In our first episode for 2022, we dive into the biggest news from the end of last year - the Log4Shell vulnerability. Where is it at? And what impact will this vulnerability have on companies making use of open-source libraries for code in the future?
We also look at the cyber risks associated with the Beijing Winter Olympics, cyber warfare in the Ukraine and Russia tensions, discuss the implications and usefulness of the Australian Identify and Disrupt Act as the first warrants begin to be issued, and review some of the latest cyber breaches including the Red Cross hack.
The Get Cyber Resilient Show Episode #85 Transcript
Dan McDermott: Welcome to the Get Cyber Resilient Show for 2022. I'm Dan McDermott and I'll be your host today. This episode marks our 85th episode in total and the start of season five. So thank you to all our listeners. We couldn't have got this far without you. This year, we will continue with our weekly episode release each Tuesday, alternating between fortnightly review of the behind the scenes, the latest cyber headlines, and every other fortnight, an in-depth interview with our community of cybersecurity professionals. So let's kick off today's Behind the News episode.
I'm joined by our resident cybersecurity expert, Garrett O’Hara. Gar, well, I tried to take a bit of a break from cyber over the holidays, the world of cybersecurity certainly never sleeps. Let's begin by wrapping up the big story from the end of last year, the Log4Shell vulnerability. 2021 seemed to be book ended by large supply chain attacks. We had SolarWinds at the beginning of the year and Log4Shell at the end. So where is Log4Shell at now?
Garrett O’Hara: Yeah, I thi- I think where it is, is many, many organizations frantically scrambling to try and, you know, understand what devices, what applications or platforms they had in, in their environments, and then kinda go forth and, and try and protect the organization, you know, through updates and patching as is the way. This was a, a really interesting one to me, Dan in, in many ways. Obviously the, you know, the technical-
Garrett O’Hara: ... vulnerability and just how, as you know, relatively straightforward it was and what that gave you in terms of executable code, et cetera, it was, was kind of a shocker, you know, to score a 10, which we always kind of, you know, that always raises some eyebrows when you look at a CVSS of 10.
Garrett O’Hara: But to me, you know, we could talk about the technical side of things, I think that's been really well covered. But I think there's a big conversation that we need to have as an industry around the use of open source libraries. You know, this isn't the first time we've seen an open source library used as a way to kind of exploit the vulnerability and, and attack organizations. And, you know, we're seeing Log4Shell being used to distribute ransomware. For example, you know, the Conti Ransomware Group are using it.
Problem here is open source libraries are incredibly, incredibly useful. I would say they're like almost the pillar of many development functions. You know, I talked about this on our webinar last week. I, I came from a dev background, and people think of development as the, the clever people who sit down and write lines of amazing, amazing code. In reality, most of what development is, is searching Stack Exchange, searching Google, trying to find the person who's already done the thing you're trying to do, and then either steal or code through copy and paste. Or if you're lucky, there's an open source library that you can point to, and then just kind of leverage that.
And, you know, the code you get in an open source library will be good. That's the reality. Thousands of organizations are using it. It's open source, so lots and lots of eyes are on it. The real issue is that I, I think what's happened is, many organizations just use the libraries without putting it through the kind of wringer in terms of making sure that it's secure code.
I spoke to Mark O'Hare actually on this last week. Mark has, uses a technology to actually evaluate open source libraries for security vulnerabilities, right? That's a good thing to do. Many organizations won't have the ability to do that. So the problem is, you end up with these single points of failure used by thousands, sometimes millions of organizations, applications these things are everywhere.
You, if you look around you or wherever you're, you're recording today, you know, spot a piece of hardware, you can almost be guaranteed that in there, there's an open source library being used somewhere. They're in cars, they're in VCRs, TVs, routers, toasters, they're everywhere. And a lot of the time they're completely underfu- underfunded. You've got, you know, one, or maybe two people doing a passion project, doing stuff that is used in defense, banking, you know, military organizations, large enterprise, and not getting paid for it. And then when something goes wrong, everybody jumps up and down and sort of, you know, kind of freaks out because, "Hey, you know, we're using an open source library."
So, you know, there's a bit of a rant, but I think we've got a big, big issue here from a kind of secure development. You know, you and I talk about it all the time, security by design, a big part of that will be funding any open source libraries that are heavily used out there. And, you know, Log4Shell, oh, sorry, Log4j is clearly one of those, it's everywhere. And there are others. OpenSSL, people may remember back in, I'm gonna get the year wrong here, 2014, maybe 2015, that was the Heartbleed vulnerability. And at the time Open- OpenSSL was like one person working on that. And it was used by so many places, completely underfunded. That says that we've got a, we've got a systematic or a systemic problem here rather than anything specifically for Log4Shell. Rant over [laughs].
