• Daniel McDermott

    Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.


In this episode we break down the brand risk associated with compromised social media accounts as highlighted by the recent Disney hack, we review the crypto crash and its impact on ransomware in the short and longer term, we then look into the backlash to the facial recognition roll-out across major Australian retailers and how it could have been avoided, and wrap up with a review of the latest breaches making headlines.


The Get Cyber Resilient Show Episode #104 Transcript

Daniel McDermott: Welcome back to the Get Cyber Resilient Show. We've had a few weeks off for a winter break, and returned for our first episode of Season Seven, and remarkably our 104th episode in total. Thank you so much to all our listeners, you make doing this all the worthwhile. This week is our Behind The News episode. I'm Dan McDermott, your host for today. And I'm joined by our resident Cyber Security expert, Garrett O'Hara. Today we'll be looking behind the news of the brand risk associated with compromised social media accounts, as highlighted by the recent Disney hack.

Next, we'll review the crypto crash and its impact on ransomware, in both the short and longer term. Then we'll look into how the backlash to the facial recognition roll out across major Australian retailers could have been avoided. And we'll end with a wrap of the latest breaches and vulnerabilities to make the headlines. So Gar, welcome to Season Seven. Let's begin by diving into the hack of Disneyland's Facebook and Instagram accounts.

Garrett O'Hara: Yeah, Season Seven. Lucky Season Seven. Do we ha-... we should have Bingo numbers for the episode numbers. You know Lucky For Some Number Seven, or whatever it is.

Daniel McDermott: That's right [laughs].

Garrett O'Hara: Yeah, I mean Disney, okay, so this- this isn't anything new. You know, we've certainly seen social media accounts of m- many kind of large brands be hacked. I think there's something very emotional about Disney, because it is associated with, at least for me still you know, lovely little cartoons-

Daniel McDermott: [laughs].

Garrett O'Hara: ... and this- this sort of huge trust in Disney as a brand. And the- the real issue here is that I- I think it's... what it's starting to do is point to the impact cybersecurity has on stakeholders outside of cybersecurity. You know, we talk about risk, and I think so often when we think about cybersecurity stakeholders, it's the board, you know, that trans out every other sort of set of concern to people. But actually here you look at the damage that something like this could do to a brand. I... the- the nuance here is that it is social media. It was pretty obvious that it wasn't Disney.

Daniel McDermott: Mm-hmm.

Garrett O'Hara: You know, this could've been worse in that somebody could've hacked the accounts and- and sent people to phishing links or used it as a way to kind of influence a topic or, you know, conversation. I know Disney was in a sort of little bit of controversy around the sort of inclusivity conversation in- in the US at one point, because they weren't being vocal enough.

So, you can imagine where there's potential for hacktivists and- and folks to do something similar, but actually with a view to getting a point across. In this case a- a guy who's [laughs] claiming to be a super hacker and I always think like, you know, in this kind of industry, if somebody's claiming to be a super hacker, they're- they're probably not [laughing].

You know, the- the super hackers are the ones that we never hear about by... almost by definition. But this guy's name is David Do, or Do, I'm not sure how you me-... pro- pronounce that. But was very offensive in the contents that-

Daniel McDermott: Yeah.

Garrett O'Hara: ... this person posted. So, you know, kind of racist aggressive language, lots of slurs and- and that sort of stuff. So, in a way Disney was lucky, because it was very, very obviously not Disney that was posting- posting this stuff on both Facebook and Instagram. So, both of those were compromised. I mean you're- you're obviously a fairly senior marketer, and I'm guessing stuff like this would make you s- sort of anxious, right? Because it's just, yeah, it's such a trusted channel for communications with, you know, directly with customers.

And then we see it compromised like this you know, that that's the- the- the thing that I suspect many people will be paying attention to more and more. But we've- we've certainly seen this where the interest in cybersecurity from the marketing and branding side of businesses has become much more acute, because they're aware of what it means when they're the ones making the news to you know, whether it's been a hack or- or even a service outage because of a ransomware attack.

Daniel McDermott: Mm-hmm.

Garrett O'Hara: And I think I've spoken to you before, Dan, about the, you know, the watch that I'm- I'm kind of wearing at the moment. Fairly famous brand-

Daniel McDermott: [laughs].

