Smashing Security podcast #474: Polymarket can predict the future. So how did it miss this hack?
QUENTYN TAYLOR 2026-7-1 23:12:11 Author: grahamcluley.com

QUENTYN TAYLOR

Well, permanent means permanent.

GRAHAM CLULEY

You would think so.

QUENTYN TAYLOR

So surely you can take the bet, but you could never pay out. No, you'd have to wait till the heat death of the universe before you could pay out.

Unknown

Smashing Security, Episode 474: PolyMarket Can Predict the Future.

QUENTYN TAYLOR

So how did it miss this hack?

Unknown

With Graham Cluley and special guest Quentyn Taylor. Hello, hello, and welcome to Smashing Security episode 474. My name's Graham Cluley.

QUENTYN TAYLOR

And I'm Quentyn Taylor.

GRAHAM CLULEY

Quentyn, welcome to the show. First time on Smashing Security. Great to have you here.

QUENTYN TAYLOR

No, thank you for having me. I am doing the representation for all the people called Quentyn, of which there aren't many.

GRAHAM CLULEY

Well, there aren't many, and I don't think there's been anybody with the letter Q ever on Smashing Security at all. So you are the Q of cybersecurity, aren't you?

QUENTYN TAYLOR

Indeed, indeed. That's the nickname that I pretty much go by, 'cause no one can spell my name. So I answer to many things, Q being one of them.

GRAHAM CLULEY

Yeah, so aside from potentially being the person who can give us spy gadgetry and the likes of that, why else might people know you?

You've got a pretty important job at a big company, haven't you?

QUENTYN TAYLOR

Yeah, sure. So I look after information security at Canon, and I've been there for quite some time now.

I know in this world of everyone leaving and changing jobs every 3 to 5 years, I've been in Canon for 25 years, which is really unusual to be in a similar role.

And now I head up information security. I also now, which is really weird, I head up product security. And I also head up global response as well.

So having product security and cybersecurity under the same hat, I think it's unique in Canon.

But I do think though, that this will be the way that information security teams of the future will be formed. I think we're kind of setting a trend here.

I think this is the way things will work in the future.

GRAHAM CLULEY

And what's the benefit of that, do you think?

QUENTYN TAYLOR

Well, it means, especially given the fact that if you think about the products that we have, and obviously this isn't sponsored, but obviously we've got the camera side, we've got the CCTV side, we've got medical as well, but that's somebody slightly different.

And then we've also got the printer side, and the office and the scanner. So all the stuff that goes into the office.

So we both use our own products, which means I have to secure our own product, which means I can then be the best person to suggest to our customers how to secure it because we've also had to do it ourselves.

QUENTYN TAYLOR

So we can turn around and go, not only do I recommend that this is the way you harden it, I can also demonstrate that that hardening guide is very, very, very similar to our internal hardening guide.

And the first version of the hardening guide that we wrote for customers, we didn't write for customers, we wrote for ourselves and then gave to customers.

And that's kind of how cybersecurity started because we were doing testing internally because we had to for our own deployments.

And then people say, well, could we give that to a customer? And I went, of course we can.

QUENTYN TAYLOR

I mean, this is us proving that the product's good, the product's solid enough to work inside our network, so it's good enough for their network as well.

GRAHAM CLULEY

And of course it meant you could give feedback as well to your own product team when they're building the cameras, the printers, the scanners, and so forth.

QUENTYN TAYLOR

Yeah, and now that's actually part of what we do.

In the past, it was very much ad hoc and we would pass in titbits through, and now it's actually a proper defined process that we sit down and we say, right, well, we tested this, this is what we think about in our market and this is how we would improve it.

And a great example of that is things like ubiquitous encryption on the device, on the printer device. That used to be an option and now it's just there by default.

GRAHAM CLULEY

Ah, fantastic.

QUENTYN TAYLOR

Disabling access to certain things that were good from an engineering perspective, but really just opened up an attack surface that we didn't think should be there.

Well, that was a change that we and several other people pushed for simultaneously and said, no, just make this change.

GRAHAM CLULEY

Well, very cool and great to have you on the show today. Before we kick off, let's thank this week's wonderful sponsors: CoreView, Proton, LastPass, and Vanta.

We'll be hearing more about them later on in the podcast.

This week on Smashing Security, we won't be talking about how a Danish privacy activist doxxed his own prime minister and ended up getting raided by the police.

You'll hear no discussion of how a UK hospital has reported itself to the Information Commissioner's Office after 40 people were found to have accessed the medical records of a 3-year-old thrown into a crocodile pit.

And we won't even mention how an attacker called Snoopy has been sent to prison after hacking a fantasy sports betting website.

So Quentyn, what are you going to be talking about this week?

QUENTYN TAYLOR

So I'm going to be talking about FortiBleed. Someone has managed to break into Fortinet firewall devices on an industrial scale.

GRAHAM CLULEY

And I'm going to be looking at whether you're wise to take a gamble with your security on Polymarket. All this and much more coming up on this episode of Smashing Security.

