
The €600,000 gold heist, powered by ransomware

Sep 24, 2025 · 39 min · Ep. 436

Episode description

Ransomware doesn’t just freeze computers - it can silence alarms too. And when the Natural History Museum in Paris went dark, thieves helped themselves to €600,000 worth of gold in a daring late-night heist. Meanwhile, developers have a new headache: a worm dubbed “Shai Hulud” has wriggled its way through more than 180 npm packages, quietly stealing secrets.

But it’s not all doom and gloom - unless you count your kitchen appliances turning into ad billboards.

All this and more is discussed in episode 436 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and his special guest Zoë Rose.


EPISODE LINKS:


SPONSORED BY:

  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.


SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!


FOLLOW THE SHOW:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.


THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.


ENJOYED THE SHOW?

Make sure to check out our sister podcast, "The AI Fix".




Transcript

[SPEAKER_04]: Well, actually, I haven't got a pick of the week. [SPEAKER_01]: What? [SPEAKER_04]: No. [SPEAKER_04]: What's wrong with this? [SPEAKER_04]: I've got, excuse me, it's my podcast, not yours. [SPEAKER_02]: Smashing Security, episode 436, the €600,000 gold heist, powered by ransomware, with Graham Cluley. [SPEAKER_04]: Oh, fantastic, you know, you don't have to go out and buy a cat. [SPEAKER_04]: Just come on the podcast.

[SPEAKER_04]: You could just say, hey, Graham, can I come on the podcast? [SPEAKER_00]: Well, now you tell me. I've got a bloody cat now. [SPEAKER_04]: That's your problem, isn't it? [SPEAKER_04]: Well, before we kick off, let's thank this week's wonderful sponsors, 1Password and Vanta. We'll be hearing more about them later on in the show. [SPEAKER_02]: This week on Smashing Security.

[SPEAKER_04]: We're not going to be talking about how flights were cancelled or delayed across Europe after a cyber attack targeted Collins Aerospace's MUSE software. [SPEAKER_04]: You'll hear no discussion of how two UK teenagers have been charged for a cyber attack on Transport for London that resulted in £39 million worth of losses. [SPEAKER_02]: Then we won't even mention.

[SPEAKER_04]: How a US teenager has surrendered to police in Las Vegas, having been charged with hacking into casinos as part of the Scattered Spider gang. [SPEAKER_04]: So Zoë, what are you going to talk about this week? [SPEAKER_00]: Well, I'm going to talk about Shai Hulud, the supply chain attack. [SPEAKER_04]: Terrific, and I'll be discussing hackers and heists. [SPEAKER_04]: All this and much more coming up on this episode of Smashing Security. [SPEAKER_04]: Now, chums, chums.

[SPEAKER_04]: If you've been following the cyber security headlines lately, you'll know. [SPEAKER_04]: This isn't news to any of you, though: ransomware continues to be a big problem. [SPEAKER_04]: We've had JLR. [SPEAKER_04]: You know, when I first heard the headline that JLR had been hit by a ransomware attack, I mixed them up with that pop group, JLS. [SPEAKER_04]: That's hot, very good. [SPEAKER_04]: My feet there had been hit said, but it turns out JLR is completely different.

[SPEAKER_04]: It's Jaguar Land Rover. [SPEAKER_04]: They look like they could be shut down for weeks. [SPEAKER_04]: They're bleeding £72 million every day. [SPEAKER_01]: Hmm. [SPEAKER_04]: Meanwhile, their suppliers, they've been disrupted, they've been told their staff stay at home or they've been laid off amid fears that some of these companies may go bust or won't survive. [SPEAKER_04]: So that was JLR, pretty nasty stuff.

[SPEAKER_00]: Yeah, that makes sense though, because some suppliers might only supply to them. [SPEAKER_04]: Absolutely. [SPEAKER_00]: Totally relevant there. [SPEAKER_04]: It'd be a huge customer. [SPEAKER_00]: Yeah. [SPEAKER_04]: And if that customer isn't ordering new parts, because your production line isn't moving. [SPEAKER_00]: You're no longer making money. [SPEAKER_00]: Did they also have a just in time production line? [SPEAKER_00]: I don't know.

[SPEAKER_00]: So it would make an even bigger impact. [SPEAKER_00]: They're just creating as demand. [SPEAKER_04]: I don't know. [SPEAKER_04]: Anyway, so that's been going on. [SPEAKER_04]: And we've had this European airports fiasco just last weekend. [SPEAKER_04]: Heathrow, Brussels, Berlin all brought to their knees.

[SPEAKER_04]: because someone decided to attack Collins Aerospace's check-in systems, it caused flight cancellations, delays, staff were forced to manually write out boarding passes, like it was 1975. [SPEAKER_04]: It's remarkable how everything grinds to a halt when you're so reliant on technology and that technology is suddenly sort of scooped away from you. [SPEAKER_00]: Do you know what?

[SPEAKER_00]: It's funny because I was thinking back to when I worked in retail many, many years ago. I had to write credit card things on paper because the systems were down and it's like, I'm using technology that's older than me. Did you have to use one of those two tips? [SPEAKER_00]: Well, you had to pull it over and make the copy of what it was. Yeah, and I was just like, what is this thing, and they had to teach me how to use it?