Garrett O'Hara: ... and had an incident where a bunch of us in my... our fitness group, you know, one- one of the mornings we're looking at what's... like we can't find GPS, like our watches were all a bit wonky. And it was as the result of a ransomware attack. And- and, you know, there's a little bit of... bit of a wobble. It's something that I think is a, you know, great watch to that point. I'm like, "Oh, hang on a sec. You know, if I can't use it for a week, then it's not really a great watch at all, is it?" So, you know, I think there's impact to, yeah, to brand in a very meaningful way with this stuff.

Daniel McDermott: Yeah, definitely. And I think I think David Do may have sort of undone a little bit of his supposed super hacker credibility by also claiming that I think he started COVID-19, or created it. So so-

Garrett O'Hara: [laughs].

Daniel McDermott: ... so probably not a lot of credibility. But as you said, it's certainly a lot of slander, right? And- and therefore, you know, which does blow back onto Disney that it's on their channels, right? It's on their own channels and it's- it's very much f-... you know, you know, how did they allow this to happen. And it's interesting that you... we talk about, you know, the responsibility of sort of cyber and brand reputation, and where does that lie within an organization.

And I've spoken to a few very senior CMOs of very large Australian brands about this topic, 'cause I thought, "This will be really interesting," right? Like they're- they're gonna really lean in and- and- and sort of understand, you know, brand reputation is p-... you know, particularly those big consumer brands, it's gonna be number one or two on the most important things that they have in- in terms of their job description. I got significant pushback pretty quickly that it was like, "That's not my job."

Garrett O'Hara: Yeah.

Daniel McDermott: Like, "We have a cyber team, you know, that's on them." And I was really surprised, because I thought, and probably being in the industry, sort of thought, "But don't..." like it's like, "Don't you care?" It's like, "Yeah, yeah," but it's like, "It's not my problem." It's like, "We've got a team that look after that." And I sort of thought, well, you know, who should be... you know, we talk about the boards and responsibility of the board, but who should be owning that item on the risk register?

To me it's not the cyber team, right? It should be part of the CMO actually doing that, and- and therefore if they own that on the risk register and they need to be able to report on it and be able to show what is being done, it drives the collaboration with the CITO and the cyber team to make sure that like they are considering, you know, how are we protecting our social media accounts? Who's actually asked that question at Disney?

Like, you know, has anybody even asked the question? And then it's like... then they start the internal blame game of "Oh, marketing should have done this," or, you know, "The cyber team should've protected it more." It's like somebody has to own it and I think drive the conversation, and I think that for brand reputation, it has to be the CMO. Because they're the ones ultimately that understand the implications and the ramifications of when it goes wrong, right?

And so it's- it's- it's, to me, very clear that they should be driving the conversation. They won't own the outcome or the delivery of a, you know, of a policy or a procedure or technology that protects, but they should drive the- the conversation internally. And- and I was surprised how little buy-in I got to that conversation, and I feel as though it will just take, you know, some more high profile sort of attacks like this, where I think the conversation will flip.

But unfortunately it takes it being in the media, in the front page of the news and all those sort of things, to- to get the attention to say, "We probably need to do things differently."

Garrett O'Hara: You- you raise a really interesting point, Dan, around who owns the risk. Because the CISO doesn't own the risk in an organization. Like that's a- a misconception-

Daniel McDermott: Mm-hmm.

Garrett O'Hara: ... I think that certainly gets kind of repeated often. You're spot on. Like the- the CISO's job is to build a, you know, defensible strategy. You know, in conversation with the business say, "What- what is our tolerance for risk? What are we gonna accept, transfer," you know, all of that good stuff.

You know, the CISO doesn't own the risk. Their job is to, you know, evaluate where, you know, where the risks lie, to your point, and then it's up to the business, to actually own the risk. You know, they have to f-... you know, fundamentally pay for a program or not. That's, you know, that- that's the budget negotiation and that's the reason you know, the business is on the hook.

So, I totally agree with you you know, it's not up to a security team to- to own the risk of what it means when a social media or other channel kind of gets a hack like that. Yeah, it really is up to the business. And the- the other thing is all of the value these days is intangible-

Daniel McDermott: Mm-hmm.

Garrett O'Hara: ... in- in sort of most organizations. It isn't the building you own. You know, half the time people are just leasing buildings these days, they don't own corporate fleets, they don't own anything. There's a lot of, you know, a lot of operating expenses and then the value of nearly every organization is in its IP and it's in its brand. And, you know, you can think of the- the- the most valuable organizations on the planet, it's the little logo-

Daniel McDermott: [laughs].

