very real-world impacts. Charities reported they were unable to support vulnerable homeless people as a result of the infrastructure being shut down.

You know, it's obviously really serious. And care homes were warned that payments of hundreds of thousands of pounds could be delayed. So their funding was being delayed due to the incident.

All kinds of nastiness being caused by a ransomware attack. Surprise, surprise. And by the end of last month, the council was still being tight-lipped about whether any data had been breached during the attack.

And of course, normally these days, if you get a ransomware attack, you will have some data stolen at the same time because it increases the opportunities for the criminals to extort some money out of you.


CAROLE THERIAULT. Yeah, and I'm imagining — no offense to Leicester's city council — but I'm imagining they are not as tight in security terms as, say, a bank, for example?


GRAHAM CLULEY. Well, maybe not, but if you think about it, just as it's really important to secure your funds, it's really important to secure your citizens' details because you can't— if you live in that area, you don't have any choice. You have to give your information to the council because, you know, you want your bins picked up and, you know, you have to pay your council tax and all the rest of it.


CAROLE THERIAULT. Vote and stuff. Yeah.


GRAHAM CLULEY. Now, in early April, Leicester City Council confirmed that about 25 documents had been shared online by the attackers.


CAROLE THERIAULT. So they had some information stolen then.


GRAHAM CLULEY. Yeah, that's right. And they described that data leak as a very serious matter. 25 documents, they said.


CAROLE THERIAULT. It doesn't sound like a lot.


GRAHAM CLULEY. Hmm?


CAROLE THERIAULT. It doesn't sound like a lot, 25. Maybe— I have no idea how big the documents are.


GRAHAM CLULEY. Carole! Oh, I see. What you're thinking is maybe they're RTF files with a great big bitmap embedded inside them. So they're actually—


CAROLE THERIAULT. Right.


GRAHAM CLULEY. 312 gigabytes or something. It's just— I mean, it's not that huge, is it really? But how do you feel about 1.3 terabytes of data?


CAROLE THERIAULT. So the biggest files on the planet.


GRAHAM CLULEY. Well, it turns out that as with many other victims of data breaches in the past, the initial estimate as to just how much data had been taken was a little bit out. Having described 25 documents as having been taken as a very serious matter, they needed a whole new way to describe the fact that 1.3 terabytes of data was now being published on the leak site by the ransomware gang.

INC Ransom is their name. Very corporate.


CAROLE THERIAULT. Very large files.


GRAHAM CLULEY. Well, yeah, you could argue maybe it was still 25 files. I think that's unlikely. I suspect they've got rather more than that.

And Leicester City Council can't rule out the possibility that yet more data might be leaked in the future. In fact, INC Ransom, the criminals, they claim that they've taken 3 terabytes of data. It's a huge amount of data to take from a network.


CAROLE THERIAULT. I'm wondering though, okay, so the Leicester City Council will have probably one, maybe a handful of people that look after IT.


GRAHAM CLULEY. I imagine they've got a few more than one or a handful. I would think they'd have—


CAROLE THERIAULT. Really?


GRAHAM CLULEY. Yes, yes.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Oh, absolutely, Carole, you know, because they're—


CAROLE THERIAULT. In this age of AI, Graham, I don't know if you could be sure about that. You're just too old to understand how things work these days, I'm telling you.


GRAHAM CLULEY. Leicester's quite a big city, isn't it? I think it is. It's bigger than Magdeburg.

Is it bigger than Magdeburg? Let's not start that again. Anyway, quite a big difference. 25 documents, 1.3 terabytes, maybe up to 3 terabytes.

So you can understand why some people might think that the attackers sent the council back to the dark ages and whether it can do enough to keep the lights on.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Well, it's now nearly two months after the initial attack, and they're still struggling to get everything back up and running. In fact, residents of Leicester may be considering donning sunglasses due to a state of perpetual brightness in the city.

Now, why might that have occurred? It's not continental drift. They're not now up in the Arctic Circle.


CAROLE THERIAULT. Okay, I've no idea.


GRAHAM CLULEY. What's happened is the streetlights have been found to be permanently on. 24 hours a day. And no one knows quite how to turn them off.


CAROLE THERIAULT. What, are you kidding me?


GRAHAM CLULEY. Nope.


CAROLE THERIAULT. This is your story. That's what I'm shocked at. Okay, so the lights on the Leicester streets are on continuously.


GRAHAM CLULEY. Continuously. And it's the consequence of a ransomware attack. There's a 65-year-old guy called Roger Evans. He told the Leicester Mercury that the streetlights down his neck of the woods have been turned on constantly.