This episode is sponsored by Proton Pass.

JOE

Proton Pass, the password manager from the team behind ProtonMail, the world's largest end-to-end encrypted email service.

GRAHAM CLULEY

Now, Joe, you and I both know the grubby little secret of how a lot of businesses actually share passwords.

JOE

A spreadsheet? A Post-it note? Sending it to a colleague via Slack and hoping for the best?

GRAHAM CLULEY

That's pretty much it. All of the above. And every one of them is a breach waiting to happen.

Proton Pass is built to fix exactly that, letting teams store and share credentials securely with end-to-end encryption baked into every feature.

JOE

It's open source and fully auditable. It runs on Swiss infrastructure, so your data sits outside US jurisdiction.

And it's backed by a nonprofit, no venture capitalists, no pressure to chase a quick exit.

GRAHAM CLULEY

Which is the bit I like. You know, it's built to serve you, not investors.

So it will never be pressured to cut security corners or rush towards a liquidity event that could change ownership, pricing, or priorities overnight.

It's trusted by over 100 million people, ISO 27001 certified, SOC 2 audited, and it helps you tick the boxes for NIS 2, DORA and the UK's Cybersecurity and Resilience Bill.

JOE

And crucially, people actually use it. One Swiss customer told Proton, and I quote, "It works. It works perfectly." High praise indeed.

GRAHAM CLULEY

So why not start your business's free trial right now at proton.me/smashing?

JOE

And thanks to Proton Pass for supporting the show.

GRAHAM CLULEY

Quentyn Taylor, how good are you at telling the future?

QUENTYN TAYLOR

It depends. Am I gonna be hungry? Yes, I know. Do I know what next week's National Lottery numbers are? Sadly not.

GRAHAM CLULEY

Right, well, I want to tell you about a company that's built its entire brand on being really, really good at predicting the future.

And maybe you've heard of it, because it's been making a lot of headlines recently, called Polymarket.

And last week, it completely failed to predict that it was about to have a very, very bad week indeed. It's always a bit embarrassing, isn't it?

It's a bit like when an astrologer's convention is cancelled due to bad weather.

QUENTYN TAYLOR

Unforeseen circumstances.

GRAHAM CLULEY

Yes, unforeseen circumstances. So for those who don't know, Polymarket is a crypto-based prediction market. It's a platform where you can bet on pretty much anything.

You can bet on an election or the weather or the economics or military conflict, whether there's going to be a Doctor Who episode on at Christmas.

All of the big questions which people are wrestling with.

QUENTYN TAYLOR

Well, someone even bet on the weather at an airport.

And then what they did, because the weather at airports is measured by those little weather stations that you often see, they bet that the temperature would go up by a couple of degrees.

So they took a battery-powered hairdryer, went down there, shoved it in the casing, turned it on, and then mysteriously, the temperature of that airport went up.

GRAHAM CLULEY

Are you suggesting that people might actually attempt some sort of fraud? In order to fill their pockets. Surely not in this day and age.

QUENTYN TAYLOR

Well, a member of the US Special Forces has been indicted for predicting, on Polymarket, when certain military operations were going to go on.

And he might have known this because maybe he was involved in them.

GRAHAM CLULEY

Maybe, maybe, perhaps. So Polymarket launched in 2020 and it just went crazy, bonkers, really. Got really big. It saw over $3 billion worth of monthly trades by the end of last year.

Racked up a $9 billion valuation, doing pretty well. But let's talk about last week because Polymarket confirmed last week that hackers had successfully stolen funds from its users.

And they did what any serious corporation does in that situation. They hopped onto Twitter, or X, as it likes to be called.

They released a very serious, very dry, very corporate apology. Standard kind of thing. And I'm a bit disappointed with the people on Twitter, to be honest.

Well, I'm very disappointed with all of the people on Twitter, to be fair.

QUENTYN TAYLOR

The people who are left on Twitter.

GRAHAM CLULEY

So I'm ashamed to say that some people were rather cruel. They didn't hold back.

Overwhelmingly, the replies went along the lines of, for a company that claims to know the future, why didn't you open a betting market on whether your website was going to get pwned or not?

Which seems a fairly fair question to ask.

According to Polymarket, a compromised third-party vendor allowed attackers to inject malicious JavaScript directly onto its website's front end.

So this was a supply chain attack, effectively.

And according to the firms which monitor the blockchain, they estimate that hackers made off with about $3 million worth of cryptocurrency as a consequence.

And what was most astonishing to me about that was the $3 million had been stolen from just 11 victims, which works out as about $260,000, $270,000 per person, just casually sitting in a hot wallet somewhere.

So quite a lot of cash was got from not many customers. And Polymarket says they've contained the incident. They said they will refund everyone in full, which is very nice of them.

But this isn't Polymarket's first rodeo. In fact, this is at least their third notable incident involving cybersecurity in under a year.

