• Daniel McDermott

    Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.


On this week’s Behind the News episode, Dan, Gar and Vinh kick off by taking a look into a ‘false subscription callback scam’ from a group called Luna Moth. We then review the latest attack on LastPass and breached customer details; we continue with another win for the good guys, this time with the arrest of nearly 1,000 suspects. We then wrap up with the latest breaches and vulnerabilities to make the headlines.


The Get Cyber Resilient Show Episode #119 Transcript

Dan McDermott: Welcome back to the Get Cyber Resilient Show. This week is our Behind The News episode. I'm Dan McDermott, your host for today, and I'm joined by our resident cybersecurity experts, Garret O'Hara and Vinh Nguyen. Today, we'll begin by looking into a false subscription callback scam from a group called Luna Moth. Next, we'll look into the latest attack on LastPass, this time accessing customer details. Then, we'll continue our series of looking at another win for the good guys. This time, with the arrest of nearly 1,000 suspects. And then as always, we'll end with a wrap of the latest breaches and vulnerabilities to make the headlines. Gar and Vinh, welcome to episode 119. Let's start this week with diving into a callback scam that has been identified by Palo Alto's Unit 42 research group. What can you tell us about this one?

Garrett O'Hara: So first things first, not to be confused with Luna Lovegood from Harry Potter. This is a very, very different thing that's going on here. So this is an example of some approaches that have become much more popular, this idea of callback sort of scams or, or phishing attacks. The idea there is that you get the inbound phishing attack that arrives into an organization. They tend to be fairly well customized so, you know, people get individual phone numbers to call back on.

So the idea is that it's social engineering the person gets the email, in this case, Dan, as you said, it's you know, fake subscription cancellation just under 1000 bucks on average. And then, you know the person that's socially engineered, they panic, they call a phone number that's set up by the, the attacker. And then from there they essentially go and use well-known tools, so legitimate tools to ex- exfiltrate the data.

They do it in a couple of different ways. They either look for data straightaway and, and see if they can get some stuff out immediately. So using things like FTP but they can also get it set up so that as they get the remote support session going, which is part of this by the way. So you know when you call back the number, they help you. And to do that they get a support session going, and anyone who's used, you know, TeamView or LogMeIn, you know, those kind of tools will be very familiar with that, you know, we use, we use one of those internally.

But once they've got that control, they basically then can set up persistence and a remote access tool as well, and at that point then they can obviously spend longer, look for more stuff and essentially exfiltrate the data.

The big thing here is there's no encryption, and I think we're starting to see more and more of that, right? You know, they're not using any dropped malware, files aren't getting locked up, systems aren't getting locked up. They're basically just getting the data out and then using the threat of it being published as the, you know, the thing to get the ransom paid.

Dan McDermott: And it really does show that notion of, you know, multi vector sort of attacks, right? Like we've sp-, spoken about for a while, but like, really coming to the fore. And that sophistication, like you say, of not only like is this, you know, sort of, it, a, a, like it's a standard email based approach, but they're investing into like call center infrastructure and, you know, remote access infrastructure and all of these sort of things to actually sort of build out, you know, I guess, you know, the sophistication and their offering, if you like. 'Cause we probably will see this a, as-, as a service, callback scam, you know, scam offering as well that others might be able to tap into.

Garrett O'Hara: Oh yeah, I think we, we probably, we're already at that point I would say. And you're spot on, I think the, the interesting thing always is that large investment in things like h-, centers and infrastructure to support these attacks. This isn't new, by the way, I used to work for one of the companies actually I just mentioned many, many years ago, which was an incredibly good tool, like phenomenal, brilliant, used in, in legitimate organizations for supporting their customers. And the bane of our lives was the amount of fraud that was used.

It actually became synonymous, unfortunately, at one point, the tool that we sold, with these scams, where you know you get, at the time it was basically, you'd jump on a machine and then use the remote session to do things like sign up to subscriptions or steal credit card information, was the big one, you know, we're going to check your machine because we've detected a security issue [laughs]...