So he complains to the council. I imagine Roger complains quite a lot about things to the council. He hasn't got much to do. And he said that they got back to him and said the ransomware attack had attacked and affected the central management system and that the streetlights were, quote, misbehaving.


CAROLE THERIAULT. Okay, I don't know how streetlights work in Leicester, but in my neck of the woods, they are on all night, right? I don't think I would notice them even being on during the day.

I'm not Roger Evans, but it's not like it's giving light pollution, is all I'm saying.


GRAHAM CLULEY. I'm not sure everyone's streetlights do stay on all night long.


CAROLE THERIAULT. I would love if mine didn't, to be honest.


GRAHAM CLULEY. Well, exactly, because it can bleed straight through your—into your bedroom window, can't it?


CAROLE THERIAULT. It does, yeah.


GRAHAM CLULEY. It can ruin your sleep. It's a very important thing. And some of these newer streetlights with the LED, you know, it's all "Oh, designed to save energy and everything." And it's "Oh my goodness, that's so bright."

Can't cope with that. You end up having to buy really thick curtains, don't you, Carole?


CAROLE THERIAULT. I do have very thick curtains.


GRAHAM CLULEY. Say no more. So, a city council spokesperson said, "We are aware of a number of streetlights that are staying on during the day. This is due to a technical issue related to the recent cyberattack.

When we were forced to shut down our systems, it means we are currently not able to remotely identify faults in the street lighting system." What?


CAROLE THERIAULT. I wish they'd give us more information. Surely if they shared this with the world, some techno wizard would say, "This is how you can do it."


GRAHAM CLULEY. Well, you don't want any old Tom, Dick, or Harry shimmying up streetlights, Carole, trying to debug them.


CAROLE THERIAULT. No, I imagine they would've emailed them and said, "Maybe do this in the code. You know, check this out."


GRAHAM CLULEY. Oh, what, so they should just publish the streetlight code on GitHub and say, "Go for it," their remote access system? Well, because these things are bad. I bet streetlights have got a default password.

I bet they're streetlights. I bet they're roadwork signs.


CAROLE THERIAULT. I never thought about that.


GRAHAM CLULEY. So I'm surprised because I thought, why are there central systems managing streetlights anyway? Right. I thought, surely I remember as a kid there was streetlights outside my bedroom window.

You know, it was a decent enough distance, didn't keep me awake. But I noticed it would come on when it got to about dusk and then turn off again in the morning. And it was a different time every day. You know, it would slightly change over the weeks. You'd notice it slightly.


CAROLE THERIAULT. Yeah, there'd be some sensor that would go, "Oh, daylight."


GRAHAM CLULEY. Exactly. You'd have a light-sensitive sensor telling if it's dark or not and turning the light on and off accordingly. And, well, there's a very simple reason I suspect why they're not doing that anymore.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Two words.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Bird poop.


CAROLE THERIAULT. Oh.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Is this true, or are you just guessing?


GRAHAM CLULEY. I—look.


CAROLE THERIAULT. You're guessing.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Okay. So you just think there's these massive seagulls running around, literally trying to aim their feces at the sensors to fuck with people?


GRAHAM CLULEY. In my experience, a seagull or a pigeon with an iffy tummy can be more precise than an Exocet missile.


CAROLE THERIAULT. Why, have you been hit before in the face?


GRAHAM CLULEY. You would be surprised, Carole, where I have been hit.


CAROLE THERIAULT. I don't think I would.


GRAHAM CLULEY. By bird poop in the past. But of course, if that goes on the sensor, you have to employ someone to go round with a broom, cleaning the streetlights.

So the team at Leicester City Council and elsewhere have thought, well, what we should do is we should connect all the streetlights. Because it's all smart cities, right? It's everything's got to be connected, everything's gotta be connected, that's brilliant, let's connect everything.

And then from one central place, we can find out if they're faulty. We don't have to send a man round to clean them, we don't have to send a man round to see if they're not working, we don't have to man phones, because obviously there'll be a hotline for people to report broken streetlights.


CAROLE THERIAULT. It's not man phone.


GRAHAM CLULEY. Alright, people phone.


CAROLE THERIAULT. Thank you.


GRAHAM CLULEY. And— Sorry. Anyway, so as a consequence, in Leicester, the lights are on.


CAROLE THERIAULT. 24/7.


GRAHAM CLULEY. I don't know if there's anybody home in the IT department. Now, this is not the first time lights have been permanently left on.

