The Get Cyber Resilient Show Episode #108 Transcript
Dan McDermott: Welcome back to The Get Cyber Resilient Show. This week is our behind the news episode. I'm Dan McDermott, your host for today. And I'm joined by our resident cybersecurity expert, Garrett O'Hara. Today, we'll be looking behind the news of how phishing fraudsters allegedly use a sim box to play hundreds of victims. Then, we'll look at how the Federal Court of Australia has ruled that an insurer is not liable for ransomware cleanup costs. Then, we'll review the latest warning on a ransomware gang making million dollar demands. And we'll end with the wrap of the latest breaches and vulnerabilities to make the headlines.
Gar, welcome to episode 108. Today is a bit different, as we are recording live in-person for the first time, rather than over Zoom. A bit like the original Australian government, we've decided to meet halfway between Melbourne and Sydney and find ourselves here in Canberra together. So, let's begin by unpacking the story of a phishing scammer using a sim box. What is a sim box?
Garrett O'Hara: Yeah. So, a sim box's basically a large kinda piece of hardware that you can plug a bunch of sim cards in for phones. And, and what that allows you to do then, is scale up for sending of phishing texts via SMS.
Dan McDermott: Mm-hmm.
Garrett O'Hara: So, it's smishing, as they're called. So I'm sure everybody's familiar with SMS texts. We get multiple SMS texts or you know, spam messages every single day. And I know I certainly do. My phone does a really good job for the most part of, like, detecting those sort of scams-
Dan McDermott: Mm-hmm.
Garrett O'Hara: ... and, and, you know, that, that sort of feels good. Unfortunately the reality is sometimes they can be really, really convincing and really, really good. And you know, part of what's happened here, is that there was a fraud syndicate. And they were actually operating out of a home in, in Sydney's northern suburbs, which is not far from where, where I live.
Dan McDermott: [laughs]
Garrett O'Hara: So, that, that hotbed of crime that is the, the northern suburbs of Sydney. But they were sending hundreds of thousands of automated texts out to people. And things like banking, telco websites and essentially looking to steal people's details.
Dan McDermott: Mm-hmm.
Garrett O'Hara: You know, standard unfortunately, the standard story. The good outcome here is that they were caught. So, the AFP were able to, to get them and actually arrested two people. One of them in, in [inaudible 00:02:22]. So definitely good outcome. And yeah, obviously something that's... Look, it's been around for, for quite some time. I don't, I don't think it's going to go away. I've actually interestingly saw some LinkedIn posts about two weeks ago. One of the, the Australian politicians I think it was a photo of them holding up their phone saying like, "Why is this still happening?"
Dan McDermott: Mm-hmm.
Garrett O'Hara: And the commentary kind of indicated that actually there's a bunch of reasons. And I think it's not as easy as we might think to, you know, just to outright block SMSs and, and do a kind of default deny kind of approach.
Dan McDermott: Mm-hmm.
Garrett O'Hara: Because it's a phone, and [laughs] it needs to work in a certain way. And you sorta need to be able to get SMSs from unknown numbers for obvious reasons. You know, if it's a brand new supplier or somebody you've just met at I don't know, I was gonna say a party. It's been a long time since I've met someone at a party.
Dan McDermott: [laughs].
Garrett O'Hara: But I don't know, a conference is probably more appropriate. So, yeah. And, and the in this case, the, the cops or the police were working with some of the, the banks and and one of the telcos to figure out who the victims were. Some of them actually had a significant amount of money stolen. So, you know, that human impact that we've talked about-
Dan McDermott: Mm-hmm.
Garrett O'Hara: ... so many times.
Dan McDermott: And does the sim box... What does it actually... How is its role in, I guess, you know, being able to perpetrate a crime? What, you know, how does it work in terms of, like, making this something that is, you know, at scale and, and such a concern and, and needing to get the police involved?
Garrett O'Hara: Yeah. Look, if you, do you guys have the game, Guess Who, in Australia?
Dan McDermott: Mm-hmm, yeah.
