How Many Lost Laptops Is Too Many?



Episode note - In this episode, we mention that 26,000 public sector devices were lost or stolen. That number isn’t accurate. The real figure is still shocking, with just over 2,000 devices in the past year, according to FOI-based reports. We caught the error before the episode went live, but since we recorded it, we’re calling it out here to keep things straight. Always better to be accurate.

This week’s episode of The Awareness Angle is a deep dive into the strange, risky, and often ridiculous world of cybersecurity – from QR code scams to phone network hacks, doxxing in a video game, and why Microsoft thinks black is the new blue.

We start with something that feels almost sci-fi: organised criminal gangs using fake cell towers, known as SMS blasters or Stingrays, to send malicious texts straight to your phone. These attacks don’t need your phone number or your network – they just broadcast to everything nearby. Google’s latest Android update, rolling out on newer Pixel devices, includes features that detect when you’ve connected to one of these rogue towers. iPhones, meanwhile, can’t even disable 2G, making them far more vulnerable. It’s a worrying gap in mobile security that most users don’t even realise exists.

From phones to cameras, the next story takes us to Canada, where the government has officially banned Chinese surveillance tech from Hikvision and Dahua. While the headlines focus on national security and state ownership, the deeper message is this: cybersecurity isn’t just about software. The physical devices we install – webcams, CCTV kits, smart monitors – all carry risks based on who made them and how they operate. This is especially relevant as Prime Day approaches and cheap tech floods the market. Saving a few pounds upfront can cost far more later if your footage ends up somewhere it shouldn’t.

Speaking of misplaced tech, a recent report revealed that thousands of UK public sector devices have been lost or stolen in the past two years. These aren’t just phones and laptops – they’re potentially loaded with confidential data from civil servants, government contractors, and national infrastructure teams. Worse still, many departments didn’t know if the lost devices were encrypted. It’s not about the cost of a laptop – it’s about the data, the access, and the delay in reporting that creates the real risk.

While organisations scramble to secure data, Cloudflare has launched a new defence on the content front. Their latest AI bot blocker quietly watches for suspicious behaviour and stops bots from scraping websites without permission. It’s a big moment for creators, writers, and businesses whose work has been silently consumed by AI tools without credit or consent. Protecting content isn’t just technical now – it’s ethical.

From global AI battles to one woman’s personal crime spree, another story this week was almost cinematic. A former electrical engineering student at Western Sydney University began by gaming the system for free parking. But her access grew – and with it, her ambition. She’s now facing 20 charges for unauthorised access, data theft, extortion, and more, having stolen over 100GB of student and staff data. The case is a harsh reminder that small misuse of access can escalate fast if left unchecked.

Scams using QR codes – known as quishing – have now cost victims in the UK over £3.5 million. These codes show up in emails, on fake parking signs, or stuck to public walls, often leading to malicious sites or malware downloads. The problem is, they’re easy to trust. That’s why IKEA’s new checkout warning is such a win – a simple, well-placed message that encourages people to stop and think before buying gift cards for strangers.

Insider threats were a recurring theme this week. One IT worker, suspended from a Huddersfield-based company, used his privileged access to wreak havoc across systems in the UK, Germany, and Bahrain – all before his credentials were revoked. He was jailed, but the disruption caused hundreds of thousands in losses. It’s a stark reminder that offboarding processes need to be instant, especially for people with elevated access.

Even long-standing tech traditions aren’t safe this week. Microsoft has officially retired the iconic Blue Screen of Death, replacing it with a sleeker, less alarming black version. It’s a small design change, but it raises a big question: are we softening the signals that tell users something has gone very wrong? Familiar signs of failure – like that blue screen – carried urgency. The new one might look calmer, but will people still take it seriously?

One of the strangest stories came from Reddit, where a gamer was playing CSGO when someone on the opposing team dropped his real name and LinkedIn profile into the chat. He hadn’t shared his name or city on Steam – but years of reused usernames and scattered online activity had left enough digital breadcrumbs to find him. It’s a perfect case study in digital footprint awareness. What you post, what you reuse, and what you think is hidden often isn’t.

That’s not the only personal story we saw this week. Ant received a scam message on his private Instagram – complete with a tear-jerking cancer backstory and a $7 million “legacy.” He ran it through ChatGPT, which immediately picked out the red flags: poor grammar, dramatic storytelling, a suspicious URL, and zero account followers. Yet despite how easily the scam was identified by AI, Instagram let the message land anyway. It’s another example of where tech platforms still fall short on user protection.

And finally, shout-out to IKEA again. That gift card warning we mentioned earlier? It might seem small, but placing it right in the checkout flow is a perfect example of human-centred security design. It nudges people in the moment that matters – and that’s exactly how we make real behavioural change.

From rogue phones to phishing QR codes, university hacks to helpdesk revenge, this episode had it all. If you’ve ever worried about AI scraping your work, someone digging through your online past, or losing a government laptop full of secrets – you’re not alone. Stay aware, stay secure.

AJ King interview highlights
Watch – https://youtu.be/JTXkkILEW6Y?t=90
Read – https://riskycreative.com/podcast/aj_king_on_phishing_present_bias_and_purple_cows

SMS Blasters and Google’s Pixel 10 protection
Watch – https://youtu.be/JTXkkILEW6Y?t=206
Read – https://www.forbes.com/sites/zakdoffman/2025/06/27/googles-next-pixel-update-apples-iphone-falls-behind/

Canada bans Hikvision over national security risks
Watch – https://youtu.be/JTXkkILEW6Y?t=567
Read – https://www.securityweek.com/canada-gives-hikvision-the-boot-on-national-security-grounds/

Thousands of UK public sector devices lost or stolen
Watch – https://youtu.be/JTXkkILEW6Y?t=904
Read – https://www.techradar.com/pro/security/thousands-of-pcs-phones-and-tablets-stolen-and-lost-by-uk-public-sector-bodies-prompting-fears-of-huge-national-security-risk

Cloudflare launches AI bot blocker
Watch – https://youtu.be/JTXkkILEW6Y?t=1239
Read – https://www.bbc.co.uk/news/articles/cvg885p923jo

Ex-student hacks university over parking, triggers breach
Watch – https://youtu.be/JTXkkILEW6Y?t=1468
Read – https://www.bleepingcomputer.com/news/security/ex-student-charged-over-hacking-university-for-cheap-parking-data-breaches/

Cornwall school cyberattack and UK education stats
Watch – https://youtu.be/JTXkkILEW6Y?t=1641
Read – https://www.bbc.co.uk/news/articles/clyz81k05l8o
Read – https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025-education-institutions-findings

£3.5m lost to quishing (QR phishing)
Watch – https://youtu.be/JTXkkILEW6Y?t=1873
Read – https://www.linkedin.com/posts/national-economic-crime-centre-necc_new-quishing-alert-35-million-lost-last-activity-7343222030034456576-Py3T/

IT worker jailed for revenge attack after suspension
Watch – https://youtu.be/JTXkkILEW6Y?t=2120
Read – https://www.dewsburyreporter.co.uk/news/crime/batley-it-worker-jailed-after-revenge-cyber-attack-costs-huddersfield-company-ps200000-in-lost-business-5198303

Microsoft kills the Blue Screen of Death
Watch – https://youtu.be/JTXkkILEW6Y?t=2303
Read – https://techcrunch.com/2025/06/26/windows-killed-the-blue-screen-of-death/

Awareness events: SANS Summit, IASAP, and Huficon
Watch – https://youtu.be/JTXkkILEW6Y?t=2520
Read – https://www.sans.org/cyber-security-summit/security-awareness/
Read – https://iasapgroup.org/
Read – https://humanfirewallconference.com/

Can we teach our mums to spot fake AI videos? (Corridor Crew)
Watch – https://youtu.be/JTXkkILEW6Y?t=2761
Read – https://www.youtube.com/watch?si=G8okAHs3_B_CjnVN&v=M4TXO4kQwSQ

Adaptive Security demo and the un-drinkable Yeti mug
Watch – https://youtu.be/JTXkkILEW6Y?t=4055
Read – https://www.adaptivesecurity.com/

IKEA gift card checkout scam warning
Watch – https://youtu.be/JTXkkILEW6Y?t=2886

WHSmith rebrands as TG Jones – phishing vibes
Watch – https://youtu.be/JTXkkILEW6Y?t=3027

Instagram inheritance scam analysed by ChatGPT
Watch – https://youtu.be/JTXkkILEW6Y?t=3247

AI chatbots recommending phishing links
Watch – https://youtu.be/JTXkkILEW6Y?t=3555
Read – https://www.theregister.com/2025/07/03/ai_phishing_websites

CSGO player doxxed via Steam OSINT
Watch – https://youtu.be/JTXkkILEW6Y?t=3849
Read – https://www.reddit.com/r/Steam/s/qXWYBdnH42

Digital footprints and parenting in a connected world
Watch – https://youtu.be/JTXkkILEW6Y?t=4127

Local business cyber day preview
Watch – https://youtu.be/JTXkkILEW6Y?t=4276
Read – https://www.hertsgrowthhub.com/events/07-2025/cyber-confidence-protecting-your-business-in-a-digital-age/

Weekly wrap-up and final thoughts
Watch – https://youtu.be/JTXkkILEW6Y?t=4331

📬 Subscribe to the Newsletter

https://www.riskycreative.com




Transcript - 

Ant Davis (00:02.517)
You're listening to The Awareness Angle, the podcast that cuts through the cyber security noise to bring you the stories that matter, the scams you missed, and the risks that hit closest to home. We break down the last seven days so you don't have to scroll through a dozen headlines. Everything we say is our own take. Not our employers', not our lawyers', and definitely not approved by comms, but we like it that way. I'm Ant Davis, and joining me as always is the man behind the magic, the edit, and most of the funny titles, Luke Pettigrew. Hello, Luke.