There is a school in Massachusetts which had 7,000 of its lights left on for over a year because no one could work out how to turn them off. It cost thousands of dollars every month, and it caused problems when teachers were trying to play videos on the whiteboards, and some teachers resorted to unscrewing light bulbs.

The reason was they struggled to make contact with the firm that had installed this system which controlled the lights. It changed ownership a few times, apparently, the firm, and then they waited for months and months for parts to be delivered from China.

There were supply chain issues, which obviously has been a security issue in the past. And there were complaints at the time, "Why are we outsourcing our light bulbs, lighting systems to China?" And I mean, I don't think it was an attack, but you've gotta be careful about this sort of thing.


CAROLE THERIAULT. Yeah, so do you think this is part of the attack or do you think this is maybe incompetence on the part of the council?


GRAHAM CLULEY. Oh, I don't think it's the ransomware gang. No.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. No, I think this is just a side effect of the IT systems being busted. In Leicester, they're longing to turn off the lights, they want to recover from the attack.

But the councillor said it's not gonna pay any ransom. Frankly, they said, we're broke, even if we wanted to, we can't afford it, because like many councils in the UK, they've just got no money and there's no more money coming from central government.


CAROLE THERIAULT. And presumably they're more concerned about the 3 fucking terabytes of data they lost as opposed to the lights being on.


GRAHAM CLULEY. Yeah, that's not—


CAROLE THERIAULT. I would be.


GRAHAM CLULEY. That could be quite costly, couldn't it? I mean, what happens when the regulators start fining them over that or find them to be incompetent or they didn't encrypt properly or blah, blah, blah, blah, blah, about that data, which is now in the hands of the criminals?


CAROLE THERIAULT. Exactly. Who is that guy you quoted? Roger Ewins, right?

65-year-old Roger Ewins who complained. He maybe should be more worried about the data they stole from him and where it's ended up.


GRAHAM CLULEY. Don't get him started.


CAROLE THERIAULT. Which the lights being on.


GRAHAM CLULEY. Well, at least we are shining a light on this problem. And don't— Remember everybody, cyberattacks— I hate it when they call them cyberincidents, or there's been an IT— Just use the R word. It's a ransomware attack. Don't be afraid. Carole, what's your topic for us this week?


CAROLE THERIAULT. Well, we're going to India, and you might be aware that India is currently going through an election cycle that just kicked off in earnest last Friday.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. And for those of you out there who are unfamiliar with the country's political modus operandi, know that India's democracy is the largest in the world. The country has a parliamentary system defined by its constitution, with power distributed between the central government and the states.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Now, India's elections are no small feat because they must cater to almost a billion voters, more than a tenth of the world population.


GRAHAM CLULEY. It's amazing, isn't it?


CAROLE THERIAULT. It's incredible. And there's another hurdle, the languages, right? So whereas the UK has one—


GRAHAM CLULEY. UK has Welsh.


CAROLE THERIAULT. Oh, you're absolutely right.


GRAHAM CLULEY. Gaelic, Cornish. Cockney? Mancunian?


CAROLE THERIAULT. Okay, let me rephrase. So whereas the UK has a small number of official languages and where Canada has two official languages, India has 23 official languages including English, but there are apparently 780 languages spoken. What? Imagine.


GRAHAM CLULEY. That's crazy.


CAROLE THERIAULT. Imagine. So no wonder that India's elections take upwards of six weeks and involve millions of poll workers, voting machines, and security forces to cover deserts, mountains, forests, and cities. And India's laws also state that no voter is required or should be required to travel more than two kilometres from their home to get to a polling station. What?


GRAHAM CLULEY. Really?


CAROLE THERIAULT. Yes. So workers, poll workers and all this, must trek up mountains, go deep into forests. According to the New York Times, they will be using all manner of transport to collect the votes, even camels or elephants, let alone helicopters and boats. And with a billion voters, you need millions of machines, right?


GRAHAM CLULEY. Okay. So this two kilometre rule, I can— That seems insane to me at first, because it's well, two kilometres doesn't take you very long to walk two kilometres, does it? It's gonna take—


CAROLE THERIAULT. No, it takes you long to walk 10 kilometres. Right.


GRAHAM CLULEY. But at two kilometres, it's gonna take you what? 10 minutes, 15 minutes, something like that? I guess there are problems if you're in a mountainous area.


CAROLE THERIAULT. Yeah. Elephants, Graham.


GRAHAM CLULEY. They're not very fast.


CAROLE THERIAULT. Yeah, but they can go through debris that humans can't go through.