Garrett O'Hara: ... and the name of that organization, that's what you're paying for half the time. It's the feeling you get when you buy a certain type of phone, or when you use a certain, you know, streaming platform or whatever. So, that-

Daniel McDermott: Yeah. And we- we know the power of social media a- as influencing-

Garrett O'Hara: Yep.

Daniel McDermott: ... you know, consumer sentiment, right?

Garrett O'Hara: Mm-hmm.

Daniel McDermott: And so if that then gets compromised, then that is a significant risk to- to that reputation and therefore the valuation of your organization. So like to me there's doubting that like this has to be front and center for- for the CMO. And I think the thing is I think a bit of it is unknown, right? You know, it's a bit scary. It's like they don't know like, you know, like what- what needs to be done, and I think therefore feel uncomfortable.

Whereas I think they should just be asking the questions. Be open to saying like, "Where do our risk lie? What can we do? And what do we have in place?" is it... is it all.... it's not all technology, right? What is, you know... if something does go wrong-

Garrett O'Hara: Mm-hmm.

Daniel McDermott: ... what was their remediation plan and how do they shut that down, and what's the conversation around that? Have they, you know, done the old desktop practice of those things and- and make sure that they understand what that looks like.

Garrett O'Hara: Mm-hmm.

Daniel McDermott: I- I think there's so many things where like they can drive that conversation at a business level and bring the teams along to support them, and to actually do it, and I think do it really well. I think that's the opportunity that lies ahead for all of these major brands, is just- just don't be afraid of it, this thing is out there, and how do you sort of start to get in front and take control of it? And I definitely think that there's work to be done and I think that unfortunately sort of it does take, you know, some high profile sort of hacks in order to sort of often change attitudes as well.

Garrett O'Hara: And the other thing you've just kind of raised there is the issue with kind of broader trust in an organization, right? So, and I think you said this right at the start, where you look at sort of the fact that Disney's had its Facebook and Instagram accounts hacked. It points to, well, what else? And if I'm a customer of an organization and- and especially one that maybe is storing my data-

Daniel McDermott: Mm-hmm.

Garrett O'Hara: ... potentially sensitive data, when I see something like this, you know, you kind of go, "Well, okay, if that happened, then what else is going on that, you know, maybe is gonna impact me in a more meaningful way?" And one of the things I've seen commented on but, you know, I don't think it's an out, but it is that when you think about Facebook and Instagram, they're not really corporate platforms per se.

You know, they're... they are social media. They're quite often not amazing when it comes to, you know, security settings et cetera. Like, yes, there's some privacy stuff, but they don't roll into, often sometimes they can, but they don't roll of-... often roll into the kind of corporate stable of managed environments.

You know, people think of AD and the CRM and you know, access to email and those kind of things, where I- I feel like because they're sort of... I mean they're not really that new anymore maybe I... maybe I'm just getting old.

Daniel McDermott: [laughs].

Garrett O'Hara: But, you know, they- they sort of feel like they're these new things that sit outside of that kind of core, you know, standard corporate environment, and maybe we just need to shift mindset.

Daniel McDermott: Indeed. And like you say, I think there's that perception of is this the tip of the iceberg.

Garrett O'Hara: Mm-hmm.

Daniel McDermott: So, if somebody's getting into that, what else are people getting into, and how vulnerable are the rest of your systems and that? So, and that might be a- a long bow to draw, but- but people think like this. And I think it's definitely a you know, it's something that needs to be considered and understood as part of that overall risk mitigation, right? So, it's definitely one I think for us to- to keep an eye on, and not, like you say, not trivialize that it is, you know, oh, it's- it's just the Facebook and Instagram account, that's okay.

It's- it's really not, right? And- and it is the implications can be far more wide reaching than just that first instance as well.

Garrett O'Hara: Imagine if that David Do guy had a f-... you know, put a link that was dropping malware on machines.

Daniel McDermott: Mm-hmm.

Garrett O'Hara: Like this would be a very different story, right? So, yeah, I think you're spot on, Dan.

Daniel McDermott: Indeed. Well, the next story is a review of the crypto crash and its implications for cyber criminals now and in the longer term. So, Gar, we've seen the crypto crash occur, what's happening in terms of c- cyber criminals and ransomware?

Garrett O'Hara: Yeah, is it a good time to buy?

Daniel McDermott: [laughs].

Garrett O'Hara: You know, now- now... is it on the dip? Yeah, but what a rollercoaster crypto is. I've- I've actually completely stopped... not stopped, but I mean I think I've just backed away from trying to follow what's going on there. It's so incredibly unstable it seems to me. And all the promises of crypto so far, I mean it seems to kind of equate to a really good way to steal money when you do a ransomware attack, but I don't really see it being adopted much more widely than that, so far, in- in my life.