Luke (00:37.934)
Hey, hey everyone.

Ant Davis (00:40.481)
Did I bamboozle you with another new intro every week? like something new.

Luke (00:44.258)
Yeah, it's changed. Always evolving.

Ant Davis (00:46.677)
Every week's different. I'll find one I like at some point and then stick with it. But for now, we're just.

Luke (00:53.187)
Yeah.

Ant Davis (00:55.211)
How's your week been? Good?

Luke (00:58.7)
Yeah, not too bad. It's been warm. Well, today's been a bit cooler, but it's been warm in the UK.

Ant Davis (01:03.755)
Yeah, it's been really warm here in the UK, really, really warm. It's been warm at the wrong time, because I'm going to the cinema to see the new Jurassic World movie at the weekend. So I could have done with that like Tuesday night when it was really, really hot, but it will probably be raining on Saturday when I go to the cinema, so, typical. If you don't subscribe to the newsletter already, why not?

Luke (01:21.484)
Right, yeah, probably.

Ant Davis (01:30.444)
We have a free weekly newsletter that accompanies every single episode. It's available in your inbox. Go along to riskycreative.com and subscribe, or you can get it on LinkedIn where most people get it, and you can just search for The Awareness Angle on LinkedIn or find me, and it's there. And last bit of business before we get started. Our latest interview episode came out last Thursday where I sat down with AJ King.

He's a behavioral psychologist. He's a UX expert. He's a presentation coach. He's a man of many talents, but this was a really, really interesting conversation on psychology, the reason people click, the way we can approach security awareness, and he's outside of cyber. He's not in cyber. So he's got a really refreshing take. He's familiar with our space.

but it was a really, really good conversation. Already, that only came, like we record this Thursday, it came out this morning, and we've received some really good feedback about that episode already. So it's proven to be an interesting one. Me and AJ do go on a bit, like there's a bit of waffle in there, but if you get through that, it's like being a fly on the wall. So.

Luke (02:39.0)
That's it.

Luke (02:46.318)
That's caused, like you said, different sort of perspective. Not being a typical guest of having a background in cyber security.

Ant Davis (02:57.491)
It's really good that AJ isn't immersed in cyber security, but understands the mission that people like us are trying to do, trying to make people, humans, everyday folk understand the risks that they face by using computers and the internet and having access to all this data that companies think is really important, but people don't necessarily do. Yeah, you can find that episode in the podcast feed. It's the episode before this one.

Luke (03:19.98)
Yeah.

Ant Davis (03:26.647)
And there'll be another one out in a week or so. So keep them peeled, we'll tell you about that next time. Right, let's get straight on with the news. And the first one is yours, sir.

Luke (03:30.83)
Thank

Luke (03:40.494)
I always like that little transition. Yeah, so first one. Sort of touches on the last episode where we spoke, well, not the interviews, the one before, we spoke about SMS blasters. And this is a story that's titled Google's unbeatable Pixel upgrade just left iPhone behind. So it's a new feature.

Ant Davis (03:44.193)
Yeah.

Ant Davis (04:04.503)
So just before you continue, SMS Blaster is a backpack or a box. People walk around and just shoot a load of SMS messages out to all the mobile phones in the area, bypassing any security protocols, and they can make them look like they're from Royal Mail or DPD or FedEx or the, you know, yeah, anyone or everyone. Yeah.

Luke (04:16.749)
Yeah.

Luke (04:23.106)
Mm-hmm. Yeah, exactly that. Yeah, tricks the phone to connect to this rogue sort of network to receive these messages. And yeah, basically. And yeah, so new wave of attacks. I think it's...

Ant Davis (04:32.491)
Yep. Like an SMS hotspot.

Luke (04:42.35)
organized criminal gangs in China in this story. So they're disguising messages around unpaid tolls, undelivered packages, violations. So essentially, yeah, phishing texts. But yeah, these are coming straight from these SMS blasters to the phones and Google's new feature, which unfortunately is only for Android 16 and Pixel 10. So...

And it does mention it may not come to older phones, but it's essentially protection for this sort of attack. It's a feature that basically will alert you if your phone is connected to an unencrypted network. So it will sort of disable, well, I think it tells you you're vulnerable to...

Ant Davis (05:10.835)
Everybody needs to buy a new Pixel phone.

Luke (05:37.816)
that your calls and your messages and the data is currently vulnerable. It's like a little cellular, yeah. It's quite unusual to see that, I guess.

Ant Davis (05:43.394)
So this isn't wireless network, this is cellular network. Wow, okay, yeah. So it must be like if it's a cell site that isn't owned by the network or a network, because these must just be rogue cell sites. That's, hmm, yeah.

Luke (06:01.07)
Yeah, so I've got the screenshot here. I share it? So as you can see here, that's the kind of simple warning that you'd see. So, yeah.

Ant Davis (06:14.623)
If you're listening, you can find this on YouTube.

Luke (06:17.902)
So as you can see, it pops up non-encrypted connection and that you're vulnerable to interception.

Ant Davis (06:26.241)
Wow, that's cool. You're connected to a non-encrypted cellular network. Your calls, messages, and data are vulnerable to interception. So this is different. This is completely different to connecting to an insecure Wi-Fi. This is out of your control, pretty much. This is you are connected to an insecure cell site, mobile network. Wow, that's cool.

Luke (06:41.356)
Hmm.

Luke (06:46.574)
Yeah, essentially it talks about how Google I think they disable 2G connections or allow you to do that but obviously there's a title that says iPhone doesn't let you disable 2G but that's kind of how cellular works at the moment I guess but obviously it depends on if you're connected to a 4G 5G connection it goes through that sort of thing but

Ant Davis (07:02.967)
Hmm.

Luke (07:17.474)
Yeah, I guess you could still be walking around and be hit by an SMS blaster.

Ant Davis (07:24.791)
You see, it's funny you mentioned 2G, because I know many of the phone networks are moving away from 2G. So I just looked here, Virgin Media O2 here in the UK are withdrawing access to 2G and 3G networks for inbound roaming services from October the 1st this year. But 2G is still going to be available for emergency calls where 4G coverage isn't available. Now, from an iPhone's perspective,

Luke (07:29.74)
Yeah, that's true as well.

Luke (07:50.392)
Right.

Ant Davis (07:53.368)
For emergency calls, they now have satellite calling. So when you have an iPhone and you're out of signal, you get a little picture of a satellite that appears in the top right. So you can make only an emergency call via satellite, which I think the coverage is awesome. So there's no need for 2G in that instance. iPhone obviously haven't picked this up yet, but it'll be coming in iOS 27 or 28.

Luke (07:56.407)
Yeah.

Luke (08:17.43)
Yeah, yeah, I'm that I did. Yeah.

Ant Davis (08:21.365)
Yeah, yeah.

That's cool. So if you've got an Android phone, watch out for a warning that you're on an insecure cell network.

Luke (08:31.918)
Yeah, although it seems to be an Android 16 thing. It might not be happening right now, but I guess you could disable 2G, potentially, on an Android. I think it might affect other things, I guess your mileage may vary on that.

Ant Davis (08:45.004)
Yeah.

When does Android 16 come out?

Luke (08:52.68)
It's quite soon, I think it's like the beta is being tested now, so...

Ant Davis (08:56.841)
Is it around September like on the iPhone one, like the iOS?

Luke (09:01.718)
years potentially

Ant Davis (09:03.327)
No. Final version was June the 10th. So it's out now. Android 16, apparently.

Luke (09:11.874)
Okay, yep.