Dan McDermott: Yeah, which I think get, gets to me around like, you know, so where does the responsibility or the accountability need to lie for security of, of this open source, right? Like you, you said like, you know, like Mimecast as a, you know, an enterprise organization and is able to, you know, run, you know, run anything that they use through its own sort of security networks and tests and make sure you know, and do the right things in that level. But like you said, the idea of open source as well is, is to allow, you know, the proliferation of that to actually be used by many people. So where should we start to look for intersecting security into that process?
Garrett O’Hara: I, I would come back to it as always the company. It's, you, you know, the buck stops with the organization developing the application or the platform. Using open source is a choice. No one puts a gun into anybody's heads, head and says, "Hey, you gotta use Log4j." No one does that.
Garrett O’Hara: The reason you do it is, because development timelines are driven by commercial reasons, not security requirements. So marketing teams, sales teams, you know, need new product, need new platforms. So stuff gets developed at a pace that sometimes outstrips developers' ability to be secure.
And likewise, you know, we've talked about it and talk about it on the show with mo- with many guests. Brand new startup organizations, their, their speed of development is driven by, you know, customer acquisition, f- you know, first market advantage, all of those things that have got nothing to do with security. And they've probably got an exit strategy in mind. That's what they're aiming for. You know, they wanna sell the thing and then, you know, go and live in The Bahamas or whatever.
Garrett O’Hara: And then it becomes the problem of whoever acquires the, you know, the organization or the platform going forward. So I think the incentives are all wrong in terms of development, but ultimately the responsibility has to lie with the organization, developing the platform, the appliance, whatever it may be.
And ca- I would call it, you're generally gonna get better code by using a library than somebody sitting down. And I'll say this as somebody who was a really bad developer, who was really good at the UI side.
Garrett O’Hara: I wasn't, in hindsight, just not, you know, not a good developer. 'cause my job was, here's a one page sheet, go make that thing and you've gotta do, have it done in three months.
Garrett O’Hara: And then there's a lot of 12-hour days as you're frantically just trying to get a thing out the door, and it's Swiss cheese when it comes to security.
Garrett O’Hara: So you know, my, my two cents would be very much like security. You know, we, we talk about this on the show. You move to the cloud, you still own the risk. You don't get-
Garrett O’Hara: ... to outsource your, your risk, and you don't get to outsource your responsibility, same applies to code.
Dan McDermott: Yeah, no, I think that's a great way of summing it up there and you know, giving, making sure we know where that responsibility does lie. And I think drawing that line and how having that clear view is fundamental as, as everybody goes forward and looks to utilize, you know, like you say, the great things that are out there, but do it with you know, open, open eyes and open mind to that as well.
Garrett O’Hara: Absolutely.
Dan McDermott: Just pivoting to some of the pretty big, real world events that are going on at the moment with some really major cyber implications. Let's start with the Beijing Winter Olympics. Where it was fantastic to see Australia win a gold medal in the women's moguls, it's been about 12 years since the last time we won a gold. So fantastic to see that at the Winter Olympics. But similarly to the Tokyo summer games last year, this event comes with some pretty significant cyber risks as well.
Garrett O’Hara: Yeah, it definitely does, Dan. Our, our threat intelligence team have put together a, a sort of threat intel risk briefing much the same as they did with the, the summer Olympics, and calling out some stuff. Obviously it's a, it's a bit of an interesting one this year in that you know, again, no kind of external spectators going. So a lot of people are kind of then funneled into a sort of digital mode to engage with the games.
Look, pretty much what we see all the time. Like it's that trend. COVID pushed people into digital for retail, therefore the attacks increase in digital.
Garrett O’Hara: It's, it's kind of a no brainer. And then, you know, the, the threats that are being highlighted there, there's many, but the ones, I suppose, to focus on would be really around fake websites.
You know, again, clearly with the move to digital as a delivery for you know, interacting with the games in, in whatever sort of manner these fake websites will be sort of there. You'll, you'll see the usual stuff like typographical errors, homograph and homographs of, of kind of real websites. And the, the aim of the game here will be, as it always is, to either steal your money or steal your your information.
And also the potential for BEC is not to be kind of, I suppose, underestimated. And I know this is something you've written about recently but given the supply chains that will be involved in something like the Olympics, you know, huge potential for BEC.
Fake streaming sites is another one. Given that's how people will, will interact with the games is, is through kind of obviously online. You're gonna see potentially a lot of, you know, fake streaming sites, again, you know, fake pay walls using social media to kind of push people towards these kind of, you know, potentially, you know, free places to watch the games. And you know, what you're, what you're looking at then potentially could be, you know, credential harvesting, all the usual things, potentially links that are gonna install malware. And then the last part is obviously then around directly around malware.