What you're seeing here is, as part of the crypto crash, the- the- the problem for ransomware crews now is that the thing, you know, the- the money that they've stolen is worth substantially less than it was pre-crash. And, you know, we're seeing some of the kind of exchange go out of business completely. So, any funds that were kind of tied up are gone potentially.

Some- sometimes it'll, you know, pennies on the dollar, et cetera, et cetera. But if you're an attacker and you're looking at ways to get funds out, that's become less appealing than it maybe was before. Where it's become so unstable that, you know, if it's you know, an imaginary coin is worth $100 today-

Daniel McDermott: [laughs].

Garrett O'Hara: ... and then you put all this effort in, you put your, you know, you risk your- yourself with you know, wh- whatever the kind of local law enforcement agency are, all the things that go into, you know, stealing money through ransomware, and then, you know, it's worth $1, $2 after all of that effort. So, no- no real surprise. And, you know, it's been kind of more broadly spoken about in the industry that you're s-... already starting to see a shift of crews away from ransomware and into, you know, what's almost traditional, BEC.

You know, social engineering, pay the money into the bank accounts, you know, that- that sort of stuff. So a little bit less- less appealing from the ransomware side of things. And then, yeah, much more the BEC. And I think you, yeah, w- we have certainly seen some of those signals, I think in our threat intel teams, where they're- they're picking up more that kind of, yeah, that social engineering stuff, than the- the Pure Play kind of ransomware side of things.

Daniel McDermott: Yeah, definitely. I think it's well, one of the favorite words of the last couple of years are pivot, right, that, for the- the cyber criminals you know, to real currency, right? And that's what BEC use, it delivers, you know, a real crash into the bank accounts, and that that isn't, you know, subject to these wild fluctuations. And if you're... if they're being planning, you know, longterm sort of attacks and, you know, sort of stealth and sort of taking time to get into things as we know, you know, happens these days by the time that they've actually executed the plan, it may be worthless, right?

So there's no doubting I think that what we will see is like we've been speaking for a while about ransomware as a service. It feels like it's gonna move to BEC as a service, right in terms of what's gonna be offered by the cyber crim. So, I don't think they go away, I don't think the risk goes away, I think it just morphs, right? And I don't think ransomware will stop either. I think that's the thing, is they've got no... you know, Bitcoin's still of a value and and they will still continue to to- to use that as m-... you know, if it's easy to actually get success, right?

I think that's the other thing, is that if it's a quick return, even if it's not as lucrative as it may have been that will still continue to proliferate as well.

Garrett O'Hara: Yeah, I- I mean and I totally agree, we won't see ransomware going away. Like as a way in, it's- it's... it is almost too easy sometimes. So, yeah, I totally agree with you. Fluctuation in, you know, the- the Bitcoin currency or cryptocurrencies, it is the fluctuation, and that's the other thing. The potential is this, you know, this stuff does come back up and, you know, kind of bounces in a way that makes it more appealing to do ransomware again. I mean it's just... it's the industry we work in, things change all the time and, you know, stuff becomes popular and then goes away.

Certain types of ransomware becomes popular and then goes away. It's sort of a... it feels like it comes in waves.

Daniel McDermott: Indeed. And if it's not the crypto crash that is going sort of have that longer term impact on- on ransomware, what is, Gar? What can be done to actually, you know, start to- to put an end to- to this?

Garrett O'Hara: Well, there's a few things that are happening, I'd say globally where you're starting to see with regulations or things like mandatory ransomware reporting, like that starts to get energy behind regulating crypto. You know, and that's been talked about for quite some time, and there's been moves by some countries to do exactly that and, you know, almost immediately you see a drop in value of the crypto currencies.

But, you know, that- that is the way is to sort of, you know, fundamentally regulate cryptocurrencies and bring them into the tent of society, rather than, you know, them sitting outside, which I know is the whole point of cryptocurrencies existing.

Daniel McDermott: [laughs].

Garrett O'Hara: But, you know, that- that is one one sort of approach. You've also got the potential improvement of technical security controls. You know, we- we talked about passwordless authentication and maybe some of that stuff starts to help in terms of, you know, people allowing at least their credentials or, you know, phishing links to be running amok using credentials.

