Dan McDermott

Expert opinions and insights on the biggest events making cybersecurity headlines this past fortnight.

This week we’ll be looking behind the cyber situation in the Ukraine and the call to arms for a ‘cyber army’ to volunteer, we’ll dive into the somewhat creepy world of ‘stalkerware’, the pros and cons of data gathering from our intelligence communities, and review the latest breaches making headlines including the impact on Toyota’s factory operations after a supply chain attack.


The Get Cyber Resilient Show Episode #89 Transcript

Dan McDermott: Welcome to episode 89 of the Get Cyber Resilient show. I'm Dan McDermott, and I'll be your host for today. This week is our Behind the News episode, and I'm joined by our resident cyber security expert, Garrett O'Hara. Today we'll be looking behind the cyber situation in the Ukraine, and the call to arms for a cyber army to volunteer. We'll dive into the somewhat creepy world of stalkerware. We'll review the pros and cons of data gathering from our intelligence communities, and we'll end with a wrap of the latest breaches to make the headlines. Gar, let's begin with a review of the developments from a cyber front in the Ukraine.

Garrett O'Hara: Well what a, what a whopper. Yeah [laughing], we, we were talking before we, we started recording on just how much there is here, that we could spend three hours talking about it and probably not even scratch the surface. It's moving quickly Dan, is, is kinda, I suppose, the fairly obvious statement. You know, you're seeing the Ukrainian Deputy Prime Minister come out and ask for folks to volunteer for the IT army, which I think is the first time that's ever happened. You know, kind of an official government's call for, yeah, really a sort of volunteer army for cyber.

Interesting to see how that pans out, and what it actually means, because on the surface of it you know, I think broadly, there's a pr- support for you- Ukraine. So where my head was at was, you know, like, how many people will volunteer, because it's far easier to do that from home, right. You know, you can sit at home, in whatever jurisdiction you are, and, and, you know, think you're helping, and, and try and jump in to assist with that IT army versus, and you've probably seen the, the stories of individuals who are making their way to, you know, through Poland, to actually physically fight for Ukraine. I've seen one guy from the, from Britain, some of the US guys, like, it's, it's happening where people for whatever reason feel strongly about it, so they're heading over there. But I, you know, I think very easy to jump online and take direction. They've got a Telegram channel, which I'm sure you're across, to kinda direct the, the troops, air quote, troops.

Dan McDermott: [laughs].

Garrett O'Hara: It, I don't- like, how, how do you do that? Like, as a, you know, as an IT army or whatever you wanna call it, that seems like the, the potential for mishap is not small.

Dan McDermott: Mm.

Garrett O'Hara: ... you know, people thinking they're helping, or maybe not as experienced as they think they may be, and that's the worry, you know, that there's a call to action, and that goes wrong, and then you see that kinda collateral damage that we talked about last time, you know, where you wanna do one thing and then people not knowing exactly what they're doing, maybe cause a DDoS attack that brings to something else, and all of a sudden we've got bigger issues than you know, the sort of physical fighting. And, and interesting to see the, the IT army at the same time as Anonymous came out and, and kinda said, "Hey, you know, we're we're now in a cyber war with Russia, and we're able to, apparently take over some of the state sponsored TV channels, and, you know, put Ukrainian content and then sorta memes on there," which is, it, it seems like movie stuff.

Dan McDermott: Mm.

Garrett O'Hara: ... Conti have jumped in, like, honestly it just, it feels like a cyber brawl more than a cyber warfare, it's, you know, all these, all these kind of yeah, sorta gangs that are coming in, and, and sort of saying, [inaudible 00:03:25] legion too, and, and, you know, then threatening everybody else kinda thing. So, yeah, god, it feels scary, and very, very messy.