Garrett O'Hara: You know, the thing where you have to, like, is, "Does he wear glasses?" So you know the, like, what that looks like? It's got those flip down cards with the people on them.
Dan McDermott: Mm-hmm.
Garrett O'Hara: It doesn't look unlike that, except it's got literally, in this case, about a hundred sim cards in there.
Dan McDermott: Mm-hmm.
Garrett O'Hara: So you could hook that up then via a USB connection, or you know, to a, a computer. And then you can start to use those sim cards to send messages. So instead of one phone number, now, all of a sudden, you've got 100 phone numbers and that means you've got sort of a bigger scope for sending.
Dan McDermott: Mm-hmm, yeah.
Garrett O'Hara: It gives you that ability to, to do that. Interestingly I got a, [laughs] I got a, an SMS scam. It wasn't even a scam, it was one of those ones where something like, "Hi, I'm Ellie." I don't, you know, "I, I found your number on my phone and would you like to be friends?" And it was from one, one number. And I'm like, "Oh, my God." I actually sent it to one of our work groups, kind of joking.
Dan McDermott: [laughs]
Garrett O'Hara: "Look. Should I say hello to Ellie?" Not even two minutes later, I got exactly the same message from a different phone number.
Dan McDermott: Right.
Garrett O'Hara: So I was like, making the joke, "Well, Ellie clearly has a lot of money that she can send-
Dan McDermott: [laughs]
Garrett O'Hara: ... SMSs using multiple numbers." But yeah. I mean, that's, that's kind of what they look like, you know. A bunch of sim cards in a box.
Dan McDermott: Yeah.
Garrett O'Hara: And then, you can kinda scale up the, the volume of SMSs that you can send out. It's a volume game.
Dan McDermott: Yeah.
Garrett O'Hara: I mean, that's the thing, right.
Dan McDermott: Mm-hmm.
Garrett O'Hara: Your, your hit rate is probably pretty low these days. So the more you can send, the more chance you've got of kind of making some money.
Dan McDermott: Yeah. The more you can monetize it. And when you referenced Guess Who, or Guess Whom... Andy Lee runs a Guess Whom, for legal reasons it's called something different, during the Australian Open.
Garrett O'Hara: [laughs]
Dan McDermott: If you're ever watching the tennis and, and... So it's actually-
Garrett O'Hara: Yeah.
Dan McDermott: ... a very funny segment.
Garrett O'Hara: It's brilliant.
Dan McDermott: So, it's it's well, worthwhile. Terrific. And the next story is how the federal court have made a ruling declaring that the cleanup costs from a ransomware attack are not covered by cyber insurance policies. Big ramifications here, Gar.
Garrett O'Hara: Yeah. This is look, this is an ongoing conversation. And I think it's we, we actually just came out of a round table here where this kinda came up, you know, this idea of, of cyber insurance and what can it do and what can it not do. In this case, there was a, a lawsuit over ransomware insurance and what was covered and what was not covered. And essentially, right, it... I'm not a, you probably know I'm not a lawyer, right?
Dan McDermott: Right.
Garrett O'Hara: So, yeah.
Dan McDermott: Yeah, yeah, yeah.
Garrett O'Hara: I don't know if this is a surprise to you but,
Dan McDermott: It is, yeah, it is, mate.
Garrett O'Hara: But what I took from this was just the specificity, specificity of legal of language-
Dan McDermott: Mm-hmm.
Garrett O'Hara: ... and what that means when it comes to sort of executing on it. In this case, on an insurance policy and the, the difference here between the word direct and indirect. And in this case the organization that was was attacked, Inchcape. It's a, an automotive distributor and services firm. Obviously, you know, something happened there. They, they had a bunch of costs that were associated with that breach including cleanup and reputation damage and, like, all of the things that happen post-breach. And Chubb Insurance Australia were the defendants. And obviously, in this case, you know, I suppose the case went-
Dan McDermott: Mm-hmm.
Garrett O'Hara: ... their way. But the policy it covered direct costs. So indirect costs being, you know, if, if people are in for analysis. It's the, you know, gen-, generally the sort of second-
Dan McDermott: Mm-hmm.
