In our latest cyber news update we take a closer look at the hack that resulted in what hackers claimed was access to ‘tens of thousands’ of SIM cards that included ‘financial information, contracts and banking information’. We also discuss the proposed Australian cyber curriculum for kids aged 5 years and up, how cybercriminals are using Google search to snare unsuspecting victims for malware attacks, and the worrying statistic that over a third of New Zealanders fell victim to cybercrime last year.
The Get Cyber Resilient Show Episode #53 Transcript
Daniel McDermott: Hi all, and welcome back to the Get Cyber Resilient Show. My name's Dan McDermott, and I'll be your host for today for episode 53. Where I'll be joined by our resident cyber security experts; Bradley Sing, and Garrett O'Hara, as we review some of the latest trends and topics that have been happening in the world of cyber. And particularly their impact on our local businesses in Australia and New Zealand. Great to have you join us again, Gar and Brad.
Garrett O'Hara: Good to be here.
Bradley Sing: Thanks for having us.
Daniel McDermott: Fantastic. Well, we'll kick off this week with probably the biggest, I guess, news in terms of a cyber-attack that's happened in recent times, around tens of thousands of SIM cards being hacked. Brad, this sounds like pretty scary stuff, that it sounds like they're actually getting into people's SIM cards themselves, and infiltrating data from there?
Bradley Sing: I mean, look, it does sound like an exciting hack, like that SIM cards are being hacked, and it's something very, you know, sophisticated and advanced. But I think this is another one where the headlines potentially get away from us a little bit. Not to say that, you know, that there wasn't, you know, it's a fairly significant breach. But, also a couple of other interesting ones as well.
So there is an organization, a reseller of Telstra, that effectively had their systems compromised and ransomwared. They're a reseller of Telstra so, you know, they resell things like SIM cards, phone plans et cetera, hence the reference to SIM cards. But also, interestingly enough, they help businesses move towards Telstra cloud services.
Um, the hackers put a ransom note on their website, which effectively said the company is not cooperating, the data will be leaked. But it also said at the same time that they were DDoSing the company, so kind of like a double, or kind of a triple-pronged attack all at once.
Daniel McDermott: Well, that's a pretty intensive attack that they've launched on them there. And to put up the ransom note saying, you know, that they've got tens of thousands of SIM card information, financial information, contracts, banking information. It sounds pretty scary, and pretty compelling for the company to have to deal with. I guess now they're having to manage whether to pay that ransom or not, and then what the implications of that might be?
Bradley Sing: And it's... I think it's... I mean, obviously that's a huge gray area. Interestingly enough, like, the website's back up, like, it seems running to me or it's, [laughs], hopefully I didn't get a rogue access tool, or download something malicious. Might do a password change after this, [laughing]. But I think this is another example of, you know, kind of supply chain attacks, right? Where Telstra, a huge organization with millions of Australians as customers, a reseller gets compromised, the primary brand is now at risk, and you've got a lot of customers who are, I guess, to a degree, Telstra customers, who are probably a little bit upset that their data's out there.
Garrett O'Hara: And potentially what, like, what does it mean for secondary attacks? And when I see SIM cards or, you know, those sorts of things getting popped, you can wonder about people who are potentially using SMS for, you know, pseudo two-factor auth, or multi-factor auth. Like, are there implications there? I mean maybe, maybe not. But, yeah, if it's true, then, yeah, you kind of wonder about how that information gets used for kind of secondary attacks down the line.
Bradley Sing: Yeah, and I think something that we also said on that is, like, the rise of, you know, effectively stealing people's phone numbers, like, mobile phone numbers. Like, going into a- a phone store, pretending you're somebody else using stolen identity information and then... so you're on point, Gar, then giving the two-factor keys to everything. So it's a- it's a bit of a scary thing.
Daniel McDermott: Yeah, I think this one's one to definitely keep an eye on as I'm sure it's going to evolve. As, you know, many people will be quite concerned by it, and hoping that it's obviously not the first of many, I guess, of trying to get into using, sort of, the reseller network as a way into, you know, this large data set that we say the attackers are constantly looking to get to. And then be able to sort of use on a long-term basis as well as for the immediate short-term gains as well.
