
We’re sorry. Wait, did a company actually say that?

Nov 20, 2025 · 55 min · Ep. 444

Episode description

Stop the press - a company has actually said "sorry" after a data breach, and hotels are helping hackers phish their own guests.

In episode 444 of "Smashing Security" we examine a refreshingly honest breach response (and why legacy systems are still going to ruin your week), dig into a nasty hotel-booking malware campaign that abuses trust in apps and CAPTCHAs, and chat about autonomous pen testing, AI-turbocharged cybercrime, and what CISOs should really be asking on Monday morning.

And lost Doctor Who is brought back to life by one very dedicated animator, and we take a look at Eddie Murphy’s career.

All this and more is discussed in episode 444 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Tricia Howard.

Plus - don't miss our featured interview with Snehal Antani from Horizon3.ai!

SPONSORS:

  • Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • Horizon3.ai - Get an autonomous pentest demo and see your network the way attackers do. Visit Horizon3.ai.


SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!


FOLLOW THE SHOW:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.


THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.


ENJOYED THE SHOW?

Make sure to check out our sister podcast, "The AI Fix".


Transcript

[SPEAKER_02]: So if you can secure that, you're going a long way to preventing yourself from becoming the next cybersecurity headline. [SPEAKER_04]: Beautifully said. [SPEAKER_04]: Beautifully said. [SPEAKER_01]: Thank you. [SPEAKER_04]: It's almost like you have a show that you do for a living. [SPEAKER_01]: I wouldn't call it a living, but yes. [SPEAKER_00]: Smashing Security, episode 444: We're sorry. Wait, did a company actually say that?

[SPEAKER_02]: With Graham Cluley and special guest Tricia Howard. Hello, hello and welcome to Smashing Security episode 444. My name's Graham Cluley. [SPEAKER_04]: And I'm Tricia Howard, aka Tricia Kicks SaaS. [SPEAKER_02]: Tricia, hello, you're new to the show. Where have you come from? [SPEAKER_04]: I am so excited to be on here. [SPEAKER_04]: I have been a fan of this show for such a long time. [SPEAKER_04]: It's an honor. [SPEAKER_04]: I work at Akamai Technologies.

[SPEAKER_04]: I represent the security intelligence group here. [SPEAKER_04]: And I work with our hundreds of researchers globally. [SPEAKER_04]: They break stuff. [SPEAKER_04]: And I help them write about it. [SPEAKER_02]: Oh, cool. [SPEAKER_02]: Now, where'd you get a nickname like Tricia Kicks SaaS from? [SPEAKER_04]: So of course, security as a service. [SPEAKER_02]: Oh, yes.

[SPEAKER_04]: There was a vendor that came in one time at my first job, a long, long time ago, and they had said something "kicks SaaS", and I thought that was so funny that I stole it, and it has become my name ever since. [SPEAKER_02]: Most of the best things are stolen, aren't they? [SPEAKER_02]: But that's basically how the British Empire was. [SPEAKER_04]: I prefer "inspired by", but I definitely stole this one. [SPEAKER_02]: Ah, okay.

[SPEAKER_02]: Now, before we kick off this week, let's thank this week's wonderful sponsors, Vanta and Horizon3.ai. [SPEAKER_02]: We'll be hearing more about them later on in the podcast. [SPEAKER_02]: This week on Smashing Security, we're not going to be talking about how a simple security flaw in WhatsApp exposed 3.5 billion phone numbers. [SPEAKER_02]: You'll hear no discussion of how a British hacker must repay 4 million pounds after hijacking celebrity Twitter accounts.

[SPEAKER_02]: And we won't even mention how Cloudflare experienced a massive outage, taking down large chunks of the internet. [SPEAKER_02]: So Tricia, what are you going to be talking about this week? [SPEAKER_04]: I'm going to be chatting about a new malware campaign that is targeting hotels and their guests through semi-legitimate means. [SPEAKER_02]: And I'm going to be asking why more companies don't say sorry.

[SPEAKER_02]: All that and the featured interview with Snehal Antani of Horizon3.ai coming up on this episode of Smashing Security. [SPEAKER_02]: Right, we've got a chance now to thank one of the supporters of this week's podcast, Horizon3.ai. [SPEAKER_02]: You can't defend what you don't see. [SPEAKER_02]: And that's why Horizon3.ai created NodeZero to continuously test your network the same way real attackers would, built to help you prove your defenses work.

[SPEAKER_02]: Traditional pen tests happen once a year. [SPEAKER_02]: They're manual, they're expensive, and they're outdated the moment they're done. [SPEAKER_02]: NodeZero changes that by continuously testing your environment. [SPEAKER_02]: With over 170,000 pen tests completed, NodeZero doesn't just find vulnerabilities, it proves how they can be exploited safely.

[SPEAKER_02]: From Active Directory tripwires to AI-driven attack paths, you'll see your network the way an adversary does, and before they do. [SPEAKER_02]: Join thousands of organizations who've moved from reactive to continuous security, because the best defense is understanding offense. [SPEAKER_02]: Visit Horizon3.ai to get your autonomous pen test demo today. [SPEAKER_02]: That's Horizon3.ai, and thanks to Horizon3.ai for supporting the show. [SPEAKER_02]: What's that?

[SPEAKER_02]: No, not what's happening. [SPEAKER_02]: What really gets my... [SPEAKER_02]: I've done. [SPEAKER_02]: I've done. [SPEAKER_02]: Companies who won't say sorry, right? [SPEAKER_02]: Sorry? [SPEAKER_02]: Yeah, sorry exactly. [SPEAKER_02]: I know, you say like you never heard the word. [SPEAKER_02]: Sorry, you just never do hear the word. [SPEAKER_02]: Do you these days from these companies? [SPEAKER_02]: No. [SPEAKER_02]: They are terrible at apologizing.

[SPEAKER_02]: They're terrible at apologizing when they take advantage of your personal data, for instance. [SPEAKER_02]: You know, the privacy controls. [SPEAKER_02]: Oh dear, we've accidentally turned on this new feature and forced you to log in if you don't like it, but in fact we're already scraping all your information for our artificial intelligence large language models. [SPEAKER_04]: But they really care about security. [SPEAKER_02]: They really care about security.

[SPEAKER_02]: They really do. [SPEAKER_02]: And they really care about privacy as well. [SPEAKER_02]: Oh, they won't say sorry because they've just suffered a cyber security attack. [SPEAKER_02]: They are terrible. [SPEAKER_02]: I didn't admit it, thought that they will stall. [SPEAKER_02]: They will waffle. [SPEAKER_02]: They will hide behind phrases like "out of an abundance of caution" when notifying you that your first-born child and your house are no longer your property.

[SPEAKER_02]: And he'd go, but mostly it's those, was it Wormtongue in Lord of the Rings? [SPEAKER_02]: It's still whispering in the ear of the King of wherever it was. [SPEAKER_02]: I'm sorry to all the Lord of the Rings fans, you remember who it was? [SPEAKER_02]: Anyway, he's always whispering in the ear out there. [SPEAKER_02]: They said, let me, nothing. [SPEAKER_02]: Don't own up to anything, because they are so terrified of a class action suit in the wake of a data breach.

[SPEAKER_04]: Yeah, letting legislation or fear of retaliation run your security program. [SPEAKER_04]: That seems like a great move. [SPEAKER_02]: Yeah, it really doesn't, does it? [SPEAKER_02]: Every hour of silence or hiding behind bland security advisories, the truth is that damages trust much more.