Garrett O'Hara: ... level indirect costs that, that you're looking at there.
Dan McDermott: Yeah.
Garrett O'Hara: They're not covered. So, you know, they kind of get into a bit of strife.
Dan McDermott: Yeah, just really interesting the type of things that they've actually called out as indirect costs including, like, forensics-
Garrett O'Hara: Mm-hmm.
Dan McDermott: ... incident response, and r-, even replacement systems. Like, I don't know. I, I look at that and I go, "Well, if you're in a ransomware situation, you probably want to do some forensics and understand, you know, what happened and, and why. Y-, incident response... Seems like the only reason why you're having a, a response is because you've had an incident-
Garrett O'Hara: Yeah.
Dan McDermott: ... which is the ransomware attack itself. So it doesn't feel like these are necessarily secondary costs. These are, you know, prime and center of what happens during this time. So you would naturally, I think, then expect and, and, you know, from your insurance provider that these things are going to be covered because they are part of what you need to do in that situation.
Garrett O'Hara: And so you raised very important points when it comes to cyber insurance, insurance in general. And it's the it's this idea that you've got to be very, very specific about what is covered and what that means.
Dan McDermott: Mm-hmm.
Garrett O'Hara: And, you know, if it means getting a lawyer in or, you know, some kind of counsel on, on what does the policy actually mean, if the worst thing or the worst case does happen. We see this all the time. We've had, you know, guests on the pod talk about this exact thing where this... Cyber insurance does a lot of good, right?
Dan McDermott: Mm-hmm.
Garrett O'Hara: That's, that, it's not all bad. You get access to potentially IR teams, people who know how to negotiate around crypto. You know, they've been through this battle many, many times before.
Dan McDermott: Mm-hmm.
Garrett O'Hara: The insurance companies can bring people in who are incredibly good at the bit where it's all going wrong. But the flip side is n-, you know, what else, you know, to your point.
Dan McDermott: Mm-hmm.
Garrett O'Hara: You know, in forensics, if that's a cost, you know, is, is the cost of that covered? Reputational damage, all the things that are downstream and sometimes very hard to quantify, is the other problem here. And, look, in our industry we talk about this all the time, the role of insurance as a, a counter-intuitive incentive to be attacked-
Dan McDermott: Mm-hmm.
Garrett O'Hara: ... because more and more we're hearing stories where on the dark web you can find out that Acme Corporation of insurance, you know, they're, they've got an indemnity up to X amount of dollars. All of this becomes a much more rich target for the attackers because, well, first of all, they know they've got cyber insurance, they know they've probably got the teams who have access to crypto, how to negotiate that, and they'll probably get a payment in way that they may not for a company that doesn't have cyber insurance. It's complex. This one, yeah, it's kind of a, yeah. I don't really know what to say about it. I think some of the commentary was that it may not have been a specific cyber policy, either. So, you know, again, I'm not a lawyer, so-
Dan McDermott: Mm-hmm.
Garrett O'Hara: ... don't even... I always feel so afraid of even talking about this stuff because-
Dan McDermott: [laughs]
Garrett O'Hara: ... it just, it m-, it's sort of out of my, my comfort zone.
Dan McDermott: Yeah. I think few things that I, I think advice in terms of this, is, like you said, you want somebody to review probably that insurance policy upfront. However, I think this changes that review process because, like I said, I would have expected that some of those things would be included as part of your direct costs. Now, there's a ruling saying that certain things are ruled out. It's getting even more complicated. So that review process, if they've been bringing somebody in, I think changes. And so I think the advice, you know, I would have for anybody out there is, if you have got cyber insurance, get it reviewed now based on this ruling.
Garrett O'Hara: Mm-hmm.
Dan McDermott: And if you're l-, looking into it, make sure that the person actually does review that in the basis of this latest ruling, as well, because this feels as though it's a narrowing of the scope and, therefore, you know, it's, it's putting, like, it's more emphasis back on if you want to include these things, I'm sure the insurer might be able to cover you, but what does that mean for your premiums-
Garrett O'Hara: Mm-hmm.