Like that s- sort of starts to help in- in- in a way. Yeah, it's- it's like, you know, you come back, and I think we spoke about this a year ago or so, it's... I don't think it's one thing. It's probably like 20 things that all sort of have to happen, and then it- it starts to get to the point where, not that it won't be successful, but the cost and the effort becomes just like, why bother. Let's- let's go do something else.

Maybe we'll see like a return to drugs and- and good old days of, you know, human trafficking and- and weapons and, you know, all those traditional criminal endeavors.

Daniel McDermott: Well, that's a... that's a positive note to to end that discussion [laughing] on. I thought we were looking for the- the positive upside of- of the end of ransomware potentially, but yeah, like- like you say, like it just will change.

Garrett O'Hara: Yeah.

Daniel McDermott: They'll look for the next sort of, you know, the next crack, if you like, in the system, and the next sort of vulnerability that gets into and and exploit that, right? I mean that's- that's the nature of that game. And so, you know, we've got to continue to make sure that we are you know, at our best in terms of defense and understanding what those moves look like to try to preempt and- and be ahead of the game as much as possible.

But I think that's the thing is, is that the cyber criminals move really quickly, right? They are agile, because they're money hungry, they're- they're able to move quickly, and they don't have sort of, you know, corporate bureaucracies around [laughs] them to to- to- to navigate and get through. So, I think the ability for good organizations to respond quickly is actually, you know, is a challenge. I think that moving- moving feast is actually one of the hardest things to- to keep up with.

Garrett O'Hara: Yeah. I totally, totally agree. Yeah, what- what works today, what works this year, won't work next year. You know, I thi-... been thinking about this a little bit lately, it's almost like inflation where the same dollar spent and the same security controls year over year is gonna do less, because the- the types of attacks are changing, the s- sophistication level's changing some very, very clever people out there and they lead. Like that's the reality.

It's not like, you know, v-... you know, technology vendors decide on a new protection approach, you know, and then the attackers go, "Oh, they've figured out a protection. Let's go, you know, attack in that way." It's- it's completely the other way around.

Daniel McDermott: Mm-hmm.

Garrett O'Hara: So, who knows? You know, there was a time where ransomware didn't exist and we may f-... end up facing something brand new that no one's thought about, some very clever person figures out a way to make money from cyber crime.

Daniel McDermott: Yeah, indeed. Well one... our final deep dive story for this week is one that you sort of alluded to around as we move to a passwordless world and the- therefore how do we start to build in a new sort of I guess technology is part of that, and one is facial recognition as part of it. And we've seen a bit of a bungled rollout of the facial recognition technology across major Australian retailers of late. What's gone wrong here?

Garrett O'Hara: Yeah [laughs], it's- it's a... kind of a funny one, right? The- the organizations that are involved you know, in theory were doing this facial recognition stuff to add to their security systems. You know, and the idea being that I suspect kind of like casinos, you know, when Dan McDermott walks into [laughs] a store and you're a known shop- [laughing] shoplifter, you know, you- you're- your other job, Dan-

Daniel McDermott: [laughs].

Garrett O'Hara: ... that, you know, the- the cameras pick you up and then security escorts you out the door-

Daniel McDermott: Mm-hmm.

Garrett O'Hara: ... very much like a casino, right, where they do facial recognition on card counting and, you know, people who are known to be [inaudible 00:21:38] the casinos.

Daniel McDermott: [laughs].

Garrett O'Hara: Similar kind of an idea, right? So, you know, it sounds, okay, like there's a reasonable use case for it. The problem there is the same as pro-... the problem in the society in general. Like you roll this up to the macro level of a- a country and you know, MET UK sorry, London Metropolitan Police in the UK rolled out broad AI facial recognition for crowded places using CCTV. You know, the idea being very much like one of these stores, that if you're Bob the burglar-

Daniel McDermott: Mm-hmm.

Garrett O'Hara: ... that they can pick you up automatically on the cameras and then, you know, somebody can kind of joink you out of a crowd and- and, you know, job done, society's better. The problem is that pay- payment for that is a bunch of innocent people are getting their details scanned and stored and- and analyzed.

And I think that's the problem here. The organizations involved didn't do a privacy impact assessment, and there's been some conversations and- and pushes from various folks in a f- few kind of different bodies you know, privacy commissioners, Samantha Gavel was- was talking about this, and- and kind of called it out that you know, that if they'd really kind of done a risk assessment, they probably would have seen that it wasn't an amazing idea to- to do this.