Dan McDermott: Indeed, and I think, you know, you've just referenced sorta two of the, sorta more well known sort of cyber gangs, right. A- and one has sort of landed on each side of of the equation here, with Anonymous very much sort of on the Ukrainian side, and trying to, I guess, really use their their abilities to bery- basically infiltrate the media, right, in Russia, and actually start to show Russians some of the, the news from the other side, if you like because it is so heavily controlled there particularly sort of through TV, and that. So so they're obviously looking at that front, and how to actually, you know, allow for more information to be shared, and therefore, you know, for Russians to be able to, I guess, be more informed themselves. And on the other front, we have Conti, who are throwing their support behind the Russian government, and say that, oh, you know, look at doing cyber attacks to to, to on, I guess, pursue a, you know, I guess a digital warfare on that front as well.

Garrett O'Hara: Yeah, it is it's quite frightening. The, the thing that does occur to me, and, and you and I have, we've been talking about this for weeks now but it's the, you know, the value of critical national infrastructure and how much of a conversation that is globally, certainly here in Australia, but I, I think many of us had, you know, sort of bated breath, waiting to see the lights get switched out in Ukraine, which hasn't really happened so far. And I think there's some kinda raised eyebrows about that, because I think there was, not an expectation, but it certainly seemed in the realms of possibility, given all the other stuff that is actually happening, you know, the, where, were sort of bombs are dropping, and, and the, you know, kinetic response really of actual physical warfare that's happening. It didn't seem like it was beyond the bounds of reality that, yeah, you would see a large outage power, or, you know, healthcare, or, yeah, communications.

That hasn't happened so far, and I've heard some kind of questions and commentary in the media around why that is, and it's a little bit maybe like Colonial, where, you know, you, you sorta poke the bear, and you probably realize you di- [laughs] you shouldn't. But it, you know, is there an element of if the, hate to even use this expression now, but the, like the nuclear option of cyber attacks came in, and you did, like, literally bring down the critical infrastructure of a country, is that going too far, and would that cause a retaliation from, you know, other interested parties in the war? You know, I'm not, not really sure there, but yeah, it's sort of a relief I think if nothing else.

And, and you probably saw the Ukraine folk getting ahead of the potential for communications outage, and, you know, tweeted for [inaudible 00:06:10] [laughing] Elon Musk to get Starlink rolled out there, which, which they did, which I thought, you know, that's kind of that's an interesting thing. You know, get, get Starlink going, get the infrastructure in place, where even if there is a, an attack on, you know, the traditional communications infrastructure that you've got the satellite connectivity in to at least keep the communications with the outside world open. So, I mean, we saw that in, seen that in a bunch of places, right, Egypt you know, kinda forget all the places, but, you know, when-

Dan McDermott: Mm.

Garrett O'Hara: ... stuff like this starts happening one of the first things you often see is communications just get dropped and you know, that's so people can't organize, and, and sort of you know, figure out where the attack front is, and how to organize troops, et cetera, et cetera, so it's complex, isn't it? I mean, I just, I don't remember ever feeling like there was so much going on here in terms of cyber when, when two countries were going at each other.

Dan McDermott: No, definitely not. A- and, and maybe it has before, but it's certainly just, you know, it's definitely more prominent now, right, and it's much more in our, in our social consciousness, and, and, you know, it makes mainstream, media and those sort of things. But I, I think it's a fascinating area that we, you know, we haven't seen that massive cyber attack, and let's hope we don't, right.

Garrett O'Hara: Yeah.

Dan McDermott: And, and I think you said, there's, there's a few interesting elements to that, as to, you know, why that might be, and, and what sorta happens if it does. You know, I think there has been talk a little bit around the notion of, you know, the Geneva conensh- convention from a, you know, from a war perspective, and the way that, you know you meant to tr- you know have humanitarian rights, still, during a, you know, during a battle, and, that you know, does some of that, you know, consciousness from, you know, from, like you say, the kinetic sort of world, actually flow into cyber as well, and influence, you know, the way that people think? I think, you know, the, potentially, but maybe that's [laughs] putting too much, you know, goodwill into, into what's actually happening.