Dan McDermott: ... and all of those sort of things. So that balancing act, I think, is getting harder in terms of that equation, as well.
Garrett O'Hara: It does. I mean, I think what we're, we're seeing here is the pinch and, on insurance companies. They're, they're pretty good at knowing how to make profits. And in general-
Dan McDermott: [laughs]
Garrett O'Hara: ... that seems to be the thing. You know, they'll be able to [inaudible 00:11:10] data that, you know, what, what they're insuring, how much it's going to cost, and what the profit is that they're going to make. And I think one of the things we consistently see is the explosion of ransomware and just how expensive that actually was when it came to kind of potential payouts or the, you know, the implications or the damages to organizations. And you're spot on. The results of that was premiums have gone up. You know, we talked about that a bunch of times. But also the the part where you go to get the cyber insurance, the expectation of doing security well. You know, what have you got in place that says you take cyber security seriously and that you're worthy of insuring? A little bit like when you take car insurance. Do you have an alarm on your car?
Dan McDermott: Mm-hmm.
Garrett O'Hara: If you don't, it's going to cost you more.
Dan McDermott: Yes.
Garrett O'Hara: You know, if you live in a bad neighborhood, unfortunately, you know, that's going to cost you more, also. So they'll start to take all of that stuff into account. And then there are those those gotcha clauses that people probably need to be aware of. I think we've actually talked about this on the show in the past but things like what is a, an act of war-
Dan McDermott: Mm-hmm.
Garrett O'Hara: ... where you know, there have been instances where an organization gets c-, compromised extreme damage. But there's... Because... And, you know, the, the difficulty of attribution makes it so that potentially an insurance company can say, "well, actually, it was an act of war because it was a nation state and you happened to get caught up in something else. So therefore-
Dan McDermott: Mm-hmm.
Garrett O'Hara: ... you're not covered." All of that stuff, you know, is, is important to kind of take into account. And to your point, maybe you can get act of wars included. But I'm sure that's not for free, right?
Dan McDermott: Yeah. I guess the, the flip side and the, the positive to look at, right, is, is that, is this more incentive in order to actually get your house in order, do all the right things-
Garrett O'Hara: Mm-hmm.
Dan McDermott: ... have your cyber security in a place where then the insurance is actually just filling that, that last mile gap, if you like. And for that worst case scenario, rather than it needing to be the thing that actually is what's going to, you know, protect you overall.
Garrett O'Hara: It, and if you... What you just said is important because it's not going to protect you at all.
Dan McDermott: Right.
Garrett O'Hara: That's the reality. It may protect the business but it's not going to have any meaningful impact to whether a cyber attack is going to happen or not, except from the perspective of incentive. So it really is the, it's the c-, you know, it's the tool when it goes wrong. Well, okay, well, you at least hopefully can claw back some of the costs or the impact-
Dan McDermott: Mm-hmm.
Garrett O'Hara: ... for a breach. But, you know, there's no protection mechanism there except for the incentive sort of thing. So does it make you do cyber security better? That's a good thing. Does it force you to have a good IR plan or to think about response recovery? Awesome. That's a good thing. And then the negative incentive being potentially it's something that is making you more attractive to attackers.
Dan McDermott: Wow. It's it's definitely, it's a complex area, right, and one that I think will continue to evolve. And I think that this just shows that, you know, to keep on top of this. It's, it's not a set and forget, either. It's something that you need to be active in, in being able to actually review on a pretty regular basis. The final deep dive story for this week is the latest warnings from federal agencies in the US of a well-known ransomware gang. What's happening here, Gar?