[SPEAKER_00]: I've never seen one before. [SPEAKER_04]: Anyway, there is one attack that many people listening to this podcast will not have heard about. [SPEAKER_04]: You've heard about JLR, you've heard about the airports, but this one hasn't really made the headlines very much outside of France, because in late July. [SPEAKER_04]: The Muséum national d'Histoire naturelle, which is the Natural History Museum, in Paris.

[SPEAKER_04]: I'm translating all of this for those people who don't speak French, but it was hit by what officials diplomatically described as a massive ransomware attack, "une attaque massive", as it is known. [SPEAKER_04]: And if you thought that dinosaurs were wiped out quickly by a meteorite 65 million years ago, that is nothing compared to how rapidly the museum's computer network got knocked for six when it got hit by this ransomware. [SPEAKER_04]: So this attack affected all of the museum's sites.

[SPEAKER_00]: Interesting. [SPEAKER_04]: Apparently it has marine research stations. [SPEAKER_04]: As part of the museum, I have no idea why. [SPEAKER_00]: So I never had them as a client, but I did chat with the museum when I was a consultant and they were talking about their needs.

[SPEAKER_00]: And it's interesting, because with a museum, you don't realise how many people actually work there, because you also have visiting scientists, and visiting people that do restoration, you know, you've all these different things, and then you've got such data, because if you're scanning something, because you're trying to figure out what's inside of it, the images are just massive, so actually the amount of data in a museum and the amount of people affected isn't something you would ever have guessed.

[SPEAKER_04]: Well, I was surprised as well, because when I was reading this report, it said that this attack had disrupted the work of 600 scientists attached to the museum. [SPEAKER_04]: They've lost access to between €30,000 and €50,000 in research funding. [SPEAKER_04]: So, it has this knock-on effect. [SPEAKER_04]: And, well, I don't know about you. [SPEAKER_04]: So, we don't know how much you love a museum.

[SPEAKER_00]: I love museums, especially natural history museums, they're so lovely. [SPEAKER_04]: Well, I had really been looking forward to the Natural History Museum in Paris. [SPEAKER_04]: Its upcoming "Tropical Autumn: Palms, Treasures and Secrets" exhibition. [SPEAKER_04]: And I know what you're thinking. [SPEAKER_04]: Oh, no. [SPEAKER_04]: Not the palm exhibition. [SPEAKER_04]: And I'm afraid, yes, the palm exhibition was disrupted. [SPEAKER_04]: It has been delayed because of this attack.

[SPEAKER_04]: So you won't be able to go there and check out the beautiful palms and the treasures and the secrets of tropical autumn any more. [SPEAKER_04]: Now, an exhibition, even a palm one, is a big deal for a museum.

[SPEAKER_00]: Yeah, well, I mean, museums, as far as I'm aware, they're not like these big profit machines, they generally make what they can, and then, you know, they need support to do research and everything, and it's critical, I think, to society, [SPEAKER_00]: to know all of this information, historic, current events, and record things happening in our society.

[SPEAKER_00]: So losing funds, that's quite concerning, because generally if you get money from the government, if you don't use it, you don't get more, you know, it doesn't come back the next year, right? [SPEAKER_00]: So I don't know what they're going to do. [SPEAKER_04]: And if you can't show people coming through the doors, you're not going to get as much funding on this.

[SPEAKER_04]: Because if you don't prove that you're popular, and also, you know, the thing with museums is there's loads of old stuff in there. [SPEAKER_04]: So if you've been to see it once, you're not necessarily going to think, oh, they've added lots more stuff in the last year.

[SPEAKER_04]: That's why they have regular exhibitions, because if you go to the Louvre, for instance, and you see the Mona Lisa there, and everything else, but you look at the Mona Lisa, and you say, well, that's very impressive. [SPEAKER_04]: You know, a good painting. [SPEAKER_04]: Many people would say, [SPEAKER_00]: You'd say, yeah, well, you're complaining about the lack of eyebrows. [SPEAKER_04]: Well, all right, no, come there. [SPEAKER_04]: There's nothing wrong with that.

[SPEAKER_00]: I have eyebrows, but if you are a painter and you're painting, or if the person he painted didn't have eyebrows, like I've got more in touch, you don't. [SPEAKER_04]: Really? [SPEAKER_04]: Yeah. [SPEAKER_04]: This is fascinating. [SPEAKER_04]: You are cyber security's equivalent of the Mona Lisa. [SPEAKER_04]: That's what you're saying. [SPEAKER_00]: Basically. [SPEAKER_04]: But the thing is, an exhibition is a big deal for a museum.

[SPEAKER_04]: It's what draws people into a museum. [SPEAKER_04]: Cancelling an exhibition like this palm exhibition, which got cancelled. [SPEAKER_04]: It's a bit like McDonald's running out of chips. [SPEAKER_04]: It's humiliating. [SPEAKER_04]: It costs money. [SPEAKER_04]: People start asking uncomfortable questions about your competence. [SPEAKER_00]: I imagine researchers are not going to want to go there. [SPEAKER_04]: Right, because, well, we don't have anything for us to overlook it.