So last December, they confirmed a security incident on their Discord. Users reported missing funds, suspicious login attempts.

Again, that was blamed on an unidentified third-party login provider. So we're hearing a similar sort of story from the company.

In May, just a month or so ago, an admin wallet used internally by Polymarket for employee reward top-ups — so they basically got a bag of digital cash at Polymarket, which they hand out to employees to say, well done, you've handled that well — that was drained of around about $700,000.

So first of all, they're clearly giving lovely bonuses out over there. But that happened through a, most likely, a private key compromise.

They had a 6-year-old private key which had been left exposed on the internet, allowing hackers to access that bag of cash.

And the official line from Polymarket was, this doesn't matter that much because user funds were safe. This was an internal-only problem. But Quentyn, what do you think about this?

I mean, whenever a company starts screaming, it wasn't us, it was a third-party vendor, I tend to get a little bit cynical.

QUENTYN TAYLOR

Yeah, I do as well, because if we look at a lot of the attacks that are going on at the moment, look at all the Salesforce attacks. Salesforce themselves aren't being compromised.

It's the third-party companies that are getting compromised in between.

I mean, the number of Salesforce breach notifications you receive and you read it and you go, well, that isn't Salesforce.

It's one of the underlying integration partners that's being compromised, because attackers are not stupid. I mean, we saw this when we go back to Operation Cloudhopper.

That was to try and break into the US defence industry companies.

So instead of breaking into the companies themselves, they broke into the managed service partners that they were using.

If you then go back even further and look at when RSA got breached back in the day with the RSA SecurID tokens, when they got breached and all their key material got stolen, it wasn't RSA that the attackers were after, it was the underlying defence companies.

So this has always been the way of the world, which is you could either go after the individual really hard targets, or you could go, what is the glue that binds them all together?

And if I can attack that glue, I put a lot of effort into there, I get everything in one go.

And especially things like OAuth tokens these days, who really properly understands how they all work in all scenarios?

As a security professional, I'd like to say that I understand how every single one of them work.

As a realist, sometimes you sit there and go, sorry, that person with that thing could grant access to what?

QUENTYN TAYLOR

And you've got so many cloud and SaaS solutions that are stuck together with wet string and Blu Tack, and take some of the AI solutions that are linked in now as well.

And you're sitting there going, sorry, you managed to generate permissions to who by how? Yeah. And that's what worries me. I think this is the way of the world.

This is how stuff happens. Accept the fact that your supply chain isn't even your direct supply chain. It's the suppliers of your supply chain.

And when you start to multiply that together, you start to go, hang on a second, I've got 10,000, 20,000 companies in my supply chain. Yeah.

Maybe I should send them all an Excel questionnaire because that'll improve the world.

GRAHAM CLULEY

That'll put the fear of God into them, won't it? Having to deal with that.

QUENTYN TAYLOR

Well, they'll just all ignore it and I'll spend all my time chasing up these Excel spreadsheets. And then when I get answers back I don't like, what am I going to do?

QUENTYN TAYLOR

You can't get rid of your entire supply chain.

QUENTYN TAYLOR

And that's the thing people need to remember is virtually everyone is part of somebody else's supply chain and has somebody else in their supply chain.

QUENTYN TAYLOR

Very few people sit at either end of a supply chain.

GRAHAM CLULEY

Yeah, you're somewhere along the chain. It's unlikely you'll be right at the end. Well, this hack against Polymarket came just days after a spectacular corporate own goal.

So the Wall Street Journal published an investigation into Polymarket and they discovered that it had orchestrated a massive deceptive marketing campaign.

Apparently, they hired an army of TikTok and Instagram creators to post videos pretending they were making an absolute fortune on Polymarket.

And the Wall Street Journal took it upon themselves to analyse this video footage.

They found that in 70% of the videos, the creators, the people posting them up on social media, weren't even using the real Polymarket website.

Apparently Polymarket had created a fake dummy website with simulated funds just for the influencers to film themselves winning a heck of a lot of money, nearly $2 million.

So in a way, Polymarket is doing the same kind of thing which phishing gangs are doing, creating lookalike websites, but they're creating a lookalike of their own website for other people to use.

Still seemingly, I have to use my words carefully, with the intention maybe of fooling people into believing something?

QUENTYN TAYLOR

It does seem like there's a line, and that line might be a bit far to one side. They might have crossed a line quite considerably. Do you think?

There's aggressive marketing techniques, there's simulated results, and then there's what that might be.

GRAHAM CLULEY

So in one of these videos, a student who had been approached by Polymarket apparently won $100,000 after betting $1,000 that Donald Trump would publicly say the word McDonald's within a month.

But the Wall Street Journal, they checked the actual blockchain ledger and they found in reality 50 genuine real Polymarket accounts had made the same bet.

Every single one of them lost.

So these people who Polymarket was paying, they apparently were told to hide the fact that you're getting paid, use the dummy websites, try and trick people into believing you can also make a lot of money on it.