[SPEAKER_02]: I think it's better just to say sorry, because that hopefully will take the [SPEAKER_02]: If their data is being auctioned off to the highest bidder, all the while businesses are hiding behind their bland excuses which avoid saying sorry. [SPEAKER_04]: Yep. [SPEAKER_04]: And I think it's a huge misstep for a number of reasons. [SPEAKER_04]: One, first and foremost, your customers have a right to know where their data is going and who has been accessing it.

[SPEAKER_04]: That's like first and foremost. [SPEAKER_04]: Secondly, the security community really prefers that. [SPEAKER_04]: And they respect that. [SPEAKER_04]: We've seen that with... there was an outage on Discord. [SPEAKER_04]: I think a few years ago, and they were so good at updating where things were at. [SPEAKER_04]: Like they were super transparent. [SPEAKER_04]: Yes. [SPEAKER_04]: It was honestly a master class in how it should have been handled.

[SPEAKER_04]: And I wish more companies did that, because your point about bland, it's so, there's just zero substance whenever these things happen. [SPEAKER_02]: And it's impossible. [SPEAKER_04]: Yes. [SPEAKER_02]: I don't think people expect perfection. [SPEAKER_02]: I mean, I don't think anyone sensible expects that there's such a thing as a hack-proof company, right? [SPEAKER_02]: You don't expect them to be completely impossible to breach, right?

[SPEAKER_02]: You know, in this day and age, being hacked is a fact of life. [SPEAKER_02]: It's more about how you respond to it afterwards, but people do expect... customers and business partners do expect honesty and transparency, but so often they let it down. [SPEAKER_02]: Yeah, and I think if someone came out and said, I'm really sorry, we f***ed up, right? [SPEAKER_02]: This is what happened, this is what we're doing about it.

[SPEAKER_02]: That almost always lands better with people than a sort of polished version of things. [SPEAKER_02]: But that's what we keep on seeing. [SPEAKER_02]: That's why I was really pleased this week to see an organisation actually say sorry after suffering a data breach. [SPEAKER_02]: Checkout.com. [SPEAKER_02]: They are a payment processing service for businesses. [SPEAKER_02]: They're just like a Stripe or a PayPal or a Klarna or one of those.

[SPEAKER_02]: It allows firms to accept and manage money transactions, regardless of whatever currencies or payment methods the customer wants to use. [SPEAKER_02]: But being a big global payments processor like that does mean of course you've got a bit of a target on your back because you've got sensitive information, right? [SPEAKER_02]: And cybercriminals are going to mean we like that. [SPEAKER_04]: Many, many, many.

[SPEAKER_02]: And sure enough, the hackers ended up stealing some data from Checkout.com. [SPEAKER_02]: Now, it's thought that the criminals responsible were the notorious ShinyHunters gang, and they apparently accessed data from one of Checkout.com's legacy third-party cloud file storage systems. [SPEAKER_02]: No. [SPEAKER_02]: Yeah, so Checkout.com, they estimate it affects less than 25% of their current merchant base, which could of course mean that they've lost a huge number of customers.

[SPEAKER_02]: No, I don't think I can see. [SPEAKER_02]: Anyway, they say, look, all of our current customers, only a quarter of you have to potentially be worried, and they say it was mostly internal operational documents and [SPEAKER_02]: other materials at that time. [SPEAKER_02]: So not like payment data, which go through, and not card numbers, thank goodness, but it was an old system and it was described as having been used up until about 2020.

[SPEAKER_02]: In other words, it was a system that should have been shut down long ago, but wasn't. [SPEAKER_02]: So they haven't used it for five years. [SPEAKER_02]: Right, sad trombone, and according to CTO Mariano Albera, the hackers demanded a ransom to avoid the stolen data being leaked onto the dark web. [SPEAKER_02]: So this wasn't an attack where they encrypted files, they simply stole the files. [SPEAKER_02]: Some of these hackers now, they don't even bother with the encryption.

[SPEAKER_02]: Why bother with the encryption? [SPEAKER_02]: We just steal the data, we prove that we've got the data, we give people a sample back, we say give us the money. [SPEAKER_04]: Yeah, I mean, if that's the ultimate goal, yeah. [SPEAKER_04]: Attackers are just like a business, right? [SPEAKER_04]: They have to find what is going to work for them. [SPEAKER_04]: And if they're looking for the money, that's where to do it.

[SPEAKER_02]: But this is the thing which I really like. [SPEAKER_02]: This CTO, Mariano Albera of Checkout.com, posted up on their blog, and you don't often expect to hear this from a major financial tech firm, but they didn't give any excuses. [SPEAKER_02]: They publicly disclosed the incident and they apologized, yes, they actually used the word. [SPEAKER_02]: Sorry. They said, we are sorry, full stop. [SPEAKER_02]: This was our mistake. [SPEAKER_02]: We take full responsibility.

[SPEAKER_02]: It's so refreshing. [SPEAKER_04]: Yeah, I hope other companies or organizations take note of this because I was truly shocked whenever I wrote it's all this too. [SPEAKER_04]: Wow. [SPEAKER_02]: Can you imagine the response from their internal legal department? [SPEAKER_02]: That'd be a hell of a hell of a [SPEAKER_02]: There must be this internal battle going on saying, well, I think we should say it because we are sorry, we do accept that this should not have happened.

[SPEAKER_02]: I think it's brilliant, but they went further than that. [SPEAKER_02]: They said, we will not be extorted by criminals, we will not pay this ransom, which again, [SPEAKER_02]: I think is not a position which every company which has data stolen from it can take. I don't think it's always easy to make that decision. [SPEAKER_02]: But brilliant, that they felt okay to say, we own this, we're sorry about it. [SPEAKER_02]: And by the way, we're not going to pay the ransom.

[SPEAKER_02]: But what I really liked was they carried on, and they said that they were going to donate the equivalent of the ransom, which the cybercriminals had wanted, to cyber-criminal researchers at places like Oxford University and Carnegie Mellon. [SPEAKER_02]: So they're donating all that money to support their research into the fight against cybercrimes. [SPEAKER_02]: So they've turned what could have been a PR disaster actually into a little bit of good news of them doing.

[SPEAKER_02]: I guess it's what corporations called CSR these days, isn't it? [SPEAKER_02]: Right, corporate social responsibility. [SPEAKER_02]: They're giving back to the community. [SPEAKER_04]: truly way to go above and beyond. [SPEAKER_04]: First, you say, I messed up, then you say, sorry about it, then you say, you know what? [SPEAKER_04]: We're going to still give the money because we did mess up somewhere, but let's put it in a place where it could potentially have good in the future.

[SPEAKER_04]: That's phenomenal. [SPEAKER_04]: And what an incredible brand move because if I were a customer, I would see that and say, wow, instead of saying, we really care about security, they're literally putting their money [SPEAKER_04]: That's awesome. [SPEAKER_02]: So maybe we should give them a little round of applause. [SPEAKER_02]: Hang on. [SPEAKER_02]: Hang on, Trisha.

[SPEAKER_02]: I don't think we should get too carried away, because when you dig into the details, there are a few uncomfortable truths. [SPEAKER_02]: And the first thing that we can't ignore is that Checkout.com was using a legacy system. [SPEAKER_02]: And legacy systems are a liability. [SPEAKER_02]: It's often not the new shiny platform that gets you hacked, it's the dusty bucket in the corner, literally maybe a web bucket that no one remembers existed.