Brad, changing gears slightly, looking at one of the key issues, I think last week we had Privacy Awareness Week in Australia. Obviously the issue of cyber security is front of the paper on too many occasions, right? And one of the ways to look to try to combat this is, how do we get to the digital natives, and the next generation, and make them more cyber aware? And it's certainly something that I'm very aware of in my household. You know, when my youngest was two, we were showing him some photos on the laptop and he touched the screen and said, "Broken," because the only thing he knew was an iPad, and then thought that, you know, everything should be a touch screen.
Um, I now have an eldest one who tells me that, he- he can put anything he likes on- on Snapchat, because it only lasts 24 hours, and it- and it's fine. So, so obviously I've got a bit of work to do in my own household, of- of constant education. But it's interesting to see that there's, a new sort of curriculum coming which will actually support it through the school system as well. can you tell us a bit more about what's happening here? And- and hopefully the- the impacts that, can help people like myself.
Bradley Sing: Yes, certainly. So this was first reported in The Register originally, but it's effectively an initiative by the Australian government to look to bring cyber security into standard public, or standard curriculum. Which is something quite interesting in the same concept, right, and I guess you're backing up some of the comments there about your personal experiences, Dan.
[Laughs], the comment about the- the iPad was fantastic, and interestingly enough, I think in- in other countries as well, we see where the internet is becoming newer, things like Facebook become the natural platform, or medium, in terms of the internet. Like, in some countries, Facebook is just instead of... what you use instead of, like, Firefox or- or- or Chrome, as an example.
Um, what we're trying to do here in Australia is, the idea of effectively, from the age of five, starting to teach children in schools, you know, what to look out for for cyber security, or cyber safety. The general stuff is around, you know, not to share things like your date of birth, your name, as an example, don't take photos of yourself, as an example, in your school uniform. Things like geotagging as an example which, again, might seem like it's a little bit, you know, advanced for a child, but I think the reality is, you know, they're potentially picking up this stuff a lot faster than we are.
Daniel McDermott: Indeed, and they certainly love accessing free WiFi, I can tell you. It's like the highlight of the day if they can jump onto a free WiFi network somewhere.
Garrett O'Hara: Yeah, definitely. And I think we've had people on the pod talking about this, Leonie Smith, you know, the Cyber Safety Lady, talking about this at length, you know, how to keep kids safe online. I think it's such an important thing to think about. Yeah, it sort of frightens you sometimes. I've got nephews and nieces, and they... I mean, to your point, Dan, they're just obsessed with digital. You know, you have to pull the devices out of their hands, 'cause if they're not playing games and talking to their pals on, you know, gaming forums, or they're on YouTube, they're just kind of getting out there.
Um, I- I- I kind of wonder, you know, as a sort of mid-40s man, [laughs], mid-40s person, like, what it would be like to grow up in- in that sort of world, where everything is- is so connected, and- and digital. And it must be so tempting to maybe over-extend yourself as a kid, and- and not get the implications of, you know, putting a certain type of photo up. You know, you think it's innocent 'cause you're a kid, but somebody else doesn't. or that, you know, that sharing of information.
I know, it's one of those things I find, yeah, just incredibly important, that we get there early and kids are thinking about this stuff. And then I was [laughs] chatting to people earlier on about this story, and we were kind of wondering what the format is. You know, when you're five years old, like, how do you teach those lessons without making it scary? And, you know, do you wear the Barney suit, and people tell me that Barney's really old, and it's Bluey now apparently, so, you know, I've gotta update my kids' TV. But, yeah, I'd be very keen to see what it actually looks like, you know, when they pull out a curriculum for kids that young.
Bradley Sing: Instead of the tooth fairy, we should have, like, the hacker fairy, I don't know, he wears like a hoodie and hides under your bed, [laughing], actually that doesn't sound too appealing, does it? [Laughing].