I think the other one though, is, is exactly what you said, is, is that what is the flow on from that in terms of retaliation, right? And, you know, there has also been talk around the fact that, you know, can a cyber attack actually trigger a clause for NATO to respond? So, we know that the Ukraine is not a, a member of NATO, not one of the nations protected there, but what if a cyber attack, you know, flowed through the Ukraine, and hit Poland's national infrastructure and who are part of NATO and then therefore what does that mean in terms of NATO having a response, whether that's cyber or more, right? Because all of a sudden they feel like they've actually been brought into, you know, into the war itself. So look, it's a, an incredibly fascinating area one that, you know, sadly, you know, we're sorta watching play out in front of our eyes, right. And, and, and with bated breath, like, I think just because it hasn't happened so far doesn't mean that tomorrow's not the day that, you know, that that attack comes, and that and that, you know, things are, you know, impacted significantly from a, from a critical infrastructure perspective.

Garrett O'Hara: Yeah. Spot on. And yeah, I mean, the cyber Geneva convention, it's a work in progress. There's, there are people as you, I'm sure you know, like, working to, to get that done. And it just, it really does make sense these days, like it, it seems, seems less of a nice to have, and much of a, we really need to get that in place, because yeah, the, the thoughts of, you know, hospitals, getting popped, or the power getting out, I mean, that means, it, it's go- you know, I mean, its very, very significant impact to, and, and ultimately probably loss of human life. So, you know, at some point, you kinda, you know, we need to have that conversation.

And, and totally agree on the, yeah, article five with the we- within NATO and reading, you know, some about that the, I think the problem is the ambiguity. Pin- apparently the only other time it's actually been triggered was for 9/11 over in the US. So when September 9/11 happened, it got triggered, but that's the only time I believe that article five has kinda kicked in, so yeah, it'll be interesting to see. And I love your example actually, you know, it is a bleed over into another country, and if you see, you know, significant impact, I mean, I certainly don't know the wording for article five, but the fact that it's even being talked about sorta points to the, how many people have eyes on this, and the cyber side of things, and the fact that you could be talking about a, a triggering of the same thing that 9/11 triggered in this context, sorta points to how important cyber has actually become.

Dan McDermott: And it's, we've seen it before, right, in terms of that, you know, flowing out from, you know, one where an attack starts and where it ends, right.

Garrett O'Hara: Yeah.

Dan McDermott: It happened only a few years ago, with with, with NotPetya, right?

Garrett O'Hara: Yeah, I mean, same two countries,

Dan McDermott: Yeah.

Garrett O'Hara: ... so many similarities that it's frightening really, isn't it? History repeats itself, apparently that's a f- a saying, but you know, here we are. Same two countries yeah, and that was it you know, they were going after Ukraine went for an organization, or a platform called M.E.Doc, and you know, which is, you- Ukrainian, and you know, successfully popped it, but 20% of the folks who were using that particular application or product were outside of Ukraine, and happened to be very large logistics companies. So you saw as, as, you know, everyone woulda seen in the media, the trucks backed up at ports, and the, the huge impact to logistics globally. The worry there is that given all the other stuff that the world is dealing with, with COVID and supply chain, and certainly in Australia, you know, we've got all the floods that are happening with, you know, there's a lot of stuff happening around the world where the last thing we need is another NotPetya. We, we just, we just don't need that. So, fingers crossed.

Dan McDermott: Yeah, but it's definitely, it certainly could happen at any stage, and-

Garrett O'Hara: Yeah.

Dan McDermott: ... and I guess we, we continue to to, to keep an eye on things, see how it evolves. But like you said, started this conversation with the d- the call to arms, right, around it as well which will be interesting to see. I mean, they are saying it's, you know, they're calling to arms Ukrainians, saying that there's a lot of talented Ukrainians around the world, and how can they help, and that. But like you say, there might be plenty of other people that decide that they want to try to help but, you know, is, a- are they really helping, how can they stay coordinated and certainly don't wanna have people getting in the way either. So, it's a, it's a, it's a tricky balance again.