Dan McDermott: [Laughs].

Garrett O'Hara: And these characters were, you know, pretending to be, or legitimate organizations like Microsoft, you know. So you know, brandjacking very well respected brands to get that social engineering in place to then have somebody connect, and unfortunately they were quite often older people, not technical people. And the brilliant thing with many of these legitimate tools is that they're designed to be easy to use for people who are not tech savvy, like remote con- support tools, they're designed to connect to, I don't know, like the front desk or the, you know, people that are, their job is not to be sort of tech savvy.

The downside of that is then it becomes incredibly easy to attack people who are not tech savvy [laughs], because it, it takes two seconds, you, you point them at a URL, you give them a six digit code and then that's it, you're basically connecting to their machine. So yeah, to your point Dan, like this, this stuff has been around a long time. I think, the, the interesting thing to me is that investment in call centers, you know, these people will have done an overall analysis, you know, and they're so similar to legitimate businesses, it's not like they're going to do this for fun. They will do it because there is a return on investment.

So you know, kitting out and, and fitting out these call centers where as you say, there's supporting infrastructure, machines, voice over IP services, sending services for email, all of that good stuff, and the people you know, you got to pay the, pay the staff, and you know, there's probably an employee of the month competition...

Dan McDermott: [Laughs].

Garrett O'Hara: And there's probably an employee engagement department and, and HR, it probably has all of that stuff. And also on the dark side, and you know, not to go on too much about this, but we have seen those stories, unfortunately, where people are sort of tricked into working in these places and, and then, you know, it's a much darker version of the call centers that are used by the crooks in these cases.

Dan McDermott: Yeah, indeed, and as you say, it's really interesting that then, they're ex-, being able to extort the data and then really, what's, the threat back is what, they're going to publish that or is it, are they stealing sort of, you know, steal personal information? What is it that they're actually getting at, and getting out from these attacks?

Garrett O'Hara: I, I suspect it's a variety of different things Dan.

And you know, if you think about, yeah, your machine, my machine, Vinh's machine, there's, there's things on there that I would certainly not be keen to have published, yeah, on the dark web or really anywhere. And yeah, like I suspect, given that the inbound phishing attacks are fairly well targeted, as I understand it, it's you know, it's going after people that potentially, they already have identified as targets. So they may know that somebody's you know, working in a lab or potentially they've got information around and, you know, pending patents or some IP that means a, a drug company's stock price is about to go through the roof or, you know, like who knows?

I think we're going to talk about a story a little bit later about you know a, a sort of car, an organization that you know, works in the c-, in the car industry and then some of their data that got stolen, so you know, you, you throw a dart at the average machine in a corporation, there's probably going to be something of value on there. And then I think when you're better at darts and you can [laughs], you can target the, the bull's eye of, you know, the, the people who have the IP or the, the information are in payment or strategy for an organization, then all of a sudden that's stuff that you definitely don't want to get published in the dark web or anywhere else.

Dan McDermott: Yeah indeed. And we, we said that like, Palo Alto's research group obviously have called it out and I think named the group who are behind it and that sort of thing. So certainly sort of calling that out. But as Mimecast, we've also seen like a lot of these emails come through, right, and actually seen, I guess that front end of the actual email part and the scam coming through and something that you know, is something that I guess we're very aware of and certainly want to make sure that like, all of our customers and that are also, you know, very, you know, cognizant of and are understanding what is happening in this space and what can be done about it.

Garrett O'Hara: Spot on Dan, it's, it's funny one of our colleagues here, Nish who's a pretty awesome guy, actually works out of our, kind of UK team kind of raised this internally, and I think I might have even mentioned this in one of our internal meetings, but this, you know, the call back the spam variations that our threat teams are, are tracking as I'm sure many kind of several vendors are but it's, it's one that we're kind of constantly on the watch out watch for, and you know, as, as relevant and as appropriate, we will, you know, add protection. As have Palo Alto, by the way, you know, they called that out in their write up, that their customers are protected.