GRAHAM CLULEY. Only if you— Yeah. And they only go for so far until you've got to fill them up again at a diesel station.


CAROLE THERIAULT. I'm getting back to my story.


GRAHAM CLULEY. Go ahead.


CAROLE THERIAULT. But this election cycle is different from previous elections thanks to the rising power of AI. And it turns out that AI plus elections equals crazy times a-go-go.


GRAHAM CLULEY. Ugh.


CAROLE THERIAULT. So of course we have the troublemakers, right? An example would be fake videos featuring two prominent Bollywood actors.


GRAHAM CLULEY. Yep.


CAROLE THERIAULT. Aamir Khan and Ranveer Singh, where they purportedly criticized Prime Minister Narendra Modi and advocated support towards the opposition Congress Party. The two videos have been viewed on the socials more than a million times, reported Reuters.

Now, both actors have said the videos are fake. Facebook, X, aka Twitter, and at least 8 fact-checking websites have said they are altered or manipulated, which the Reuters Digital Verification Unit also confirmed.

There was also a viral video of Rahul Gandhi's resignation from Congress that took over social media, but it was fake. They used an AI-generated cloned voice and used an altered video of him filing his nomination papers for the 2024 polls.

So they basically took an existing video, tweaked it, added new voices to it, and tried to say, "I'm resigning from Congress." But AI is also being used legitimately by candidates.

So imagine, Graham, right? So let's say we're having an election here in the UK, right? And you pick up the phone, the phone rings, right?

You pick it up and it's a cold call campaign thingy saying vote for Rishi Sunak. So what do you do, right? You would probably, what would you do?

Would you hang up? Would you say, I'm very sorry, I'm not interested?


GRAHAM CLULEY. I'm a very busy man.


CAROLE THERIAULT. Say you're eating or pooping or something. Yeah, my other half calls bathroom breaks business meetings. So you have a big business meeting to attend.


GRAHAM CLULEY. I'm just on a conference call at the moment. Yeah. I would be pretty annoyed.

I don't— so it's just a robot, is it? It's not actual human ringing up on Rishi Sunak's behalf.


CAROLE THERIAULT. Well, no, but the way normally, typically these campaign calls would work is you would either get someone calling up and going, who are you voting for? What are you doing?


GRAHAM CLULEY. And it's just a huge invasion of my privacy. It's none of their business. I don't want to speak to anyone from any political party on the phone.

How dare they? Ring my bloody phone and interrupt my life.


CAROLE THERIAULT. What if they show up at your door?


GRAHAM CLULEY. Well, you know, I can obviously—


CAROLE THERIAULT. Slam the door in their face as opposed to hang up the phone?


GRAHAM CLULEY. I don't mind when people come round to the door as much.


CAROLE THERIAULT. It's because you're lonely, probably.


GRAHAM CLULEY. I think that could be the reason.


CAROLE THERIAULT. Come in for coffee!


GRAHAM CLULEY. Please, please be my friend, please!


CAROLE THERIAULT. But what if, you know, the phone's ringing, you pick up, and the caller says, "Hi, Graham, I hear there are issues in your town, such as Amazon deliveries going awry."


GRAHAM CLULEY. Yes, that's very true.


CAROLE THERIAULT. Right. So they use your name and contextualize the pitch for you to make you stay on the phone longer and hear what they have to say.


GRAHAM CLULEY. Yeah, yeah, yeah. Okay.


CAROLE THERIAULT. Right. And this is what's happening right now in India, making the job of candidates much easier, all thanks to AI, because they can use AI to contact their voters in their native tongue, be it one of the 780 languages that are spoken.


GRAHAM CLULEY. Wow.


CAROLE THERIAULT. And talk about the issues that are close to the communities and the specific geographies.


GRAHAM CLULEY. But are they actually having conversations with people, or are they just reading out a speech?


CAROLE THERIAULT. Honestly, I have no idea. But I can appreciate if you were a candidate in India going for the prime ministership, and you have 780 languages, and you speak, what, two of them, as the current prime minister apparently does? How do you get your message across to everybody else?

So AI-generated stuff could be the answer, right? Because it can translate it into all the dialects, at least the 23 official ones. So political parties are crafting AI-generated news anchors, right? So you even have fake news anchors to convey political messages, election promises, and manifestos.

Now, when I say AI-generated, I don't mean fake. These are advocated by the actual party. And the point is to connect with a wider voter base over live streaming on social media platforms across diverse linguistic demographics.