Well, Gar, I think we, like you said, we could certainly talk about the situation for a- for hours but I think probably leave it there for today, and and I'm sure we'll continue to to revise, you know, where this is at, and where it evolves to in the coming weeks as well.

Garrett O'Hara: Yeah, absolutely.

Dan McDermott: So, the next story that we wanted to take a look into is the consumer grade spyware called stalkerware. Gar, let's, let's begin with a look into what is stalkerware and why is it making some of the headlines at the moment?

Garrett O'Hara: Yeah, it's, man, this is, this is the creepy stuff. You know, s- stalkerware basically is it's, it's an app, generally, that will go on your phone, so whatever device you're using. And the, the, look, there are things that are purportedly for things like looking after your child, so if they've got a mobile phone, that you could sneakily install this, you know, essentially spyware/stalkerware on the device, with a view to collecting data from the device, it just lets you kinda know what the, the kid is up to. So, network traffic, GPS data, g- audio access, so you can get access to the microphone, cameras, et cetera, et cetera. You can see where this is gonna go before I-

Dan McDermott: [laughs].

Garrett O'Hara: ... you know, be- before you [laughing], you even kind of finish any of the sentences here. Clearly this is stuff that will be then misused for stalkers, and people with nefarious purposes in kind, thus the name stalkerware.

Dan McDermott: Mm.

Garrett O'Hara: So the [inaudible 00:14:24] here is that if you get this stuff on your phone, you don't even necessarily know that it's there, right. So it's designed to sorta run in the background, look like a system process it's got an insane level of permissions, so, you know, your photos, browsing history, network activity who you're calling access to the, the microphone, to the camera, like just huge, huge amount of stuff to be able to look at and, and, and often in real time. So, you know, you can physically see where somebody is. So, you know, if you've got physical access to a device, I think that's one of the things to kinda know about it generally, it's side loaded. So, they're trying to get rid of this stuff from the stores-

Dan McDermott: [laughs].

Garrett O'Hara: ... for very obvious reasons. But the reality is that quite a lot of people who suffer things like domestic abuse will report that they have been tracked by their, their stalkers, their abusers, whatever you wanna call them, via stalkerware, so this is a very, very real problem.

Dan McDermott: Mm.

Garrett O'Hara: It's not one of those, you know, we t- we talk about cyber stuff all- you know, a lot where the impact is money it's, it's you know, it, it's that, it's, you know, business impact. This is stuff that will actually affect human safety. So, there's clearly a, a problem here. Many people are trying to get it, you know, get this stuff classified, and I think rightly, as malware. You know, it's, it, it, it feels like that to me. Doesn't feel like there's any, I'm not a parent, so maybe I, you know, I can't speak.

Dan McDermott: [laughs].

Garrett O'Hara: You are, maybe you've got a better, you know, better gauge on whether this seems like something reasonable to do, but I grew up in an area where you could leave the house at seven in the morning, and come home at seven at night, and no one knew where we were, what we were doing, and here we all are, we survived. So, I probably just have a, yeah, f- it makes me feel funny. But yeah, it's, it's in the news, TechCrunch have done a cracking article actually on the downside of this, like you need another one, is that the company, companies who produce this, if they get popped, then your data can then, sorta end up in the hands of, of hackers, or, you know, even worse people than the stalker, if that's even possible.

Dan McDermott: Mm.

Garrett O'Hara: And that's, you know, partly how this ended up kinda on the radar was just the TechCrunch article was autum- was awesome, where they, they did a really, kinda deep sorta journalistic job of, of pulling apart a particular organization that was producing stalkerware, tied together a bunch of organizations that were kind of obfuscating themselves, it sounds like. But there was a vulnerability that essentially allowed the leaking of hundreds of thousands of people's data because the, the, you know, the core application which multiple stalkerware apps were built on-

Dan McDermott: Mm.