And that's concerning because, well, there's now a lawsuit actually alleging that Polymarket has unfairly exploited and targeted college students.

And of course, that's a demographic which—

QUENTYN TAYLOR

Yeah, yeah.

GRAHAM CLULEY

—has been found to be more addicted to gambling and maybe they're going to encourage it more.

QUENTYN TAYLOR

Yeah, because it's unregulated or it feels unregulated. Yeah.

GRAHAM CLULEY

Politico have reported that PolyMarket's marketing director used a personal PayPal account to pay over 800 Twitter users to post pro-PolyMarket content without disclosing them as ads.

So again, there are regulations about how things should be promoted on social media by—

QUENTYN TAYLOR

Yeah, in the UK, the Advertising Standards Agency will have a serious chat over that.

There were a lot of YouTubers who got caught out who weren't saying that they were being paid to do certain things. And of course they were.

GRAHAM CLULEY

And there's even more corporate drama now. PolyMarket is currently dealing with a massive $345 million bet on the Iran peace treaty.

Apparently, the bet has been frozen because the platform and its users cannot agree — they are in deadlock over the definition of the word permanent, as in permanent peace.

Rather like the US president, who keeps on claiming that the whole problem has been solved, only to decide actually, no, it isn't maybe quite as solvent.

QUENTYN TAYLOR

Well, permanent means permanent. You would think so. So surely you can take the bet, but you could never pay out.

You'd have to wait till the heat death of the universe before you could pay out, because only then you would know. You gotta think about the price of Bitcoin or Ethereum by then.

GRAHAM CLULEY

So Quentyn, when you see a company simultaneously dealing with phishing attacks and having $345 million bets frozen while they argue about dictionary definitions, or lawsuits for deceptive marketing, what does that tell you about their governance?

QUENTYN TAYLOR

I'd say it's refreshingly lightweight, possibly. I know who's behind, I know who the major shareholders are, so I'm imagining that, yeah, that might help.

Might not help as well, I don't know. But maybe being part of the family helps a little bit in terms of how you can get things done.

But any kind of business that's involved in that kind of stuff and doing that, you have to wonder — if that's the stuff you see, what's the stuff you didn't see?

Because if they said yes to that, what was the stuff that went, oh no, no, that's gone too far.

GRAHAM CLULEY

Yes, that's gone too far. What was that?

QUENTYN TAYLOR

I mean, that's got to be some fairly spicy areas, to be fair.

GRAHAM CLULEY

There's a lot of murkiness going on both inside PolyMarket HQ, but also maybe amongst regular users of PolyMarket as well.

There is a Google engineer who's just been charged with insider trading, because he allegedly used confidential internal Google search data to spot real-time trends, and he cleared over $1 million worth of profit on PolyMarket bets.

So when you can see what the world is effectively Googling before anyone else, your bet may be, well, a bit less of a gamble, mightn't it?

QUENTYN TAYLOR

Well, also, this is the problem with something like PolyMarket, because it allows you to bet on some very, very specific things, so it then becomes very, very, very hard to try and work out, well, is that very hyper-specific thing — because you know what the hyper-specific thing is.

I mean, it's kind of like the whole sort of Frodo, "What have I got in my pocket?" kind of thing, when he was having the conversation with Gollum. At the end of the day, you know.

So that's always gonna be the problem with these kind of betting things.

And I kind of wonder if it works very well in the US because betting's a bit of a — it's not legal in all states — whereas in the UK, I wonder whether it would be so big because people are a bit more cynical, maybe over here.

GRAHAM CLULEY

Maybe. Well, in case anyone out there isn't feeling too cynical, a couple of stats from the Wall Street Journal — their analysis of over 1.5 million accounts on Polymarket.

They found that 0.1% of accounts net 67% of the profits. So it's a very small number of accounts which are making a huge proportion of any money on Polymarket, so be wary of—

QUENTYN TAYLOR

And all the rest of them are losing their money. Yes.

GRAHAM CLULEY

More than 70% of regular users are actually losing money on Polymarket. So don't necessarily think that you're onto a winner — remember, the house always wins.

QUENTYN TAYLOR

Yes. So 70% of the people are losing and the house always wins. Your statistical chance of actually winning possibly isn't as high as you think it is.

GRAHAM CLULEY

So Quentyn, are you pleased you're not the CSO of Polymarket?

QUENTYN TAYLOR

Do they have a CSO? Yeah, they probably do have a CSO, to be fair.

GRAHAM CLULEY

I would hope so. Yeah, I hope so as well.

QUENTYN TAYLOR

I like working for a company that has really good sort of corporate ethics and corporate morals.

GRAHAM CLULEY

Oh, you're so old-fashioned, Quentyn, for goodness' sake.

QUENTYN TAYLOR

I know, I know, but it's nice because it gives you a nice safe place where you know that certain things will never happen.

So it's kind of — it gives you a base to then move forwards from.

GRAHAM CLULEY

Well, we've got time right now to chat about one of our sponsors. Sponsors this week, Vanta.