Ant Davis (09:13.195)
Yeah, okay, that's cool. Awesome. But your handset has to be compatible and only those premium tier like Pixels or stuff like that will be. Yeah.

Luke (09:20.568)
You

Yeah.

Ant Davis (09:27.177)
Right, next story. Canada bans Hikvision over national security risks. So this doesn't really come as a surprise. Canada has ordered Hikvision to cease all operations in the country and has prohibited the purchase of Hikvision products within government entities. So Hikvision are headquartered in Hangzhou, China.

and is partially state owned. Hikvision Digital Technology Co. Ltd., known internationally as Hikvision, they manufacture and sell CCTV systems for civilian and military purposes.

And the Canadian government basically prohibited the purchase of these for use in government departments, agencies and Crown operations. And they're conducting a review of existing properties to ensure that legacy Hikvision products, so any that are there already, aren't going to be used going forward. Hikvision have kicked back and said, strongly disagree and view it with deep concern. We believe this lacks any factual basis, procedural fairness and transparency.

It's been driven purely on the parent company's country of origin and not on our cyber security measures, merits, say, Hikvision. I kind of cribbed that a bit, but. Canada aren't the first. China, obviously, the United States have been trying to remove Chinese-made equipment from the country's networks over concerns that they'll be used to spy on them.

Huawei, ZTE, Hytera, Pacific Networks, China Mobile, China Telecom have all been added to a covered list saying they pose a risk to national security. I know Hikvision, I'm sure here in the UK, two, three years ago, there was something about Hikvision here in the UK as well, like it was removed from government buildings and stuff. I remember this because where we used to work had, during COVID, they got Hikvision temperature monitor things, you know.

Luke (11:29.368)
Right, yeah.

Ant Davis (11:37.56)
camera and a screen and it puts a square around your face as you walk in and then detects if you've got temperature and everybody were walking in the building was having their picture taken like clear as day and I used to have great fun turning that machine off and then someone to turn it back on again and then I'll turn it off and someone to turn it back on again. An interesting thing on this is there was a report released and I haven't got the report to hand but I heard this on another podcast. Can't remember which one.

Luke (11:41.646)
Thank

Ant Davis (12:06.263)
There was a report released recently about cheap CCTV devices that you buy on Amazon or other tech stores. Prime Day is right around the corner, so if you wanna spend 20 or 30 pounds on a camera, really, really think about what footage that's gonna get. And the large thing on this was that the report said that there was something like 600,000 exposed cameras.

Luke (12:17.709)
Yeah.

Ant Davis (12:34.913)
that were found on like sites. There's a subreddit called controllable webcams, which is basically people find exposed webcams on the internet and share them on Reddit and people can go there and many of them can move the camera around and they're all exposed to the internet completely open. It'd be a cafe, it'll be a shop, it'll be a back garden, it'll be a library, you know, just. So if you are, the message on this other podcast was if you are gonna buy a camera, if you are gonna buy an online internet connected camera,

Luke (12:43.361)
Mm.

Luke (12:54.658)
Yeah.

Ant Davis (13:04.661)
buy a well-known brand that you can trust or get one that does local storage. So I have TP-Link ones. I assume TP-Link's another name that the US tried to ban, but it's been around a long time and it's a household name. So the Tapo cameras store everything on the SD card inside. I can access it through my phone. I can't access it through a web browser because that's not available. So just buy a trusted brand.

Luke (13:16.524)
Yeah.

Luke (13:32.814)
Yeah.

Ant Davis (13:34.524)
You're paying, quite often you're paying for the security.

Luke (13:38.126)
No yeah, I agree. I guess as well, just any internet connected smart devices. I mean Amazon's flooded with unbranded stuff, right? So you've got to be careful what you're buying. Things like baby monitors.

Ant Davis (13:53.56)
Do you know, I bought a really cheap camera on Amazon once, like an unbranded, looked like one of the TP-Link ones, one of the Tapo ones, but it was unbranded. I bought it just to like, it wasn't going anywhere sensitive and it was cheap. I didn't want to spend a lot. But then the company reached out to me and offered me another one. Like, we'd like you to try our latest product, us a review. I was like, yeah, okay, you're going to send me a free camera. That's not a problem. So they sent me another free one.

Luke (14:17.847)
you

Ant Davis (14:23.223)
And it was like, oh, that's cool. Neither are currently in use. That one is now in my daughter's bedroom. She thinks I'm spying on her. My daughter's five. This isn't weird. But it gives her security. She thinks we're there. Like if she gets scared, then we're watching. So I think I also previously called it a spider camera to keep an eye out for spiders. But it's actually not even plugged in and it's not got a battery. So it's just dummy. So yeah, don't buy really cheap cameras unless

Luke (14:44.632)
He

Luke (14:49.368)
Mm-hmm, yeah.

Ant Davis (14:53.439)
you're prepared that someone else is watching them, I think is the message on

Luke (14:57.48)
Yeah, pretty much.

Ant Davis (15:01.587)
Right, next one's yours,

Luke (15:04.408)
Cool yeah, so this story talks about how in the UK thousands of public sector devices are lost or stolen. It's reported that the UK public sector have lost more than 26,000 devices and this includes laptops, phones, tablets over the last two years. Yeah.

Ant Davis (15:27.319)
Over two years, 26,000 devices. Wow.

Luke (15:32.948)
and you'll love to hear that the biggest offenders include the Ministry of Defence, HMRC and the Home Office.

Luke (15:45.806)
is over £1.3 million worth.

Ant Davis (15:46.4)
Laptops phones and tablets 26,000 pounds. Let's play devil's advocate That each one of those is what? 500 quid I Mean there's wow. That's it. But the data my god go on. Sorry. I digress

Luke (16:04.27)
Yeah. So yeah, mean, it says here about how it's been reported that they don't know how many were encrypted and it's unclear whether the data is accessible. So you're probably going to find something on eBay or a car boot sale. So yeah, it's obviously a huge exposure of sensitive

confidential data. These are devices used by civil servants, government contractors, could have employee data, confidential communications. Yeah, it's quite worrying. It wasn't long ago that you spoke about how the government's still using Windows 95 or whatever it was. And yeah, all these devices are just out there.

Ant Davis (16:59.339)
That's dreadful. This reminds me, just a couple of weeks ago, actually, I saw a similar news story, and again, equally as the Bank of England, so this was June, 13th of June, the Bank of England has come under fire after losing hundreds of tech devices worth nearly 300,000 pounds, and it said that the Bank of England has lost or stolen over 300 laptops, tablets, and phones.

between May 22 and March 25.

Luke (17:33.08)
Well.

Ant Davis (17:33.816)
And Chief Executive of Think Tank Parliament Street, Patrick Sullivan says the Bank of England is blundering towards a major security disaster. 30 laptops were lost in the last year, 30 grand in value, but it's not about the value. It's the data on them, isn't it? And if they don't even know if they're, if the Ministry of Defence and HMRC don't even know if their devices are encrypted,

Luke (17:51.907)
Yeah.

Luke (18:00.886)
Yeah, so I mean, they do have a few quotes around how some of these departments have sort of said, yeah, they are encrypted. I mean, you'd hope it safeguards the data on it. You never know. Depends how well it's been done. And obviously their statement says that they take it all very seriously. And yeah, it's just worrying.

Ant Davis (18:13.661)
Yes. Yes.

Ant Davis (18:30.685)
It's I know like, well, I'm not worked in it. I know people that have worked in those spaces. I've not worked in those spaces, but there's quite a lot of contractors in those spaces as well. Ministry of Defence recorded, I'm looking at the article now, Ministry of Defence recorded 103 missing laptops and 387 phones in just five months. Five months? 103 missing laptops in five months. You've got to wonder there, right? Missing.

So I don't know how many employees we're talking but it does make you wonder whether or not these aren't locked down as well as they could and there is a culture of moving them on car boot sales, eBay, Facebook.

Luke (19:04.43)
Hmm.

Luke (19:11.235)
Mm.

Luke (19:15.587)
Yeah.

Ant Davis (19:17.651)
inside.

Secure your devices people. The amount of comments we get, stuff we've shared about OneDrive and stuff like that. Lots of people, technical people that watch our videos on TikTok and on Instagram think that MDM, mobile device management, is easy. They all claim, you can do this with Intune, you can do this with Jamf and stuff. But it's not always quite as simple as that in massive organizations, massive legacy corps or...

Luke (19:22.922)
Yeah.

Ant Davis (19:50.124)
you know, small businesses, there's probably this sweet spot in the middle where it's really easy. know, many organizations, it's probably simple, but wow.

Luke (19:54.882)
Yeah.

I guess you end up with a lot of rogue devices that just go missing. Either they're stuck in someone's drawer or they've been nicked or just left.