And then, you know, we've seen that in other games, things like ransomware attacks, not insignificant given the huge pressure to kind of deliver on an event. And I know talking to some, some of the folks who are involved in the Commonwealth Games here in Australia, the massive, massive, massive amount of resources that goes into protecting games. I think, you know, I've, I've seen the stats where you're talking about half a billion attacks. I think it was through the Summer Olympics, which were obviously because of security controls in place. You know, we didn't really see anything significant. So it will, I'm sure it'll be the same this summer end.
Dan McDermott: Yeah, it's like you said, the, the volume i-is quite phenomenal, right? And because it is one of those times where the whole globe has their eyes on the, on the same thing at the same time. So it definitely escalates in terms of that. And definitely means that, you know, that, that, that risk does increase and during that.
Like you said, from Tokyo though, we did see, you know, you know, nothing significant really come out of that, which, you know [laughs] it's hard, right? When you when a win doesn't make the news it's, it doesn't it's hard to, you know, celebrate that success. Right? But, I mean, that is actually what it is, is keeping these things out of the news actually means it was successful and that security actually had a win in that time. It's when we see all of the headlines that that is actually when, my guess, failures have occurred.
Garrett O’Hara: Uh, a 1000% that. Um, you you know, it's like the Y2K bug for those who are, you know-
Garrett O’Hara: ... long enough in the tooth to remember that. That whole time, I mean, you know, the world was falling apart, a huge amount of time and effort went into fixing whole so many systems. And, you know, when, when it kind of rolled around to January, the, the first, I think everyone was waiting with bated breath for airplanes to fall out of the sky and, you know, toasters to jump up-
Garrett O’Hara: ... jump up and become sentient and attack us, and then nothing happened. That, that's because a huge amount of money was spent in making sure nothing happened. You know, I descri- uh, I've I've heard somebody describe the best cyber security is like a, you know, a train journey that you don't remember because there was no delays, the train ran on time and everything was fine. You know, what you wanna, what you want is the forgettable journey, and, and cyber is a little bit like that. So yeah, spot on, like great news that nothing happened, but it wasn't by accident.
Dan McDermott: Yeah, agree. So let's hope that yeah, in a, in a couple of weeks time when we're on the next episode around Behind the News that we're not needing to discuss anything that has gone wrong with the, with the Winter Olympics. So that would be a terrific outcome.
Garrett O’Hara: Definitely. I'm always just amazed by the way, and I think it, it kind of reminds me of the Cool Runnings movie. Every time I hear, you know, Australia in the Winter Olympics, I know we've got [inaudible 00:12:51]. Uh, It just blows my mind, given a country that is so sunburnt as Australia that, you know, we're in, we're in their winning medals. It's, it's kind of cool.
Dan McDermott: Yeah, I think that's definitely one of the sites said that, "For every gold medal we win at the Winter Olympics, we win 26 at the summer." So [laughter] so they are pretty rare as hen's teeth, and that's why they deserve it. It's a big deal when they do happen as well.
Dan McDermott: Moving to the rather concerning global event of the tensions between Russia and the Ukraine at the moment. We know that Russia have moved troops to the Ukrainian border, but before any actual military warfare begins, we've seen an escalation on the cyber front. Gar, this reminds me about some of the great guests you had on the show last year, discussing cyber warfare, but also discussing cyber resilience at a nationalistic level. What's happening on the cyber front in the Ukraine at the moment?
Garrett O’Hara: Yeah, it's, it's such a, it's a funny one. I've been reading bits and bobs in kind of mainstream media and then some of the kind of commenta- commenta- commentary in, you know, our industry around this whole thing. And you know, I think the reality that's accepted, certainly in the sort of mainstream media and some of the cybers is that, clearly it's gonna be, I feel like if stuff happens, it will be as they call, call them in, in academic world, it's like kinetic you know, kinetic response as in, they'll be rolling tanks and planes and, and, you know, boots on ground, which is what you're kind of seeing in the amassing of Russian forces.
But it's, it's also, we know, from, from history, that cyber will play a part here as it did, you know, back with NotPetya, you know. And people will remember if that was, you know, the Russia uh, Russia-Ukraine tension there. And the, the targeting really of, of Ukraine through M.E.Docs, which was that kind of financial application. And they, you know, we, we, actually we, we just talked about supply chain. You know, you roll back to, to when that happened, and that's exactly what M- M- NotPetya was. You know, they compromised M.E.Docs and then that went around the world.