[SPEAKER_00]: Well, no, I meant more because, like, they would want to do that to collaborate and build on research. [SPEAKER_04]: Ah, yes, yes, because they're just sick. [SPEAKER_04]: They would say, they were clearly, I don't know why I laughed in a French fashion. [SPEAKER_04]: But you are clearly amateurs, you would say. [SPEAKER_04]: And it's not as if French museums haven't been hit by ransomware before. Last year, cybercriminals struck during the Paris Olympics.

[SPEAKER_04]: They hit a computer system that centralised the financial data from stores located within 40 museums in France, including the Louvre, and they demanded [SPEAKER_04]: And the thing is, when it comes to a ransomware attack, the damage rarely stops where you expect it to, right? [SPEAKER_04]: There is the immediate impact. [SPEAKER_04]: Oh dear, our files are encrypted. [SPEAKER_04]: Are we going to recover from a backup? [SPEAKER_04]: What are we going to do about the extortion?

[SPEAKER_04]: Let's close any security holes which may be how the cyber criminals are coming through. [SPEAKER_04]: There can be serious repercussions from a ransomware attack. [SPEAKER_04]: A couple of months ago, a German phone repair and insurance company, they filed for bankruptcy after being hit by ransomware. [SPEAKER_00]: And how many businesses couldn't run without any income for a certain amount of time? [SPEAKER_00]: Or even just run paying employees essentially for a certain amount of time.

[SPEAKER_00]: There's a limit to everybody's goodwill policy. [SPEAKER_00]: But it's all very limited. [SPEAKER_04]: There's a limit to what people and what fans can put up with. [SPEAKER_04]: Let's go to Belgium in 2024. [SPEAKER_04]: A Belgian brewery suffered what was considered a genuine national emergency. [SPEAKER_04]: Yes, Belgium suffered an attack on its critical national infrastructure. [SPEAKER_04]: When it found out its beer supply had been hit.

[SPEAKER_04]: I mean, attacking a country's water supply is one thing. [SPEAKER_04]: And so basically what I'm saying, Zoë, is that ransomware is a serious problem and there can be repercussions beyond the actual data encryption. [SPEAKER_00]: Well, also the people. I mean, yes, with the person that probably was phishing related, I don't know, but it could very well be. [SPEAKER_00]: That's a very common approach. [SPEAKER_00]: How did they feel knowing that they caused this probably big outage?

[SPEAKER_00]: Yeah. [SPEAKER_00]: And the responding team, the technical team, they're probably overwhelmed and exhausted. [SPEAKER_00]: The stress on the employees not knowing what's going to happen to their job, especially in a time like right now, the mental load as well for the employees, for the people responding, all of that together on top of the business just trying to sustain itself, it's all going to have a massive impact.

[SPEAKER_00]: And not just impact for the next couple of months, for the next couple of years. [SPEAKER_04]: It could well do, and this is what the impact has been for this Museum of Natural History in Paris, because there has been a repercussion. [SPEAKER_04]: Last week, Tuesday morning, cleaners went to work as normal to make sure that the Natural History Museum building in the heart of the Jardin des Plantes, the Plant Garden, in the fifth arrondissement of Paris, was spick and span.

[SPEAKER_04]: I guess they were dusting the brontosaurus. [SPEAKER_04]: You know, that's their kind of job. [SPEAKER_04]: And imagine the horror that they must have felt. [SPEAKER_04]: In scenes akin to a heist movie, like I don't know what your favourite heist movie is, Ocean's 11, Ocean's 12, Ocean's 13, One of Our Dinosaurs Is Missing.

[SPEAKER_04]: One of the great movies, anyway, in scenes akin to that, a robbery [SPEAKER_04]: Bad guys had broken in and headed to the Geology and Mineralogy Gallery, where they attacked a reinforced display case containing several gold nuggets. [SPEAKER_00]: Ah, okay. [SPEAKER_00]: I was like, what, are they going to steal a dinosaur? [SPEAKER_04]: No, no, no. [SPEAKER_04]: With an angle grinder and a blowtorch. [SPEAKER_04]: They broke in. [SPEAKER_04]: They took the collection worth €600,000.

[SPEAKER_04]: Gold, of course. [SPEAKER_00]: It's only going to get more valuable. [SPEAKER_04]: Right, and gold is easier to resell than precious stones. [SPEAKER_00]: You could just melt it. [SPEAKER_04]: Exactly, you just put it in a George Foreman grill. [SPEAKER_04]: Just put it in something that hot. [SPEAKER_04]: There's nothing quite, nothing can withstand the heat of molten cheese. [SPEAKER_04]: So you just put it in one of those, a piece of gold.

[SPEAKER_04]: You can melt it down as it probably already has been. [SPEAKER_04]: And these apparently were scientific specimens. [SPEAKER_00]: I know. [SPEAKER_04]: With a measurable heritage value, I think, from all kinds of places around the world, which have been dug up or old examples, they're now probably in some criminal's mouth, you know, as gold fillings.

[SPEAKER_00]: Oh, I heard about another bracelet, a really, really, like, ancient bracelet that was essentially melted down and so it was like 4K or something, but it was like worth in Seenemiles. [SPEAKER_00]: That's so depressing. [SPEAKER_04]: It is. [SPEAKER_04]: This criminal team were apparently really well informed, because the alarm and video surveillance systems had been out of service for several weeks due to, and yes, you guessed correctly, due to the ransomware attack.