So I think, you know, to me, it points to the value of threat research teams within cyber vendors and, and that idea that, instead of each individual customer having to write their own block rules, you know, that happens at a vendor level rather than at the customer level, which I think is in- incredibly important. And, and the other part, and it's probably stating the bleeding obvious at this point, but it's the value of awareness training. Like time and again it is the humans that are the, you know, the human firewall. I think people are starting to hate that expression because it gets so used, used so often. [Laughs].

But you know, you think about it in this case, awesome to have the technical controls in place, but if we've got a set of employees who are well trained to say, hang on a second, what, you know, what subscription service, I'm not even part of that, you know, why, why would I be getting this, this email. And you know, if they even think it may be legitimate, raise it with the security team and let them have a look at it and, and they will quickly identify that this is a scam.

Dan McDermott: Yeah, no, it's a really good point and it, one that's not on the run sheet for today, but actually, I've got one overnight. So from, a different one from Amazon and it was saying, I got an email saying that somebody had like downloaded a, a gift voucher that was g-, offered to them. The thing is that this employee had left a while ago, the gift voucher's from the start of the year, I'm sort of like my memory's fading me, right? And it-, it's possible that we did something, but it's got their email addresses, like their internal one, which obviously they don't have access to anymore.

So I'm like, this feels wrong. And then not long after, I got another email from Amazon saying, watch out for these type of scams. And actually had outlined it and detailed, sort of, what's happening in that. So it was like, but it, it felt very, very real, and, and with all the detail in there, it felt like this is something that like, you know, actually felt, like, pretty legit. [Laughs].

So you've got to, it's like the, the way that they come across and the sophistication and that, it's so easy to feel like, and particularly you know, if you, if you're busy and under time pressure and all those things that we know, it's so easy to just go, oh, that looks about right, I better do something about this, right? And then bang, as soon as you've taken that first step, then all the bad things sort of, you know, flow on from there.

So definitely I think like you say, Gar, that notion of sort of, you know, people have to take that moment and it can be just that moment, to just reflect and just go, something's not quite feeling right, it's probably enough to to stop a lot of this as well.

Garrett O'Hara: And on that Dan, not to go down the bunny trail of this stuff too far, but you know, one of the things I've, I've heard time and again is the, there's I think more of an onus on organizations to make sure that their comms look really legitimate. 'Cause interestingly, I've heard some stories where the legitimate stuff looks so sort of shonky, that actually it's, it's, you know, w-, we, we talk about this the other way around, where we talk about how, you know, good the attackers have gotten. And yeah, I've heard this problem where third party, you know, sort of organizations are sending out comms, legitimate comms to the customers, and often where they're using like, some sort of SaaS platform and legitimate domain spoofing to send on their behalf. Then you get these emails that don't look anything like the, the normal comms from that brand.

So it's something for you know, cy-, cyber leadership, as they work with their marketing brothers to and, and sisters to think about, is that, you know, if you're going to use those third party sending services then you know, really have a think about how to make the branding consistent so that it's not jarring for the end users when they do get something that they should maybe action. And it is consistent, because I think that inconsistency actually, that's a, you know, it's sort of a vulnerability for organizations.

Dan McDermott: Yeah, and in my example, like the second email I got from Amazon, I was looking at that, reading it going, "Is this from them?" Because I mean, it looked exactly the same as the first one and I'm like, "Oh my goodness." I, like, and it's got a whole bunch of links in that and it seems really legitimate and it talks about, you know, the, the type of scam and I'm thinking, "Is this like a follow up to the first one [laughs] or is this legit?"