And I think, when I think about this stuff, that's the real worry with cyber warfare is that it's very, very hard to contain to your intended target. And, you know, you see it all the time where the thing that was, it was used to target a particular organization or a particular nation or state ends up in the world. And that happened with NotPetya, and we saw so many, very global organizations crippled, absolutely crippled. And, you know, footage of you know trucks backed up at ports because, you know logistics companies just weren't operational. And, and all, all that came from there.
And yeah, you're right. I mean, Dr. Chase Cunningham was on last year and he talked about this, that you know, when it comes to, to sort of cyber warfare, it's kind of ongoing and, and is in play right now. And I think he said something along the lines of, "If you're firing rounds, then you're already kind of, you know, behind, or you, you've already lost."
Garrett O’Hara: And I think there maybe is an element of truth to, to that. You know, we, we, we're seeing some of that stuff happen, you know, al-already. There's, there's kind of stuff that's been pointed to as potentially false flag or not as the case may be.
I think Australia is in an interesting position. We were on record, we're providing assistance to Ukraine for cyber, and, and we've been training them for a year. From what I understand, Ukraine has kind of said no to boots on the ground from Australia, but they're happy to take our help with cyber, which is, I suppose, makes sense.
And there's an interesting, I think politics here because of the MH17 flight. And, you know, what we know to have happened there and that, you know, 38 Australians lost their lives in that one. So politically I think there's, there's a lot of you know, political weight behind supporting any support of Ukraine if that makes sense.
Garrett O’Hara: Yeah, it's an interesting one. You know, when it comes back to the conversation, you and I have had so many times around critical national infrastructure and the value of protecting that because, you know, this is kind of what we're talking about. It's the bit where in addition to tanks and, and fire planes and whatever people do to, to do the kinetic response, will, what about the critical national infrastructure in Ukraine and how is that protected? As, as I would say is the same for Australia.
Dan McDermott: Yeah, indeed. Look, it's, it's certainly a frightening, you know, scenario, I think that's playing there and and will continue to sort of, I guess, watch in the... It's interesting, I didn't realize Australia's role in some of that, and, and the cyber support that we are su- you know, providing to the Ukraine and that now. Which is great to hear, you know, that, I guess, you know, our talent is on a global scale and the way that we're able to, you know, support others uh, is part of that, certainly is you know, an, an interesting aspect of it.
I think it, you know, it is just going to be interesting to see how it plays out and, and, you know, it is very frightening in, you know, very real world for the people there. And, you know, whether, you know, a cyber attack comes first and then they roll in the troops you can't help but feel like, that that might be the way that things go. But we'll wait and see, and hopefully, you know, they're able to find a, a diplomatic, you know, response to this.
Garrett O’Hara: Yeah, look, you, you would hope so. Yeah, like, I mean, that's always the, the, the hope is, it gets, it's soft and, you know, with our voices and paper rather than, Hmm.
Garrett O’Hara: ... you know, aggression. But it does. I mean, it, it harks back to the conversation with Joe Carson many moons ago it feels now, but you know, his, his kind of, our conversation about Estonia and, you know, they, the lengths that they had to go to protect themselves from clearly the cyber attack side of things but also that when you do, do kind of roll tanks through a country the potential for damaging data. So like, you know, kind of medical and law.
But the you know, the data embassies where they, they landed DCs in other countries with a view to, if the worst did happen and there was an invasion and there was bombs blowing up DCs that, well, the data was still protected and then resilience was built in at a sort of state or, or nation state level. So I'm sure Ukraine is kind of, is potentially looking at Estonia and maybe thinking along those lines as well.
Dan McDermott: Yeah, indeed. And which brings us, I think, you know, back to looking at things onshore here domestically. And the notion of, you know, privacy and, and the rights of citizens is something that is really interesting of what's being played out through the Australian federal government at the moment. And they've actually taken some significant steps lately under what's known as the Surveillance Legislation Amendment (Identify and Disrupt) Act.
So obviously a piece of legislation there and it started to be activated. We've seen the first move being the issuing of warrants to allow federal police to take control of people's online accounts and disrupt their data. So this is designed to fight criminal activity and combat the growing threat caused by increasing usage of anonymizing technologies. Which leads into the second move, which is that, the government is pushing back strongly against some of the social media giants desire to introduce end-to-end encryption on their platforms.
So Gar, this is a high-stakes battle in trying to strike the balance between personal data rights and the risks of anonymized communications in criminal activity.
Garrett O’Hara: It is a nightmare. Like, like, you know, there's, there's no other way to, to describe it. Like I'm reading through this stuff and look, I can only really talk at a personal level here. I'm really uncomfortable with the moves that are being made by our government. And I, I question the sort of efficacy in terms of outcomes. I, I understand what we're trying to get to, which is, you know, a more secure society. The problem is the cost and the efficacy side of things.