[SPEAKER_00]: I bet you they're doing an internal audit now as well. [SPEAKER_04]: Can you imagine? [SPEAKER_00]: That's so sad. [SPEAKER_04]: So, ransomware attacking your computer systems may have knock-on effects which you wouldn't have possibly imagined. [SPEAKER_00]: So, well, I have to say, this is negative, but it is more positive than I thought you were going to say when I was talking about mental health of employees.

[SPEAKER_00]: So, I'm happy it was, I don't mean sad, but I'm happy this was the result, first, there's something else being gruesome, so yes. [SPEAKER_04]: So it sounds like this wasn't some opportunistic burglar who just stumbled upon a vulnerability while looking for a place to relieve themselves and thought, I'll just go into the museum for a pee and oh, there's some gold which I'll pinch.

[SPEAKER_04]: This appears to be someone who did their homework, realised the ransomware attack had effectively turned the museum into, like, a barn with the door left swinging open in the wind. [SPEAKER_04]: Because systems which normally they would have had there to determine that a burglary was happening, there and then, and set off the alarms and informed the police, but it only actually got spotted by the cleaners the following morning. [SPEAKER_04]: So, this is what I'm wondering.

[SPEAKER_04]: We've spoken many times in the past about how conventional criminal gangs. [SPEAKER_04]: have turned to cybercrime. [SPEAKER_04]: Maybe because of the vast amount of money they can make or because it's less risky than getting personally involved. [SPEAKER_04]: You know, you'd have to drive your Ford Transit van up to the sub-post office, isn't it. [SPEAKER_04]: Mug an old lady and pinch the money from that. Instead you can do it all via computers.

[SPEAKER_04]: Could we now see more traditional thieves thinking, you know what? [SPEAKER_04]: The hackers could help us in our traditional thievery.

[SPEAKER_04]: So, I'm not suggesting necessarily that the ransomware gang behind the July attack were necessarily WhatsApping the gold thieves with updates like a gaze near the camera's [SPEAKER_04]: But yeah, let's see, but what's worrying is the possibility that different criminal enterprises are monitoring each other's activities, or just simply reading the newspapers and thinking, oh, I wonder how their security is right now.

[SPEAKER_00]: But let's be honest, in my opinion, the likelihood is, for companies, hip-op brands, okay, a lot of organisations separate CCTV cameras from their internal infrastructure, like two separate infrastructures. [SPEAKER_00]: Not everyone, but I assume most, I could be wrong. [SPEAKER_00]: But I wouldn't have seen, if your hit was once more, your camera system is also, I also feel like it's more likely that somebody internal is like, hey, [SPEAKER_00]: Well, Nick was going on here.

[SPEAKER_04]: I like the way your mind works. [SPEAKER_04]: Sorry. [SPEAKER_04]: I think that certainly will be something which the police will be investigating, isn't it? [SPEAKER_00]: But they'd have to. [SPEAKER_04]: Whether it could have been someone internal who knew that the systems were down and had not been replaced by a couple of webcams. [SPEAKER_04]: I mean, no, which is the other thing that they could have done. [SPEAKER_04]: So, could have.

[SPEAKER_00]: I'm shocked that they didn't. [SPEAKER_00]: I'm not going to lie. [SPEAKER_00]: I am absolutely shocked. [SPEAKER_04]: You just thought you could Heath Robinson some device, you know? [SPEAKER_00]: You can use an old Android phone, because it's in there now. [SPEAKER_00]: You can put on it. [SPEAKER_00]: Somebody's got one in their basement. [SPEAKER_04]: A baby monitor. [SPEAKER_04]: That's all you need. [SPEAKER_04]: Oh, you could. [SPEAKER_04]: You could.

[SPEAKER_04]: You could have a baby monitor. [SPEAKER_00]: Good. [SPEAKER_00]: You could do so many things. [SPEAKER_04]: There's actually a lot of similarities out there between a baby and the cot. [SPEAKER_04]: And one of those villains who sort of does all the acrobatics to get past the lasers to get past the pressure pads to, you know, if you've ever had a child escaping from a little prison cell, which we put them in at night.

[SPEAKER_00]: Yeah, my daughter, my youngest, she is a proficient climber, so she could very much steal so many things from a museum without any cameras, granted she probably wouldn't go for gold, she'd probably go for the dinosaur. [SPEAKER_04]: Zoë, what have you got for us this week? [SPEAKER_00]: Mine is not as exciting. [SPEAKER_04]: Oh, I'm sure it is. [SPEAKER_00]: No, I'm just talking about the supply chain attack. [SPEAKER_00]: Let's see if I say it right.

[SPEAKER_00]: Shai Hulud, I think. [SPEAKER_04]: Shai Hulud, I think. [SPEAKER_04]: Shai Hulud. [SPEAKER_00]: I don't know. [SPEAKER_00]: Apologies to everyone that I'm betraying the game. [SPEAKER_00]: But it's the attack where, essentially, the threat actors were able to compromise over 40 developer accounts and publish more than 700 malicious package versions to the npm registry. [SPEAKER_04]: So this is what's called an npm supply chain attack, isn't it?