It just, you get into this mindset of, and you know, and obviously then you just don't like anymore, or I don't, [laughs] and always type in links and that sort of thing. But it is like, very, very easy to just, to get into that spiral of, which one's real, which one's not, and how do you actually really decipher? And you know, you've got to feel sorry for people that, you know, aren't looking at this every day, right, and would be you know, other, other prime targets of these attacks as well.

Right, we'll move on to our next story, which is, a new breach detected by the password management company, LastPass. We featured this story a few months back, about how their source code and technical systems had been breached. It now appears that the insights gained from that breach have been used to access some of their customer data this time around. So Vinh, what can you tell us about this case?

Vinh Nguyen: It, it tells us the fact that cyber security companies like LastPass can be targeted and it kind of has a flow down effect where you know, anyone else can be a target of these things coming through. And the fact that in August, we had source code and technical information being accessed, but not customer info, and now all of a sudden, you know, LastPass and GoTo, its parent company are saying, "Hey, we've detected some unusual activity with the third party Cloud storage that we use."

It's always f-, fair and safe to just assume a breach. So what they've done is they've launched an investigation, they've engaged Mandiant, who they actually used for their previous breach back in August to kind of figure out the extent of what exactly has happened. You can, the CEO said that, you know, even though this is all happening, customers' passwords still remain safely encrypted. And this is largely in part due to LastPass's zero knowledge architecture, which I think is fantastic, right?

And it kind of leads to other stories where, well, if you're assuming breach and everyone's vulnerable and a potential target, if you don't have that information data on hand, there's not much they can get from there as well. So the fact that these passwords are stored locally rather than within LastPass's infrastructure, sure, they might get some information about customers' information, but the big thing which LastPass holds, which is your master password, isn't there.

So I'd be curious to figure out what information they've got from that or what they will do with that information, but for the most part, you know, if our LastPass passwords are safe there, then all the rest of our passwords should theoretically be safe too, right?

Garrett O'Hara: You kind of wonder, hey, like does this link back to what we just talked about, where, like that question, Vinh, of like what is, what's it useful for? Customer details is the, you know, name, addr-, name, address, email address and like, that's the thing I worry about, is the d-, data, I do get, so I'm a customer of LastPass, in the spirit of transparency awesome product and I think makes me sleep better at night knowing that I don't know any of my passwords. That's a wonderful position to be in.

Vinh Nguyen: [Laughs]

Garrett O'Hara: And so as I get to my, you know, my later, twilight years, not having to remember all of these passwords is fantastic. But the, the point you made there Vinh is, it's so critical, right, that zero knowledge approach. The way that sort of, PKI [inaudible 00:15:58] works is that they don't know what my passwords are, so it doesn't really matter if they get breached, there's not really a whole lot anyone can do to do, you know, do with the, the data that they have got, which is, you know, customer details.

I suspect what you might see is some version of you know, phishing attacks where it's, your master password is being compromised, you know, please confirm here, blah blah blah and then, you know, that, that's the thing that would keep me awake at night, is somebody getting my master password [laughs] which is very long and sort of easy to remember, but you know, if they figure that out for s-, you know, in some way, then you know, that's game over.

Dan McDermott: I think you're right, I like that notion of like, like, this is the thing now, LastPass like, you say, Vinh, you tell us that you know, everything's safe, it's all okay, but you can't help but have that sort of sinking feeling in your gut that like, ooh, is everything all right, is there something wrong here? And then if you get an email from LastPass saying, "Oh, we just need to confirm, you know, your...", you know, very easy for people to, to go oh, I better just, I better click on that one, I better make sure it's right, I better update that.

It's, it's like, that's where I think it's, you know, that all of a sudden, the trust in the brand, like you say, the product might be working, but is the trust in the brand starting to become like, questionable, because it's like well, geez, these guys have been in the news twice now, like, am I okay, do I need to change something? Very likely for many people to be thinking about.