Garrett O'Hara: ... so, you know, a foundational piece of software almost, you know, bringing back to the problem with, in this case it's not opensource, but it's the same problem, you know, one app is using a, you know, or sorry-

Dan McDermott: Yeah.

Garrett O'Hara: ... multiple apps using the same core, core code base, and you know, with the result being that a, you know, bunch of people get their data leaked.

Dan McDermott: Yeah, except [inaudible 00:17:15] look, it's, it's one of those ones where like you say, it's like as a, as a parent, you sort of have this notion of, "Do we need eyes and ears on everything?" Like, you know, like, it feels like, [inaudible 00:17:26] very different world these days that, that the kids are in, and that one that just feels, I don't know, with a greater, a great deal of trepidation around what can go wrong all the time. You feel a, like, that, like, there is something, and that, you know, and that they are just glued to their devices, like, it is, like, it's a constant battle, as any parent knows, and and so you just, you don't know what's happening a lot of the time. And so you can see the appeal for these things from that type of perspective of thinking, "I'm actually, you know, I'm, I'm helping, I'm doing the right thing." You know that's questionable in its own right, right, and probably need to talk to your, talk to them first and and probably unders- try to understand what's going on. But that's, that's much easier said than done.

Like, so I have no, no doubt that, you know, there would be a lot of people doing this, you know, with the right intentions, right, and trying to do the right thing, and that type of thing. But, you know, so that's, you know, I guess a personal decision, and, and I guess personal sort of, you know, values and that, that people will need to weigh up, but I think it's the last point that you say is is that, where does this information go, who's storing it, and then at scale what does that mean? And if these organizations are creating this, like, were they, have they created it with all the best intentions in the world in terms of the software, or is it, you know, they're data gathering, and therefore, you know you know, they might make a little bit of money out of, you know, a few parents installing it, how much money do they make outta selling it, you know, on the dark web, so that's, maybe I'm going too far, but that's the concern, right, is, is what happens, you know, whether that's intentionally or through them being, you know, compromised, and hacked themselves. But that's where it goes from, you know, individual sort of concern, one to one to one, to, you know, a mass concern all of a sudden.

Garrett O'Hara: Yeah, yeah, and the, the, that idea of the mass concern is, like, certainly where my head ends up with this stuff is that the, yeah, I mean the collection of data, you, you probably get a sense I'm not a huge fan of that ever, really unless there's very, very good reasons to do it. 'cause you just end up having to protect it long term, right, it's the biggest mistake most organizations, whether that's government or private enterprise make is that they just collect too much data, and then they've gotta pay a bunch of money to protect it, where if you just don't collect it in the first place, you're probably in a better position. When you think about stalkerware, and its raison d'être, is literally the collection of data to, you know, in, as you said, in theory provide it to one other person, but if it's gotta be stored somewhere-

Dan McDermott: Mm.

Garrett O'Hara: ... And these companies they, they've got a history already of being attacked by generally hacktivists that are unhappy with, you know, what stalkerware stands for, and the-

Dan McDermott: Mm-hmm [affirmative].

Garrett O'Hara: ... the sort of the risk to human life, or human safety given the amount of, of, of users that have, you know, kind of reported having stalkerware on their phones. I've j- I find it just so astonishingly creepy actually, only, it's a couple of years ago, [inaudible 00:20:25] labs re- released reports, and it's the US, Russia and Brazil were the three countries most affected by stalkerware. So kinda interesting that there's, you know, there's a podium for, for this stuff, but, you know, I wonder what does that sorta s- yeah, I don't know if there's any correlation to other things there. It was interesting three countries, and not necessarily the ones that I would have thought were top of the, top of the list. Maybe one of them I'm not so surprised, but yeah, it's just kind of interesting.