Garrett O'Hara: Oh, wow. The- the new bogeyman, the- the cyber bogeyman.
Daniel McDermott: Yeah, that's right. Brad, I think the government had a go at this previously. So it's not the first time around that, you know, an initiative like this has come up as a need, I guess, in society. What do we think's going to be the difference this time around?
Bradley Sing: It looks like they did try it back in 2015. And I think some of the original side was lack of training and, you know, potentially experience for some of the teaching staff in delivering the training. Which, I think's, you know, a fair comment. But I think if you look at how much we've digitized over the past five years, and COVID as the example again, you know, school-aged children are used to using remote technology to connect in the classrooms, right? Like, they've sat through a year of that, so if anything, I think probably a year ago would've been the time, but now is definitely the right time to start, you know, educating our youth about, you know, what to look out for. And really, if you're uploading something, to understand, you know, it's potentially there forever, and no longer under your control.
Garrett O'Hara: And I wonder, you know, we- we've talked about this sort of thing before, but it's probably both ends of the s- the age spectrum. where, you know, yeah, we talk about very young kids, but I would say there's probably very similar things to be done for the older generation, you know, those folks who, they're- they're sort of being forced into digital in some way, because government services are being provided that way. And, you know, people have may- maybe have no desire to go online, kind of have to now.
Um, but it is such a wild west, that I wonder is there an opportunity to- to also do that for, you know, the aging population, and those absolutely non-digital natives, that are just in that older age bracket?
Bradley Sing: There was something on Four Corners the other day, if any of our listeners like Four Corners, I'd recommend giving it a listen, but it was looking at Australians and our addictions to video games and microtransactions. And interestingly enough, aside from children, the number one group in terms of spenders and addiction was retired females. So, like, retired-age women. So, definitely, probably a bit of an opportunity there for hackers, but also, I guess, the demographic we need to make sure is skilled up against this stuff.
Garrett O'Hara: Mm-hmm [affirmative].
Daniel McDermott: Yeah, definitely, I think it... like you say, building resilience across society is going to be critically important and it, it has, you know, huge impact. we often focus on sort of the impacts of business, and- and what's happening in the business world, but it all starts with individuals, right? And if we can improve that, we'll have, you know, a long- long reaching impact in a positive- in a positive way for, for all of us as well, which is great.
Looking at the next one, this is what I probably wouldn't consider a new type of attack vector, it's probably not new, but it certainly was new to me, something I hadn't heard of before, but seems to make a lot of sense, and that's the notion of SEO, or search engine poisoning. So it looks as though the criminals, as they're getting these sites up and running, are finding new ways for people to access them. And we all know, you know, that search and using Google is the number one way to access so much information, that's where so many things start in terms of people's research and what they're doing online. So the fact that now the hackers are seeming to get into this, and putting up these fake sites, and having them at the top of the Google rankings, is a real concern.
Bradley Sing: Yeah, well, I- I think one thing we've all kind of seen over the past year, is- is the rise of e-commerce, and I don't want to say the rise of e-commerce, but just- just online shopping. personally, like, one- one thing, you know, I've noticed as I've been trying to find things, is going through pages and pages of Google search results.
But what we've started to see is that hackers are using, you know, the clever technique, or the idea of SEO poisoning. So seemingly after you get through about two to three pages, and more often on the very unpopular search results, there's a good chance that, you know, in some of my experiences, I will say something like 10, 20% of the pages redirect into fake websites, effectively delivering malware. And what they're effectively doing is, they're compromising legitimate websites, like real estate agencies, sports teams, and then using clever coding and scripting back within the CSS of the page to effectively then show up against things like Pokemon cards, PlayStations, Lego, so anything that's kind of going through a massive shortage right now.
And obviously when we've got, you know, people with a huge demand and a [inaudible 00:12:16] at the same time, we're seeing people, you know, potentially at- at a greater rate, fall victim to these. And then on the same flip side, exactly your point as well, Dan. Like, Google is your portal to the world, right? Like it's your view, outside of Google, I think for a lot of us, there's probably only one or two other main, kind of, online platforms that we- we engage with.