Vinh Nguyen: And that's probably the sentiment, right? And you know, we work in technology, we work in cyber security, we understand the value proposition that, L-, that LastPass do have. But you're right, if you talk to anyone that is not in this space on the street and they hear about this password manager being breached, then of course it's going to raise concerns for them. They're going to be, and that's half the battle with getting people to use password managers, in my experience anyway, is that, their idea is, I'm keeping, I have one password that has access to everything, what if they get access to that password, and that is a deterrent to them using one.

I know Gar, you've mentioned in the past, it's like, friends don't let friends not use password managers. I love that, I've used that so many times already.

Garrett O'Hara: It's, it's it's so true, and it, here's, it's sort of a funny story, somebody who I care about deeply uses a password manager, and guess what they do, they basically store, like three variants of the same password that they created themselves in LastPass. [Laughs]. I'm like, oh, that is so not the point. But like, I, I think Dan, what you've raised is actually really an important point here, right, because part of this is understanding an architecture that's probably, let's be honest, like beyond the average kind of civilian on the street.

You know it's, it's that en-, encryption and you know, a, a sort of an architecture that is secure and there's no, no such thing as perfect sec-, security, but you have to sort of asterisk everything you say these days with that, I get that. But as an architecture, like at least on the surface of it, it, it sort of works for me. And you know I, when I see the LastPass stories hit as they have a couple of times now, so far I haven't had that sort of, run, run out of the building freaking out that my, you know, my online life is, is sort of crumbling around my ears.

It actually just feels like okay, well, we'll see what, you know, what data has been stolen, but I can feel okay about the password side of things. Plus, no matter what, this has to be a safer version than, you know, using the same password or you know, two variances of the same password everywhere, regardless. Even if they get my master password, they would have to then, like literally go, work through a long list of accounts that I've got in there and every single password is unique, so they'd, you know, they'd need to go and reset or attack those. So like, there's no keys to the kingdom, even when you get the master password.

Dan McDermott: Exactly. So it's, it's, like you say, I think it's, so I'm guessing it is partly now on, you know, LastPass and other providers of this, to make sure that that is understood, right? Like that the value of it is understood so that then you don't have all of those, you know, all of those concerns. Like, you know, you said at the end of, you know, most people go, "Ooh, well, I've only got one, that doesn't sound very good, so I better not have that, right?" Like, and so therefore step away from it.

So it's definitely an education in this space that needs to be done around this and then, you know, these things don't help in that education, right, because they create, fear, uncertainty and doubt in people's minds. So definitely a tricky one, but one that I think we will continue to espouse the benefit of, that's for sure.

Vinh Nguyen: And it gets you thinking as well, like today, this is where we're at. But then what is the future of passwords in general? And we're going from state hearing, oh, this is a fun question, Gar and Daniel what do you think is the most commonly used password here in Australia? It, it ranges from different sources but there are a couple that I'm pretty sure we can guess it on the, on the bl- on the pod today.

Garrett O'Hara: Password123 seems to come up all the time.

Dan McDermott: I, I think it, I think it's password1234 Gar, like, you know, like getting really sophisticated.

Garrett O'Hara: Oh yeah, complexity.

Vinh Nguyen: Oh, I was reading something from NordPass and apparently the top two, number one was, 123456 and second is just, password. They didn't even bother with numbers, it was just password.

Dan McDermott: We, we got even too sophisticated there.

Garrett O'Hara: So, I, here-, here's where my head goes in that is that we have like the, there's an obligation, I would say, on the providers' side to check for that kind of nonsense and say, forget about it, like you're, like have a dictionary look up of the obvious stuff, like password, password123, you know, those, those things, like, let's just not use them. I mean that's a pretty trivial thing to implement.

Dan McDermott: Yeah, you'd think most, most, oh, you know, things these days say, you know, they have to have a degree of complexity and all of that in it, right, so you would hope that that becomes at, at least a, a minimum default standard.

Let's have a look at our final deep dive story for this week, which looks at the arrest of nearly 1000 cyber criminals and the seizure of $130 million in virtual assets. The international law enforcement response to cyber crime has certainly stepped up and escalated in 2022.