GRAHAM CLULEY. Well, hang on, hang on. Just roll back a second. What do you mean here? So you're saying these are AI-generated, but they're not fake. Do you mean they're not malicious? They're not deliberately deceptive?


CAROLE THERIAULT. Yes, they're not deep— see, that's the problem. So I think many of us associate the word deepfake with bad.


GRAHAM CLULEY. OK.


CAROLE THERIAULT. Right? But if I am a party and I want to do this, I'm like, let's just create an avatar. Let's get the messages out. Let's target specific messages based on specific regions. And then let's slap it in and way to go.


GRAHAM CLULEY. You know, I think these politicians, I think they've got the wrong end of the stick of how to deal with this. Because I think most people do not want a call from a political candidate, right? They do not want to have that phone call.

What I would do if I were a political party, so if it were the Cluley Party, what I would do I think is I would run a campaign which rang up people pretending to be my opposition, right? And annoy the voters with my constant phone calls pretending to be the opposition in order that I get the votes instead.


CAROLE THERIAULT. Do you think that's not happening right now? Do you think that there are not other parties that are trying to, you know, take down the current political leader?


GRAHAM CLULEY. It's like a Joe job, isn't it? Yeah, oh, I'm sure there are, but I just think use the deepfake and the AI technology to pose as—


CAROLE THERIAULT. No, no, don't do that. Don't do that. Do not listen to Graham. No, no, no, no.


GRAHAM CLULEY. No, no, I'm not saying do it. I'm just saying that if—


CAROLE THERIAULT. I think what I'm saying is both things are happening. So a legitimate party is using AI tech to be able to get their messages out in a more engaging way. To a broader audience.

But also you've got the baddies that are trying to discredit certain parties or cause some strife using deepfakes to try and mess the whole thing up, misinformation, all that stuff.


GRAHAM CLULEY. Yes. All I'm saying is the bad guys don't have to be lying in the message. They could just be saying, "Hey, isn't the party Van Dabby Dozy terrific?" And just the sheer fact that they've rung you up is irritating enough that you would never vote for Van de Beekdosen.


CAROLE THERIAULT. Okay. Okay. Okay. Well, they've heard it here. You've heard it here, folks. There's elections coming up across Europe and the States, and maybe they'll use that, Graham. So you've given that away for free.


GRAHAM CLULEY. I bet everyone agrees with me. I bet everyone agrees.


CAROLE THERIAULT. I'm sure they do. So in my view, there are a few massive problems here. Right?


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Number one, voters don't know what's real or fake. Yeah, because there was also on Instagram, there was an Instagram Reel featuring the current Prime Minister Modi singing a popular Bollywood song using AI. The video depicts the Prime Minister seated cross-legged playing a guitar, and it's amassed over 3.4 million views on Instagram.

Now, as far as I understand, there's no political message in there. It's just like, oh, isn't he great? Look at him, so cute.


GRAHAM CLULEY. There he is, sat cross-legged. That's quite impressive for a man of his years.


CAROLE THERIAULT. Well, who knows if it was really him, right? So voters don't know what's real or fake. The use of AI has led offenders to disown their statements after criticism.

So if people complain, they go, "Obviously, that was a deepfake, nothing to do with us. We wouldn't have done that." But maybe the most important thing, which is the Wild West effect at the moment, or Wild East in this situation, is there's no serious legislation to curb the misuse.

So while policymakers and regulators from Brussels to Washington are racing to craft legislation restricting AI-powered audio, images, and video on the campaign trail, a regulatory vacuum is emerging. So the European Union's landmark AI Act does not take effect until after June's parliamentary elections.

And in the US Congress, bipartisan legislation that would ban falsely depicting federal candidates using AI is unlikely to become law before the November elections. So I think the thing I'm, I guess I'm trying to get across is pay attention to the India elections and what happens throughout them.

Try and use reputable sources like Reuters or The Times or The Washington Post or the—


GRAHAM CLULEY. And don't answer the phone.


CAROLE THERIAULT. I don't know if it's only phones that we need to worry about. It's all over the socials as well.


GRAHAM CLULEY. Okay. Oh, sorry. Yes, you're right. Don't go onto Instagram.


CAROLE THERIAULT. I agree. Follow my lead. Get the fuck off the socials.

So as the lines between real and fake blur, what the actual fuck are voters supposed to do? Like, what are their options?

Don't vote because you don't know what you don't know. You don't know what's real. You don't know what's fake.

Or you cast a vote and hope that you weren't misled. Like, it's a bit of a nightmare for democracies the world over, and it's leaders of countries that aren't democratic that might actually win out here.