[SPEAKER_02]: It could be a file share you used to use seven years ago, but don't anymore, it could be a testing environment someone promised would be decommissioned next quarter, but hasn't been.

[SPEAKER_02]: It could be a cloud folder from 2020 no one thought to lock down. So although we're applauding them for saying sorry, and that's good, and we're applauding them for giving money to cybercriminal researchers and things, they did still lose data, they were a bit sloppy with their security, weren't they? [SPEAKER_05]: No beer.

[SPEAKER_02]: And the criminals, they love these forgotten systems, because they're often accessible and poorly monitored or unpatched, and can be the route by which hackers can get into an organisation and spread further and steal even more information.

[SPEAKER_02]: So we have to recognize that, and transparency buys goodwill, but it doesn't erase the underlying security failure. To their credit, they communicated quickly and clearly, they took responsibility, they didn't try to apply some PR spin, but it was because this wasn't fully decommissioned. [SPEAKER_02]: So, I like that they refused to pay the hackers. [SPEAKER_02]: That's commendable, but you can't use that as your shield.

[SPEAKER_02]: What I wouldn't like is any organisation thinking, well, our stance of "we won't negotiate with criminals" [SPEAKER_02]: is going to be a strong defense, because one day, cybercriminals might take something from you which is irreplaceable. [SPEAKER_02]: Which completely prevents your organization from running any more, or it can lose you your customers, or you'll have to make stuff for a, or you cease operations, or your production line isn't working.

[SPEAKER_02]: So Checkout.com actually got really lucky on this occasion, because the data exposed was old, it was limited, but many companies won't be [SPEAKER_04]: Yeah, true. [SPEAKER_04]: And legacy systems are particularly tricky now with all the new technologies that we're introducing. [SPEAKER_04]: So many, so many of the research pieces we do here are based on flaws that were known, even some as long as 10 years ago. [SPEAKER_04]: And they are being used now in new and different ways.

[SPEAKER_04]: And because of these things like you said, the dusty bucket in the corner, I love that. [SPEAKER_04]: Because, of course, if I'm an attacker and my goal is to get the data then to get money, I'm going to go in through the window if it's open rather than trying to knock down the blocked front door. [SPEAKER_02]: Yep, I completely agree. [SPEAKER_02]: So, what's my advice? [SPEAKER_02]: I don't want to poo-poo too much.

[SPEAKER_02]: You know, they did say sorry and I love that they're giving money to cyber criminals or cyber criminals research. [SPEAKER_02]: To the research into cyber crime, it's the right way round. [SPEAKER_02]: I hope at least that money that they're giving. [SPEAKER_02]: I suppose we better just check the small print there, but what can companies do to avoid this?

[SPEAKER_02]: Well, one of my pieces of advice would be to do a pre-mortem. Now, we're all familiar with the idea of post-mortems. [SPEAKER_02]: You investigate something after a bad event. [SPEAKER_02]: Why not do one in advance? [SPEAKER_02]: Why not ask yourself, what systems might we have forgotten about? [SPEAKER_02]: What's still accessible? [SPEAKER_02]: That shouldn't be any longer. [SPEAKER_02]: What would an attacker find easiest to breach inside an organisation?

[SPEAKER_02]: What would embarrass us most if it were ever to leak? [SPEAKER_02]: Because most of the time I think these attacks are grabbing the low-hanging fruit. [SPEAKER_02]: So if you can secure that, you're going a long way to preventing yourself from becoming the next cybersecurity headline. [SPEAKER_04]: Beautifully said, beautifully. [SPEAKER_01]: Thank you. [SPEAKER_04]: It's almost like you have a show that you do for a living.

[SPEAKER_01]: I wouldn't call it a living, but yeah, it's okay. [SPEAKER_02]: Okay, before we go any further, I need to share a quick word with you about one of our sponsors today, Vanta. [SPEAKER_02]: You know how everyone's got an AI assistant these days. [SPEAKER_02]: Well, imagine one that doesn't just write haikus about zero-day vulnerabilities, but actually does your audit work for you. [SPEAKER_02]: That is Vanta.

[SPEAKER_02]: It connects to all of your tools, gathers evidence, tracks compliance, and quietly helps you prove that yes, you do take [SPEAKER_02]: It pulls everything together, keeps an eye on your systems and basically makes sure you're ready for an audit at any time, which means no last-minute panic for screenshots and policies. [SPEAKER_02]: It also plugs into the tools you're already using and flags up issues before they become a right old mess.

[SPEAKER_02]: So if that sounds like something that might save you from a few sleepless nights, check out vanta.com/smashing. [SPEAKER_02]: And if you use that link, you'll get a thousand dollars off. [SPEAKER_02]: So don't forget, vanta.com/smashing, and thanks to Vanta for sponsoring this week's episode. [SPEAKER_02]: On with the show. [SPEAKER_02]: Tricia, what's your story for us this week? [SPEAKER_04]: Well, mine is less uplifting, I would say.

[SPEAKER_04]: However, since the holidays are upon us, at least over in this part of the world, travel is going to be up. [SPEAKER_04]: And that means that as we all know, this is whenever the attackers come out to play. [SPEAKER_05]: Yeah. [SPEAKER_04]: So there is a new iteration. [SPEAKER_04]: in a series of malware incidents, if you will, that we've seen over the past few years that are targeting hotels and also hotel guests.

[SPEAKER_04]: So this is where it's not just I'm going after the hotel itself or I'm not even just going after the booking platform itself. [SPEAKER_04]: I'm actually doing that as my first step, and then moving on to attack the customer, the actual end user. [SPEAKER_04]: This is actually a pretty sophisticated social engineering attack.

[SPEAKER_04]: How it worked is an attacker compromised an email account to send malicious messages internally through a booking platform to various hotels worldwide. [SPEAKER_04]: So this is really wild. [SPEAKER_04]: Right. [SPEAKER_04]: It's not just geo-specific, which we've seen before. [SPEAKER_04]: This one is actually worldwide. [SPEAKER_04]: Huge yikes, okay?

[SPEAKER_02]: These are all hotels using a central booking system, so one of the big names which may be we would use to book our own hotel rooms or vacations and things, so the hotels are linked with them and they receive an email which they believe to have come from that booking organization in San Francisco. [SPEAKER_02]: That's correct. [SPEAKER_04]: Yep, and it's sometimes to the point of editing the header to say that it was actually from that platform.

[SPEAKER_05]: Okay. [SPEAKER_04]: This is where the sophistication comes in, because I would say we're largely aware as a society that we need to be looking at what we're clicking on, but it's really hard to do that whenever the things that you are clicking on look exactly like the things you think you're supposed to be. [SPEAKER_04]: Yes. [SPEAKER_04]: And so this was a really, really bad example of that. [SPEAKER_04]: So the email was how it started.

[SPEAKER_04]: It's a ClickFix campaign, but the ClickFix email contains a big bad URL, and upon being clicked on kicks you to a page that downloads some malicious JavaScript, and then that even checks for certain security measures so that it knows [SPEAKER_04]: how to go about it. [SPEAKER_04]: So if you do have an iframe, for instance, it will literally redirect you to a new page that does not have an iframe, does not have HTTPS, just goes over HTTP, and bingo bingo.

[SPEAKER_04]: We land upon a super legitimate-looking extranet. [SPEAKER_04]: So this would be like a partner portal or something for the hotels to go in looking at these booking platforms, right? [SPEAKER_02]: And that's where they grab the hotel's password or their login credentials or something about. [SPEAKER_04]: Somewhat. [SPEAKER_04]: So here's how the attack works.