Garrett O'Hara: Yeah, def-, it definitely has, I think this is a, is this the Christmas miracle, it definitely feels like a good news story. We're, we're kind of, I don't know about you guys, we're slowly burning our way through all the Netflix and Stan Christmas movies that are basically of the same script and you just swap out the actors and yeah, it gets hilarious. But this feels like it could be a nicer Christmas movie, you know, something that could fit right in and make this a, a rom com.

Nearly 130 million in vir-, virtual assets taken down, with this stuff or re-, or retrieved. I think that's a really good news story, and then they've arrested nearly 1000 people, which I think is, is phenomenal. So it's Inter-, Interpol's operation, operation Haechi. I don't know how you say that word, H-A-E-C-H-I but it was, it was a, a five month exercise that they were running. A long list of countries, I don't know if you guys saw the Interpol sort of landing page where they went through this, but like, a long list of countries involved. And it ran from June to November this year.

So fraud investigators around the world looking at intercepting, yeah, obviously cash and money but then also, the kind of virtual assets that these criminals and scammers kind of get, you know, through money laundering, sextortion, romance scams, like there's been a bunch of things, online gambling. So you know, all the fun stuff, unfortunately they're kind of like, having a go at.

But yeah like it's, it's a pretty impressive I would say sort of outcome and I think a really, the thing that gives me sort of, I suppose, hope, is the level of cooperation that actually happened here across, you know, multiple kind of jurisdictions and regions. I think that is just incredibly heartening. And they're, the fact that they're, they're starting more and more to be able to track and block funds, because I know we've, you know, over the, how many years we've been doing this pod, one of the things that's consistently come up is just how difficult it is when you've identified a crime, to actually go after the funds and the cash, you know, to, to either block it or to retrieve it.

In this case, it sounds like through this, this collaboration and you know, like nearly 30 countries involved that they were able to actually retrieve funds. I think it's just, yeah, it's just incredibly good news.

Dan McDermott: And it's definitely the tightening of both ends of the spectrum, right, to like, we talk a lot about prevention and how do you stop the things in the first place, but we know that, you know, like the unrelenting nature of the attacks of, you know, the continued evolution of sophistication and everything else it, you know it, it's not stopping, right? And so it's like, prevention's one part, but obviously this part of it, in terms of actually, the law enforcement side of actually coming in at the back end and being able to actually, you know, be able to find people, find the funds, prosecute is, is huge, then becomes a huge deterrent as well. So you hope that the two things combined really do make for, you know, better outcomes as we go forward.

But yeah, it's certainly at a different scale and level than, you know, we've spoken about a few good news stories recently off the back of all the, sort of the bad news and that, and you know, we've had 30 people and 60 people and bang, all of a sudden you've got 1000 people sort of, you know, implicated into this one sort of investigation. So huge effort and it certainly I think, should give some confidence, you know, that there is that back end law enforcement support that is there and available as well. And so hopefully that becomes a deterrent as well as to prevention. And like I say, we hopefully move forward in a better way.

Garrett O'Hara: Agree, drop the hammer of the law.

Dan McDermott: [Laughs].

Garrett O'Hara: I think, yeah, and to your point Dan, I mean the-, the-, I really liked the way you just put that, because if you think what about the protections against stuff, the deterrents are actually really important too. And you know that, that, you know, we talked about the ROI and setting up call centers and infrastructure. Like if you started to see some of that money getting siphoned back away, it changes the, it changes the math, right?

I mean it does deter because it just doesn't, it stops being worth it, you know? So I think to your point it's, it's actually a really important part of this. Good news, that everyone got their money back. But I think there's a longer term impact, which is, hopefully it deters people who [laughs] who otherwise would have a go, saying well actually, it's probably not worth it.