And I haven't really seen any numbers that support powers that are this far reaching. And uh, you know, I would say, you know, the account takeover data sort of, and jumping into a sort of network data level but then the ability to change things like posts or, you know, stuff within a, an online account, I just don't, I personally find that really disturbing. And also the intend the po- the potential to try and erode end-to-end encryption, I find just, just bizarre.
The reason I say that is, quite often in politics, you know, it doesn't take a genius to see that if politicians wanna get something through, they, they basically tell you it's gonna affect jobs, or if you don't support it, then you do support child pornography or, you know, child abuse. And they, they set up this false choice where you're either with us or you support child abuse. And it's ridiculous. There's, you know, there's an absolute middle ground there. And you can be absolutely, I mean, on, on record-
Garrett O’Hara: ... weirdly against child abuse.
Garrett O’Hara: So what a crazy thing to have to say out loud.
Garrett O’Hara: I'm also really against interfering with end-to-end encryption, because what the cost of society is, to me, far outweighs the, you know, the, the helpfulness of that as a, a tool for law enforcement.
What I would say is, what you really wanna get is, onto the endpoint. Um, if you're on the endpoint, you know, whatever, that's fine, um, get in there, install something, whatever that, you know, that, that's it for law enforcement to do. What I'll get a real problem with is, breaking into an encryption for everybody so that you potentially can go after, you know, a very, very small fraction of the communications that happens over those channels.
The other one, which I think is pointing at the bleeding obvious, if you're serious as a criminal organization, you're, you've got your own thing going on. There, it's a very trivial thing to set up, end-to-end encryption. That has got nothing to do with WhatsApp or Instagram or any of those platforms. So if you're actually serious about drugs or weapons or child abuse or any of those things, it's trivial, absolutely trivial to set up end-to-end encryption.
So, and you saw the operational in Saudi. There was a reason that was successful, which was, the criminals were looking for encryption outside of kind of, you know, the, the standard channels.
Garrett O’Hara: Now, it just happened in that case that they bought, [laughs] that they, that they bought that from law enforcement. So I still can't wait for that movie to come out. That's gonna be an amazing movie when, when they make it. But I guess the point here is, I'm, I'm absolutely not convinced that this helps us as a society. And I question the, I question the intent here.
And I, I certainly think that it, it feels like overreach, and it's been rushed in much the same way as the Patriot Act was in the US. And we saw how that went. Um, And it took Edward Snowden to, you know, put his whole life where it is right now for that to come end.
We, we know how this ends. Like, like, I just don't get why or who, who would wanna do it. And I saw one quote, which is just, you know, the, the need for regulatory frameworks that prioritize child and community safety, safety over business. And I, I'm gonna say it's amazing how that's important when it comes to this, but maybe it was, in some states, less important when COVID was happening for political reasons. So you know, if that is really important, can we apply that everywhere rather than just, you know, something that gives what I think is intrusive rights to our government.
Dan McDermott: Oh God, thi- this is a tough one. You know, playing devil's advocate for a moment just around some of the, I guess, the way that I think the Australian government does think about things and the governance that's in place say versus the Patriot Act, which was, listen to everything, hope to find a needle in the haystack and go from there.
I think that this is more designed around when, you know, there's people that you want to know what they're communicating about um, you need to be able to actually, first of all, apply to and get a warrant as part of the process. So there is judicial process, I guess, before anything takes place rather than, I think, a broad-based approach that people may have seen elsewhere.
Garrett O’Hara: Yeah. The, the funny thing is though the approval process doesn't as I understand, it doesn't go through that sort of what we would consider proper judicial process. It actually goes through a different body versus, you know, a, a sort of well-versed judge. I, I just tend to be corrected on that, but I'm, I'm fairly sure that that was one of the things The Greens pushed back on, it was how that-
Dan McDermott: Ru-rubber stamping, are you saying the [crosstalk 00:25:12]
Garrett O’Hara: Um, like I don't, I don't know.
Garrett O’Hara: And I would say when I saw the definition of the, they changed the definition of where this warrant would apply to, you know, "make it more stringent." And when I saw the more stringent version, I'm, I'm sort of thinking, well, it's, it's all very loose language rather than you know, it's something like just- justifiable suspicion or, you know, some, some legalese-
Garrett O’Hara: ... or a little bit like serious harm. Actually, when you think about the OAIC, you know, the notifiable data breach?
Garrett O’Hara: How much hassle that caused, what, what does serious harm mean? And that's what it feels like a little bit here is that, the process for approval for those warrants doesn't get overseen in the way that it should. And to use your words, it, you know, potentially rubber stamped. And then the definition for where they can be applied to is so loose that it's up to interpretation.