And that's the problem. One of the organizations has backed away from using it, and I think it's probably a PR impact more than anything at this stage, where people feel a little bit funny about the fact that they're being analyzed. Here's the dirty secret of most very large malls and stores, they're already tracking everybody.

So, they're using beacon te-... technology, and when you walk into your local big mall that everybody, you know, loves to spend a Saturday at-

Daniel McDermott: [laughs].

Garrett O'Hara: ... have a look in the- the door as you walk in. There's probably gonna be some sort of a privacy statement or a statement saying that your information may be collected and- and shared with third parties. A lot of these places have wifi systems, you know, the free wifi.

Daniel McDermott: Mm-hmm.

Garrett O'Hara: And that sounds amazing. When you connect to that, you show up on a heat map and it- it shows exactly where you've walked within the stores, which stores you've visited, it becomes part of your data set the data brokerage will then sell for money. Beacons on Bluetooth and, again, similar kind of deal, they're- they're watching for when you appear and s-... like wh- where have you walked close to.

This stuff is already sort of happening so it's not like when you walk into these stores you're completely anonymous anyway. You're- you're already to a certain exten-... extent being tracked.

Daniel McDermott: And as you say, I- I think it links back to that first story of like what is the like brand and PR impact, right? And we know that the Choice group have actually filed a complaint to the federal privacy regulator for this use of the- the facial recognition technology and- and how it's being stored and being used.

So, it's, again, it is not just the one time use and- and its own, sort of, I guess, approach and what it's trying to do, but it is the broader implication of what does that mean. And therefore the flow on effect, again, for some of these retailers, their brand and their reputation. And these things continue to sort of build, right? And I think it's... maybe it's not just the one time thing, but it's like all of these things start to combine that there'll be less and less trust in- in a lot of these, you know, institutions, you know, in many ways of across the country.

And therefore like how... what does that mean in terms of consumer buying patterns and behavior and what happens from there? So, there's no doubting that these things have a- a long range impact, I think. And like you say, you know, it's also the sort of things that can just scare people off, you know?

Garrett O'Hara: Mm-hmm.

Daniel McDermott: Ooh, facial recognition in a... in a store, maybe- maybe I don't need that, right? Maybe I'll go and shop at the competitor where they don't do that.

Garrett O'Hara: It- it feels a weird, doesn't it? Like I think that's the thing, and like as you were talking there I'm thinking, you know, there's a privacy implication for people walking into the store, and then there's a bigger implication which is the guys who walk around the store, you know, when you look a little bit dodgy and pretend that they're customers and then, you know, grab you if you try and steal stuff. And I'm not speaking from personal experience here, by the way.

Daniel McDermott: [laughs].

Garrett O'Hara: It's just me imagining [laughs] what it would be like but, you know, there's a couple of jobs gone. And that's the other side of this, you know, you've got a computer that's brutally efficient. That's saying "There's Gar, you know, we- we busted him for, I don't know, stealing [laughing], I don't know, clothing in some other store and, you know, let's not let that guy in."

Wh- what of it, you know? There's a bunch of jobs that go away and- and that's, you know, part of this conversation that with- we still haven't really had. What does it mean when robots can do things so much more efficiently than we can, and like what do people do to make a living?

Daniel McDermott: Yeah, no doubting. Big implications across the board there and one I think that is gonna continue to evolve, and a- a story that I'm sure will continue to come up over time as well. So, finally, let's wrap up with a quick review of the latest breaches and vulnerabilities to make the headlines. Let's start with the global outage of Microsoft Teams and 365 last week, and its impact.

Garrett O'Hara: Yeah it's s- sort of a bummer for folks who are using Teams as their kind of collaboration tool. Look, I mean this isn't kind of a new story-

Daniel McDermott: Mm-hmm.

Garrett O'Hara: ... or a new thing to happen. Like we see this stuff all the time. The reason I think it's- it's interesting is just that in a COVID world, I think the impact of this stuff is probably much more significant and severe than it would've been in 2019, for example, where, you know, chances are you could at least walk across a- a floor and- and talk to somebody or, you know, pick up the phone.

We are absolutely reliant these days on collaboration tools, you know, whether it's Slack, Teams, I mean there's a bunch of them. And what you saw here was I think, you know, a little bit of a pulse check on what- what it means when something like this actually does go down, and- and I think it was about a seven hour outage, and it was global. It was kind of around the world. The- the sort that Microsoft have come back out and- and sort of said it- it was a result of a recent deployment that contained a broken connection to an internal storage service, which has resulted in impact.