Ant Davis (20:09.867)
This doesn't even mention people using their own devices. Like the amount of shadow IT in these organizations must be huge as well. For anyone that doesn't know, shadow IT is like IT that isn't owned and managed by the business. It's the stuff you don't know about that is accessing your resources. That's frightening. Right, moving on. Cloudflare AI bot blocker.

Luke (20:27.822)
Mm-hmm. Yeah.

Ant Davis (20:39.393)
Cloudflare is rolling out a powerful new tool, let's start that again. Cloudflare is rolling out a powerful new tool to help website owners block AI bots from scraping their content. These bots are often used to train large language models, ChatGPT, all of these different AI tools. They crawl the internet copying text, images and data, frequently without permission.

Much in the same way that Google search engines do because you want to be ranked on Google. So your websites traditionally are open to being crawled because that's how you get ranked on the search engines. Cloudflare's new detection method doesn't rely on old school CAPTCHAs. CAPTCHAs, the things, "are you human?" Instead, it watches for behavior patterns that give bots away. And it's being made available across millions of websites using Cloudflare's

Luke (21:13.059)
Yeah.

Ant Davis (21:37.332)
services. So I think a fifth of all website traffic goes through Cloudflare servers. Many people will be going through Cloudflare servers and they don't even realize. So this includes sites like Sky News, the Associated Press, Buzzfeed. They'll all now be able to block their content from being chewed up by AI tools. And eventually what will happen obviously is that these sites will say, you want to chew our content? us.

And then people like ChatGPT and other AI tools, Copilot or whatever, will have to pay Sky News and Buzzfeed to chew through their content. So yes, Cloudflare are like I said, Cloudflare, fifth of all traffic goes through their servers. And they also, Cloudflare are great because they also, we talked about it last week, they're the ones that defend against DDoS attacks.

Luke (22:16.59)
Yeah.

Ant Davis (22:36.405)
So they can help protect sites from being taken offline.

Luke (22:42.178)
Yeah.

Ant Davis (22:44.146)
It's the only problem I see with this and not so much a problem, but in malware, when you get certain malicious software and you run it in a virtual environment, a lot of malware now can detect if it's in a virtual environment. So it kind of plays it back. It's like, am I on a real human computer or am I in a virtual environment?

So I wonder now, are these AI tools gonna try and spoof humans to get past the bot detection? Like now are they gonna, I'm gonna act human. I am human, honestly. A bit like that scene from Prometheus, where he's just, we did some work on it once with something, do remember? David, yes. Yes, where he's like acting all human, but really he isn't. Yeah, so I...

Luke (23:14.926)
Probably.

Luke (23:20.558)
you

Luke (23:27.822)
David?

Ant Davis (23:39.222)
What's the good news about that? I suppose the good news is that if you are writing content, if you're a creative person, your content now isn't gonna get chewed up by anonymous AIs and get spat out at random people. If you're a user of AI tools, this might actually make them worse. Or not worse, this might just slow their growth.

Luke (23:53.475)
Mm.

Luke (23:58.626)
Yeah.

Luke (24:03.406)
So she's like, yeah, the day it won't be as up to date potentially. Man about to search as well, get all the sources and stuff.

Ant Davis (24:09.537)
No.

Ant Davis (24:14.871)
I've got a story about a bit later on I'll get to a story about how reliable AI data is. There's something else coming a bit later in the show I'll tell you about.

Right, that's enough on that. Move on to the next one.

Luke (24:28.366)
Yeah, so the next one we've got here is an ex-student hacks university for cheap parking and sparks a major data breach. A former electrical engineering student at Western Sydney University has been charged with a series of cyber offences after allegedly hacking their university system over several years. And it was a...

initially an attempt to get discounted parking and yeah, it's become quite serious. They've been accused of accessing internal systems and altering academic results, stealing over 100 gig of data on staff and students. And they reportedly threatened to publish or sell the information unless the university paid off her ransom of 40,000 Australian dollars.

Ant Davis (25:21.345)
Cheers.

Luke (25:22.798)
So it says here on this article that the individual's known online as the handle of Birdie and they were arrested in late June after a police raid and they had 20 charges being faced against that. So quite crazy.

Ant Davis (25:46.872)
You have to wonder if they'd have just stopped at the parking, would they have got noticed? If they'd have just carried on getting free parking just every day, would they have noticed? Wasn't that film, was it Brewster's Millions? There was a where they took a penny off. I'm sure it was Brewster's Millions, or an old film where it just took a penny off every transaction.

Luke (25:51.397)
Yeah.

Ant Davis (26:12.287)
And it like racked up and racked up and then like, you know, I think they got greedy and got caught or something, but it's, if you'd had just stopped at the parking, you'd have got away with it. Yeah. That's mad. I mean, it's. Yeah. Gone too far. And all of a sudden things get real, you know, when you're changing results and then you're stealing over stealing data. That's when things get real.

Luke (26:17.314)
Yeah, I guess this kind of happened here. Yeah.

Luke (26:39.906)
Yeah, extortion for money.

Ant Davis (26:44.759)
20 charges, did you say? 20 different charges. Well, the parking's probably, I mean, getting access is probably one, changing the parking is probably fraud. So there's probably two or three associated with that, but wow, that's insane.

Luke (26:47.461)
yeah, apparently.

Luke (27:00.962)
Yeah, it says as well how it prompted the university to review its cyber security posture around access and monitoring.

Ant Davis (27:11.017)
Something good's probably come from that. Yeah. I'll, that'll bring it. I'm going to go, I'm going to jump around now. Another story I had was a secondary school in Cornwall had to close for two days due to a cyber incident. So this sounds, this like made local news. This wasn't like a big, massive, I think it did get featured on the BBC, but.

Luke (27:12.588)
Yeah.

Luke (27:36.974)
Thank

Ant Davis (27:41.144)
Richard Lander School in Truro said on Facebook that an external issue had affected its IT systems, but there was no evidence of personal data being compromised. And it basically said that if students could bring in packed lunches, because it's affected their way they can pay for food or something like that. So the disruption was kids had to bring in a packed lunch, okay. But.

Luke (28:03.091)
no.

Ant Davis (28:07.639)
A little bit of digging on this, this got me thinking about, and this is obviously in the UK, not Australia. Did you know, so there was recently a report released, the Cybersecurity Breaches Survey, and this is a government report. It's available on gov.uk. We'll put a link to it in the newsletter. So UK educational institutions were surveyed, it covers primary schools, secondary schools, further education, higher education.

Um, and in summary, 60%, 60% of secondary schools reported a cyber incident in the past 12 months. 60. 44% of primary schools, 85% of further education colleges and 91% of universities. And phishing was obviously the top attack type. And it was phishing was reported in 89% of

Luke (28:47.787)
as

Ant Davis (29:07.351)
breached schools. Interestingly, ransomware affected a smaller percentage, approximately three to seven percent of schools, but 15 percent of further educational higher education. And the impact on this, 20 percent of affected schools couldn't recover systems quickly. Four percent of schools took more than half a term. That's like five, six weeks to recover.

Ant Davis (29:38.196)
So yeah, the mad thing is, educational settings aren't, private ones might be different, but typically educational settings aren't allowed to pay ransom. So if it is, that's why the ransomware figures are quite low, I think, because it's probably just opportunistic and it lands. But they're not allowed, because they're government owned and the Department for Education has not got loads of money. They can't pay a ransom. So it is literally just disruptive.

Luke (29:50.412)
Yeah.

Luke (30:04.002)
Yeah, probably just some pupils in some cases, students.

Ant Davis (30:07.223)
I'm

Ant Davis (30:11.497)
It could be, but it does also make me wonder whether the cyber education is very strong there, like the awareness training. I don't know what awareness training looks like for staff. And bearing in mind, pretty much all staff probably get an email address from, but it's access to systems, isn't it? Like one teacher in each class has access to a computer. So it's the office staff. I don't know, I should ask, because I'm a governor at school and I've done the cyber training.

but I don't know who else has done the cyber training. So maybe that's something I'll ask. It's an interesting question.

Luke (30:44.322)
Yeah.

Luke (30:49.42)
maybe have a listener that works in that area potentially. If anyone's listening and knows.

Ant Davis (30:54.165)
Yeah, yeah. If anyone's listening and you're in education and tell us what the training's like, reach out hello at riskycreative.com or leave a comment. That'd be awesome.

Luke (31:06.083)
Yeah.

Ant Davis (31:07.959)
The QR one sir, you can do that one. I stole the Cornwall one from you.

Luke (31:13.742)
Yeah, that's cool. So this one, yeah, QR phishing or quishing. National... yeah, it's terrible.