Dan McDermott: Yeah, indeed. And I think it's it leads nicely into our next story which is I guess a review of, of the notion of the [utilitarian 00:21:05] of allowing Australia's intelligence agencies to expand their data gathering powers. But we know that there's inherent risks in the latest report from the Commonwealth Ombudsman finding that breaches continue to occur across many agencies, when it comes to the handling of both stored communications, and in transit, or telecommunications data. So this tension between access to the data for good, versus the inherent risk of misuse doesn't seem to be going anywhere.

Garrett O'Hara: Yeah, like, it, it doesn't. And you can probably hear the sigh of resignation, 'cause I feel like, you know-

Dan McDermott: [laughs].

Garrett O'Hara: ... we, we have this conversation over and over and over again, and it's some version of it's really important for everybody's safety that we, you know, have the ability to get this data or intercept this data, or you know, fill in the blank, you know, we'll, we will only use it for very specific cases, and, and that's kind of it. And, you know, it'll be all, it'll be all kosher, and you know, well managed in terms of processes. And then at some point, there's a review, or an audit, and the audit will say, "There's been massive overreach, they're not following processes, people are accessing data in a way that they probably shouldn't," and and rinse and repeat.

You know, we just, and it's not just Australia, it's, it's kind of everywhere, right and, yeah, again, same old conversation you and I have had a million times. The, the, the internal conflict where you, you want people to be safe, and you want, my friends who are cops, you know I want their job to be easier than it sometimes is, 'cause I've heard how difficult it actually can be for them to do the right thing, and to actually find the information that they need to pursue the, the bad guys.

But it's the bit where I, I think there's a trust issue here, and that to me is at its core where we need, we're at a time I would say in the world, not just in Australia, but in so many countries where we actually really need to be building trust with the populace when it comes to this stuff, rather than eroding it. So it almost feels like some of these agencies and some of the ones that were criticized, instead of ending up in the ombudsman reports, that you almost go overboard in terms of following process, and in terms of making sure that you've done the right thing so that there is no, there is no conversation like this, where we literally don't have the conversation because the agencies that are involved followed the, the, you know, the right processes have got the policies in place so that the correct people are authorizing any kind of interception or access to data that they've got the policies and the things in place to store data correctly, if they do if they are granted access to that data. So, there's not kinda mishandling, there's no booboos, we're not gonna be, you know, dealing with some [laughs], some podcast episode where we talk about the fact that the data that was intercepted was then popped somewhere else, or leaked somewhere else, blah, blah, blah.

So, yeah, it's, look, it is such a tricky one, because I think fundamentally it almost goes back to the Ukraine conversation where the reality is so much stuff has shifted to a digital format that crime has followed it, so you sorta need to be able to do stuff in that realm as well, in which the same way as people can get search warrants, or, you know, do any of those kinda things, that they can do in the physical world, like, we need to be able to have a sensible conversation around what that means in terms of the cyber cyber realm.

The worry is that if, if there's rails put in place, they're there for a reason, and I think any time you go outside of those rails, all it does is erode the trust, and then when we actually do need the stuff, everyone kinda gets up in arms. People [laughs], people like me get freaked out, because it's like, "Well hang on, you've, you know, last time around this happened, and last time around this happened, and last time around this happened," and it seems like it would just be easier for everybody if yeah, if the right thing was done from the start, rather than waiting to be audited or have an ombudsman report come out to say, "Well actually this, you know, here's these agencies at a federal level that have kind of done the wrong thing."

Dan McDermott: Mm. Yeah, look [crosstalk 00:25:02], yeah, to me, look I think you, you've probably hit on two, two [inaudible 00:25:06] points there that I think are just fundamental to this. The, the first one is, you know, the procedures and governance internally in each agency to get access. You know, what does that mean? What is the oversights? What can actually need- what is the process that needs to be followed? Who has the authorization? How do they allow that to occur? That is fundamental, because like you say we can't, I don't think we can go to a world where we say we're not collecting, and we're not monitoring, and we're not doing these things, because because then, you know, something happens on a, on a large scale, and everyone says, "Shouldn't we have dealt with that, and-

Garrett O'Hara: Mm.