JOE

Oh yes, my favourites. What do they do again?

GRAHAM CLULEY

They stop you running your entire security program out of a spreadsheet, Joe.

JOE

That seems aimed at me personally, Graham.

GRAHAM CLULEY

Well, it is a little bit, yes.

But you know how most companies have to prove they're secure to customers or auditors and regulators, and the whole thing involves chasing down evidence, filling in questionnaires and forms, updating the same spreadsheet cells over and over again.

JOE

Over and over again. It sounds utterly soul-destroying. Yeah, well, Vanta automates all of that. Automates it, how?

GRAHAM CLULEY

Well, their trust management platform keeps a continuous eye on your systems. It pulls everything into one place and keeps you audit-ready around the clock.

So no more staring at the ceiling at 2 AM wondering whether you've got the right controls in place or whether one of your suppliers has been breached.

JOE

The stuff of nightmares.

GRAHAM CLULEY

Yeah, it would be, wouldn't it?

But this Vanta solution uses AI as well, and it's the useful kind — flagging risks, collecting evidence, slotting into the tools your team already uses.

So you move faster, scale without the headaches, and perhaps actually get some sleep.

JOE

Go to vanta.com/smashing to find out more. That's vanta.com/smashing. And thanks to Vanta for supporting the show.

GRAHAM CLULEY

Quentyn, what have you got for us this week?

QUENTYN TAYLOR

So I was going to talk about the story FortiBleed. Yes, where they discovered that around 75,000 Fortinet firewalls had been mass cracked.

So it seems to have come from a LinkedIn post from a while ago from a Russian guy who went, oh, hang on a second, I found this website and it appears to have some Fortinet credentials in there.

When they looked into it, they discovered credentials to 75,000 Fortinet firewalls.

Now, if you think about where Fortinet sits in kind of the corporate hierarchies, you've got a lot of the smaller Fortinets that are the backbone of the SME, the small to medium-sized enterprise market, that sits in there.

And these are the kind of companies who might be doing some very interesting things, but probably don't have a dedicated security person.

So the problem I see here is not only did the attackers get these credentials, the attackers didn't use AI, but they used infrastructure that only exists because of AI to crack large amounts of the credentials.

They wrote a password stealer in Go that they could install on the individual firewalls, but then steal any credentials that went through the firewalls that they could actually see and then crack those as well.

They've actually done it really, really well. They've done a really professional thing.

They appear to have done some stuff in Kali Linux so they can then deploy stuff in there that other people could then screen share while they're doing some hacking into things.

As for the nationality of the initial access brokers, don't know, probably someone from the East. That's the sort of rumour that I heard on there.

But the point here is that for large corporates, they have security teams, they have teams who can fix these things and can rotate the credentials.

But for the SME market, do they have large security teams? No. Do they have a security person? Probably not.

These credentials are probably going to sit there cracked for a very long time, both the firewall and any of the credentials that were flowing through that firewall that subsequently got cracked as well.

So this is going to be one that's going to run and run and run and run.

GRAHAM CLULEY

And it's important, I think, to stress here that the vulnerability that revealed the credentials has been patched. So Fortinet have done their bit, in a way, haven't they?

And obviously this has been making the headlines and so forth.

QUENTYN TAYLOR

Well, they have been having quite a lot of security issues. Yes.

So if you look at the CISA KEV list, so CISA's one of the big government security agencies from the US, and they have a list called the KEV list, the Known Exploited Vulnerabilities list.

Now, the important point for your listeners here is, obviously vulnerabilities get graded on a 10-point scale, and you think, oh, if it's a 10, it's really, really serious.

But what the KEV list does is it says which of these vulnerabilities are getting exploited, not which is the one which is theoretically the highest vulnerability, but which ones are actually being used by real-world attackers to break into real-world systems.

And there's a couple of vulnerabilities that dominate that KEV list, with this particular firewall manufacturer being one of the ones that are quite heavily represented in that particular list.

So attackers are using these vulnerabilities to break in because they probably sit open for a very long period of time. They've had a lot of vulnerabilities.

So it's kind of things like this that are going to sit around and have a very, very, very long tail to get fixed.

Because we saw some big ones with Oracle, and one would presume when the Clop ransomware group went after some people who had Oracle exposed to the internet, pretty much if you had vulnerable Oracle exposed to the internet, which wouldn't be hundreds of thousands because not everyone's got that particular Oracle module set, you probably got compromised.

So you probably had to fix it.

Was this — this is 75,000 firewalls that are potentially victims and are going to sit there for quite some time because not all are going to get fixed and not all have been fixed.

And not all are probably going to ever get fixed.

GRAHAM CLULEY

See, I feel a little bit sorry for Fortinet in a way. I know that they have had all kinds of vulnerabilities, but this one they have patched.

I mean, I wonder if FortiBleed is really a fair name for the vulnerability.

Is it more a case of admin fail because administrators haven't rolled out new credentials, for instance, haven't responded to this?