And then you do say they're overreach, we've seen this already, you know was it last year? I can't even remember when it was now, but what do we mean? Maybe it was more, maybe about 18 months ago when they went back over the data for the warrants that were related to, I don't know, I'm gonna have to go back on that. There was a massive overreach. There was a huge amount of times where the legislation like this-
Garrett O’Hara: ... was used for places where it wasn't actually designed to be used. And like that just happens all the time. And that, that's the thing. We, we shouldn't be surprised when we see the data on this. And it turns out actually it's been used all the time or often, not all the time, but often for things it was never designed for.
Dan McDermott: And in terms of the end-to-end encryption of the, of the social media platforms, and that i-is obviously the argument is around trying to reduce proliferation of, of, of, you know, criminal activities. So these are like, you know, maybe it's not the, you know, the hi- you know, the highly organized criminal gangs, right? That might be that their targeting narrative is that, how is this seeping, you know, more broadly throughout society? Do you think that there's a role there, or is it, you know, in terms of that? Or is it sort of still, you know, the risks are, you know, of actual intrusion and, you know, data privacy and personal privacy being overreached, you know, outweighs any potential benefit that there might be of stopping the potential proliferation of those activities?
Garrett O’Hara: Uh, the second one. So it feels to me like it's, it's just not worth it. And there's other ways to tackle this problem. That's the thing.
Garrett O’Hara: I'd go back to where data is stored, and you know, the potential for being able to identify images, for example, that are illegal in nature. And and, and that's the thing. For not one second am I saying that we don't need to fix these problems and fight as hard as we possibly can against them, I just don't, I'm not convinced that breaking end-to-end encryption um, or the government stepping in the way of that is the way that we're gonna fix those problems, or if it truly returns results.
And that's the thing. I-if somebody could show me data that says, "Here's the amazing results we've gotten in the past from these kind of approaches." Okay. And, and then going back once the approval process isn't rubber stamping but actually is done correctly and has proper oversight. O-okay. Maybe is there a co- conversation to be had? Right now, we have a, a government that's in my opinion, has a track record of, of really, oh God, this sounds absolutely tinfoil-hatty, but we are slowly marching to, tell me how it's not a dystopian surveillance state.
You know, we've got AI facial recognition. If we're gonna break encryption, at what point is it where privacy truly exists? You can't pay cash anymore because of COVID. So this, you know, we're, we're not a million miles from [inaudible 00:28:47] right now, and this just brings us closer.
Dan McDermott: Yeah. It's, look, I think, as we steamroll towards a federal election, it's gonna be interesting to see if this gets further coverage, a-and what sort of positioning, you know. I mean, the government's clear in their positioning, but I do think it's gonna, like you said, because of the, you know, the headline ramifications, it's very hard to fight against as well. So it'd be interesting to see what approach the opposition are able to take, and whether we do get a balanced view, as you say, in terms of this conversation, or whether it will continue to sort of, you know, steamroll along in terms of what the government is trying to get through.
Garrett O’Hara: Even the killer, to your point Dan, is, "This is complex." Like so many things that politicians rely on, they'll, they'll go for the populist, you know, highly emotive, you know, "support us or you support child porn," you know. And it's just, it's that ridiculous stuff we've been through in Australia many times before.
And, you know, the data retention laws. I remember I was, one of the many reasons I left Facebook was just having these conversations where people who clearly didn't understand privacy were saying just really dumb things like, you know, "If you've got nothing to hide, you should have no problem." And it's like, "Okay, well, tell me your email passwords, you know, leave your front door open." It's just, it's just ridiculous.
Garrett O’Hara: But what you will see in the run-up to the election is highly emotive, highly emotional statements that really set up a fake dichotomy between, you know, supporting this sort of legislation or supporting child porn or job loss, or, you know, what politicians normally do.
Dan McDermott: Hmm. Yeah, definitely a big one that will continue to be a story, I think, as we go through the next several months. We'll wrap up this week's episode with a review of some of the latest breaches to make the headlines. Let's start with the International Committee of the Red Cross. We've seen 500,000 records of people globally accessed by hackers.
Garrett O’Hara: Yes, oh look, this is just, it's sad.
Garrett O’Hara: I don't know what it is particularly about hospitals, not-for-profits, and, you know, organizations in the world trying to do good things and then seeing, yeah, seeing any kind of breach. And even if nothing bad comes from this, which, you know, we, I think it's, at the moment, we don't know if the, the data has been ef- exfiltrated, and I think there was a statement saying that it hadn't been altered.
But fundamentally what it's taken is resources away from people doing their core jobs. So obviously all the, the analysis that goes into understanding what exactly has happened. And I know from reading around on this, that the local Australian Red Cross have had, have had to stop some of the functions that they would do because they can't access things like case notes and case information.