[SPEAKER_04]: The person clicks on the email, it goes to a page that looks like Booking.com's extranet, even to the point of, in the URL, using the words "extranet" or "admin". [SPEAKER_04]: So this kind of suggests that the attackers probably did access the legitimate one so that they could mimic it, if nothing else. [SPEAKER_04]: And then they do the reCAPTCHA tactic. [SPEAKER_04]: Have you heard of this one? [SPEAKER_02]: Ah, this is, yeah, I love a CAPTCHA. [SPEAKER_02]: I did, yeah.

[SPEAKER_02]: So I think we may have mentioned this on the show before. [SPEAKER_02]: So the CAPTCHA is the thing which asks you, are you a robot or not? [SPEAKER_02]: And it makes you jump through some hoops. [SPEAKER_02]: You maybe have to write some letters or press a key sequence or something. [SPEAKER_02]: And with these particular ones, if I'm correct in saying, what they ask you to do is press like a keyboard sequence.

[SPEAKER_05]: Yes. [SPEAKER_02]: Which copies a dangerous link into your clipboard. [SPEAKER_02]: And then runs some script which will take you to another page. [SPEAKER_04]: It's a PowerShell command. [SPEAKER_02]: PowerShell command, okay. [SPEAKER_02]: So the ultimate end result of this is you're gonna have something malicious running on your computer. [SPEAKER_04]: Yeah. [SPEAKER_04]: So this is yet another step in this sophisticated social engineering thing.

[SPEAKER_04]: A good attacker knows that we created the internet and told people to click on things and then we invented security and said, don't click on things, that doesn't work.

[SPEAKER_04]: Then we add in new things to click on, and the attackers mimic it too, just like the "I am not a robot". Now, this is wild, because that in itself, for a typical user, clicking "I am not a robot" instills some sort of confidence. Yeah, what it says to them is that, oh, this company, this company cares about security, and see how many times I can say that, they take security seriously, very, very seriously. [SPEAKER_04]: So they're actually not only abusing the platform, the hotels.

[SPEAKER_04]: I mean, there are so many people involved in this. [SPEAKER_04]: They're also abusing a well-known, quote unquote, security tactic. [SPEAKER_04]: I mean, you don't get much worse than that. [SPEAKER_04]: But upon running the command. [SPEAKER_04]: It downloads a zip file. [SPEAKER_04]: There's a bunch of big baddie stuff including PureRAT malware. [SPEAKER_04]: It does a lot of stuff.

[SPEAKER_04]: It actually even sends status updates to the C2 so that the attacker can see what's happening in real time. [SPEAKER_04]: And of course, it sets up persistence, so it'll stay there for as long, and it is fileless, so it's pretty difficult to detect. [SPEAKER_04]: So the baddies know what they're doing, because they even hosted the zip archive on a legitimate site that was compromised.

[SPEAKER_04]: So they know, on some multiple steps here, they have created ways to have trust within the victim and they're just luring them right in. [SPEAKER_02]: So the victim at this stage is still the hotel. [SPEAKER_02]: So the hotel has been scammed. [SPEAKER_04]: Yeah. [SPEAKER_02]: They've now got malware on their computers. [SPEAKER_02]: So how does it get to the hotel's customers? [SPEAKER_04]: So this is part two. As the late Billy Mays would say, but wait, there's more.

[SPEAKER_04]: After getting over the actual hotels, they target the guests themselves using legitimate booking information that they got from the hotel that they had compromised.

[SPEAKER_04]: So they would reach out via email or WhatsApp and say something like, [SPEAKER_04]: uh, we saw your stay is on this date to this date. We actually, as an additional security measure, we need you to validate your card, because people have been doing illegitimate things on bookings and we want to make sure you are secure. [SPEAKER_04]: So what that does, of course, we all know where this story goes. [SPEAKER_04]: They click on the link that is absolutely malicious.

[SPEAKER_04]: And then the victim inputs their credit card information and other personal information into a phishing site. [SPEAKER_04]: And that is then used to be compromised. [SPEAKER_04]: Bingabango, your attacker has all of your information. [SPEAKER_02]: And because the criminals have stolen the credentials of the hotel to log in to the booking site dashboard, [SPEAKER_02]: they are able to send messages to hotel customers via that dashboard, so via their infrastructure.

[SPEAKER_02]: So any messages you get, which may be inside the booking app as well, really appear legitimate. [SPEAKER_02]: I know about this because I was out by no Beijing's in the supermarket two years ago, [SPEAKER_02]: and I got a message from Booking.com inside the Booking.com app for a hotel trip which I was just about to make, saying that they needed to revalidate my card.

[SPEAKER_02]: And thankfully I was suspicious, but many people, because it would have arrived via the actual app rather than an email or a text, would have found that message really, really convincing. [SPEAKER_04]: Oh, yeah. [SPEAKER_04]: I mean, you're not only using the words and your typical social engineering tactics, now the method in which you're delivering the message is also a social engineering tactic. [SPEAKER_04]: Yes. [SPEAKER_04]: As you said, it goes in through your app.

[SPEAKER_04]: We actually did a piece of research on that, specifically that one. [SPEAKER_04]: There was a campaign that was going on as an extension of the original infostealer campaign that was targeting hotels [SPEAKER_04]: through Booking.com sites.

[SPEAKER_04]: They were saying that they were going to lose their reservation in the event that they did not revalidate their card, and they went so far actually as to have email correspondence directly with the victims, both at the hotel site and the actual end user victims, to create this trust. [SPEAKER_04]: It was a very sophisticated campaign.

[SPEAKER_04]: And I think what's particularly scary about this one is that, again, this is another evolution of something that has been in the works since, I think we did the research on it, since 2023 was the first time it came out, and so many of the steps are actually as-a-service models. [SPEAKER_04]: So now, not only are we having to defend against the people who are actually technically savvy enough to build the malware and/or edit whatever else is out there to fit their malicious purpose.

[SPEAKER_04]: Now we're dealing with anybody who has an axe to grind and 40 bucks on the dark web. [SPEAKER_04]: So it's a real problem. [SPEAKER_04]: The malware itself was an as-a-service. [SPEAKER_04]: I believe there was a Telegram bot that was scraping credentials and stuff that was also a service. [SPEAKER_04]: I mean, it effectively puts a little bow on cyber crime, doesn't it?

[SPEAKER_02]: It really does, and I have to wonder whether these hotel companies are really doing enough, because I've heard these complaints now about the way in which these companies are getting hacked and the way these messages are tricking travelers so convincingly for a few years now, like you said yourself. [SPEAKER_02]: And it feels like it's still going on. [SPEAKER_02]: The complaints are still coming in from travellers. [SPEAKER_02]: That they are being scammed in this way.

[SPEAKER_02]: And they're not getting the best of support from the booking companies themselves. [SPEAKER_02]: In fact, there's been a complaint here in the UK that Booking.com have been replacing their customer service desk with AI chatbots. [SPEAKER_04]: I mean, it's just so tragic because especially, you know, we were talking about it around the holidays, which is like a good reason to travel, but they're also not super great reasons to travel, right?