Garrett O'Hara: Ask Jeeves? Does- do people still use that?
Bradley Sing: Like- Like us? [Laughs].
Garrett O'Hara: Yeah, go... let's go old school. I kind of find this one a really interesting story in that SEO was always seen like a little bit of a black art. You know, I'm certainly no marketer, but the people, you know, who do that stuff, it tends to come across like the mystical magic stuff and, you know, how to get your site to rank in the top X is kind of deemed to be pretty tricky. So, I find it really interesting that the attackers have kind of understood SEO well enough to be able to execute this attack.
And- and to your point, Bradley, is it just, you know, identifying things where there isn't that much competition, and you can buy ads cheap or, you know, buy the promotion cheaper? But, you know, I wonder do- do we see, an exodus of, you know, attackers moving into, you know, mainstream marketing because they've been really successful at some point? I don't know Danny, are you gonna look at resumes a little bit more closely going forward?
Daniel McDermott: You know, maybe we need a hacker on the team as well to help us? But, yeah, I think it's just using, I guess, the notion of, you know, what's available, right? So you think about, like, you know, they're so used to using, you know, entry points like email, to get people to click on links, but they've built these sites, often in the first place. So I guess what they're doing is using things like, you know, keyword technology, and, you know, keyword stuffing into these sites to basically get them to rank a bit higher, and have that way of coming in.
Um, we know that, you know, one of the things we tell people is, you know, if you're unsure of a link maybe don't click on it. You know, try to type the URL in, but often people will actually type it into Google, not actually type the URL directly. They'll do a search, so it's another way of, you know, it might be a multi-factored sort of, you know, attack where they're trying different things. People might be seeing an email and not trusting that, but then going to search, seeing it there, all of a sudden you feel much more confident, right? Then it's like, "Oh, this must be legit," and, you know, if it's on... if it's ranking highly it's probably okay, like, "Google have looked after me."
So, I think that, you know, there's no doubting, it's- it's trying to again get into the psyche of people and- and show that there's confidence in these sites, in order for people to take action.
Bradley Sing: There's also an extra degree of kind of sophistication here as well. Because, what I was just saying, "I guess they've used keywords," but I don't know exactly how they're doing it, but they've managed to mirror, or scrape, some content off Reddit. So it looks like you're going to a Reddit webpage, because the meta description of the page has comments, or it's kind of what you'd expect from the real search results. So, whether they're looking at your cookies as well in, I guess, tandem to that, to create a very personalized experience, which I guess is the key thing there. Yeah, it's just seemingly quite believable. And look, I did click on one, and thankfully my endpoint Avast picked it up, so shout out to Avast, [laughs].
Garrett O'Hara: Go Avast. There's sort of an adjacent story here as well which was in the news, I think during this week, I feel like it was. Where there's many services that are free, or very close to free. An example might be, like, the ESTA process for getting entry into the US is one of the ones that was called out in the article. But you see services that are built and, you know, charging 60 bucks, or $100, to do something that's, like, $5 if you were to go through government channels. You know, applying for a driver's license. And there's a bit of an issue, apparently, with those... they're legit services, but they're charging a fairly decent markup on services that are pretty trivial and free to apply to.
And, you know, it almost comes back to the education of people to be online, and how they kind of navigate things like searching for services and how to then, you know, establish what's real, what's not, what's- what's potentially a, you know, a good deal versus what's clearly, a very, very substantial mark up on a, you know, a free service or a very close to free service.
And, I believe Google is starting to try and take some of those down, but there's some struggles with that too. But it- it does feel like the- there's a battle ground happening within search, and- and how to use search as a way to either just make money or, you know, in Bradley's case, [laughs], go to potentially dangerous websites. Which, yeah, it- it's kind of an interesting change. Although it's not really a change, it's been happening, but in- interesting that it's been kind of highlighted again.