[SPEAKER_04]: npm, or Node package manager. [SPEAKER_04]: That's used by developers to download pre-built code. [SPEAKER_04]: So they don't have to write everything from scratch. [SPEAKER_04]: And if that pre-built code is compromised, then hackers can compromise the code that developers are using to build their apps. [SPEAKER_00]: Yeah. [SPEAKER_04]: Rather than attacking applications directly.

[SPEAKER_00]: Yes. [SPEAKER_00]: So essentially, your account is compromised, I then see what registries you have, I then deploy under your name malicious things and it attacks more people, which is great. [SPEAKER_00]: I mean, if I'm a threat actor, I want a return on my investment, right?

[SPEAKER_00]: So I want to [SPEAKER_00]: Get it in, I want to automate my attack, I want to spread it as far as possible, so if the original author changes something, you won't know, but you'll still be using it, so you have to validate it's doing what you expect of it. [SPEAKER_00]: But as we know, we're not so good at that. [SPEAKER_00]: Integrity checks is not something we're the most robust at.

[SPEAKER_01]: Yeah. [SPEAKER_00]: We've had many attacks where, if you remember, when the ICO, I think it was the ICO, that had a crypto miner on its own website. [SPEAKER_00]: It was a script that they had called from a third party, but didn't validate, and so it installed a crypto miner on their website.

[SPEAKER_00]: Which, if you don't know who the ICO is, that's pretty funny, because essentially they're the people that will get mad at you and give you fines if you don't do something you're supposed to be doing. [SPEAKER_04]: If you come into a bit of a pickle when it comes to people's privacy and controlling their data, for instance, you may well find yourself knowing who the ICO are rather more than you wanted to. [SPEAKER_00]: Exactly. [SPEAKER_00]: So it was a hilarious one a few years ago.

[SPEAKER_00]: They got the crypto miner installed. [SPEAKER_00]: So this is not a new thing, right? [SPEAKER_00]: But the thing that stood out to me is, if you read about it, they say, you know, it's a self-propagating worm, but the thing I liked is there were many versions of it, and the researchers found that throughout the versions, there were slight changes.

[SPEAKER_00]: So... [SPEAKER_00]: Actually, the threat actor is basically doing live testing, deploy it, and then slowly adapt it a little bit, make it more effective. [SPEAKER_00]: You know, so they're doing what my dream analyst would do: creating something and then learning, improving the automation, reducing the amount of workload that they have, to have the best return on the effort they're putting in. [SPEAKER_00]: So, you know, maybe this person is professional.

[SPEAKER_04]: So this is really quite nasty, isn't it? [SPEAKER_04]: Because this is a worm which is infecting lots of different packages being used by lots and lots of different developers. [SPEAKER_04]: It's stealing information from them, like passwords, special keys, tokens, stuff that actually gets into other places like your computer or cloud storage or GitHub account. [SPEAKER_04]: And then it is publishing those things openly on GitHub.

[SPEAKER_04]: Where more mischief can be made from those credentials. [SPEAKER_00]: Yeah, and anybody that's compromised could then ultimately be restarting their attack. [SPEAKER_00]: Because their account is now the initial source, right? [SPEAKER_00]: It's like a third party, maybe you have an existing relationship with a school or a lawyer and they get compromised and they send you a phishing email, which happens, and it's very common actually.

[SPEAKER_00]: It's the same idea, you know, I'm the victim and now I'm enabling the attack to go on. [SPEAKER_00]: One thing I thought was interesting that I read in one of the articles is the worm targets Linux and macOS. [SPEAKER_04]: Yeah. [SPEAKER_00]: and deliberately, deliberately, skips Windows machines. [SPEAKER_00]: So that's interesting, because the person knows their target audience.

[SPEAKER_00]: They're going for developers and the likelihood is they're more likely to be on a Linux or macOS machine. [SPEAKER_04]: There's certainly a lot less which is written for Mac and Linux, isn't there, than there is for Windows. [SPEAKER_04]: If you look at the millions and millions of pieces of malware which are being written. [SPEAKER_04]: And so I think you are more likely to encounter antivirus software, for instance, on a Windows computer than you are on a non-Windows computer.

[SPEAKER_04]: I wonder if that was also a reason why maybe Windows was ignored. [SPEAKER_00]: Could be. [SPEAKER_00]: I kind of feel like it's probably because the target audience is these developers, because they're targeting repos that the people have. [SPEAKER_00]: So they're going into their account. [SPEAKER_00]: They're seeing, okay, what repositories do we have? [SPEAKER_00]: What secrets do you have here? [SPEAKER_00]: What can I republish?

[SPEAKER_00]: What can I then compromise and cause further issue to other people or other systems? [SPEAKER_00]: So the target audience are probably more likely to have Linux and Mac, but you're also right in the sense [SPEAKER_00]: How many Mac users have you said, do you have antivirus on? [SPEAKER_00]: They're like, well, I have a Mac.

[SPEAKER_04]: So what should developers be doing to counter this, to make sure that they're not spreading on the infection, or if they have found it, to clean themselves up? [SPEAKER_04]: What should the steps be? [SPEAKER_00]: Yeah, well, I'm going to push it on the company, not just the developers. I mean, the one thing I flagged is automation is super useful, but it's also for attackers, so don't count on it being like, oh, I'll know, and I can stop it in time.