And, you know, it- it's sort of the impact of collaboration becoming unavailable, I think this is something you and I have talked about a bunch of time-

Daniel McDermott: Mm-hmm.

Garrett O'Hara: ... which is, you know, that centralization of services and what does it mean if that then goes down, because it's not a mail server in one organization, it's actually a mail server used by nearly every organization that now is unavailable. So, everybody can't connect or communicate with everybody.

Daniel McDermott: [laughs].

Garrett O'Hara: It's- it's a- a much, much larger scale event when cloud service providers do have their outages. Years ago I was talking about the [laughs] the- the person sitting in a dark room wondering why their, you know, their internet enabled light bulb wasn't working-

Daniel McDermott: [laughs].

Garrett O'Hara: ... and it was somebody had messed up the config in an S3 bucket. Stuff like that, right? It's- it- it's a conversation that when it comes to cyber resilience, I don't think we have often enough. We spend our whole time talking about, you know, interesting attacks and vulnerabilities, and actually sometimes somebody kicks a cable or something just a little bit silly happens because there was a, you know, somebody made a mistake somewhere, and you see this.

But organizations, I think so often these days are not thinking about sort of secondary services, secondary data assurance, service assurance, things like that. So, definitely an important point.

Daniel McDermott: Yeah, the need for a good old fashioned continuity plan, hey? Like a- a-

Garrett O'Hara: [laughs].

Daniel McDermott: ... just it highlights, you know, the risk and the vulnerability there. And like you say, on such a wide scale, and- and, you know, there was lots of posts and social media activity around the Teams outage, what it meant and interesting reactions by different organizations, you know? Obviously some sort of going to other collaboration platforms and particularly video conferencing-

Garrett O'Hara: Mm-hmm.

Daniel McDermott: ... and that sort of thing, and others refusing to. "Oh, well, we're down. Like we can't do with- with like the corporate standards team, so we're not gonna go to an alternative." It's like... is that [laughs]... is that great for productivity? Is that the right answer? Like so many things that I think this raises in order for, again, for that conversation to be brought back front and center and to say, you know, these things will happen, and what is going to be our approach? And how do we sort of rally around and un-... make sure that people understand that otherwise people will sort of fill the void themselves and- and create their own continuity plans-

Garrett O'Hara: Mm-hmm.

Daniel McDermott: ... as we've seen in the past as well.

Garrett O'Hara: Yeah [laughs], that's right, everybody shou- should absolutely start worrying. I've heard some... and I'm- I'm guessing you have too, Dan, like horror stories-

Daniel McDermott: [laughs].

Garrett O'Hara: ... of what people do when their primary services become unavailable, and data being sent in ways that, yeah, I mean it just makes me cringe when I... when I hear those stories. But yeah, like it's- it's a... it's an important point of cyber resilience, but it's... like it's not sexy, it's not cool.

Daniel McDermott: [laughs].

Garrett O'Hara: You know, it's not some amazing hacker in a dark room figuring out cool stuff, it's actually just... it's sort of sometimes just dumb bad luck, but it actually has a huge impact to businesses.

Daniel McDermott: Well, the next story is probably of a- a- a cool hacker in a dark room.

Garrett O'Hara: [laughs]. It is.

Daniel McDermott: Is a... is a mysterious cloud enabled spyware that's been detected on macOS. What makes this different and unique, Gar?

Garrett O'Hara: Yeah, it's called CloudMensis and well, a couple of things. I suppose we don't often see Mac stuff. It tends to be that, you know, the attackers out there will go after Windows, 'cause it's used so much more widely for the large part, and then there's some other reasons, but, you know, mostly that.

This one is also interesting that what it's done is it actually just relies completely on cloud storage for its command and control activities. So, if you can imagine it gets onto the machine and, you know, does the- the usual stuff of using vulnerabilities to get privi- privilege escalation.

And then they've got a first stage loader component, but what it does is it connects to the cloud using tokens to various different kind of storage solutions and, you know, there's a few different kind of providers that are involved here. And then it pulls the commands down from the cloud storage, if that makes sense? Then executes them and then returns the data back up to your cloud storage solutions.

So, what that means is that there is no... there's no domains in the code, there's no IP addresses in the code. It's actually all stored in the seat-... in the storage, the cloud storage. So, it's- it's actually quite a clever approach to sort of obfuscating the activity and just making it more difficult to detect that this is actually happening. It's not the first time it's been done, but I think it's interesting.

Daniel McDermott: Mm-hmm.

Garrett O'Hara: You know, it's that combination of Apple, so a bunch of baristas and designers will be freaking out right now.