Ant Davis (31:22.623)
I quishing, sounds, quishing sounds like something we shouldn't be talking about on a family rated podcast. But anyway, care.

Luke (31:30.926)
Yeah, so the National Economic Crime Centre have issued fresh warning about these QR scams. Yeah, obviously in a lot of cases, they're probably they could range from being manipulated QR codes or in a phishing email. And yeah, talks about how

the fraud reports has seen a sharp increase and is now exceeding 3.5 million pounds and yeah, sort of covers how it could happen in a phishing email, fake parking I've seen a lot, recently in the news there was some stuff around parking QR scams again seems to always be a thing

Ant Davis (32:20.887)
A couple of comments there. Three and a half million pounds lost means nothing to no one, because that could be one big attack costing three and a half million. They need to explain that in a better way to make it more impactful. Action Fraud have published that figure and they need to be saying, how many people have been impacted? What has the impact been other than three and a half million pounds? Because that doesn't mean, it's not relatable to anyone, really.

Luke (32:30.733)
Hmm.

Luke (32:41.592)
Yeah, the average person's lost.

Ant Davis (32:50.443)
The other thing you say about parking, the government needs to hurry up because they were making the part we spoke a few weeks ago now about standardizing so you don't need a different app for different car parks. Like you can use multiple different apps in the same car park and they need to make that thing so everybody has their own trusted parking app and they don't have to scan a QR code in a car park to get to it because...

Luke (32:56.98)
yeah respect

Luke (33:15.182)
Yeah, let's get rid of QR codes. Yeah.

Ant Davis (33:18.741)
Most of this problem goes away. know, there's a time and a place for QR codes, but in a public space probably isn't it.

Luke (33:27.182)
Yeah, I mean, they've obviously been around for a long time, but I guess since 2020 and COVID times, sort of really were used everywhere to scan various things.

Ant Davis (33:38.485)
Yeah.

I like this article, it's got a nice little line, what can you do to avoid being a victim of quishing? And it does say QR codes used in pubs and restaurants are usually safe to scan. Scanning QR codes in open spaces like stations and car parks may pose a greater risk. And then it says check for signs that it might have been tampered with, a sticker placed over the legitimate code, if in doubt, don't scan it. And that's good advice, but.

It's nestled in normal text at bottom of an article on an Action Fraud website.

Luke (34:14.786)
Yeah, it's definitely been in the news a lot, but guess yeah, it's still a thing. It's got to be careful when you're scanning these codes and using the apps that show you the destination. Maybe just go direct and use an app if it's available instead.

Ant Davis (34:22.871)
Hmm.

Ant Davis (34:26.519)
Absolutely.

Ant Davis (34:36.379)
Native camera app shows you, it never used to, but on iPhone and Android, the native camera app, use it in photo mode to scan a QR code and it tells you where you're going. That's, yeah.

Luke (34:46.67)
And sometimes it's tricky as well, they might use a short URL. As we've seen before, of bad-looking official short URLs get used.

Ant Davis (34:57.323)
When I was on the train as well, the URL it said you were going to didn't match the URL that it actually went to. like, you have to use some common sense sometimes. If in doubt, Google it. And stay away from the sponsored ads. Just like, ugh, it's messy. Just turn off your computer, walk away from your phone, pick up a book, and forget you ever needed it.

Luke (35:01.806)
Yeah.

Luke (35:10.126)
It's difficult,

Luke (35:20.066)
next story.

Ant Davis (35:20.575)
Right, next story. Suspended IT worker jailed after revenge cyber attack cost the firm £200,000. So this story is from the Dewsbury Reporter, everybody's favourite news source. So hi everyone at the Dewsbury Reporter. Thank you for your story. A disgruntled IT worker from Batley has been jailed.

after launching a revenge attack that cost his employer more than 200,000 pounds in lost business. Mohammed Umar Taj had been suspended from his role at Huddersfield based company in July, 2022, when he began targeting their systems. And within hours of being suspended, he accessed the premises and altered login credentials to disrupt business operations. He didn't stop there. He changed access credentials.

and even the company's multi-factor authentication set up impacting clients not only in the UK but in Germany and Bahrain. They later found recordings of him discussing his actions. He pleaded guilty and has now been sentenced to seven months and 14 days in prison.

Luke (36:36.162)
Well, doesn't sound very long considering, but...

Ant Davis (36:40.433)
No, very specific as well.

Luke (36:42.542)
Mm-hmm.

Ant Davis (36:45.855)
Yeah, so he changed access credentials with the company's multi-factor authentication. He'd get recordings, discuss the attack on phone recordings that were recovered by forensic investigators. He set out revenge on his employer following his suspension from work. He targeted their IT system, which he had privileged access to. Look, if you're gonna get rid of someone...

Luke (37:09.166)
Wow, even Astrid got suspended. Crazy.

Ant Davis (37:13.257)
If you're going to suspend someone, make sure you've got everything lined up to click the button. And if it doesn't work that quickly, you need to make it work that quickly. Like review your processes. Supposing, if I went into work and just like decided to wreak havoc and got suspended, they need to be able to block off my access almost immediately. You know, because...

Luke (37:23.705)
yeah. Well, preemptively. Preemptively do it.

Ant Davis (37:41.366)
Malicious actors, supposing that was Scattered Spider that was on the network, you need to be able to stop the rot. Disable the account, lock it down, shut it down. That's what you need to be able to do. So yeah, it's people with privileged access, you need to watch them especially. Those people with godlike permissions.

Luke (37:48.078)
Yeah.

Ant Davis (38:07.563)
It's funny though, isn't it? One guy, one upset employee in Yorkshire in the UK ends up his actions impact someone in Bahrain, you know, it's funny. Yeah. Right, next one.

Luke (38:11.992)
deal with that.

Luke (38:23.458)
Yeah, so this is the final news story potentially. Windows has killed off the blue screen of death. So this is after decades of the terrifying BSOD, blue screen of death, they've retired it now for a wonderful black screen instead of some white text.

Ant Davis (38:45.377)
What is the blue screen of death, Luke? Do you want to explain what the blue screen of death

Luke (38:49.716)
I mean, I guess it's a nice error screen that you see when your Windows machine has sort of had an error from a driver or some deeper level issue and it's told you it's broken.

Ant Davis (39:03.051)
when your Windows machine, when your Windows machine literally keels over and dies, go, I can't continue. Then it will flash up a blue screen of death. This screen's changed over the years. So it's been a blue screen of death for 40 years, apparently, it's been a blue screen. And it's changed, they've modified it. There's been like a little sideways smiley face on there and stuff. Now, the problem with the blue screen of death always was.

Luke (39:09.198)
Yeah, you're the wonderful.

Luke (39:24.782)
Mm.

Ant Davis (39:30.583)
that it didn't actually tell you what had caused the problem. It just gave you like a 0x8003469d.

Luke (39:38.062)
Yeah, it usually disappears before you've got a chance to note it down.

Ant Davis (39:41.632)
Yeah. So this black screen of death, which is still called the BSOD, apparently now tells you exactly which application has caused the crash or what it will say Nvidia graphics driver has keeled over and died in different wording, but essentially that. But why change it to black? Why is it not still blue? Like, and this is the problem, right? If I didn't know this.

Luke (40:05.218)
Yeah.

Ant Davis (40:10.453)
and all of a sudden I get a black screen of death and I didn't know what it was. I'm gonna think that's ransomware. I'm gonna think that's malware. I'm gonna think someone's infected my machine. And many people will call a help desk or a SOC and go, my machine's got black screen, I don't recognize on it. If you ring up someone on help desk and go, I've got a blue screen with an error code, they'll be like,

Luke (40:21.954)
Yeah.

Luke (40:33.26)
Yeah, exactly. That's crazy. Yeah, it's funny this new story talks about how they have called it simplified UI and they've put here because a blue background with white text was apparently too complex. yeah. Yeah, and everybody knows it. Well, most people know it. I'm sure everyone's seen it who uses a Windows machine.

Ant Davis (40:36.364)
But now...

Ant Davis (40:53.463)
been fine for 40 years.

Ant Davis (41:02.401)
The other thing with the blue screen of death is it's the only thing you would ever see that looked like that. How many black screens with white writing do you see in a window if you look below the hood?

Luke (41:12.234)
updates or yeah if you think windows updates it's the same

Ant Davis (41:16.629)
Black screens with white writing is everywhere and has been for years. Predates Windows. DOS, which predates Windows, was a black background with white writing. So the blue, you knew what you had with a blue screen. They even, for a little while, there was a red screen of death. Do you remember that? I don't know if that was Vista. It might have been Windows Vista, but there was a red screen of death at one point. I don't know if there was something different with Vista, but there was definitely a red screen of death, but.