[SPEAKER_00]: No, you know, expect that if your system is compromised, you need to react very quickly. Supply chain attacks again are not going away, threat actors want a return on the best [SPEAKER_00]: So integrity checks are very important, making sure that you know where your dependencies are, what they're doing and what they're supposed to be doing. [SPEAKER_00]: You need to know your baselines, right? [SPEAKER_00]: And also, that point that everybody says is, oh, keep things up to date.

[SPEAKER_00]: Always update. [SPEAKER_00]: Okay. [SPEAKER_00]: I'm going to have an asterisk there. [SPEAKER_00]: It is important to keep things up to date, but when it comes to dependencies, you need to be very careful there, because what happened here is these packages were compromised and they were also updating wherever people were making use of them, and so they were also updating to a compromised package. [SPEAKER_00]: So yes, update, but validate first.

[SPEAKER_00]: If you have dependencies, maybe do a couple of versions, like a version behind or something, or have a robust process to validate that it isn't doing something naughty before installing it into production. So I can't remember how long these packages were live, but it wasn't an excessive amount of time, if I remember correctly, so having that approach would have the [SPEAKER_00]: And then the second possible compromise, they said users are advised to check for new repos or branches.

[SPEAKER_00]: So you know what you're doing? [SPEAKER_00]: You know what actions you've taken. [SPEAKER_00]: If you don't remember it, it probably wasn't you. [SPEAKER_00]: So make sure, in this specific case, make sure that you recognise all the actions that were taken. [SPEAKER_00]: Additionally, they also say you should check for public repositories [SPEAKER_04]: Shai Hulud, I think. [SPEAKER_00]: Shai Hulud. [SPEAKER_04]: That's my guess.

[SPEAKER_00]: Yes. [SPEAKER_00]: Yes. [SPEAKER_04]: Don't @ us if we got it wrong. [SPEAKER_00]: I apologise. [SPEAKER_00]: Shai Hulud migration. [SPEAKER_00]: I think was the other one. [SPEAKER_00]: That also contained your organisation's name. [SPEAKER_00]: Review your audit logs. [SPEAKER_00]: Look for any suspicious API calls. [SPEAKER_00]: That's what the researchers specifically recommended. [SPEAKER_04]: Right, cyber security, bit of a faff, isn't it?

[SPEAKER_04]: Everyone nods along in the board meeting, then quietly hopes someone else is dealing with it while they go and put the kettle on. [SPEAKER_04]: Well, that is where Vanta comes in. [SPEAKER_04]: Think of them as your mate at school who actually did their homework, and then lets you copy it. [SPEAKER_04]: They'll help you get things like ISO 27001 sorted without the headaches, but they don't stop there.

[SPEAKER_04]: SOC 2, GDPR, HIPAA, even the shiny new ISO 42001, Vanta's got you covered. [SPEAKER_04]: Instead of drowning in spreadsheets and tick-box questionnaires, Vanta automates the boring bits, centralises your security workflows, even helps you manage vendor risk. [SPEAKER_04]: Meaning you can spend less time panicking about audits, and more time worrying about what really matters, like whether you'll run out of biscuits in the canteen.

[SPEAKER_04]: And here's the clincher: because you're a Smashing Security listener, Vanta will offer you $1,000 off if you book a demo. [SPEAKER_04]: You can't say fairer than that. [SPEAKER_04]: So go on, give yourself a break. [SPEAKER_04]: Head over to vanta.com/smashing, take the demo, claim your discount, let Vanta deal with all the dull compliance grind.

[SPEAKER_04]: Vanta, the first ever enterprise-ready trust management platform, one place to automate compliance workflows, centralise and scale your security program. [SPEAKER_04]: Learn more at vanta.com/smashing, and thanks to Vanta for supporting the show. [SPEAKER_04]: How many SaaS applications are your colleagues using right now? [SPEAKER_04]: If you can't keep count, don't worry, you're not alone. [SPEAKER_04]: SaaS sprawl and shadow IT are everywhere.

[SPEAKER_04]: And that's where Trelica by 1Password comes in. [SPEAKER_04]: Trelica discovers every app you use across your company, whether it's officially managed, or someone quietly signed up for it with the company credit card. [SPEAKER_04]: Trelica by 1Password gives you the tools to assess risk, manage access and enforce security best practices across the board.

[SPEAKER_04]: No more abandoned accounts just waiting to be hacked, no more paying for licenses that nobody uses, no more scrambling when an employee leaves and you're not sure what they still have access to. [SPEAKER_04]: With Trelica, you can securely onboard and off-board staff, reduce unnecessary costs and stay on top of compliance.

[SPEAKER_04]: Now, I've used 1Password for years, I love how it takes the headache out of security, and now, with Trelica, they are tackling one of the messiest problems in modern IT, SaaS sprawl. [SPEAKER_04]: Trelica by 1Password is trusted by businesses of every size, and it's backed by 1Password's rock-solid security. [SPEAKER_04]: So what are you waiting for?

[SPEAKER_04]: Take the first step to cleaning up your SaaS landscape, secure credentials, and protect every application, even unmanaged shadow IT. [SPEAKER_04]: Learn more at 1password.com/smashing. [SPEAKER_04]: That's 1password.com/smashing. [SPEAKER_04]: And welcome back and join us at our favourite part of the show, the part of the show that we like to call Pick of the Week. [SPEAKER_00]: Pick of the Week!