Yeah, that's a bit ominous, but there you go. So there's my cheery pick of the week.

But I would just say pay attention to see what happens there, because elections are coming in lots of our countries. A lot of our listeners live in countries that I've mentioned, and it might be good to have an idea of what actually happens there, because trust me, the bad guys are paying attention too.


GRAHAM CLULEY. You just said pick of the week, I think, by accident. He said, and there's my cheery pick of the week.


CAROLE THERIAULT. I can't wait to get to my pick of the week, that's why.


GRAHAM CLULEY. I've noticed, so there are some elections coming up here in the UK. Yes. At both local elections, and then later in the year, there's at some point to be determined, there's going to be a general election as well.

And it's quite interesting, this whole, are we going to begin to see fake news?


CAROLE THERIAULT. Of course we will.


GRAHAM CLULEY. Well, I'll tell you what I've been noticing. I've been getting campaign leaflets through my door. Now, there's a particular political party which isn't doing terribly well in the polls at the moment compared to their current allocation of members of Parliament.

I'm not going to name any names. But what's interesting is the things which come through the door, they've really disguised which political party they're from.

So if it's the incumbent who isn't doing terribly well, you have to look really, really hard to actually work out, well, which political party is this person actually represent— oh, it's that one. 'Cause they don't want to mention it 'cause they know that that's not taken the right way.

So I wonder if we will see fake, you know, deepfake and AI technology somehow getting around that problem as well.


CAROLE THERIAULT. Yeah, and still I would say today, I think, I don't know, I'm just guessing here, the ballparking, but I feel that when I read AI-generated content, I can kind of spot it after a few paragraphs, if not earlier. But I suspect that's going to get much, much harder to spot with the naked eye in years to come.


GRAHAM CLULEY. Good luck in your election.


CAROLE THERIAULT. Actually, I think it's more good luck to all of us who are going to be facing elections in the near future. So take heed, my friends.


GRAHAM CLULEY. When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Now you can assess risk, secure the trust of your customers, and automate compliance for ISO 27001, SOC 2, and more with a single platform.

And that platform is Vanta. Vanta's market-leading trust management platform helps you continuously monitor compliance alongside reporting and tracking risk.

Plus, you can save hours by completing security questionnaires with Vanta AI. Join thousands of global companies like Atlassian, Flow Health, and Quora that use Vanta to automate evidence collection, unify risk management, and streamline security reviews.

Smashing Security listeners get 20% off Vanta. All you have to do is go to vanta.com/smashing to claim your discount.

That's vanta.com/smashing. And thanks to Vanta for supporting the show.


CAROLE THERIAULT. If a security software company said they could help you reduce the permissions attack surface in your cloud by 92% with the click of a single button, what would you say? Sonrai Security just made achieving least privilege easy with the Cloud Permissions Firewall, a scalable solution that easily restricts excessive permissions from human and machine identities, quarantines unused identities, and disables unused regions and services without any disruptions.

Even better, the solution maintains this level of risk reduction by automatically enforcing least privilege policies as new identities are added to the environment. What's better?

The fact that you can test drive Sonrai's Cloud Permissions Firewall for free for 14 days. Just visit smashingsecurity.com/sonrai.

That's smashingsecurity.com/sonrai. That's S-O-N-R-A-I.


GRAHAM CLULEY. You've probably heard us talk about Kolide before, but did you know Kolide was just acquired by 1Password? Well, that's pretty big news since these two companies are leading the industry in creating security solutions that put users first.

For over a year, Kolide Device Trust has helped companies with Okta ensure that only known and secure devices can access their data. And that's what they're still doing, but now as part of 1Password.

So if you've got Okta and you've been meaning to check out Kolide, now's a great time. Kolide comes with a library of pre-built device posture checks and you can write your own custom checks for just about anything you can think of.

Plus, you can use Kolide on devices without MDM, your Linux fleet, contractor devices, and every BYOD phone and laptop in your company. Now that Kolide is part of 1Password, it's only going to get better.

Check it out at kolide.com/smashing to learn more and watch the demo today. That's kolide.com/smashing.

And thanks to them for supporting the show. And welcome back.

Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like. It doesn't have to be security-related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, Carole, you know me. I like to keep my picks of the week topical.


CAROLE THERIAULT. All right. Is this from the '50s or something?


GRAHAM CLULEY. 1957 it was.


CAROLE THERIAULT. Oh my God.