It, you know, it just blows my mind that people who are already so incredibly vulnerable, so people, you know, in immigration camps or in, in places where they might have lost contact with their family. And by the way, that, that is the data that is being compromised here.
Garrett O’Hara: It's the data they used to try and link up missing people with their families. I mean, to get away, I don't know, I mean, I'm kind of lost for words, getting in the way that just seems like just an incredibly, incredibly awful thing to to do. And, you know, is it somebody who didn't realize where they were? I mean, who, who knows? But yeah, it's just heartbreaking to see.
Dan McDermott: Yes, indeed. Like you said, like, I mean, the, the people affected here is, is like they're most vulnerable in that.
Garrett O’Hara: Yeah.
Dan McDermott: And, and so definitely, you know, very sad stories, not, you know, this isn't the blood donor part that we've seen before and that sort of thing. This is, you know, people, you know, missing people and stuff around the world. I guess the only thing is, is, is whether it is somebody, you know, searching themselves and trying to do it for good and looking for information is the only, [laughs] you know, maybe silver lining, but you just can't see that being the case, unfortunately.
Garrett O’Hara: Yeah, I'm, I'm with you on that. I don't, I don't know that it is, if any did. The other thing, it does point back to what we spoke about a little bit earlier in this episode, you know, the risk and supply chain of, of all types, but the data was attacked. It was an external company in Switzerland where the, the data was stored, and they were contracted by the ICRC. So, you know, it, again, points back to that whole thing that you can't outsource the risk. You know, ultimately the impact is on the organization that's built the, you know, the strategy and the infrastructure ecosystem within that particular organization.
Dan McDermott: Hmm, indeed. Well, we certainly can't go an episode these days without a ransomware attack being in the headlines. The most recent one reported is, uh, a British food producer, KP Snacks, who have been impacted. Gar, what happened here?
Garrett O’Hara: Literally exactly what you've, you've just said-
Garrett O’Hara: ... it's a ransomware attack. As we see pretty much every day, multiple times a day, this time on, yeah, KP Snacks. I have to say, huge fan of their dry roasted peanuts. So, you know-
Garrett O’Hara: ... I don't know if we're at a point where we have big enough reach that that's meaningful to KP Snacks, but happy to take a box of their dry roasted peanuts. They're amazing. Anyway [laughs]
Dan McDermott: You're now, you're now an influencer for snacks as well. [crosstalk 00:33:55]
Garrett O’Hara: ... I'm all over that if, uh, if, if only [laughs] if only. So yeah, look, it was the Conti ransomware group that popped them. And it's been reported by one of the, sort of, I suppose, retail media outlets, however, that the, you know, the company has already told sellers, and I quote here, that "No orders will be being placed or delivered for a couple of weeks, at least, and service could be affected until the end of March at the earliest."
And, you know, the reason I'm reading that out verbatim from, from this site that I got this from, is that, like, that points to the impact of ransomware. Like, that is not a small amount of time where, you know, we're fairly close to the start of February. So you're talking about potentially a two-month supply impact for, you know, a very well-known brand.
Yeah, one of those things of ransomware, this is why we talk about it all the time, because, and I know you, you've actually just written about BEC, and that, you know, how much money gets lost to BEC. 64 times more, according to the FBI, versus ransomware. I've been talking about this in terms of getting in a car versus getting on a plane. You know, the plane feels risky because when you read about the plane going down, it's very emotional and evocative, and it's, God, it's horrible to say, but it's, if, if you're in a plane crash, chances are you're-
Garrett O’Hara: ... you know, you're, you're sort of done for this world. Whereas car crash, we get in them all the time and they're far, far, far, far, far more risky. Uh, but we rationalize that somehow because, you know, chances are, hopefully there's a good chance you could walk away, or it's injury versus the, the really bad things.
But yeah, that's it. Ransomware is just, I'd say Conti, by the way, is the one that popped the HSE, the Health Service Executive in Ireland. So, you know, they're, that they're, i-it seems like they're everywhere at the moment. They've hit a bunch of universities, healthcare organizations in the US. And actually, I, I think I mentioned this earlier, in some cases the Conti ransomware crew are using Log4Shell as a way to get the ransomware in, so there's a little bit of crossover there.
Dan McDermott: Yeah, definitely. And like you say, it's, it's the impact of ransomware as to why, you know, it continues to make the headlines for all the wrong reasons. The final story that we'll review for today is one that did capture my attention over the break. And I sent you a, a text on it. It was regarding a Sydney family who nearly lost their life savings and their home in a convincing email-based scam. Pretty sophisticated one, this one, and one that luckily they, they didn't fall victim to.