[SPEAKER_04]: Because Pick of the Week is the part of the show where everyone chooses, and that could be a funny story, a book that they've read, a TV show, a movie or record, a podcast or website or an app, whatever they like, it doesn't have to be security related necessarily. [SPEAKER_04]: Now, my pick of the week this week, well actually I haven't got a pick of the week. [UNKNOWN]: What? [SPEAKER_04]: No. [SPEAKER_04]: What's from a dish? [SPEAKER_04]: I've got, excuse me, it's my podcast, not yours.

[SPEAKER_04]: Instead, I've got a nitpick of the week. [SPEAKER_04]: Because sometimes something comes along and I think that's terrible. [SPEAKER_04]: One awful thing. [SPEAKER_04]: Now I'm grateful to say that this has not affected me personally, but it has affected other people on the internet because some people somehow accidentally spent $2,000 on a smart fridge. [SPEAKER_04]: Now I already think that was a bit silly, wasn't it? [SPEAKER_00]: I already know where this is going.

[SPEAKER_04]: People have been paying $1,000 for Samsung smart fridges and these fridges have been updated and the update has meant that you are no longer able to opt out of adverts on your flipping smart fridges. [SPEAKER_04]: I'm not sure why anyone would ever buy a Samsung device in the first place, so their TVs can be just as bad at trying to inject ads to you.

[SPEAKER_04]: But yes, so someone up on Reddit posted an image of what is actually appearing on people's screens, warning them that they're now going to be having ads playing inside their kitchen all the time and not being able to stop them. [SPEAKER_04]: And I just don't know why firms do this.

[SPEAKER_04]: I mean, can the mega amount of money which Samsung is making from these ads be worth the damage which is done to their reputation, customers who will go out into the streets and start screaming, at the top of their lungs, never ever buy a Samsung smart device, because at some point they will make it display ads. [SPEAKER_04]: By the way, I'm sure this isn't just a Samsung problem, but they will do for today. [SPEAKER_00]: I think it's normalised.

[SPEAKER_00]: I think it's normalised. [SPEAKER_00]: Amazon Prime also started showing ads and you have to, like, pay more to not get ads on Prime. [SPEAKER_04]: Well, you know, that's fair enough, you know, but- No, not fair enough. [SPEAKER_00]: That's a little bit.

[SPEAKER_04]: No, no, no, no, no.

[SPEAKER_04]: You can decide whether you want to fill Jeff Bezos' pockets every month, or book Disney at where it's not book Disney anymore, or whichever of these streaming services you are paying month to month, right, and you're saying yes, I will give you my $12 or whatever it may be, and... I'm so not a Disney. [SPEAKER_04]: I have no idea, because I've cancelled all those streaming services myself, because I'd take the billionaires.

[SPEAKER_04]: But you could do that, and if they say, well, you can carry on paying, but you're going to get slightly worse quality, or you can pay us even more, and you'll get ad-free. [SPEAKER_04]: That is the decision you can make. [SPEAKER_04]: However, if you spend [SPEAKER_04]: $2,000 on a fridge, [SPEAKER_04]: you expect it to be a flipping fridge and to not change.

[SPEAKER_04]: You do not expect to have to pay a subscription for the fridge and you do not expect them to have basically changed the deal. [SPEAKER_04]: Having bought the fridge, and say, well, no, actually this thing which you bought is now going to do something you never wanted it to do in the first place. [SPEAKER_04]: I think that's the difference. [SPEAKER_00]: I am not surprised though. [SPEAKER_00]: I'm not surprised because everything is moving towards adverts.

[SPEAKER_00]: I mean, I literally bought a telly, but I purposely did not buy an actual telly. [SPEAKER_00]: I have a display, basically, it is not intelligent. [SPEAKER_00]: It plugs in. [SPEAKER_00]: I mean, don't get me wrong. [SPEAKER_00]: There are limitations. [SPEAKER_00]: It's not the best in the world. [SPEAKER_00]: So if you're really, really critical about high quality cinema, you probably wouldn't use it. [SPEAKER_04]: Anyway, Samsung, you and your smart fridges.

[SPEAKER_04]: You are awarded my nitpick of the week. [SPEAKER_04]: So, what's your pick of the week? [SPEAKER_00]: Well, mine is a pick and a nitpick actually at the same time. [SPEAKER_00]: I like that word. [SPEAKER_00]: So, my pick of the week is a Bosch cordless multi-function tool. [SPEAKER_04]: Hey, what is a Bosch cordless multi-function tool? [SPEAKER_04]: Is it like a Swiss Army knife? [SPEAKER_04]: What is it?

[SPEAKER_00]: It is like a power tool that you can put so many different heads on that it can do so many different things. [SPEAKER_00]: Like it has a little tiny sander if you want to get into those really big, like, really tight corners, it's got things you can cut wood with, things you can cut metal with, like all these different attachments. [SPEAKER_00]: It is small as well. [SPEAKER_00]: So if you are someone like me who, I mean, I have a house, so I've got little renovations.

[SPEAKER_00]: I've got to do here and there, but I'm not a professional, [SPEAKER_00]: I'm not a professional, but I'm also not a professional tradesperson. [SPEAKER_00]: So I don't really need a million different tools, right? [SPEAKER_00]: I can get by with small things here and there.