[SPEAKER_04]: And if you're already in an emotional state, you are going to be more susceptible to this too, especially if it looks super legitimate, and especially, especially if it's coming through the legitimate application that you booked it through. All of these things create so much trust, and it's just scary. [SPEAKER_02]: You know what I'd really like, Tricia? [SPEAKER_04]: What's up? [SPEAKER_02]: I'd like some of these hotel booking companies to say sorry.

[SPEAKER_04]: I was hoping you were going to go back for it. [SPEAKER_02]: Well, I'm delighted to be joined by another special guest this week, and our guest was the first CTO of JSOC. [SPEAKER_02]: That's the part of the U.S. military that runs special operations. [SPEAKER_02]: His job was to build technology that helped real-world operators outthink real adversaries. [SPEAKER_02]: And now, he's bringing that mindset into everyday cybersecurity with Horizon3.ai.

[SPEAKER_02]: Now, Snehal Antani, ex-CTO of JSOC, CEO of Horizon3.ai, that's quite the business card. [SPEAKER_02]: Great to have you on the show! [SPEAKER_03]: Thank you for the opportunity, I appreciate it. [SPEAKER_02]: It's really fantastic to have you here. [SPEAKER_02]: So I'm curious about this background of yours. [SPEAKER_02]: How do you go from running military cyber operations to running a product demo for a Fortune 500 CIO?

[SPEAKER_03]: I was actually in industry for almost my entire career, so I was at IBM, I was the CIO at GE Capital, and I moved out west to be the CTO at Splunk, and in my time at Joint Special Operations Command, in many ways, I was a tourist. My military experience was watching Jack Ryan and Tropic Thunder. [SPEAKER_03]: I didn't come from a military background, right?

[SPEAKER_03]: And so it was an absolute privilege and honor to serve within that community, recognizing that I had to earn the right to be in that organization every single day. [SPEAKER_03]: Now, keep in mind, within DOD, special operations, and JSOC, they're already tech savvy. [SPEAKER_03]: The bulk of the first mover of any sort of technology or capability or mindset is pioneered within the special operations space, because that's how talented they are.

[SPEAKER_03]: And so the privilege of being able to help that organization get even better than they already were was amazing. [SPEAKER_03]: I think the flip, though, is the influence and impact the special operations experience had on me as a leader, and how much I grew personally and professionally from that whole thing. [SPEAKER_03]: And how I now use that to try to be a better leader every day at Horizon3, and that's probably the bigger story out of this than anything else.

[SPEAKER_02]: That's interesting. [SPEAKER_02]: So now at Horizon3. [SPEAKER_02]: You're doing some pretty interesting stuff. [SPEAKER_02]: My understanding is it's all about autonomous pen testing. [SPEAKER_02]: So let's say I'm a normal company. [SPEAKER_02]: I do an annual pen test. [SPEAKER_02]: I get a PDF report. [SPEAKER_02]: I put it in my drawer and file it away. [SPEAKER_02]: Are you suggesting that's not enough?

[SPEAKER_03]: Yeah, you know, the goal of running a pen test isn't to find problems. [SPEAKER_03]: The goal of running a pen test is to quickly fix problems that matter. [SPEAKER_03]: And that's the fundamental mind shift that high-performing security organizations have over the laggard organizations that often end up in the news.

[SPEAKER_03]: And so, in cybersecurity, the only perspective that actually matters is the attacker's perspective. [SPEAKER_03]: The attacker's perspective is how you're going to prioritize what to fix. [SPEAKER_03]: The attacker's perspective is how you're going to make sure your EDR or your SIEM or your WAF are actually tuned and working properly. [SPEAKER_03]: And the attacker's perspective is how you're going to make sure your team has built the muscle memory to respond to a breach.

[SPEAKER_03]: And that was the real epiphany for me, in my time as a CIO, my time at Splunk, and then my time within the Department of War. [SPEAKER_03]: And I think that the limiting factor throughout all that time was there are only about 25,000 certified ethical hackers globally. [SPEAKER_03]: There are only about 5,000 certified ethical hackers in the United States. [SPEAKER_03]: Many of whom are in the military and the government.

[SPEAKER_03]: And so the number of folks available to serve commercial organizations is very few. [SPEAKER_03]: So that severe constraint of supply with an increased spike in demand makes it a very untenable situation. [SPEAKER_03]: And so you need some sort of force multiplier. [SPEAKER_03]: And that was my bet.

[SPEAKER_03]: Could we invent some sort of AI system or autonomous system that could execute production pen testing of infrastructure at scale to be that force multiplier? [SPEAKER_03]: So humans can focus on the things humans are uniquely gifted at. [SPEAKER_02]: Right. [SPEAKER_02]: So then you've got the resources, you've got the technology to be doing this effectively all the time. [SPEAKER_02]: It's round the clock, rather than a once-a-year approach. [SPEAKER_03]: That's exactly right.

[SPEAKER_03]: Our customers shift from one or two pen tests a year to 40 or 50 pen tests a month. [SPEAKER_02]: Wow. [SPEAKER_03]: And when I first saw that behavior, I was like, who on earth needs to run that many pen tests a month? [SPEAKER_03]: And when you double click, the journey is actually really interesting.

[SPEAKER_03]: So the first thing is, we all start with an incomplete snapshot. [SPEAKER_03]: We're testing a small slice of our network that's hopefully a reasonable sample of everything, and the problems we find there hopefully allow us to understand where else to look. [SPEAKER_03]: And so it's this incomplete snapshot. [SPEAKER_03]: And the first thing people did with us was move to a comprehensive snapshot.

[SPEAKER_03]: Instead of running a pen test against five or 10% of their network, they can now run a pen test against their entire network as one large scope. [SPEAKER_03]: In fact, there was a large transportation authority in a big city in the United States that ran a pen test with 100,000 hosts in it. [SPEAKER_03]: And these hosts represented subway stations, trams, buses, ticketing turnstiles, like all of that transportation infrastructure, so legit production environments.

[SPEAKER_03]: And they immediately found all sorts of exploitable problems that they had no clue existed in the network. [SPEAKER_03]: You know, we see dwell time data. [SPEAKER_03]: And attackers, once they get in, they lurk. [SPEAKER_03]: They take the time to map your entire network. [SPEAKER_03]: And in that mapping of the entire network, they become very precise in where to make the least amount of effort to cause the maximal amount of harm.

[SPEAKER_03]: And we don't do that from a pen testing standpoint, at least we didn't until we saw the comprehensive side. [SPEAKER_03]: Does that make sense? [SPEAKER_02]: Yeah, it makes a lot of sense to me. [SPEAKER_02]: So you've got this autonomous pen testing platform. [SPEAKER_02]: I think you call it NodeZero, right? [SPEAKER_03]: Correct. [SPEAKER_02]: And what does that do?

[SPEAKER_02]: How does it emulate the tactics and techniques that real threat actors are launching against an organization? [SPEAKER_03]: Yeah. [SPEAKER_03]: It's a great question. [SPEAKER_03]: So when you think about a cyber attack, on the one hand, we all are going to read news headlines about such-and-such a breach. [SPEAKER_03]: But in that news headline or in that initial report, we're only told of the way the attacker gained initial access, usually. [SPEAKER_03]: Right.