Garrett O'Hara: Yeah. So this one, I mean, it kind of piques my interest for a couple of reasons, not least of which is Zeppelin. You know, being from, from the era when music was good-
Dan McDermott: [laughs]
Garrett O'Hara: ... I think Led Zeppelin. I'm like is, is it a call out to them? It probably isn't. I'm sure it's about the hot air balloon. But, you know, like, this is a type of ransomware and it's kind of come back but it's come back with a, a new sort of compromise and encryption approach. And here they are actually doing multiple encryptions. So rather than one key, they'll actually do multiple encryptions across an organization. So the potential of needing multiple decryption keys is, is now kind of real. We've talked on the show. It's quite a while ago, actually. But, you know, but when... I think sometimes when people think of ransomware they just think of a, you know, almost like Pac Man just chomping through a hard drive from one end to another. You know, starting at the beginning-
Dan McDermott: [laughs]
Garrett O'Hara: ... At bit zero and getting to bit, you know, whatever it is for, you know, one terabyte drive. And actually you don't need to do that, right? You can be selective. You can encrypt, you know, half of every file or, you know, every second byte or every third byte because ultimately where you land is corrupted files that are not usable. So it doesn't really matter if you spent the time to do a full encryption of, you know, 100 kilobytes. If you do 30 and that corrupts the file-
Dan McDermott: Mm-hmm.
Garrett O'Hara: ... and that makes it unusable, you've done your encryption faster, so, you know, your outcome is... You get to your outcome more quickly with the, like, from an encryption perspective but it's taking you less time.
Dan McDermott: Mm-hmm.
Garrett O'Hara: Probably going to be better return on value. You know, like in this case, they're, they're going after particularly healthcare, actually and some critical infrastructure organizations. So that's probably why you're seeing some of the, you know, the Feds in the US kind of warn about this stuff. But it is ransomware as a service and it's using RDP, which, you know, everybody would be familiar with. And, you know, basically it's that. It's, it's coming in. It's encrypting data. It's hit Europe, it's hit the US. And like, it's ongoing. Like I say, the CISA has put out a warning in the US and you know, people probably need to, to pay attention to that.
Dan McDermott: Yeah. There's, look, there's two elements of that that have really sort of piqued my interest a little bit. One is the multiple encryption case.
Garrett O'Hara: Mm-hmm.
Dan McDermott: Do you have to pay for each one to get a key back?
Garrett O'Hara: Yeah. That's a good question. I mean, they're, they're requesting payments. You know, but it depends probably on the organization. Between $1,000 and, and sometimes more than a million. What I think it is more about is the protection of the payment, if that makes sense. So the p-, the possibility of kind of, you know, decrypting a file or figuring out one key-
Dan McDermott: Mm-hmm.
Garrett O'Hara: ... versus them go and do that for multiple keys. It just makes it potentially harder to, to even consider using a cracker or, you know, reverse engineering the encryption. So I don't think it's multiple payment. I think it's, it's, you know, when you just won a million dollars but we'll give you five keys instead of one.
Dan McDermott: Mm-hmm. And I think that's a, the second part that really got, piqued my interest was the size of the prize here, like the ransom being such a large amount. So, obviously going after very sensitive, critical information into those, you know, vulnerable sort of sectors you know, and then asking for, you know, an enormous amount of money-
Garrett O'Hara: Mm-hmm.
Dan McDermott: ... as part of it. So really difficult, then, f-, situation for them to find themselves in. Not only is it the files and the data and potentially the extortion of that and that what that means but then also having to, you know, fund a considerable amount to actually try to get your systems back and back up online. It's a, it's a real-
Garrett O'Hara: It's a nightmare.
Dan McDermott: ... triple whammy, isn't it?
Garrett O'Hara: Yeah. Absolutely nightmare stuff. And, you know, it's a... Look at the, the fact that it, it is healthcare and and it is critical national infrastructure. It's such a tricky one with ransomware. You know, we, we talk about it all the time, "Don't pay the terrorists."
Dan McDermott: Mm-hmm.
Garrett O'Hara: And then I always come back to, if somebody is going to die, like, that's an incredibly hard decision to make not to pay a ransom if you think there's a chance that you're going to save a life or keep a water supply going or, you know, an electricity grid going. You know, stuff that actually potentially could be l-, lead to loss of life, as well.
Dan McDermott: Yeah.
Garrett O'Hara: I mean, the stakes are high so there, for obvious reasons, you can sort of ask for a bigger amount of money.