I mean, even though the original flaw was in the Fortinet devices, which allowed the hackers in, so they could steal information and then obviously crack the passwords.

QUENTYN TAYLOR

Yeah, I think a lot of the cybersecurity industry likes to focus in on the vendors and likes to blame the vendors rather than blaming the users.

Blaming the users, blaming the administrators is very, very unpopular. It's now, "Oh no, no, it wasn't that fault that person clicked on a link.

We should have stopped the link from getting through to the user." And kind of that's true, but it's easier, I think, for the naming convention.

But they have had quite a lot of vulnerabilities. And also with things like password reuse, we know admins also reuse passwords in places. This one's gonna have a long tail.

This feels like this is gonna have a tail like the LinkedIn breach from like 2010. So I think this one's gonna go on and on and on and on.

And someone's gonna look through and say, "Okay, 'cause you've got your real email address in there, where else did you use that set of credentials on the internet?

'Cause if it was for a firewall, well, it was probably an important one, so let's have a hunt around." And especially if you're an SME kind of person, you're not MFAing everywhere.

You're not linking off to something else. This is probably a static password that you've used on lots of different sets of customer infrastructure.

So this isn't 75,000 firewalls have been compromised. This could be hundreds of thousands, millions of devices.

Because if that administrator is used on that Fortinet device, but it's also used on all those other manufacturers' devices, well, they won't get a fancy name.

They won't get a fancy website. They'll just get compromised.

GRAHAM CLULEY

So what should Fortinet and vendors like them be doing about this, you know, going forward? Should they be enforcing some sort of minimum password complexity on the devices?

QUENTYN TAYLOR

Honestly, for any vendor, I think they should be looking at why are the vulnerabilities occurring?

Don't sit there whack-a-moling trying to fix the vulnerabilities because you're going to fail.

You need to look at what are the classes of vulnerability and how you design those out of your system.

'Cause there's certain vendors in the world where they don't seem to be learning from the vulnerabilities that come up. You still start seeing things like SQL injection.

You go, wow, I haven't seen SQL injection in 10, 15 years in a regular product. That's interesting. So you see things like that.

So it's like, hang on a second, you need to get deeper in.

And this is where things like, ironically, things like Mythos — yes, the AI model — might actually help you out, to say, don't just sit there spitting out vulnerabilities that are like whack-a-mole vulnerabilities.

Dig in deeper and tell me what I need to fix at the root cause of all of those ones over the top.

Is there a certain module that is so badly written it is just a hive of vulnerabilities? Tell me where that one is and just look at it. Can I just get rid of it?

So that's what I think vendors need to do.

But I also wonder, and this is kind of digging across to the AI side, I'm not so worried about the AI apocalypse that seems to be coming along.

I think it's going to take a bit longer to get to there.

And I also think that a lot of attackers won't be using AI to write exploits, because why would you bother with an exploit if you can just steal credentials and credentials are reused?

I mean, it works every time. An exploit, and this is the problem I have — sorry, we've gone on top again.

This is the problem I have with exploits: a lot of cybersecurity people's experience with exploits is things like EternalBlue, which was written by the NSA and literally was like chef's kiss.

It was beautiful. It was like a proper commercial piece of software. Whoever in the NSA wrote EternalBlue, hats off to you — you need an award.

GRAHAM CLULEY

This is the exploit which was actually stolen from the NSA and then later showed up in the WannaCry ransomware, wasn't it?

QUENTYN TAYLOR

It certainly did. And it worked in almost 100% of cases, and it was gorgeous. But 99.99% of exploits aren't that good.

They work like this: they need a lot of fiddling, they need a lot of messing around to get them to work. Whereas credentials — credentials work the same every single time.

And especially now, when you can steal OAuth tokens, you've already logged in for the attacker.

So you've actually now got an OAuth token, which is pre-logged in, pre-access session, boom, straight in, and you go for it.

And let's be clear here, I joked earlier on — who actually knows how all of these things like the OAuth stuff works properly?

Some people do, but the vast majority of people don't, and they grant them and they get stolen, and that's how some of these attacks occur.

But what I'm trying to say here is I think that the temperature with the AI side is just gonna go upside, but the weather's gonna remain broadly the same.

And I think especially with things like when we go back to Fortinet, I think we're now on vendors — we're moving into a post-patching world where the ability to generate an exploit is gonna be so fast and come so cheap that you need to start thinking you're not gonna be able to patch.

Does that mean to say you stop patching? No, it doesn't. But it means you need to say my percentage failure rate, my speed of being able to patch is gonna come down.

I know CISA has now just said we've gone from 20 days patching to 3 days patching — well, 20 days to 3 days, okay, that's better, but actually it needs to be like 3 minutes, it needs to be 30 seconds, it needs to be patch it before actually the vulnerability came out because the attacker was already using it.

So how on earth are we gonna move in this new world where it's gonna become a post-patching world? Well, it goes back to the basics — it comes back to security layering.