Luke (41:22.552)
Mm.

Luke (41:32.514)
vaguely.

Might have been, yeah.

Ant Davis (41:44.851)
Shame on you, Microsoft, for getting rid of the blue screen of death. Shame on you.

Luke (41:47.342)
Everyone's Yeah.

Ant Davis (41:53.843)
Rest in peace, in peace, blue screen of death.

Luke (41:57.368)
Yeah.

Ant Davis (42:00.472)
I think that's the news for this week. Yeah, cool. Okay, just two things I wanted to mention. These aren't written down. I'm taking you by surprise here. The SANS awareness summit in August in Chicago. If you're as a security awareness professional, get yourself to Chicago for the SANS security awareness summit. I also saw this week that the...

Luke (42:04.622)
cut yeah

Ant Davis (42:28.919)
Let me just try and find it. The IASAP, the International Association of Security Awareness Professionals, have got a thing on for the days before the SANS Summit. So if you're there for like the Monday, Tuesday, Wednesday, Thursday, Friday, Thursday, Friday is SANS, then just before that, you can do the IASAP stuff. If you go to IASAPgroup.org, you can find out all about it there.

They've got their summer meeting August 11th to 13th in Chicago. And if you're not in Chicago and you're in Europe and you can't quite afford the flight to Chicago and the hotels in Chicago, then a much cheaper option, but still equally as cool, is HuFiCon, the Human Firewall Conference, which is in November in Cologne. And I booked my flights this week for about 50 quid. So...

Ant Davis (43:25.515)
Two days in Cologne, it's Tuesday and a Wednesday. And I think you can get out there, if you book it now, you can get out there, stay in hotel. All of that will cost you less than two, 300 pounds. And you get a two day conference. I do, HuFiCon's awesome because not everyone can just go. You have to like apply to go. They then, so it's like, if you get in, you're privileged. Ralf Schumacher, you're an F1 fan.

Luke (43:50.51)
exciting

Ant Davis (43:54.761)
Ralf Schumacher is one of the keynote speakers.

Luke (43:57.774)
interesting.

Ant Davis (43:59.052)
Yeah. Yeah, so...

HuFiCon is run by SoSafe as well, just to say. So that's like SoSafe's conference. The website, I've never been, but the website makes it look lovely. Like the stage set and the lighting and everything is, looks like the vibe feels really cool.

Luke (44:15.534)
Hmm, that was interesting. I was just gonna quickly mention the, I think the SANS Summit you can attend virtually as well. If you can't. Yeah. Yeah. That's a double check if... I... Yeah, I did join. Yeah, you can't, it's down as... live.

Ant Davis (44:25.719)
Man, yes, and it's free to attend virtually, I'm sure it is. Yeah. You did that last year, didn't you? I went in person and I'm sure you jumped on some of it remotely.

Because they did all the cool illustrations, didn't they? Each talk and speech, they illustrated and had someone illustrating them, which was really cool, really unique. You get added to a Slack instance, and everyone who's attending virtually and in person gets to chat about it on the Slack, and there's a great community element to that as well. That's pretty cool.

Luke (45:00.994)
Yeah, I know. It does seem it is available to attend it virtually. And you get some SANS CPE credits as well, if anybody needs those.

Ant Davis (45:07.873)
Cool.

Ant Davis (45:13.365)
That's good. Do you need those? I don't need those. I think you do. You'll have to double check. Yeah. Careful with the CPEs because apparently they can creep up on you. I've not, the qualification I've got isn't CPE based, so I'm all right. Yeah, HuFiCon as well is available on demand. All the talks from last year on there actually.

Luke (45:17.486)
I think I have enough from the last time, As for the whole check...

Ant Davis (45:41.405)
on humanfirewallconference.com. So that's really cool. August and November, you're sorted. There's two really cool things in our space, which is cool.

Luke (45:52.404)
Amazing.

Ant Davis (45:54.936)
Right, topics. Do you want to kick us off this week with the topics?

Luke (46:01.262)
Yeah, sure, so I've got a few Two quite quite simple ones, but I saw an interesting video This week from our favorite youtubers. We've mentioned them before I think Corridor Crew or Corridor Digital but the Yeah

Ant Davis (46:16.343)
Corridor Group are cool. They're a bunch of VFX artists, aren't they? They started doing content during, was it during COVID when production stopped? I think that's when we discovered them because they really put effort into their YouTube channel because movie production shut down and they had something to do. They're a really cool bunch of people that do lots of cool things, recreating effects and doing effects. Yeah, what's this one that we're talking about?

Luke (46:31.724)
Yeah, that's...

Luke (46:43.97)
Yeah, so this video they've released a few days ago, can we teach our mums to spot fake AI videos?

Ant Davis (46:54.849)
That's how relevant is that? That's amazing.

Luke (46:57.226)
Yeah, we can potentially play for a few minutes maybe, but a few minutes, a few seconds, but it's definitely one to check out. It's quite an interesting one. to quite relevant to everybody, I think. Covers, yeah.

Ant Davis (47:30.133)
He's not wrong, is he? At all. No, that's exactly, that's brilliant. That's really, really cool.

Luke (47:31.904)
No, it's definitely

Yeah, and it goes through various different sort of typical scams and how to spot them and they ask their mums if they think it's real or AI. It's quite a fun video. Yeah, four is worth sharing. And yeah, I've got a couple more things that I saw this week. So I was buying some IKEA gift card, e-gift cards online on the official IKEA website.

Ant Davis (47:50.721)
Cool.

Luke (48:06.67)
and during the checkout I spotted a nice little warning. Just after the terms and conditions let me click to accept them. It says be scam aware. If you've been asked to purchase a gift card to pay for a service or item or buy a gift card on someone else's behalf you may be getting scammed.

never make a purchase on behalf of anyone you don't know or trust. And yeah, never seen anything like that before on a checkout page. Especially gift cards.

Ant Davis (48:39.671)
Do you know what? Do you know why that's awesome? Because it's right there in the checkout flow. Like this is something AJ from our interviews won. This would be a great one to discuss with him when we get him back on. Because this is right in the user experience. It's not hidden anywhere. It's not banner off to the side. This is literally your eyes scroll through it as part of the checkout and you kind of read it. It's there. It follows the natural flow.

Well done, IKEA. That's a useful nudge. That's kind of a good security nudge there. They've made a conscious effort to put it right in front of the user and make them consume it. So that's cool. Well done,

Luke (49:13.806)
Yeah.

Luke (49:21.178)
Hmm. Yeah. I guess it could be maybe a little bit flashier, a bit more eye-catching potentially. I thought as well, I think I said it to you in the future, I'm sure we'll see them as being checkboxes or something you can't actually check out until you've read it and confirmed it's not a scam sort of thing.

Ant Davis (49:40.726)
I'd see benefit in that. I can see people going, it's another, we don't want the user to have to click anymore. I could see a space in time when some kind of legislation is passed that a user has to do that. a user has to acknowledge that they're aware. And it would protect the company as well. Maybe it's like by ticking this box, you have no recompense. By ticking this box, you agree that.

You these isn't a scam and then if you come back and want a refund you can't have it because you tick that box

Luke (50:14.06)
Yeah, so, yeah, it'll be interesting to see if other people do that for gift cards.

Ant Davis (50:15.575)
baby.

Yeah, that's good. Nice one, Ikea. Well done.

Hmm. Yeah.

Luke (50:27.126)
and then just one more I saw so I mean I'm sure many people in the UK saw this. Our beloved W.H. Smith's got rebranded.

Ant Davis (50:36.599)
So I didn't see this email and I heard ages ago that this was happening. But if you went up to most people in the street, anyone who isn't familiar, WH Smith, 200 year old UK brand on the high street. I used to work there as like a 20 year old on their music counter selling CDs and cassettes in between working at another music store. But WH Smith's been around for years, sells stationery, magazines, jigsaws, books.

news, sandwiches, music, everything. And WH Smith's are in train stations and airports. And I think that they're the brand will survive. That makes money. But they sold off the high street stores because high street stores didn't make any money. They've rebranded them. This isn't a branding podcast, but we we we're interested in the creative because we've created brands for security internally and we create.

Luke (51:13.571)
Yeah.

Luke (51:16.888)
Yeah.

Yeah, they got sold to her.

Ant Davis (51:33.143)
creative content, visually interesting content that people have got to engage with. TG Jones.

Luke (51:41.326)
So yeah, that's what it now looks like. It literally looks like a phishing email.

Ant Davis (51:44.522)
Smith. We need a name like Smith. We need a name like Smith. Jones. Yeah, it's second most popular English surname. Okay, WH. A, B, C, D, E, P, no. Tom, watch it. Tom, yeah, T. Let's go with T. It's like, TG Jones means nothing. It just meant to sound familiar.