Dan McDermott: Scary stuff, indeed. And definitely one to look out for, that advice being put out in the US and sort of what it can mean here, as well. Finally, let's wrap up with a quick review of the latest breaches and vulnerabilities to make the headlines. But before we do that, you were recently in Las Vegas at Black Hat 2022. What behind the scenes access did you get and what can you tell us from, from your trip to Vegas?
Garrett O'Hara: Yeah. It's I mean, Black Hat is just a, it's at a different scale than, you know, than more conferences I've been to and over many years. Maybe some of the ones in maybe, you know, Singapore and Asia are, you know, as, as, as big. Astonishing just, you know, on the exhibition floor the, the number of logos I saw at the stands. And I know this isn't particularly [inaudible 00:19:30] news but the set up that some of the stands had I mean, there, there was themes there. Certainly a lot of talk around the security of API and/or application programming interfaces, which is important. We're seeing more of that, you know, problematic connection system of systems when it comes to building-
Dan McDermott: Uh-huh.
Garrett O'Hara: ... security fabrics for organizations. And you know, if, if your component part is secure but your way of communicating with the other part isn't, then, you know-
Dan McDermott: Mm-hmm.
Garrett O'Hara: ... clearly that's not a good place to be. And yeah. So there, there was a lot on that. And I think that's very important. Certainly, you know, see that, the, that sort of system of system thinking becoming more and more important. Love for JLC was, you know, it was, was everywhere.
Dan McDermott: Mm-hmm.
Garrett O'Hara: And many organizations using that as their kind of case study of, of how they would have helped or you know, have, what, what it meant and, and what their product would do. Obviously, the ever-increasing adoption of machine learning and like, I, I think we're at a point where we're past the hype cycle on that. And, you know, people get how-
Dan McDermott: Mm-hmm.
Garrett O'Hara: ... incredibly useful algorithms are for the gig of cyber. Not... You know, you can't get away from sort of static and dynamic content analysis and that doesn't change, but as an augmentation to that. That machine learning sort of thing has just become critical. So many vendors kind of talking about that. Chris Krebs gave a, I think it was the planner, one of the planners. And he talked about the issue with complexity, you know, that technology-
Dan McDermott: Mm-hmm.
Garrett O'Hara: ... stacks in organizations and how, you know, that has kind of introduced risk, unfortunately, because the more complex the environment, the more you got to manage, the more you got to protect. And, you know, it's probably pretty obvious as I'm saying it out loud but ob-, maybe something that, you know, many organizations need to think about as, as their tech portfolio explodes, that it, it's a problem. We see the same in cyber. That's the reality, also.
Dan McDermott: Mm-hmm.
Garrett O'Hara: You know, we, we see this explosion of cyber-security solutions and then, as you talk to security leadership, so often part of their problem now is how much resource it takes to manage all of these, you know, things that they're using to protect their environment. And actually that's not doing security. That's management platforms.
Dan McDermott: Yeah.
Garrett O'Hara: And that's a different thing. So I think it's a bit of a shift to try and figure out how to move away from complexity but still get the security outcomes.
Dan McDermott: Mm-hmm.
Garrett O'Hara: That was also a theme, I would have said there.
Dan McDermott: Yeah. It's an interesting one and one where, like, we talk about the skills shortage. And really, then, having multiple platforms and this plethora of technology to try to solve the things is actually-
Garrett O'Hara: Mm-hmm.
Dan McDermott: ... adding to the skills shortage, right? Because-
Garrett O'Hara: Totally.
Dan McDermott: ... w-, one person can manage all of those different aspects in that, as well. So that's definitely a, a key consideration. Now, we were talking off mic. And we won't go into any of the evening activities but-
Garrett O'Hara: Uh-huh. [laughs]
Dan McDermott: ... you did mention that, you know, Black Hat is also sort of known for a bit of, as the hacker community and, and, and-
Garrett O'Hara: Yeah.
Dan McDermott: ... things can happen and-
Garrett O'Hara: [laughs]
Dan McDermott: ... pranks done. What happened this year?