Vinh Nguyen: And we were also told about Interpol as well, right, and I didn't know it was so big, I thought it was a few countries involved, but I looked, there were close to 200 countries. So although this particular thing was, you know, 30 or so, having the, I guess the law involved and making that, as you said Dan, the deterrent piece, like, that's going to have huge flow down effects in terms of like, is this going to be worth it for us if we know that x percentage is now able to be stopped and transferred to the offshore accounts as well. So very interested to see, like where this kind of leads, the anti money laundering rapid response protocols and kind of how that helps moving forward.

Dan McDermott: Indeed. Well finally, let's wrap up with a quick review of the latest breaches and vulnerabilities to make the headlines. The first news item is a breaking story on how energy provider, AGL, has reported that thousands of customer accounts have been unlawfully accessed. What's happened here?

Vinh Nguyen: I think this is quite still very early days in terms of what it is, but essentially from AGL in a statement, it's around their My Account platform experiencing some suspicious activity which you know, customers have been notified, it's, it's in the thousands I think. I was reading it was about 6000 or so at this time, it could grow. But really as a precautionary measure, what they did was they locked down the platform, and they're now doing their due diligence in terms of figuring out what exactly has happened.

It appears that malicious actors have stolen credentials quite externally, such as usernames and passwords, and are using that to log into several customers' accounts. And like most stories, it starts with credentials being asked somewhere and using it to access a platform. So more of a stay tuned, and we'll keep our ears open to how this develops, but pretty big given AGL's, I guess, presence here in Australia.

Dan McDermott: I think it is. The interesting part is the fact that, like, usernames and passwords are being stolen from somewhere else [laughs] in order to access it. Like, this just feels like the ongoing never-ending saga of Optus and Medibank, right, and how this is the next stage of the use of that data, and what might happen from here.

Which leads us to our next two updates on the ongoing sort of fall out from the Medibank breach. Firstly, the hackers have announced the notion of a case closed, by dumping all the remaining customer data onto the dark web.

Garrett O'Hara: Yeah, I think this one sort of, it is what you just said. Basically the hackers have done, like they're done with it, it sounds like, so they put the remaining kind of data on the dark web, or at least what appears to be that, and then kind of said well, that's it, you know, case closed for the hack. And I don't know, I think it will be interesting to see, you know, whether that is the case or not. And you know, what the implications are, Dan, that's the other thing.

As you said, I mean, this stuff gets used for other things, it's, you know, there ends up being a long tail of impact from these breaches and yeah, I suppose that, that will be the question, what does this mean? I think it was a compressed file that was just over five gigs, so reasonably substantial amount of data, whatever it was.

Dan McDermott: Indeed and then the, I guess the scrutiny on Medibank doesn't end. The breach has now prompted an intensifying look by APRA, from a regulatory perspective, on the cyber security around, I guess, Medibank and the rest of the industry. So Vinh, what is, what's APRA looking at here?

Vinh Nguyen: It's looking exactly at that, Medibank Private, given what has happened over the weeks. It's only fair that the likes of APRA are able to look into Medibank Private's data practices and how they store and how they kind of use it, but actually kind of expand it more broadly. I guess to all APRA-regulated organizations, so we're talking the likes of banks, you know, insurance companies. Yeah, generally if you're dealing in the financial space, you do fall under APRA, and therefore their prudential standard, which is CPS 234.

So really it's a review of that particular to make sure that you know, we're introducing proper cyber resilience around things like, you get banks insurance evaluation, and we're constantly retesting to notify if, you know, if things do happen, that there's a certain kind of playbook to follow and to report up.

But definitely it's going to be one of those cases that we're going to be talking about for a long time in terms of the incident response, but also how that changes legislation. But also like, things like CPS 234, what that means for other APRA-regulated organizations.

Garrett O'Hara: I think this is an interesting one in that I think there's a pattern here. I was kind of thinking about this story kind of over the weekend. I do have a life, but I do, I do sort of-

Dan McDermott: [Laughs].