Dan McDermott: ... been able to protect," right? So, so, I don't, I think we've moved beyond, you know, saying we ca- we, we, no monitoring is, is the answer, that's not the case. But it is how do you actually govern that effectively?

And, you know, there's again back to, you know, a lot of the cyber world has mirrored what's happened in the real world. You know, for years there's been, there governance around rules and evidence, and how you collect it, and all those sort of things in the physical world, and time, and time, and time again you know, that's, that hasn't been followed. And that has jeopardized cases, you know it's jeopardized, you know, law enforcement across the board. And unfortunately I guess it's, it's human nature that sometimes under pressure, time, all of those sort of things, and, and often, often people try to do the right thing, but just overreaching, right and not allowing for the process that's been set up.

So, how do we get that balance of, you know, of governance, but not bureaucracy, right? Because these things often are going to be time critical as well, they're gonna have to move at pace, so decisions, and people need to be at, on the ball, on the money, knowing what to do, and being able to share the data so that it can be used, you know, in, for all the right intents and purposes that we, that we want it to be. So, and, and that's the area to me, and it's, you know, and then that's subject to people, right, and human nature around human error, and everything else that goes with it. So, that's the hard one because at the end of the day we could put as much processes in place as you like, but it's going to do, come down to the people involved, and that's gonna ha- you know, continue to be, you know, I guess, challenged I think.

Garrett O'Hara: Yeah, 100%. I mean, it's like control grift- drift, or policy drift in an organization right? I mean you might put the, the processes in place, and then over time, they get a little bit lax, and, you know, people s- sort of slightly [inaudible 00:27:35] rails, and then a little bit more, a little bit more, next thing you know you've got some, some issues.

I mean, some of the articles are reporting that yeah, the office [inaudible 00:27:45] I'm quoting here, the office found journalist information warrants were misused, and there was an issue with sufficient seniority of authorized officers. And, you know, again, I know, I joke about being tinfoil hatty, but, like, any time I see journalists getting sort of trapped into stuff like this, I find that a real, yeah, that's, that's kinda the canary in the coal mine in some ways, you know. Of all the things we need to protect, it's that journalist, and, and the media if, to be able to go and do their jobs without fear of data interception putting their sources at risk. Or you know, and, you know, w- whatever it may be that anything there, there's a chilling effect on journalism, or any self editing, which I think already happens for other reasons, like, we just, yeah, nas- we kinda don't need that, I would say.

The other thing I think about, Dan, is this information, and this is a question, right, it definitely is not a statement, but certainly back when you know, the Patriot Act was happening, and the mass surveillance of the US, and, you know, Mr Snowden came out and, and sort of said, "Hey, well actually [laughing], here's what [inaudible 00:28:47] blah, blah, blah." One of the big things that came out of that was, out of all the information that was being collected, how ineffective it actually was in terms of, like, proactively identifying, you know, the baddies, or the bad people that actually it's just a tremendous amount of noise, and a lot of stuff that you get cau- you know, you capture, but actually very hard to draw a line between the mass surveillance and good security outcomes for a country.

That is, that is not a statement, I have no idea, I don't work in this, I'm not a, I've never been part of any of the three letter organizations-

Dan McDermott: [laughs].

Garrett O'Hara: ... and there's a bunch of stuff I've no doubt happens, that I've no idea about. But I would love at some point just to see here's the ROI for this stuff, like, we don't need, you know, details, but we just need some numbers saying, "Hey, look, we're able to stop XYZ number of these type of crimes. We're able to stop five of these things, four of these," you know, the, the, the big s- scary important stuff that would probably make us all feel better about this stuff.

Dan McDermott: You made a good study, right, of, of-

Garrett O'Hara: Yeah [laughing].