If you don't want to get hacked, don't put it on the internet.

GRAHAM CLULEY

So you are a CISO — there's gonna be a lot of IT admins who are listening to this.

We probably should give them some practical advice on what they should be doing about FortiBleed right now. Is it changing their passwords? Is it about enabling MFA?

Is it about checking whether they're included in that 75,000? What should they be doing?

QUENTYN TAYLOR

Well, what I would say first of all is if you are using that manufacturer's firewalls and those firewalls were connected to the internet or were adjacent to the internet, just accept the fact that you're gonna be bouncing all the credentials immediately.

You should be having MFA and phishing-resistant MFA — so passkeys or tokens everywhere. If you're not using passkeys or hardware tokens, then what is your MFA?

SMS, or probably push code — you've gotta move on to passkeys or tokens if possible.

Bounce those credentials, but not just bounce your admin credentials on those firewalls — you're gonna have to bounce the credentials potentially of all the people whose data was going through those firewalls.

And that's a big, big, big task.

GRAHAM CLULEY

Now, time for a quick word from our friends at CoreView. Joe, quick question for you. How confident are you in your Microsoft 365 security posture?

JOE

Graham, I don't even have a Microsoft 365 tenant.

GRAHAM CLULEY

Oh, for goodness sake, Joe, it's for our sponsor. Just play along with me, right?

Picture the scene — it's Monday morning, you've got your coffee, you're wearing your second best hoodie, you're feeling pretty good about your Microsoft 365 setup because you checked Purview, you tightened conditional access, and frankly, you deserve a biscuit.

JOE

Biscuits? Okay, I'm in. I'll play along with you. Thank goodness for that. So, and then someone forwards you a breach report about a company that did all of that too.

So how did they get hacked? Turns out some quiet little permission that crept wider over 3 years.

A policy exception that nobody had reviewed, the kind of thing that's invisible until it isn't.

GRAHAM CLULEY

And this is exactly the stuff that CoreView's free Microsoft 365 Security Posture Check tool is designed to sniff out.

It's the drift, the exceptions, the little permissions you stopped looking at because, well, you assumed they were fine. And the spoiler is that they're often not.

JOE

It's free, it runs locally on your own machine, it does not send your tenant data back to CoreView or anyone else for that matter.

And if you'd like a hand setting it up, their team will happily walk you through it.

So all you've got to do is visit smashingsecurity.com/coreview to download your free copy of the tool, and even you will be able to answer the question, how secure is your Microsoft 365 tenant?

And thanks to CoreView for supporting the show.

GRAHAM CLULEY

And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week.

Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.

It doesn't have to be security related necessarily. Well, my Pick of the Week this week is not security related. My Pick of the Week this week is music related.

I think it's no secret to fans of Smashing Security that I am a bit of a fan of the Fab Four. The mop top from Merseyside, Paul McCartney, has just turned 84 years old.

And he's still cranking out albums at the age of 84.

QUENTYN TAYLOR

Can you believe it?

GRAHAM CLULEY

There's hope for all of us. There is hope, isn't there? And to my mind, he's just released one of his strongest LPs that he's made for years. It's called The Boys of Dungeon Lane.

It's an introspective look back on his childhood, the resilience of his parents bringing him up during the Second World War, his early adventures with John Lennon and George Harrison years before Beatlemania took off, and he still has melodies pouring out of him, which pass my test, which is, can I whistle it?

If I can't whistle it, it's not a proper song. And I'm quite impressed.

I've listened to it a few times, and the last time I listened to it, I thought, you know what, this chap has some musical talent.

And some people were saying, well, he can't sing as well as he used to. I mean, to which I say, he's 84 years old.

Of course he doesn't sound like how he's sounded when he was 24 years old. I don't sound like I sounded when I started this podcast, for goodness' sake. So give him a break.

The truth is, he's still got some great tunes in him, and I'm impressed that anyone of his vintage is able to pull off something like this.

And so my pick of the week is The Boys of Dungeon Lane by a chap called Paul McCartney.

He probably doesn't need your money, but you can all stream it online, and that way Spotify makes all the money rather than the artist.

Actually, I shouldn't be encouraging that at all. Anyway, it's out now. It's lovely stuff. And that is my pick of the week.

QUENTYN TAYLOR

So I'm going to have to give that a listen, actually. As you probably know, I do a huge amount of running.

And so I tend to sort of hammer Spotify and various other things as I'm running. I always am listening to podcasts like this one while I'm running.

GRAHAM CLULEY

Good man.

QUENTYN TAYLOR

And also listening to music while I'm running. So yeah, I'm really looking forward to having a listen to that.

And let's be honest, some people do some of their best work when they're sort of like rather like the end of their life.

GRAHAM CLULEY

Yes.

QUENTYN TAYLOR

I'm sure everyone remembers Hurt by, oh, what was his name? Oh, Johnny Cash. Johnny Cash's cover of Hurt.

That one brings a tear to my eye when I watch the video every single time, because it was the last thing he recorded.