Garrett O'Hara: ... Unfortunately I think about this stuff a little bit too much. How many standards exist and how many certifications exist, and we kind of know, sort of, what good looks like when it comes to security. But it's the push and the enforcement of that to get organizations doing the right thing. And CPS 234, before it was a standard, was a set of guidelines that APRA had. So it was kind of like, here, please go do these. [Laughs]. These are good, you should do these, because they're guidelines, they're obviously opt-in and it's not mandatory. And I think what you see is, as the stuff becomes more and more important, the stakes get higher year over year.

You know, a guideline becomes a standard and it becomes not a, "Hey look, you should go do this," but, "Go do this." It becomes kind of a, you know, an obligation and mandatory. And even then, not just for CPS 234, but I think it's fair to say, you know, the Essential Eight, or you know, look at a vertical [inaudible 00:32:09], look at the industry, look at their standards and then look at the gaps. And the reality is that a bunch of organizations, for lots of different reasons, whether that's the leadership that's in play or, you know, availability of budget, talent, all of those things, will be some way off. They won't be there, they'll be trying to get there, but they won't be there.

And I think to Vinh's point, as awful as all this stuff has been, the thing I keep trying to come back to is, does this help us get the change that we need, in terms of seeing this stuff as really, really serious and really, really important for every organization to, you know, look at? I think, you know, financial services in particular, given the very sensitive information you provide to them that they have access to, this seems like it, you know what I mean, it's just kind of common sense in so many ways. Rant over. [Laughs].

Dan McDermott: And I think though, it's also an opportunity for those that are not regulated by APRA to say, is this a gold standard? Is this, you know, considering banking and that industry being sort of at that level, is it something that should be reviewed and looked at, you know, in terms of how does everybody raise their own standard and get to another level. And we also see, sort of, you know, the deterrent coming in through the Federal government's legislation around, you know, the increase in fines that come with not being able to meet certain standards.

So you know, I think again, it's the push and pull of some of these things to really look at how, like you say Gar, to uplevel and take the opportunity now to really get to those levels of cyber resilience and that new standard. Otherwise, you know, the next time something goes wrong and there's a fallout, the implications, you know, continue to get higher and higher.

So finally for today, a story that Gar mentioned before around a German manufacturer in the car industry, Continental, which has brought in the FBI to assist with an ongoing investigation into a data breach from August this year.

Garrett O'Hara: Yeah, this is, I mean, Continental, I'm sure folks who, maybe you know who that is, they're an automotive supplier out of Germany. And yeah, it's kind of an interesting one. There was like a sort of issue that had happened, and then, and so I'm going to pronounce this wrong, Handel-, Hans-, Hans-, Handelsblatt, which apparently, it was news to me, but it's a financial newspaper [laughs] in Germany, forgive my ignorance there my German friends. But yeah, they sort of reported on that, that yeah, the FBI's been brought in.

So I don't know what that points to, presumably the sort of involvement of folks outside of Germany, but what they were looking at was the investigation of theft of company data. You know, actually, I've nearly full circled, Dan, back to, you know, what are the things that would be of importance or of interest. But yeah, apparently there was some stuff around kind of strategy and, you know, the kind of business side of Continental that had been exfiltrated.

So obviously that's not amazing. If you're out there kind of going shoulder to shoulder and competing for business, you certainly don't want your competitors aware of what your strategies and what your thinking are for, kind of, your organization. So yeah, I think kind of an interesting one. For what it's worth, I use Continental tires on my road bike, so far so good, they've been really good.

Dan McDermott: Good to hear. Well, I think that wraps up this episode. Thank you Gar and Vinh, appreciate your insights as always, in another big week of cyber news. So until next episode, if you'd like to continue exploring key topics in cyber security, please jump onto GetCyberResilient.com and check out some of the latest articles, including parts two and three in our series on Securing Australia's Cyber Future, as well as a full wrap of the headlines from November in our This Month In Security article. Thanks for listening and until next time, stay safe.