GRAHAM CLULEY. When a movie came out, which I have never seen, a classic movie. Maybe you can guess what it is. Directed by Sidney Lumet. Nope. Starring Henry Fonda.


CAROLE THERIAULT. Oh, I like Henry Fonda, but I haven't seen all his films.


GRAHAM CLULEY. Also has Jack Klugman, who later found fame as Quincy in it.


CAROLE THERIAULT. Hmm.


GRAHAM CLULEY. It's basically—


CAROLE THERIAULT. Our listeners are going crazy. They're like, 'Carole, don't you understand?


GRAHAM CLULEY. It's easy.' It's an all-male cast and largely on one set. It is 12 Angry Men.

I had the flu this weekend, so I was cuddled up on the sofa, and I thought, 'What can I do?' to make myself feel better. And so I watched 12 Angry Men.

Have you ever seen 12 Angry Men?


CAROLE THERIAULT. I think I have, because my husband's a movie buff. So, I get to be educated regularly with wonderful films from the past, yeah.


GRAHAM CLULEY. It's a great old black-and-white movie with fantastic cast. It is a seemingly open-and-shut case of murder where a jury has to decide if a young man is guilty or not.

If he is found guilty, he's gonna be sentenced to death. And I'm sure many people already know this.

Some, many of you may already have watched it, but for you youngsters who listen to the podcast who haven't got around to watching it yet, or people like me who are sort of quite mentally young and culturally young, you may not know. But anyway, the premise is this: at the beginning of the movie, only one of the jury believes that there is reasonable doubt about the murder charge.

Everyone else thinks that the suspect is guilty. And they also think they should be allowed to nip home early from the jury service to go and watch the ball game.

And so it's up to Henry Fonda as the one man on the jury to convince all the others—


CAROLE THERIAULT. Brilliant.


GRAHAM CLULEY. —that it shouldn't be a guilty verdict. I'm gonna watch this.


CAROLE THERIAULT. I'm sure I've seen it. I'm gonna watch it again.


GRAHAM CLULEY. It's great. Great characters, sharp script.

Explores prejudices in this single claustrophobic jury room. I'm sure it's been done as a play many times as well.


CAROLE THERIAULT. Christ, do you think we're going to get AI-generated movies where the plots are going to be so fucking boring we're going to want to just gouge our ears?


GRAHAM CLULEY. I saw a trailer for one just the other day. A completely AI-generated movie.


CAROLE THERIAULT. It's going to make so much money just because people want to see, and it's going to be so poo-poo.


GRAHAM CLULEY. After watching the trailer, you won't want to see it, probably.


CAROLE THERIAULT. No, it's not on my list.


GRAHAM CLULEY. Anyway. 12 Angry Men. I only just saw the original Top Gun a few years ago, so—


CAROLE THERIAULT. No, you're hip, you're hip, you're fashion.


GRAHAM CLULEY. I still have to see E.T. and Jurassic Park. So once I've seen those, I'll maybe make a decision.


CAROLE THERIAULT. Oh, E.T., come on. Gotta see E.T.


GRAHAM CLULEY. Never seen it, never seen it.


CAROLE THERIAULT. That's so adorable.


GRAHAM CLULEY. Carole, what's your Pick of the Week?


CAROLE THERIAULT. Well, as listeners know, I was travelling last week. I was in Canada, and I ended up taking the train to catch my plane back to Heathrow. And the trains in Canada are operated by VIA Rail. And I have to admit, I've always been a big fan, especially after coming to England, because they are staffed by lovely people.

There's a lot of staff. You know, there's people to help you on the train, people to help you put your bags away, people to direct you where you need to go.

It's just— you're never lost. You're always feeling like, I know where I'm going and I know what I'm doing and I know where my seat is.


GRAHAM CLULEY. Did you say there are lovely people manning the train?


CAROLE THERIAULT. Damn it! So— Oh, working on the train. Right. No, no, thank you, thank you. Let's just keep doing this. This is good for us.


GRAHAM CLULEY. Also, you seem to have offended everyone who works on the train system in the UK by suggesting they're not lovely. I mean, there may be fewer of them, but—


CAROLE THERIAULT. Okay, you tell me at the end of this story if this would happen in the UK. All right. Now, the only drawback of these trains, and I'll admit this now, is they're not nearly as frequent as trains in Europe. So you have to plan your journey a little more carefully so you don't end up waiting somewhere for hours.

Anyway, I take the train. Great experience. Get to the airport on time and then end up getting some food because the plane is delayed by a few hours.

I know, right? So whatever. We have some food. We go through the secure area and I'm getting ready to fly. And I realize I do not have my wallet.