Garrett O'Hara: Yeah. It's such a funny one. And I kind of loved it. The [laughs], there's this air of tension when you land. I was told b-, as soon as you land, "Turn off WiFi. Turn off Bluetooth on your phone."
Dan McDermott: [laughs]
Garrett O'Hara: Like, don't even think about it. So I went in. I nearly wore my Faraday Cage suit, you know, I was so paranoid. But, anyway, you know, when you get there and you kind of start to, you know, the work of being at a conference. And I think it was only the first day, the first or second. I had jet lag brain so-
Dan McDermott: [laughs]
Garrett O'Hara: ... the days were all over the place. But they got the elevators. We were setting up. I was part of like a booth presentation over there.
Dan McDermott: Mm-hmm.
Garrett O'Hara: So I was kind of getting mic'd up and we were doing AV practice. And Mike, who is the AV guy, fantastic guy came out of the... You know when you build a big booth there's like a, there's a part where they go in and they close the door.
Dan McDermott: Yep.
Garrett O'Hara: And behind that there's all these wires.
Dan McDermott: [laughs]
Garrett O'Hara: And, you know, crazy stuff going on there. Those, those guys are in there but they've got digital mixers for the audio.
Dan McDermott: Mm-hmm.
Garrett O'Hara: So it's me and the co-, Larry who's the co-presenter. And we're micing up. They used the digital mixer to check levels and all that. So Mike comes out of the inside of the booth freaking out. And he's like, "Oh, the mixer's gone down."
Dan McDermott: [laughs]
Garrett O'Hara: So he's logged into it. And it turned out that they had... this was a fairly commonly used mixer type.
Dan McDermott: Yeah.
Garrett O'Hara: You know, it's digital looks like an iPad.
Dan McDermott: Mm-hmm.
Garrett O'Hara: It connects into WiFi and then, you know-
Dan McDermott: Mm-hmm.
Garrett O'Hara: ... gives you the ability to walk around and be outside and, you know, check the hotspots for the audio. So very cool tech. And he, he spotted them. And he's, like, he's freaking out.
Dan McDermott: [laughs]
Garrett O'Hara: So he just, like, he had to reboot it but apparently that was it. Like, it was a bunch of vendors all using the same one and they all got popped. And then Tom Bailey, one of our colleagues mentioned that they got the... I don't know what they're... I mean, they're pokie machines in my mind.
Dan McDermott: [laughs]
Garrett O'Hara: But you know the gambling machines-
Dan McDermott: Yes.
Garrett O'Hara: ... on the casino floor?
Dan McDermott: Yes.
Garrett O'Hara: There's hun-, it looks like the Matrix.
Dan McDermott: [laughs]
Garrett O'Hara: There's hundreds of these machines. Apparently they got them there. And that's not the first time they've done that, by the way. They did that in Paris, as well-
Dan McDermott: Right.
Garrett O'Hara: ... at the casinos. And you know, they replaced the gambling content with very inappropriate adult content. That didn't happen in Vegas this time but yeah. It's funny how it messes with your head, though, Dan. And so I was getting on the plane to leave. Vegas had the biggest flash flood in, or the biggest rainfall in ten years.
Dan McDermott: Mm-hmm.
Garrett O'Hara: Right? So I'm sitting there and we're about to take off and my phone beeped. And it was a warning saying, you know, "If you're in this area, you're in extreme danger."
Dan McDermott: Right.
Garrett O'Hara: You know, "Evacuate," you know, "There's a risk of loss of life." And I'm like, "Is this real?"
Dan McDermott: Is this real? Yeah.
Garrett O'Hara: You know, so it's, it's such a weird one. It really does mess with your head.
Dan McDermott: Yeah, right. Really interesting. So definitely some funny elements there. And like you say, some of the, the messing with your brain. I think the hacking of pokie machines, though, that sounds like [laughs] you'd be concerned about the, the criminal implications of that one. I'm not sure I'd take on the casinos. That's,
Garrett O'Hara: Oh, God, no.