Daniel McDermott: Definitely, a bit concerning and, it... I think it's the first time, Gar, that, in the- on the Get Cyber Resilient show that we've gone down the- the route of price gouging, and ACCC issues. So, but, one that probably a little bit outside of, my realm of expertise, [laughs], that's for sure.
Garrett O'Hara: Yeah, it's more just, it relates to the, kind of, you know, manipulation of SEO and- and getting- getting s- you know, your sites to the top, so yeah.
Daniel McDermott: Yeah, and Brad, it's certainly, it's, my youngest, birthday coming up, so Pokemon cards and Lego, are high on my search list, and now I'm gonna be even more wary of them, and- and concerned about what [laughs] what I might be, getting myself into as I- as I go forward with that as well.
Bradley Sing: Well, that's it, Dan, like, it's such a clever dynamic. And, you know, if we think back to, you know, who the riskiest groups are, like, if you're a retired female, like, apparently it seems you're the riskiest group, and you're purchasing a gift for your nephew or grandson, whoever it is, then, you know, potentially you're the one at risk. And we don't need to go on the stories about, you know, old people falling victim to scams today, but, again, just, you know, another great reason in terms of why we need to start the education from, I guess... when kids are starting to use technology. Which is a very young age, it seems.
Daniel McDermott: Indeed. And our final story for this week's review is looking at what's been happening in New Zealand recently. And another piece of security research that's been released around the fact that one third of New Zealanders have fallen victim to cyber crime. Brad, this is pretty scary stuff. Like, if we're really looking at a third of society falling victim on an annual basis, it's a massive implication. And one that, you know, our friends in New Zealand will need to, you know, continue to look to get on top of as well.
Bradley Sing: Yeah, so look, a new report came out which is an annual report, performed by, Norton and, in conjunction with Harris. a great report if you want statistics to- to scare a boardroom, or just to kind of put up in a presentation. But hon- honestly, go check it out. some interesting things I took from it was, I guess, the sentiment towards cyber security, and I guess the- the feelings that individuals have.
So a couple of interesting stats: over the past year 65% of people around the world reported spending more time online, evidently the result of COVID, as we know. Online criminal activity has led to a feeling of anger, fear and anxiety. More than half of New Zealanders who detected unauthorized access to an account or device in the past 12 months felt angry. 56%, or more than two in five, felt violated or stressed. And about a third felt powerless.
So just kind of, I guess, you know, it's kind of how I would feel as well. But interesting to see people are starting to be a lot more aware of the problem, but obviously, you know, the- the personal stress and- and emotional tac- toll it can take as well.
Garrett O'Hara: Yeah, it feels like this stuff is huge. We're currently prepping for the AusCERT talk, and I'm not going to give anything away, but part of that, the person I'm co-presenting with, Amy Holden, has a friend who went through a fairly significant business email compromise attack, and hearing that personal story, the words you've just used there, Brad, are spot on.
You know, when you- when you hear, her name is Laura, talk about it, it's that human part, you know, the bit where we, we so often talk about the- the statistics, but you forget that it's actually, there's people, individuals, at the end of so many of these things that, are being affected and- and hurt, you know, like directly. So, yeah, horrible stuff.
Bradley Sing: Yeah, and it seems like we're aware of it as well from the same report. And I thought it's a fascinating stat, so the research showed that most New Zealanders, about 79%, want to do more to protect it. 87%, or nine in 10, have taken steps to protect their online activity. And personally, recently I went through this big exercise of getting all my password manager sorted, two-factor on a bunch of accounts. But interestingly enough as well, for anyone out there who uses password managers, very recently a lot of the free ones don't do cross-platform syncing any more, so just be a little bit careful in terms of what you're using as a kind of manager for that.
But definitely a- a bit of a wake up call. Because, we're all aware of it un- until it happens to us. It might be, you know, that might be the catalyst for people to update their password and their hygiene. But, I think it will be... it's something we all need to focus on.
Daniel McDermott: Brad, for us novices that may have missed that one, what- what's the implication of not doing cross-platform syncing?