Garrett O’Hara: Yeah, absolutely, Dan. It reminds me of when we had Laura Jeffrey on. I can't remember the episode number. But yeah, if you scroll back, you know, if you're listening to this, brilliant insight into the personal side of, you know, how it feels, the, the emotions of trying to navigate this stuff as the, the victim of this kind of fraud. Almost exactly the same, slightly different, but, you know, kind of the same deal.
I, you know, I was thinking about this as we were, you know, we were discussing this, and obviously, you know, you, as you said, you, you didn't take a full break because in the middle of, [laughs]
Garrett O’Hara: ... our, our Christmas, [laugh] time off. You, you definitely sent that story across. You know, I'm, I'm thinking more and more, this is a case where a process could be the thing that saves us. And, you know, I look at how this played out, and I think that if the lawyer, um, the solicitor firm at the start provided a, a printed pack, when you meet face-to-face, and there's the bank account details, and the instructions are, "At no point ever pay into a different account. And secondly, if you get an email from us saying to make any kind of payment, and there's bank account details, check them against these. This is your gold, put this in a secure drawer, and don't let that go anywhere. And if it's ever changed then, you know, you kind of know there's something going wrong there."
I, I, the reason I think that would work is because it's not technical.
Garrett O’Hara: It's really well, and, you know, very easily understood by hopefully, you know, anybody who would be going through a house purchase or sale, that you just go to the folder, that's the bank account details you use. If we're ever gonna send you a different bank account, come in and see us, and we'll do it that way. Just think about the amount of money. Yeah, 1.1 million in this case, which, you know, luckily I think it was frozen. Huge amounts of money.
The way this played out and, and what I read, and here's where complexity arrives. Who's responsible? Um, is it the bank? Is it the solicitor? Is it the person who's been hacked and doesn't realize it? Is it the person who pays the hacked account and didn't do the check to make sure that it's the right bank account details? There are so many parties. And, you know, we know from Laura Jeff- Jeffrey's episode, this stuff gets very complex very quickly-
Garrett O’Hara: ... and you get into jurisdictions even within Australia where multiple states-
Garrett O’Hara: ... can be involved. And the handover between one police force to another becomes a nightmare, and you're almost starting from scratch again. Yeah, absolute nightmare.
This is really close to me, by the way, Dan. I don't know if you realized that. Like the Northern, I'm sorry, Beacon Hill, our friends live there. We, you know, we're there all the time. It's literally five minutes in the car from us. So kind of, really, apart from the amount of time we spent talking about this, the, the, the physical proximity of this was like, "Ooh, it can happen to anybody." [laughs]
Dan McDermott: Weird. Yeah, you look at the, you look out the window and it could be you right there, right?
Garrett O’Hara: Yeah, that's it.
Dan McDermott: Yeah, that is definitely the old man-in-the-middle sort of attack there, right? Like-
Garrett O’Hara: Yeah.
Dan McDermott: ... you know, they have got in between, you know, what would be a, a trusted relationship between the solicitor and, and the consumer in making that house purchase, and have impersonated them. And, you know, we know, you know, buying a house and looking to move is very emotional. You know, stress, there's, you know, your time, commitments, all of these sort of things that all bring to bear the notion of why, at that time, it can be something that you can fall for as well. Like you said, I like your printed gold pack. I think that that's a, that's a nice, you know, neat solution that anybody could, you know, take advantage of as well.
Garrett O’Hara: Yeah, that's it. And I think it's, you know, we, we talk about this a lot, the low-tech, simple solutions. They don't always have to be an expensive technology platform. And actually, as I say, expensive technology platform. Well, think about solicitors, they tend to be relatively small, you know, you could consider them SMBs. They're one- or two-people-
Garrett O’Hara: ... organizations. And here you go, will they know what DMARC is? Probably not. But, you know, if this was a scammer who used a solicitor's exact domain, something like DMARC is, that's exactly what that's for. But, you know, if, if I, I would put good money that if I went to your average solicitor and said, "Hey, do you guys, do you use DMARC?" you know, they might think I'm talking about an 80's band or something like that-
Garrett O’Hara: ... but they, they wouldn't be thinking technology. So this is important, SMB protection to protect us all. You know, there's a, there's a bigger conversation here.
Dan McDermott: Yeah, indeed. Well, that brings this, this episode to a close. Gar, thank you again for all your fantastic insights and deep dive behind the scenes of what's been happening in the news. Continue to stay up to date with us at getcyberresilient.com. You'll see a number of articles being back up and running for this year, including the one, as Gar referenced, produced by myself regarding BEC and the cost of that versus ransomware.
Dan McDermott: Next week, we will have an in-depth interview with a cybersecurity expert. And Gar, really looking forward to the guests you'll bring to the show throughout the year as well. Until then, and as always, stay safe.