[SPEAKER_03]: They gained initial access through this Palo Alto vulnerability that's now a cystic [SPEAKER_03]: or through this Ivanti vulnerability, or whatever else. [SPEAKER_03]: That was just the way in. [SPEAKER_03]: Once the attacker was in, they conducted reconnaissance and enumeration to discover everything that was network reachable. [SPEAKER_03]: They used techniques to harvest credentials, whether it was listening for credentials on the network, and they do these other steps

[SPEAKER_03]: to build basically a cyber terrain map of every host, port, service, defensive tool, credential, policy, and so on. [SPEAKER_03]: And it's from that map that they're able to effectively maneuver throughout the environment. [SPEAKER_03]: And at the end, the outcomes or the impacts are fairly well defined. [SPEAKER_03]: The attackers are either going to become domain admin, which gives them the keys to the kingdom.

[SPEAKER_03]: They're going to find interesting sensitive data that they're going to pull for exfiltration. [SPEAKER_03]: They're going to deeply burrow into some component to create the opportunity to attack at a future date of their time and choosing. [SPEAKER_03]: And so it actually looks kind of like a chess game. [SPEAKER_03]: There are well-defined opening moves. [SPEAKER_02]: Yeah. [SPEAKER_03]: There are well-defined closing moves, and the middle of the chess game is completely dynamic.

[SPEAKER_03]: And so, as we built NodeZero, we thought of it in the same way. [SPEAKER_03]: There are well-defined opening moves to a penetration test. [SPEAKER_03]: There are well-defined closing moves. [SPEAKER_03]: But the middle needs to be completely dynamic based on what we've discovered in the environment. [SPEAKER_03]: Should we go after the router, the printer, or the television next?

[SPEAKER_03]: Well, that decision, that next best action, is based on discovered services, harvested credentials, historical record of success, likelihood of achieving our objective or our goal. [SPEAKER_03]: And so when you think about this as graph analytics, next best actions, technical infrastructure, you can start to imagine what the underlying technology systems start to look like. [SPEAKER_02]: So this isn't just about finding vulnerabilities.

[SPEAKER_02]: You're actually discovering attack chains here. [SPEAKER_02]: You're analyzing the movements which the hackers will commonly make and how they chain these things together. [SPEAKER_03]: Exactly right. [SPEAKER_03]: More importantly, it's the combination of the attack path. [SPEAKER_02]: Yeah. [SPEAKER_03]: Attackers are going to combine a low plus a low to equal a critical, [SPEAKER_03]: and that's how they're going to maneuver in the environment.

[SPEAKER_03]: It's about understanding the kill chain, or the multiple steps the attacker took, while also understanding the consequence of that exploitation. [SPEAKER_03]: Don't just tell me I've got a vulnerability on a host. [SPEAKER_03]: That doesn't tell me anything. [SPEAKER_02]: Right. [SPEAKER_03]: The attacker can chain together multiple issues that lead to the consequence of domain admin, and consequence is how you're gonna prioritize your resources.

[SPEAKER_02]: Okay, so let's give some real-world examples here. [SPEAKER_02]: You guys have run hundreds of thousands of autonomous pen tests for organizations. [SPEAKER_02]: There must have been some where everyone in the room goes pale. [SPEAKER_02]: What was the most sort of uh-oh moment which you've had with a customer, where something has been unearthed? [SPEAKER_03]: Well, let's break this into probably a couple of subcategories, because there are amazing stories. [SPEAKER_02]: Uh-huh.

[SPEAKER_03]: So the first is the fastest. [SPEAKER_03]: And this isn't about speed, but it is a testament to where the world is moving. [SPEAKER_03]: Our AI hacker, NodeZero, and I actually talked about this during my keynote at Black Hat, [SPEAKER_03]: got Domain Admin at a Defense Industrial Base supplier in 77 seconds. [SPEAKER_02]: Oh boy. [SPEAKER_03]: No humans involved, point, click, shoot, go, 77 seconds. [SPEAKER_03]: That means if your defensive controls can't stop us in 76 seconds, it's game over.

[SPEAKER_03]: Because at second 77, we're going to get domain admin, we're going to lock out all of your employees from the office, gain access to all of your data, do whatever we want. [SPEAKER_03]: So 76 seconds, think about that as a SOC. [SPEAKER_03]: Can you, as a SOC analyst, detect and stifle and contain an attacker in 76 seconds or less? [SPEAKER_03]: The answer is probably not. [SPEAKER_03]: So we have an effectiveness problem.

[SPEAKER_03]: And the future of cyber warfare is AI fighting AI with humans by exception. [SPEAKER_03]: So that's probably the craziest, is the speed at which we're able to get there. [SPEAKER_03]: And I've got a few others. [SPEAKER_03]: Like, one is the coolest story. [SPEAKER_02]: Oh my goodness. [SPEAKER_02]: Tell us. [SPEAKER_03]: Actually, coolest in terms of, we didn't expect this, was a customer that had Windows Defender installed across 14,000 endpoints.

[SPEAKER_02]: Okay. [SPEAKER_03]: And when they ran the pen test, of the 14,000 Defender agents, only one of them was misconfigured. [SPEAKER_03]: Now we're going to be like, amazing job, 13,999. [SPEAKER_03]: All it took was that one misconfigured agent for NodeZero to drop an implant, dump SAM, gain access to credentials, and then use that to laterally maneuver and eventually become domain admin. [SPEAKER_03]: One out of 14,000.

[SPEAKER_03]: And so when you think about your EDR and how crucial it is to ensuring your security, you have to make sure these EDR agents are actually configured and installed correctly. [SPEAKER_03]: And you can't trust that they're installed correctly. [SPEAKER_03]: You've got to verify those configurations with the attacker's perspective. [SPEAKER_02]: You've got some pretty scary stories there, Snehal.

[SPEAKER_02]: Now, talking of scary things, and you've already touched upon this, is the threat from AI, artificial intelligence, actually happening today, in your opinion? [SPEAKER_02]: And how is AI changing both offensive and defensive security?

[SPEAKER_03]: Let's start on the offensive side, the bad guys. In September, then, Anthropic's team talked about a single person, not even a team, a single person, creating various AI agents on Anthropic [SPEAKER_03]: to execute a ransomware campaign, and they were able to successfully ransomware 17 different organizations with this technique.

[SPEAKER_03]: And what this clever ransomware operator did was they built specialized agents in Claude that focused on one specific part of the attack, one for data discovery, one for evaluating the value of the data. [SPEAKER_03]: In fact, [SPEAKER_03]: Claude recommended what the ransom price should be to the ransomware operator based on what they found in the data. [SPEAKER_02]: Oh my goodness, brilliant and amazing and terrifying.

[SPEAKER_03]: Now, on the one hand, of all the AI frontier labs, Anthropic is probably the most safety focused. [SPEAKER_03]: Yet this operator was able to bypass that because, in many ways, if you look at what they did, it was extreme compartmentalization. [SPEAKER_03]: What this ransomware operator did was create highly specialized agents that did one task, which on its own looks benign, but in aggregate across the agents is malicious.

[SPEAKER_03]: And so that's how they circumvented Anthropic's safety mechanisms. [SPEAKER_03]: Now, if Anthropic makes their safety mechanisms more aggressive, then they're going to fall [SPEAKER_03]: And then what's the attacker going to do? [SPEAKER_03]: They're just going to further subdivide the task, yes, to be even more specialized. [SPEAKER_03]: In that example, Anthropic and the frontier labs enable a single ransomware operator to operate like a large ransomware team.

[SPEAKER_03]: So it was a force multiplier effect. [SPEAKER_03]: I thought that was pretty remarkable. [SPEAKER_03]: When you think about the force multiplication effect that AI infrastructure can have for the bad guys, the bad guys are embracing it faster than the good guys are.