Bradley Sing: So, the implication is that let's say you have device A and you go ahead and change or update your password there. If you have that same application stored on device B, it won't update on those other devices. There's also a bit of encryption built into the password manager as well, so if you lose access to it you need to be very careful, because quite often you can only actually get the details back on the same machine. But it has been a shift as, I think, we've seen password managers become more marketized, and effectively being bought out by larger tech companies.
Garrett O'Hara: And one thing that I would say as an avid fan of password managers is, get yourself a YubiKey, because that is just a phenomenal way to protect the password manager itself, [laughs]. So rather than necessarily having to rely on a really long, difficult passphrase, which is what they generally recommend, you know, you just choose something incredibly difficult to get into your password manager, um. But yeah, a YubiKey I've found just incredibly useful for authorizing access to things like Gmail, and those kind of accounts. Just so, so elegant. And it's hard where I don't have to remember anything, I just plug it in, hit the button, and it does the two-factor for me.
Bradley Sing: [crosstalk 00:22:17] like the USB device then, the YubiKey?
Garrett O'Hara: Yeah, yeah, correct. And they're USB, or NFC, so there's different types, but yeah, I mean, they're a thing that you could sort of put on your keyring. I personally... I don't use it that way, it's my, you know, it's my nuclear code if, [laughs], if everything goes really badly, it's sitting in a drawer and I, you know, I take it out and, like, that's how I reset kind of the core passwords. Or if I rebuild a machine or anything like that, then it prompts me, but it's so much quicker.
Daniel McDermott: This reminds me of the, there's a bloke up in New South Wales, I think it was, a few years ago, um. He legally changed his name to 99Cap, something like that, but he was the guy who, put in a, whether it's, New South Wales because of a myki card is, genetically into his arm. And then he was using it to like tap on, and- and tap off to- to public transport. but, you know, like, in terms of I guess password and bio-security things like a face ID, like, is it a stretch within five to 10 years we'll have a little implant or something which does all this kind of stuff for us. And is, I guess, more bio-graded to us [laughs] so that, you know, it does prevent things like spoofing.
Garrett O'Hara: Does the... yeah, I mean, not to get into the weeds here. Like, yeah, do you need an implant? Or do you just start using biometrics, you know? Something like an iris scan or, you know, things that are very, very unique to people. Yeah, I mean it's totally future stuff, but I think we're heading in that direction.
Daniel McDermott: Mm-hmm [affirmative].
Garrett O'Hara: It's time for the tinfoil hat, [laughing].
Daniel McDermott: Well terrific. I think, it's, a wide array of topics that, we've been able to cover today. You know, from hacks that we've sort of seen, to new attack vectors to try to help- help the kids from the youngest age possible, and looking at what's been happening in the personal impact of cyber crime in New Zealand as well. So, thank you very much Brad and Gar, for taking us through that.
Now Gar, looking forward to next week, episode 54, I believe you have a big announcement for us of taking our humble little podcast on, a bit of a global scale?
Garrett O'Hara: Yeah, we're very, very lucky, and sort of privileged, to have Dmitri Alperovitch on, so I'm actually going to be interviewing him tomorrow morning Australia time, and for those who don't know him, he's co-founder of CrowdStrike and runs the Silverado think tank and policy kind of institute over in Washington at the moment.
But, he's a very large public figure in cyber security, so I'm very, very much looking forward to, that conversation with him.
Daniel McDermott: Yeah, really exciting to have Dmitri part of the show, and sharing, you know, those very global views of what's happening in cyber. And as you said, working on, on policy issues at a government level. And we know how critically important that is at the moment, we see so much going on around, you know, critical infrastructure in Australia, talking about bills around ransomware, what do we need to do. Dmitri's, you know, a- a leading light in thinking through all of these things, and- and shining a light on- on where the problems lie, and- and potential solutions for them as well. So, enjoy the interview and, really looking forward to that one.
Terrific. Well thanks again for tuning in, we really appreciate, all our listeners and, really looking forward to, to, Dmitri's interview next week. And, until next time, be safe.