Dan McDermott: ... just gone too far. [laughs]
Garrett O'Hara: Yeah. I, I've got that movie, well, Casino, right? Yeah, and what happens to people who mess with the casinos. Yeah, no, wouldn't want to mess around with that.
Dan McDermott: Indeed. Well, it sounds like a great trip. And thanks for sharing the insights. The next story we have is that Starlink has been hacked. And this is one that you just spoke about recently.
Garrett O'Hara: Yeah. I mean, I've got a personal interest in this one because I'm potentially looking at use, using Starlink for-
Dan McDermott: [laughs]
Garrett O'Hara: ... for for my internet connectivity. But actually came out of Black Hat and there was a, a Belgian security researcher. I'm going to butcher the name, so apologies, but I'm going to say it's Leonard W-, Wouter. And figured out a way to basically do a full volt voltage fault injection attack on the Starlink user terminal. That's the, the little dishy thing, they call them.
Dan McDermott: Mm-hmm.
Garrett O'Hara: And that people use to connect to the system. But he was able to kind of break into the dish and he was able to kind of go and look at the Starlink Starlink network. So he did that and the presentation at Black Hat was called Glitched on Earth by Humans, so-
Dan McDermott: [laughs]
Garrett O'Hara: ... just thought awesome. You know, I love those. We had literally just talked about this and then you know, that story was there.
Dan McDermott: There you go. Yes. Now coming to real life in the podcast, as well, which is interesting to, to see the ramifications of of what is happening out there. The final story for this week is around Mitsubishi Electric and how they've inherited a vulnerability of OpenSSL bugs. What's happened here?
Garrett O'Hara: Yeah. I mean, I honestly thought this was men-, worth mentioning given we've talked about this stuff quite a few times. And actually, when, when we were talking about [inaudible 00:26:53], OpenSSL came up. You know, it's one of those things that is used in so many organizations and places, as are so many of these libraries.
Dan McDermott: Mm-hmm.
Garrett O'Hara: And, you know, what it means when something happens where there is a, you know, a, a vulnerability. And in this case, yeah, Mitsubishi Electric the ICS industrial control software that's, that's there globally but it's vulnerable to a critical OpenSSL vulnerability. So, yeah, kind of worth knowing. CISA, I think it was, that put out that warning. Again, so CISA, CISA doing some good work,
Dan McDermott: [laughs]
Garrett O'Hara: ... letting people know what they need to pay attention to.
Dan McDermott: Indeed. And as you said many times now, that the, the risk of open libraries and using those something that really does need to be considered and probably considered in the design upfront, right, of what you are using.
Garrett O'Hara: Absolutely. Yep.
Dan McDermott: Well, thank you, Gar. Appreciate all your insights, as always. Who do you have for us as our special guest next week?
Garrett O'Hara: So next week we've got a guy called Fergus Brooks. He's the an executive manager in cyber resilience and recovery for a large well, in finance. He's got a l-, man, he's got such an incredible background. He's actually worked in insurance. He's been a kind of on the tools, you know, and sort of proper tech. But he's got a really interesting perspective on risk. And, I we get on really well. I think it's partly because I agree with what he says which is around, you know, being thoughtful about defensive security, you know, the sort of tech, tech side of things versus thinking about impact, you know, and, and what it means and, you know, thinking about recovery and response, as well. So obviously organizational and operational resilience but, like, where's the data? How, how do we keep services up? What's critical? How do you keep the business going? He's just got a really interesting perspective on that and, and one that I kind of agree with in that you know, don't overspend on defense. Spend exactly what you need to.
Dan McDermott: Mm-hmm.
Garrett O'Hara: And then, also, be balanced and think about what it means if there is a what is potentially an inevitable breach.
Dan McDermott: Fascinating. Can't wait to hear that and, and get the insights from that podcast, as well. So until next week, if you'd like to continue exploring key topics in cyber security, please jump on to getcyberresilient.com and check out some of the latest articles, including how the education sector is a hot target but how it can fight back; also, looking at how machines can lead the fight, AI and incident response; and stop neglecting DNS security or pay the price. Until next week, stay safe.