GRAHAM CLULEY

He really had a resurgence, didn't he, in the last few years of his life with the albums which he was bringing out. I think it was Rick Rubin who was producing them and—

QUENTYN TAYLOR

And Trent Reznor said, "You own that song. That's your song now. That's not mine anymore."

GRAHAM CLULEY

Great stuff. So, Quentyn, what's your pick of the week?

QUENTYN TAYLOR

So my pick of the week is something that I've been listening to a lot, and it's a bit of an unusual one, which is the Summer Portraits by Ludovico Einaudi.

And it is classical, but hear me out. It's classical but arranged in a modern way.

So he's using classical instruments, but you can hear rock and pop kind of themes in the way he's put it together.

But I mean, it must be very, very boring for the musicians, because they're having to do one chord over and over and over again. But it's really good. And I've been running to it.

I've been listening to it on planes. I'm gonna go and see him. He's apparently coming to Wembley. I've got tickets to go and see him.

GRAHAM CLULEY

I think he does a lot of TV and movie soundtracks and things like that, doesn't he?

QUENTYN TAYLOR

Yes, yeah, yeah. And you'll probably, when you start to listen to some of it, go, "Oh, I recognise that from— Oh, I recognise that from—" Like Lenny Kravitz.

I remember when I saw Lenny Kravitz for the first time, my wife was a fan. I didn't know I was a fan.

And when I heard him at Pinkpop in God knows when it was, like 2010, it was like, "That's the advert from that. That's the advert from that.

That's the music from that." And I kind of sat there enthralled going, "I have been a fan of this man for a very long time."

GRAHAM CLULEY

"I just didn't know." Terrific. So it's The Summer Portraits by— remind me who it's by again, 'cause I'm going to butcher his name.

QUENTYN TAYLOR

I think I'm butchering his name, but Ludovico Einaudi, I think it is.

GRAHAM CLULEY

I'll put a link in the show notes. It's really, really good.

QUENTYN TAYLOR

He's done a couple of other albums and, yeah, he's just nice. No vocals in there, just instrumental and it's good.

GRAHAM CLULEY

Well, that makes for a great pick of the week. And that just about wraps up the show for this week. Thank you so much, Quentyn, for joining us.

I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way to do that?

QUENTYN TAYLOR

Best way, I'm on Bluesky, I'm on LinkedIn, I'm on Strava if you want to follow running or cycling.

GRAHAM CLULEY

I don't think we've ever had a guest say follow me on Strava before. That's a new one.

QUENTYN TAYLOR

Well, if you do, probably best to follow me on one of the other channels first, because I get people wanting to follow me on Strava, and if I don't know who you are, I don't accept.

GRAHAM CLULEY

Fair enough. And of course, Smashing Security is on social media as well.

We don't have a Strava account, but we certainly do have a Reddit account and a Bluesky account and a Mastodon account. You can find me, Graham Cluley, on LinkedIn as well.

And don't forget to ensure you never miss another episode.

Follow Smashing Security in your favourite podcast apps such as Pocket Casts, Apple Podcasts, Spotify, and for episode show notes, sponsorship info, guest lists, and the entire back catalogue of round about 474 episodes, check out smashingsecurity.com.

Until next time, cheerio, bye-bye.

QUENTYN TAYLOR

Thank you, everybody.

GRAHAM CLULEY

You've been listening to Smashing Security with me, Graham Cluley, and thanks ever so much to Quentyn Taylor for joining us this week.

And also to this episode's sponsors, Proton Pass, CoreView, and Vanta. And also we've got to thank our patrons, haven't we? Those people who've signed up for Smashing Security Plus.

Let's pick a few of them out of the hat right now. We've got Jason B, who is maintaining their mystery by just using an initial for their surname.

The terribly wise sounding Govinda Charya. The crispy monosyllabled Roy Tate. Nigel Scott, who sounds like he might manage a garden centre.

Michael Crumb, who quite literally takes the biscuit. The iconic and economical Jay, doing their bit for the world's byte shortage. Just the one letter there.

Steve B, who doesn't like to use a spacebar. And half man, half fish, Jonathan Haddock. Thank cod for him.

These are just a few people who have signed up for Smashing Security Plus, which means that they get their episodes ad-free and earlier than the great unwashed public.

And they can also have the benefit of having their names pulled out at random to be mercilessly mocked at the end of the show, just like this.

If you'd like to join Smashing Security Plus, just head over to smashingsecurity.com/plus for all of the details. But you don't have to become a patron.

You can also support the show in plenty of other ways. One of the ways in which I'd really appreciate it is I love to see good reviews popping up on Apple Podcasts and elsewhere.

So why don't you leave a little comment? It really does warm the cockles of my heart.

Leave us a nice review, subscribe to the show, give us 5 stars, but best of all, tell your friends about Smashing Security. Spreading the word really does help.

Until next time, cheerio, bye-bye.


Source: https://grahamcluley.com/smashing-security-podcast-474/