Luke (51:48.814)
Hmm.

Luke (52:08.494)
Yeah, when I saw this at first, sorry, it kind of just looks like a phishing email. Typical really bad branding. There's almost no branding there. It just looks like a really bad HTML. Sort of crafted email.

Ant Davis (52:10.305)
Sorry.

Ant Davis (52:25.269)
like the most basic logo ever. The colour is still close to WH Smith blue if it's not the same. So this email is basically a privacy notice update. As part of our exciting transition from WH Smith to TG Jones, we've refreshed our privacy notice, which is a link. But this email's come from TG Jones. It would have been better coming from WH Smith, announcing something like WH Smith is now TG Jones. You know, announce the brand transition.

Luke (52:52.366)
Mm.

Ant Davis (52:55.359)
tell the story but instead you've received this and there's been no prior warning from who tg jones

Luke (53:04.75)
No, exactly, yeah. There's a lot of things to take from this one,

Ant Davis (53:08.641)
response.

Ant Davis (53:13.397)
And again, right, I know they probably have to send this email, but if you're an average Joe, this says, we've refreshed our privacy policy to ensure you understand how we process and keep your information safe. Notable changes, updates to confirm our data controllers. What the hell does that mean? Like my mum is not gonna know what that means. New details for contacting our data privacy and support teams. She'd know what that means, but why am I getting this email? Have I been?

Ant Davis (53:42.967)
breached? Have I got a privacy concern? Who are TG Jones? Where did they get my... Like, it's just... It's just bad. It's just awful. Like, if that brand's gonna succeed...

Luke (53:48.046)
So many questions.

Luke (53:54.218)
Yeah, don't be like this.

Ant Davis (53:58.936)
It's bad, isn't it? It's not very good. Yeah.

Luke (54:02.06)
there and yeah as my free stories this week

Ant Davis (54:07.625)
Okay, what have I got for us this week? So I've received a ton of scam messages. I received, do you remember we talked about Turby a few weeks ago? I got another Turby message. So someone from Turby HR reached out to me offering me a job opportunity, which obviously I'm not interested in. I got an interesting message on my Instagram and obviously this was to my personal Instagram as well. This wasn't to my, this wasn't to the,

Luke (54:16.206)
Yeah.

Ant Davis (54:37.399)
You know risky creative the one that we share all the podcast stuff on so my Instagram is locked down. It's very private But someone managed to find me I've had the account years, so that's probably how they found me But the message here is from Ms. James Martin 229 to post no followers Doctors told me that I had little time left for cancer. I decided to travel alone and bid farewell to this world quietly

I have no children. My only regret is that I can't spend this life with you. You're my first love and you will always live in my heart. I leave you a precious legacy. I hope this friendship will bring us together again in the next life. Please keep this information safe. And there's a web address, a username, a password and $7 million. So obscure these obscure the these obscure the URL in

Luke (55:30.19)
Right.

Luke (55:36.168)
Yeah.

Ant Davis (55:36.193)
post because we probably shouldn't share that in hindsight. But yeah, it's this, do you know what's interesting about this? And this is a little angle on this. I took a screenshot of this and uploaded it to ChatGPT.

Luke (55:52.994)
Right.

Ant Davis (55:54.9)
And literally no context, no words. I literally just uploaded the image to ChatGPT. And ChatGPT's response said, this Instagram message is almost certainly a scam. Here are the red flags. It's too dramatic and emotional. Scammers often use emotional stories, e.g., terminal illness, lost love. Unsolicited message with sensitive info. Legitimate users don't randomly share private links, usernames and passwords.

massive crypto balances. That's actually what ChatGPT says.

I'm sorry, if ChatGPT can tell me that within seconds, why is Instagram letting that message land in my inbox? That's not in spam, that landed in my Instagram inbox. But it does say block, delete or accept. Why does it not give a reputation rating? Why does it not say, our AI thinks that this is a scam? Again, these platforms, specifically Meta.

Luke (57:05.12)
Yeah, we've said before.

Yeah.

Luke (57:16.846)
It's amazing. We spoke about it so many times.

Ant Davis (57:21.769)
Right, Meta are bad at this. Like, they're gonna shoot me down, I'm gonna lose my followers. In a related article, I got two strikes on TikTok this week for talking about Windows key plus R and talking about doge ransomware. I successfully appealed both, but it's nice to see actually in hindsight that TikTok have blocked my content because they thought me talking about that was malicious. Meta isn't blocking anything.

Luke (57:22.402)
Mm.

Ant Davis (57:51.65)
There's nothing being flagged there. It's a decent use for ChatGPT. However, however, the other thing I picked up on in relation to this, and this was a new story I saw completely unrelated, is that AI chatbots are increasingly being tricked into recommending phishing sites and scammers are taking full advantage. The new research from Netcraft.

found that GPT-4.1 models, which are like the latest models on ChatGPT and stuff, only gave the correct login URL for major brands 66% of the time. That's two thirds. 29% of responses pointed to dead or suspended domains, and 5% sent users to unrelated or legitimate sites. So if you're just poking at this and you see a pattern in dead or unrelated domains,

or suspended domains. As a phisher person, you could buy those and host a phishing site. And what we're seeing more and more of is a move away from organic Google searches to people using ChatGPT and Copilot and Gemini as a source of getting information. So some of the ways that people would have used search engines, they're now using AI in that way. So

Luke (58:52.91)
Yeah.

Luke (59:14.018)
Yeah.

Ant Davis (59:15.703)
If AI spouting URLs at them and the URL's not right, just today, like you paste a news story into ChatGPT and it's, I did this with a BBC link. I pasted the BBC link into ChatGPT and it told me it was about a ransomware at a school in Truro. And I was like, no, actually that's about Cloudflare. And it's like, oh, thank you for telling me. Yeah, sorry, I got that wrong. Here I go again. And it's like,

Luke (59:40.112)
Sorry, I got that wrong.

Ant Davis (59:45.548)
Dude, just go to the URL and find it. So you need to be really, really, really careful about what your AI is outputting because it's amazing that I can upload a screen share. It's amazing that I can upload a screenshot and it tells me quite correctly what the red flags are. If you work in a cyber function and you need to quickly and easily disseminate a phishing email or something, straight away there I've got five red flags.

and three recommendations to make to end users, which helps me shape an awareness campaign. But, as an end user, I feel Instagram should be doing that for me and then telling me that it's malicious. Or going, our reputation scores this as an amber face or a sad face, therefore don't trust it. Do you know what I mean? Like, only click on this. You can't click on this until you confirm that you know this person. It's...

Luke (01:00:35.512)
Yeah.

Ant Davis (01:00:41.279)
Much in a way you can't message someone on LinkedIn like that's too disconnected from you unless you know their email address. You can't connect with just a random if they've got their security set.

Ant Davis (01:00:54.027)
That was the first one I had. I had just a couple more things. I've been checking out this yet. I've got this new Yeti mug, right? And I got this from Adaptive Security. So I had a demo of Adaptive Security. Their tool, I need to have another demo. Their tool's awesome. Like it's got, you can use like build AI training and it's really, really cool. So they sent me this Yeti mug.

The Yeti mug's too good because I've had this since we started recording an hour ago and it's still kind of too hot to drink. Not that I'm ungrateful, it's amazing. Yeah, so Adaptive Security is the only security tool that OpenAI have invested in. So OpenAI have backed Adaptive Security and it's got a load of cool AI functions. You can like, I need a training course on Kirby HR.

SMS scam and it will like generate it for you and you can say what you want it to. It's really, really cool. And it does a load of other cool stuff.

Luke (01:01:52.91)
Mm.

Luke (01:02:00.211)
Just as well it doesn't put dodgy URLs in it.

Ant Davis (01:02:04.385)
There is that, there is that. They've got cool deepfake stuff as well. The deepfake stuff was like awesome. So have a look at, we'll do some more. I'll, we'll probably, I'll probably get someone from Adaptive to come on and have a chat with us or something on an interview show. But if you are looking for a new platform, it's worth having a look at Adaptive, especially if you like your AI toys. Thank you Adaptive for the mug. I have to give a shout out to our friend Hayden as well.

I forgot to shout out, the KnowBe4 fishermen are awesome, and Pam also asked if I had a fisherman, so Hayden gave me those for the boys. So, um, thank you. KnowBe4 Lego is awesome. I wanted to mention just quickly, I had a quote featured this week in a report, which is cool. The report

came from, let me just get it up here.