[SPEAKER_02]: This is the thing, isn't it? AI has not only democratized cybercrime, putting it in the hands of absolutely anybody, you really don't have to be that much of a technical nerd anymore, but it's also multiplied the impact, because things can be run on a bigger scale against more organisations. They don't need as much manpower as they used to need. [SPEAKER_03]: Yeah, exactly right. [SPEAKER_03]: And that's a good segue into Villager.

[SPEAKER_03]: There's a great article on Villager that came out in September as well. [SPEAKER_03]: Villager started as basically a capture-the-flag type tool that was written, I believe, by some folks in China, and it was an MCP server in front of Kali Linux. [SPEAKER_03]: And it allowed this capture-the-flag group or individual to quickly run various attacker commands in their CTF games.

[SPEAKER_03]: But that quickly expanded to be something like 4,200 different system prompts, a plug-in architecture for different kinds of malicious things, whether it's keystroke logging, command and control, and so on and so forth. [SPEAKER_03]: And then it was delivered through PyPI, the software distribution layer. [SPEAKER_03]: And in September there were something like 15 or 20,000 downloads of this already.

[SPEAKER_03]: And this is a pretty legitimate standalone hacker tool that embeds [SPEAKER_03]: And so this is an example where it dramatically lowers the barrier of entry into being a reasonably proficient offensive cyber person, especially if you're a bad guy.

[SPEAKER_03]: So now if you combine these, you've got Villager as this AI-enabled hacking tool, you've got this Anthropic force multiplier effect, and you now have a massive increase of bad guy capability and capacity that the good guys are already struggling with in the current state. [SPEAKER_02]: It sounds like bad news, but surely AI can also help us in our defense. [SPEAKER_03]: Yeah, for sure. [SPEAKER_03]: So that's one part of it.

[SPEAKER_03]: There's a lot of hype around using AI for SIEM, for detection and response. [SPEAKER_03]: But I've actually not seen any impactful or useful application of that that actually works in real-world systems. [SPEAKER_03]: At best, what I see is using LLMs to help process tickets better if you're in the SOC, but nothing that has truly transformed the reaction time of a defender yet.

[SPEAKER_03]: We'll get there, but I think there's a lot of hype, and I think marketing is way beyond what actuality is. [SPEAKER_02]: Right. [SPEAKER_03]: Where I have seen some pretty incredible capability, though, is the use of AI to improve source code security. [SPEAKER_03]: And if you look at Aardvark from OpenAI that just came out, Claude Code has been doing this really well for a while, it's completely transforming the way you do static application security testing.

[SPEAKER_02]: Yes. [SPEAKER_03]: Being able to find bugs in software, and hopefully soon being able to quickly triage the bugs in software, which is actually the long pole in the tent when it comes to secure coding. [SPEAKER_03]: So I think that's where we're going to see the biggest effect. [SPEAKER_03]: But that only helps improve current code being deployed. [SPEAKER_03]: But what about all the legacy code?

[SPEAKER_02]: Yes. [SPEAKER_03]: In firmware and other infrastructure that doesn't get patched frequently enough. [SPEAKER_02]: Well, it's good to hear that future code may be better written than it has been historically. [SPEAKER_02]: Finally, you guys are basically sitting on a giant map of how companies are actually getting hacked, not theoretical vulnerabilities, but real-world weak points. [SPEAKER_02]: Imagine I'm a business leader listening to this podcast on the train.

[SPEAKER_02]: What should I be asking my security team on Monday morning? [SPEAKER_02]: That will tell me if we are actually secure. [SPEAKER_03]: It's a great question. [SPEAKER_03]: So the commander I had the privilege of serving under in special operations used to say to me, don't tell me we're secure.

[SPEAKER_03]: Show me, and then show me again tomorrow, and then show me again next week, because our environment's always changing. [SPEAKER_03]: The first thing every CIO and CISO should do is repeat those words to their team. [SPEAKER_03]: Don't tell me we're secure in PowerPoint, or in some arbitrary stats or some compliance checkbox, show me we're secure.

[SPEAKER_03]: Use the attacker's perspective to make clear the consequences of exploitation, and the risk we are accepting as a business, or that we need to go surge dollars [SPEAKER_03]: That's number one. [SPEAKER_03]: And then number two is, how quickly are you fixing security problems? [SPEAKER_03]: How often are they reoccurring, and why? Proactive cybersecurity is all about staying in shape. [SPEAKER_03]: You know, there's this quote.

[SPEAKER_03]: It's easier to stay in shape than to get in shape. [SPEAKER_03]: You need to build this cadence as a CIO or CISO. [SPEAKER_03]: Every single Monday morning, you should be looking at pen test results across your environment. [SPEAKER_03]: You should be understanding how many problems you have, how quickly you're fixing them. [SPEAKER_02]: Great stuff. [SPEAKER_02]: Well, listeners, you heard all about it here.

[SPEAKER_02]: And if you want to see what we've been talking about in action, [SPEAKER_02]: Horizon3.ai are offering listeners a free autonomous pen test demo of NodeZero. [SPEAKER_02]: It runs the same attacker-style tests that we discussed continuously, not just once a year. It's a simple way to find the issues that actually matter before someone else does.

[SPEAKER_02]: So to grab hold of that and give it a try, go to Horizon3.ai, and all that remains is for me to thank you for joining us on the show today, Snehal. [SPEAKER_03]: Amazing, thank you for the invitation. [SPEAKER_02]: And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call, pick of the week.

[SPEAKER_02]: Pick of the week, it's the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast or website, or an app. [SPEAKER_02]: Whatever they wish, it doesn't have to be security-related necessarily. [SPEAKER_02]: Well, my pick of the week this week is not security related.

[SPEAKER_02]: Regular listeners will be well aware, probably all too familiar with the fact, that I'm a huge fan of just two things in the world, which are the game of chess and classic Doctor Who.

[SPEAKER_02]: And in particular, when it comes to Doctor Who, I'm a big fan of the 1960s episodes made in black and white, when William Hartnell and Patrick Troughton were steering the TARDIS through the galaxy. [SPEAKER_02]: But, well, what you may not be aware of, is that the BBC, in their great wisdom, junked a whole load of episodes, way back when. [SPEAKER_02]: And many of them are still missing, although some have been found over the years, including in the basement of a Mormon church.

[SPEAKER_04]: Wow, amazing! [SPEAKER_02]: And inside dusty TV archives in Nigeria. 97 of the episodes are still currently missing. [SPEAKER_02]: It does sound like there could be news around the corner, and maybe we're going to find another couple of episodes soon, but 97 episodes are currently missing.

[SPEAKER_02]: Now, fortunately, we have the audio of every classic Doctor Who story, but not the moving pictures. But what I can tell you is that there is a chap, his name is Philip Boyz, and he has devoted the last three years of his life to animating one of those missing episodes. It's the first episode of the classic Doctor Who story, first broadcast by the BBC in 1965, called The Daleks' Master Plan. [SPEAKER_02]: And he did this, and I love this.

[SPEAKER_02]: He did it without using any artificial intelligence. [SPEAKER_02]: I mean, the truth is, after three years, he's posting, "I wish I had used it, for sure. [SPEAKER_02]: I could have done it in three days instead." [SPEAKER_02]: So, it's a true labor of love. [SPEAKER_02]: It is up on YouTube. [SPEAKER_02]: It costs you nothing. [SPEAKER_02]: He hasn't even monetized the video, because he'd probably get in trouble with the BBC if he tried to.