[SPEAKER_00]: This one was actually quite useful for me because I'm currently trying to [SPEAKER_00]: get the carpet glue off my stairs, and that is a bloody nightmare, and so this tool was really good for basically scraping it off, and then I could sand it down, and then I also can sand down, like, the tight, tight corners. I could cut that in the garden, I have to do some gardening, so it's cutting the very thick branches, because I like not a tree but like a big

[SPEAKER_00]: Um, my nitpick, however, is it for sure does not have the greatest battery, um, but I think they have the standard battery so you can, like, use other branded batteries, I'm pretty sure. [SPEAKER_04]: Does it display adverts to you while you're not in that blue? [SPEAKER_00]: It is not intelligent, which brings in the whole, if you're clumsy don't use it, because it does not have a safety. [SPEAKER_04]: Oh. [SPEAKER_04]: Yeah. [SPEAKER_04]: It's not for me.

[SPEAKER_04]: I'm quite clumsy. [SPEAKER_00]: Fair enough. [SPEAKER_00]: I would not recommend it if you have young children around. [SPEAKER_00]: I wouldn't recommend it if you've got an annoying pet. [SPEAKER_00]: I wouldn't recommend it if you are clumsy, because you turn it on and it does not turn off. [SPEAKER_04]: So yeah, some serious damage could be done with it. [SPEAKER_00]: Yes, but it is super useful. [SPEAKER_04]: Alright, but it's the Bosch cordless multi-function tool.

[SPEAKER_00]: Yeah, I loved it. [SPEAKER_00]: I loved it. [SPEAKER_00]: Unfortunately, I did get it off Amazon. [SPEAKER_00]: I know, I know, but I just, it was the only option. [SPEAKER_00]: And I need something. [SPEAKER_01]: Come on, Zoë. [SPEAKER_00]: I know. [SPEAKER_00]: I know, judge me all you want. [SPEAKER_00]: That is a fair point. [SPEAKER_00]: But yeah. [SPEAKER_04]: Never mind, it's still your pick of the week. [SPEAKER_04]: And that just about wraps up the show for this week.

[SPEAKER_04]: Thank you so much, Zoë, for joining us. [SPEAKER_04]: I'm sure lots of our listeners would love to find out what you're up to. [SPEAKER_04]: And follow you online. [SPEAKER_04]: What's the best way to do that? [SPEAKER_00]: Check out my website, rosesect.com, or I'm most frequent on Bluesky or LinkedIn, but I'm not that frequent to be fair, so my website is very best. [SPEAKER_04]: Okay, and of course we are on social media as well.

[SPEAKER_04]: You can find me, Graham Cluley, on LinkedIn, or follow Smashing Security on Bluesky, and don't forget to ensure you never miss another episode. [SPEAKER_04]: Follow Smashing Security in your favourite podcast app such as Apple Podcasts, Spotify and Pocket Casts. Website show notes, sponsorship info, guest lists and the entire back catalogue of 436 or so episodes: [SPEAKER_04]: check out smashingsecurity.com. Until next time! [SPEAKER_04]: From me, cheerio, bye-bye!

[SPEAKER_00]: Bye-bye! [SPEAKER_04]: You've been listening to Smashing Security with me, Graham Cluley, and I'm grateful to Zoë Rose [SPEAKER_04]: for joining us this week, and of course to this episode's sponsors, 1Password and Vanta, and to all of the chums [SPEAKER_04]: who've signed up for Smashing Security Plus over on Patreon.

[SPEAKER_04]: They include Elbow, Orberus, Gadoon, Bobby Hendrix, Jamie Forster, Nate, M, Nigel Scott, Roy Tate, Steve Lapton, Jay, Cajotan, Kazan, Nywish, forever. [SPEAKER_04]: As Leo, Sean, Dr. Herblist, Yuri Taraday, just in Dale Lisa, Andrew Davis and Amanda, Matt Cotton, Ryan Hull, Mark Norman, Bravo Whiskey, Robert Martin, and Ree Bassel.

[SPEAKER_04]: If you'd like your name to be read out from time to time on the credits at the end of the show, well, that is just one of the pleasures of signing up for Smashing Security Plus for as little as $5 a month. [SPEAKER_04]: You get your name read out every now and then, as well as early access to Smashing Security episodes, and... [SPEAKER_04]: your episodes of Smashing Security won't come with any adverts, so you may well like that.

[SPEAKER_04]: Now I realise that times are tough for many people, so don't feel too bad about [SPEAKER_04]: not being able to support the show financially, you can support us in other ways. [SPEAKER_04]: So, like, subscribe, give five star reviews, all that stuff which social media people are saying to you.

[SPEAKER_04]: Or just, you know, be really old fashioned and go up to someone and say, hey, I say old fellow, have you tried the Smashing Security podcast, maybe grab their phone from their hands and subscribe to the podcast on their behalf, actually, maybe you should ask permission first. [SPEAKER_04]: Whatever it is that you do, it's all really, really appreciated. [SPEAKER_04]: I'm very, very grateful indeed.

[SPEAKER_04]: There anybody listens to these podcasts, let notes, bought some, so, uh, thanks very much, well, [SPEAKER_04]: I will catch you again next week when we'll have yet another guest. [SPEAKER_04]: So until then, sure yeah, bye-bye.