Ant Davis (01:03:09.911)
So this is from KeepNet and it's the new hires phishing susceptibility report that they've got. And basically it talks about the phishing susceptibility for new hires. I've got a little quote in there. It's a really interesting report actually. And talks about gamification, AI driven simulations. It's run by KeepNet. We'll put a link to that report in the newsletter. So you can get a look at that.

and can register and get a copy of that. So that's cool. Hello everyone at KeepNet. Right. None of these are sponsored by the way. This is all, no one's paying me to say that. I did get free mug, which is cool. The last one I wanted to mention, I saw this post on Reddit and this post has since, so I saw this post on Reddit two days ago and the post was titled, man found out my LinkedIn profile.

Luke (01:03:52.898)
Yeah.

Ant Davis (01:04:09.835)
while playing CSGO. So the person was playing Counter-Strike and then, well let me just explain, right? So I went, as we were preparing for the show today, I'd saved the Reddit link and I went back to the Reddit link and it just said, sorry, this post was deleted by the person who originally posted it. Right there at the top, sorry, this post was deleted by the person who originally posted it. I was like, no, I thought that was a really good story. So I was like, damn. So this person deleted it.

Luke (01:04:17.422)
Mm.

Ant Davis (01:04:39.243)
Doesn't matter because the Wayback Machine, thank you archive.org, saved the day essentially. Let me just get this up and I managed to find a screenshot of this very part on the Wayback Machine.

Here it is.

So.

Ant Davis (01:05:04.567)
2D86, and the funny thing is, right, you don't even need to use Wayback Machine. If you just Google that man found out LinkedIn profile when playing CSGO, the username comes up on Google search. So you have to be really careful about what you post online. So this was on the Steam, Steam the gaming platform. I was playing CSGO today and while in game, someone on the enemy team found my real name and LinkedIn profile.

posted them in the chat. I do not have my real name on Steam, neither the city I live in. This is super scary, honestly, and I do wish Steam takes action. Has anyone encountered something like this? What should I do? And then it comes back and says, later edit, solved. They used my Steam ID. Apparently they keep a record of everything I did on Steam in 10 years, even if it was deleted or overwritten. There was a slip up in there. Thanks for commenting though.

Now I'll go and live in a cave.

Luke (01:06:05.294)
Hehehe.

Ant Davis (01:06:06.967)
And when you look at the actual thread here, this is just an example of why you need to be really careful about what you share online. I'm not the most discreet person, a single glance at your Reddit history here, and I can tell that you live in or near Braslov, Romania with your mom and a dog and plenty of other details about you. If you're the same way in Steam discussions and on other people's profiles, you may have accidentally doxxed yourself. Yep.

Luke (01:06:18.328)
Hmm.

Ant Davis (01:06:36.171)
Maybe he found content he posted and linked it in socials with a Google reverse image search. And then, I don't think most people know how much they reveal online that doesn't take more than 10 minutes of Googling to put together. Damn, could you imagine making a Reddit name almost 20 years ago that's just your name? Simpler times. Says Andrew V. So I'm guessing Andrew V's real name is Andrew. Yeah.

Luke (01:06:56.846)
Thank

Luke (01:07:03.459)
Yeah.

Ant Davis (01:07:05.943)
That's why it's hilarious when people think Reddit is anonymous and isn't social media. So yeah, there's lots here. This guy just typed your nickname on Google and found you. Steam is not responsible of data you publish on the internet. This one I thought was quite good. Digital footprint is real, man. You can find anyone's real info with even the smallest amount of information. It could be certain keywords you use, reused usernames, forums, and anything that exhibits a pattern.

And if you're a type of person to have a LinkedIn, then you've definitely got some stuff out there. That's why I don't talk online. You'll get humbled real quick if you meet somebody willing. So, and someone's linked to OSINT framework, which I think I've shared just a few weeks ago on the show as well, where you can obviously dig into the different sources and it tells you where you can find everything out about people.

these different sources where you can do some basic hosting. Yeah kind of a starter mode. Dark mode is a bit nicer than light mode. So yeah be careful what you post online people.

Luke (01:08:17.304)
Yeah, especially with...

Ant Davis (01:08:17.813)
when you share that, you could make sure you hide my Reddit username, that would be amazing. So yeah. Yeah.

Luke (01:08:23.246)
I always crop it out. I think people don't realise, yeah, like it's so easy to find this information if you're reusing usernames and freely just posting things on forums and public places. It's gonna get scraped and people are gonna find it.

Ant Davis (01:08:47.287)
A topic for another time, but my kids, so my kids' school have recently just signed this, they've signed a charter which is like no mobile phones at their primary school, so up to the age of 11. No smartphones. And they encourage children if they're walking home to get a dumb phone. And some of the mums are like, oh yeah, I don't think they should have them until they're 15. Blah, blah, blah, blah. You know, they can't be trusted. We know other parents.

Kids in year five, so kids that are like nine and 10 have got smartphones now and have got TikTok. And we've only just let my 12 year old have TikTok. But TikTok's parental controls now are quite good. Like they've brought new parental controls in. The amount of parents that don't know about parental controls and just let their kids do anything and everything. But beyond that, we regularly have a conversation with our kids about when you share something online,

It's out there. You know, these apps, Snapchat used to be like, the image is gone after so long. And if you take a screenshot, you're notified. There's still a way, right? There's still a photo of the phone or different apps. There's ways around it, right? Only post stuff on the internet if you're prepared for it to stay there forever. And I say this to the kids all the time. And that's the message. That's the message. There's no...

Luke (01:09:54.615)
Mm, yeah.

Ant Davis (01:10:11.489)
It's not training, it's not restrictions, it's not not letting them have access in my opinion, because then you just make them want it more and when they get it, they abuse it. Just talk to them constantly, open discussions about sharing responsibly and responsible online usage. But the problem is many of the parents don't understand this either. And in which case you're kind of doomed. So if you're listening to this podcast, you've clearly got an interest enough in

Luke (01:10:30.381)
Mm.

Luke (01:10:34.819)
Yeah.

Ant Davis (01:10:40.981)
being safe online. And that's the conversation you should be having with your kids. Talk to them about being safe online and well, good, secure online behaviors. I think that's important. Maybe that's something we should cover. I might get someone, actually I do have someone that I've been meaning to get on from a child online safety charity. So I'm gonna get them on the interview series. We'll get them on and have a chat with them.

Luke (01:10:52.236)
Yeah, definitely.

Luke (01:11:03.394)
So cool, yeah.

Ant Davis (01:11:09.463)
about kids being safe online. I think that's quite important.

Luke (01:11:12.642)
Yeah, definitely.

Ant Davis (01:11:16.535)
Right, I think that's pretty much us done. By the time we record next week, I'm going to a local, I'm hoping to go to a local small business cyber keeping your business safe day. It's run by the local police force and Vodafone. I saw it, it's only down the road. So was like, I'm gonna go to that. So it'll be interesting to see what they're talking about and see what local businesses, smaller businesses kind of attitude is.

We work at big businesses, you know, like FTSE 100 kind of, so it'd be interesting to see what the, you know, the smaller, there's probably gonna be no one there, but we'll see. I'll go and it'll just be me, it'll be me, a couple of police officers and someone from Vodafone. Yeah, so I'm only going to push the podcast, but it'd be interesting to see what they talk about. Yeah.

Luke (01:11:46.626)
Hmm, yeah.

Luke (01:11:54.19)
He'll be the most famous one award-winning. Yeah.

Luke (01:12:09.262)
Yeah, definitely.

Ant Davis (01:12:11.991)
Cool, right, I think that's it from this week. Another packed week. Do let us know what you think of the show, if anyone's still listening. It's really important that we know what you like, because we want to do that. So we had Android 16's new security features, Hikvision, cheap cameras, keep an eye out. Prime Day's around the corner. We might talk about that again next week, because I think it's kind of, it'd be landing around then, I think.

Luke (01:12:41.238)
Yeah, I think it's the ninth, eleventh. Very fast, then,

Ant Davis (01:12:41.935)
passed by then. Okay, it's probably passed by then. Be careful what you're buying on Prime Day. Then yeah, if your organization is losing laptops and phones left, right and center, do something about it. Disable the accounts of anyone you suspend immediately. Don't scan dodgy QR codes. Don't set off malware and ransomware and phishing emails at schools. That's just not good.

Ant Davis (01:13:12.029)
And if anyone from Microsoft is listening, bring back the blue screen of death. Show your parents the AI video, Corridor Crew. Share it with your parents, share it widely. It's awesome. I haven't watched it, but everything they do is awesome. Luke thinks it's awesome. So share it with your people. Cool, okay. Speak to you next week.

Luke (01:13:23.406)
Yeah.

Luke (01:13:33.942)
Cool, catch next week.

Ant Davis (01:13:35.49)
Yeah. Alright. Bye everyone. Bye.