GRAHAM CLULEY. Oh, not Carole.


CAROLE THERIAULT. I didn't pay. I didn't pay for the food, so I didn't notice at the restaurant. But I pack and unpack my carry-on luggage, tiny, but it's nowhere to be found.

And now I'm out of contact with the world for seven hours. And in the wallet, I had a number of important cards, banking stuff and all that. I had my driver's license, and I had a lot of cash because I'd sold a few paintings while I was out in Canada.

So nightmare, just annoying. So when I get home, I'm jet-lagged as anything 'cause it was a full flight. They basically put two flights onto one. So we were sitting like sardines on an overnight flight.

But I start calling banks to cancel cards. And they were all, aside from one, Barclays, relatively easy to do with new cards being dispatched instantly.

So I get some shut-eye because I'm jet-lagged. I haven't slept. I get to sleep for a few hours. I wake up and I have a lovely email from the people at VIA Rail.

I get this email from VIA Rail train agent Raphael, who emails me to say they have found my wallet on the train at the end of the line and requests that I get in touch with them on how they can get it back to me. I tell them, I'm out of the country. Could a family member in a completely different city pick it up? Yes, no problem. The wallet was on the train the next day to be delivered to the station of my request.

Now, my question in my head is, will the cash be in there? Because who knows how the wallet got into the hands of the lost and found at VIA Rail. It could have been somebody.


GRAHAM CLULEY. Oh my goodness.


CAROLE THERIAULT. Well, you don't know how much cash was in it. It was an annoying amount of cash. I'm a very good artist.


GRAHAM CLULEY. I would never even have thought of that. Really? No, I wouldn't worry about the cash. It's the cards that matter, isn't it?


CAROLE THERIAULT. I know, but whenever I'm with you, you never seem to have any cash on you at all.


GRAHAM CLULEY. Exactly. So my wallet was picked up by a family member. And guess what? All the money is still there.


CAROLE THERIAULT. I thought you were going to say the family member pinched it.


GRAHAM CLULEY. They probably have. So my pick of the week is that I love VIA Rail, I love Mr. Raphael, and if you find yourself in Canada, I do think you should check out the trains just to see how to do them right, because it is a really lovely experience. I might even do a cross-Canada, east to west on the train sometime because it's so comfortable.


CAROLE THERIAULT. Well, it is a lovely story and a true reflection of how Canadians are the loveliest people in the universe. But did they charge you anything for delivering your wallet to the sovereign?


GRAHAM CLULEY. Yeah, £400. Reasonable, right? Not a cent.


CAROLE THERIAULT. Okay, not a cent. Not a cent.


GRAHAM CLULEY. All I got was lovely emails, 'cause obviously I was very effusive at this service.


CAROLE THERIAULT. I think I sent at the end, I was like, "Digital hugs." It occurs to me that this could be something which could be exploited. Because maybe if you want to deliver a package or a parcel across Canada, maybe what you do is just leave it on any old train and wait for VIA Rail to get in touch with you and say, oh, could you deliver it to a family member in Vancouver? And they'll say, sure, we'll organise that. And then it gets over there and you don't have to pay anything.


GRAHAM CLULEY. I cannot believe you would put a tinge of shit on this otherwise beautiful rainbow of a story, Graham. Actually, I'm not surprised at all. I'm not surprised at all that you've done that. Anyway, VIA Rail is my pick of the week. Thank you very much, Raphael. Thank you to everyone who helped find it and return it to me, and I'm thrilled.


GRAHAM CLULEY. That is a brilliant story. Oh Canada! Yes, yay Canada! Well, that just about wraps up the show for this week. You follow us on Twitter @SmashingSecurity, no G, Twitter allows to have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps, such as Apple Podcasts, Spotify, and Pocket Casts.


CAROLE THERIAULT. And huge, huge thank you to our episode sponsors, Sonrai, Vanta, and Kolide. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 368 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, when we have a great special guest. Cheerio. Bye-bye. Bye.


CAROLE THERIAULT. Who's our guest next week? I'll tell you. Secret.


GRAHAM CLULEY. I don't get to know. I can tell you. It is in the calendar.


CAROLE THERIAULT. The listeners do. The listeners. Okay.


GRAHAM CLULEY. I'll just open my email. We can beep it out. We can beep it out if you like. It's only— Oh, fuck.


CAROLE THERIAULT. Do I just block out the fuck or—


GRAHAM CLULEY. You can just block out whatever you want.

-- TRANSCRIPT ENDS --