Daniel McDermott: [laughs].

Garrett O'Hara: And [laughs] and then the command and control storage side of things, I'm sorry, cloud storage is also kind of an interesting angle.

Daniel McDermott: Yeah. Again, making it tougher for everybody to sort of track and- and be able to, you know, close those vulnerabilities. So, definitely an interesting approach there. One that's been around for a little while and just won't go away is Log4Shell. Continues to be a bane in many organizations.

Garrett O'Hara: It does, yeah. And, you know, the story isn't Log4j obviously, but it is the department... the US Department of Homeland Security saying that it's- it's something that we'll be dealing with the fallout of Log4j for a decade or more. And that- that actually rings true. I had a conversation with actually one of our customers as part of the event we did last week, which you were also at. And had a beer afterwards and we were talking about Log4Shell, which makes me sound like a sadder person than I am. Like we- we should've had a- a fuller life, then we could've talked about something else. But there we go.

Daniel McDermott: [laughs].

Garrett O'Hara: But he was describing how much of an absolute nightmare obviously it was for them as they kind of went through all their third party providers, those thi-... like the supply chain kind of, you know, goes so far out, because who knows, it could be, you know, a seventh degree separation where somebody's using code used by somebody, used by somebody, used by somebody, if that makes sense?

And then you know, further out that's the- the- the problem. Absolute nightmare. And, you know, when we spoke about this last, it's not gonna be the last time we see something like this, because we've got a huge amount of open source software and- and software and libraries maintained by volunteers, sometimes one person doing something because they just, you know, are into it and- and wanna kind of produce something good.

Daniel McDermott: Yeah.

Garrett O'Hara: That's- that- that is bonkers that we're embedding that stuff in very critical enterprise applications. You know, I shudder to think where, yeah, if you... if you were able to show a heat map of the types of organizations where this stuff shows up, like Log4Sh-... Log4j specifically, I- I think we'd all have a- a hernia or a conniption and- and kind of freak out.

Daniel McDermott: [laughs].

Garrett O'Hara: But, you know, the point is we'll be dealing with, you know, this one for a decade or more, according to the Department of Homeland Security, and here's my big prediction, we're gonna see more of it and we'll be dealing with those ones for a decade or more. So, there's probably a bigger conversation around, you know, f- fixing the problem rather than waiting for it to happen again.

Daniel McDermott: Yeah, indeed. Very frightening to think that a vulnerability can- can last that long when we know how quickly everybody reacts to close these things down, patches, all of those sort of things that we know are all best practice, but it still can reside for such a long period of time.

Our last story today is how ransomware attacks on small towns across the US continue, with 113 attacks on local government reported in the last two years alone. So, this seems like while we said ransomware in the crypto crash might be having an impact, they've certainly been going after local government in the US at a rate of knots.

Garrett O'Hara: Yeah, spot on. And this kind of felt like a good story to close the loop on, you know, the- the sort of deeper dive conversation we had earlier on. Yeah, spot on. I mean we're- we're seeing ransomware continue and, as you said and I said it too, it's not gonna go away. It's less lucrative, but that doesn't matter. The impact will be just as severe. And if you're one of the- the towns that's gonna be hit and potentially locked out of our critical systems and services, then yeah, I mean it's- it's- it's obviously a continuing worry.

It's a huge... a huge amount of towns in the US are being hit. We've seen it here locally with some of the councils and you know, the impact to them. It's not gonna go away. We'll- we'll potentially see less- less of it, but, yeah, really ransomware is probably here to stay, unfortunately.

Daniel McDermott: Indeed. Well, thank you, Gar, that wraps up today's episode. Appreciate your insights, as always. Who do you have for us as our special guest next week?

Garrett O'Hara: Next week Dan, we've got Lee Roebig who's the Customer CISO for Sekuro. He's a guy I met a couple of months ago and we had a pretty good conversation about Zero Trust. So, yeah, keen to kind of get him on, and that's gonna be the- the sort of focus of the conversation, but we'll, I'm sure, end up on bunny trails as we always do.

Daniel McDermott: Terrific. Well, looking forward to hearing Lee's episode next week. Until then, if you would like to continue exploring key topics in cyber security, please jump onto getcyberresilient.com and check out some of the latest articles, including why social posts can be an open goal for scammers, some practical advice on what makes a great incident response plan, and you can read the full article on could the crypto crash spell the end of ransomware. Thanks for listening. And until next time, stay safe.