[SPEAKER_02]: I mean, it's not Pixar quality animation, but, my God, I think it's extraordinary. [SPEAKER_02]: What he's done. [SPEAKER_02]: When the people are involved, it does look a little bit Thunderbirds. [SPEAKER_02]: It looks a bit Supermarionation, but when it's the Daleks, and when it's the jungle, and when it's spaceships, it's incredible.

[SPEAKER_02]: And I think it's great that there are people dedicated enough to their hobby to take on restoring lost episodes like this with their bare hands and producing this. It's a work of art, no financial incentive. [SPEAKER_02]: I think it's marvelous, so well done to Philip Boyz and his reimagination of The Daleks' Master Plan episode one, The Nightmare Begins. [SPEAKER_02]: And I will link to it in the show notes, and that is my pick of the week.

[SPEAKER_04]: I'm honestly very excited to watch that. [SPEAKER_02]: It's going to be so good. [SPEAKER_02]: You're a Doctor Who fan too. [SPEAKER_02]: You like a bit of Who? [SPEAKER_04]: Boo-woo! [SPEAKER_04]: Sure am. [SPEAKER_02]: Excellent. [SPEAKER_04]: I will say I came in on the reboots. [SPEAKER_02]: Yeah. [SPEAKER_04]: My first Doctor was David Tennant. [SPEAKER_04]: But I really started watching it at the Christopher Eccleston episodes, and yes.

[SPEAKER_04]: I haven't watched many of the older stuff. [SPEAKER_04]: But man, so good. [SPEAKER_04]: That's a good show. [SPEAKER_02]: Well, there's a lot to plough through of the older stuff, and it is a fair bit slower. [SPEAKER_02]: So if you're of a certain vintage like me, you prefer it. [SPEAKER_02]: It's drawn out a bit more, 25 minutes per episode. [SPEAKER_02]: But anyway, go and check it out. [SPEAKER_02]: Tricia, what is your pick of the week?

[SPEAKER_04]: My pick of the week is also not security-related. [SPEAKER_02]: Good. [SPEAKER_04]: It... [SPEAKER_04]: It is actually Being Eddie. [SPEAKER_04]: It is the Netflix documentary that just came out on Eddie Murphy. [SPEAKER_04]: I have been an Eddie Murphy fan since childhood. [SPEAKER_04]: I mean, Dr. Dolittle was and still is one of my favorite movies. [SPEAKER_04]: And I mean, what an icon, right? [SPEAKER_04]: I came in at a different part of Eddie's career than his stand-up.

[SPEAKER_02]: Yeah, which wasn't so child friendly, as I remember. [SPEAKER_02]: Yeah, when you said you became a fan of him as a kid, I was thinking, oh no. [SPEAKER_02]: But okay, yeah, Dr. Dolittle, that's alright, and the donkey, which he played in Shrek, of course. [SPEAKER_04]: Yes, of course, of course, Shrek also, one of my favorite films. [SPEAKER_02]: Yeah. [SPEAKER_04]: He's just like super iconic.

[SPEAKER_04]: So when I was growing up, he was all over the movies, and the family friendly movies, because this was after he had his kids. [SPEAKER_04]: And so that became his focus. [SPEAKER_04]: And the documentary, [SPEAKER_04]: I think, is really, really nice. [SPEAKER_04]: First off, I mean, it's star-studded. [SPEAKER_04]: It's such a testament to how much Eddie has shaped the industry and shaped

[SPEAKER_04]: comedy in general, and how, especially for people of color, it's really, really fascinating. [SPEAKER_04]: Dave Chappelle speaks on it, Jerry Seinfeld's on it as well. [SPEAKER_04]: And they all talk about how Eddie just really changed the game. [SPEAKER_04]: And it's really heartwarming to hear from him as well.

[SPEAKER_04]: How he stayed on the straight and narrow, and how he was able to kind of avoid some of the [SPEAKER_04]: truly tragic ends of some people that reached his level of fame as well, and how he was able to manage it. [SPEAKER_04]: It's honestly just very heartwarming, and he is brilliant. [SPEAKER_04]: I mean, getting to hear from him directly is such a gift anyway. [SPEAKER_04]: Yeah, it's certainly worth the watch. [SPEAKER_02]: Oh, okay.

[SPEAKER_02]: So it's called Being Eddie, and it's up on Netflix. [SPEAKER_02]: That's great. [SPEAKER_04]: Yep. [SPEAKER_02]: Fantastic. [SPEAKER_02]: Well, that just about wraps up the show for this week. [SPEAKER_02]: Thank you so much, Tricia, for joining us. [SPEAKER_02]: I'm sure lots of listeners would love to find out what you're up to and follow you online. [SPEAKER_02]: What's the best way for them to do that? [SPEAKER_04]: Well, thank you for having me. [SPEAKER_04]: This is so exciting.

[SPEAKER_04]: The best way to find me is on LinkedIn, actually. [SPEAKER_04]: So, LinkedIn slash Trisha Kickstarter's house is how you will find me. [SPEAKER_04]: That's where anything that I'm doing work or otherwise will be.

[SPEAKER_02]: Super duper, and you can find me, Graham Cluley, on LinkedIn as well, or follow Smashing Security on Bluesky. And don't forget, to ensure you never miss an episode, follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts. [SPEAKER_02]: For sponsorship info, guest lists, and the entire back catalog of more than 443 episodes, [SPEAKER_02]: check out smashingsecurity.com. [SPEAKER_02]: Until next time, cheerio, bye-bye!

[SPEAKER_04]: Cybernara! [SPEAKER_02]: You've been listening to Smashing Security with me, Graham Cluley, and I'm really grateful to Tricia Howard and Snehal Antani for joining us this week, and to this episode's sponsors, Vanta and Horizon3.ai, and of course to all the chums who've signed up for Smashing Security Plus over on Patreon for their support of the show.

[SPEAKER_02]: They include Michael Crum, Tim Derroik, Skidone, Sattal, [SPEAKER_02]: Bobby Hendrix, Ashley Woodall, Marvin 71, Govind Acharya, Christo V, Frankie Guzikowski, funky duck, Dan H, MJ Lee, and Richard Van Lisa. [SPEAKER_02]: Well, what a marvelous bunch of people they are, and if you would like to hear your name read out occasionally at the end of the show, all you've got to do is sign up for Smashing Security Plus.

[SPEAKER_02]: You will get early access to episodes without the ads. [SPEAKER_02]: All you've got to do [SPEAKER_02]: is just head over to smashingsecurity.com/plus for all of the details. [SPEAKER_02]: Now, you can support the show in other ways. For instance, you can tell your friends all about Smashing Security and encourage them to subscribe.

[SPEAKER_02]: Or you can leave us a five-star review. We had a pretty bad one there the other day, and every time I go to look at our reviews, it kind of, it stings my eyes, everybody. [SPEAKER_02]: So if you were to leave us a nice review, then maybe you would [SPEAKER_02]: You know, you pour in the love, it drips out the bottom, but you could plug one of the holes in my colander by leaving a lovely five-star review on somewhere like Apple Podcasts. [SPEAKER_02]: Anyway, no pressure.

[SPEAKER_02]: Don't feel like I'm begging you too much. [SPEAKER_02]: Every little bit helps. [SPEAKER_02]: I will be back next week with another episode, and I hope you will be joining me. [SPEAKER_02]: Until then, see you around. [SPEAKER_02]: Bye-bye.