Dan McDermott: ... [laughing] [crosstalk 00:29:49] of whe- where it works well. And look, I think it also then goes to that notion of the second point that you raised, Gar, around like, you know, again, there might be collected for a point in time, but how long do you have to hold on to it and what does that mean? And does that create inherent risks of it being, you know, being attacked, and then being breached you know, down the track and that as well? Again, so I think it's just inherent, you know, notion around, you know, security resilience, and, you know, and, and ensuring that these things are as secure as possible. Because, you know, it is gonna be collected and that does mean that it becomes, you know, a large target for somebody at some point in time as well.

Garrett O'Hara: Yeah, no, absolutely. So, the, and that's the thing, and yeah, it's, and, and, and I know what we're talking about is not mass surveillance, right, it's,

Dan McDermott: Mm.

Garrett O'Hara: ... in, in theory, you know, niche cases, or, you know, very specific warrant based, or case based in data interception and whatnot, but I think there's, there's just an interesting trend to more and more, more and more power to, you know, s- look at data, look at people online, and, and actually alter and manipulate people's social presence online. But it feels like you're getting to do more with less oversight, it feels like that's the trend, which I don't think that ends well.

Dan McDermott: Mm. Well, let's let's wrap up today's episode with a quick review of the latest breaches to make the headlines, starting with a look at the impact on Toyota's factory operations after a supply chain attack.

Garrett O'Hara: Yeah, so Toyota, unfortunately they got popped, and as a result there's 14 plants in Japan, so I think that's about, a third from e- [laughs] from memory, about a third of their production capabilities is, is being impacted. And, you know, this is again, this is where a cyber and the real world are just tied so closely together these days, because anyone who's trying to buy a car at the moment in Australia, certainly will know that pretty much every brand has a waiting list of six months, 12 months, 18 months, depending on what you're trying to buy. And the second hand market as a result has just gone off the, gone off the charts completely. It's nearly as good as the housing market in Australia.

Dan McDermott: [laughs].

Garrett O'Hara: So, at some point yeah, like a RAV4 is gonna cost the same as a three bedroom apartment in Bondi.

Dan McDermott: [laughs].

Garrett O'Hara: But it's, it's kind of a, it's a scary one, right, the the, they had sorta cyber attacks hit, and as a result they're, they're currently experiencing production haltages in in their facilities. So that's gonna mean a- clearly there'll be an impact to yeah, given an impact to production, you'll assume an impact to the ability to buy Toyota cars unless they can do some sorta catch up, but I very much doubt that they will be able to just given the supply chain issues that are, yeah, already sorta happening. There was a question in, in some of the articles around this that, you know, given the timing, was Japan kinda throwing its lot in with, you know, the, sort of pro Ukraine sides here, and, and, you know, does that mean it was, you know, was it related to that? I don't think there's any smoking gun, or no one's really pointing to it, it's more a question at the moment could become... And this is the problem now, Dan, isn't it? Everything that happens, we'll be going, "Hm, is this, is this related to [laughing] what's happening in Ukraine?"

Dan McDermott: Yeah. Indeed, it's a, yeah, and obviously Toyota also, you know, famous for just in time manufacturing, right, they've been doing it for a long time. And sort of pioneered that whole approach but when your supply chain, you know, comes to a halt it grinds everything to a halt, because you don't have anything, you know, in the backlog to actually sort of go, and, and sort of, you know take out a storage if you like. So so yeah, it definitely has a, an immediate impact as well, I think that's the thing, on, on their actual production.

Garrett O'Hara: That, you what you've just said there is so important, and more broadly to Toyota than I would say to everybody. Forget about cyber, but the JIT supply chain stuff, it's so brittle that, you know, you see f- forget about cyber, like I say, but like COVID-

Dan McDermott: Mm.

Garrett O'Hara: ... hits, and all of a sudden, you know, ba- supply chain is impacted around the world, because everything is shipped to, you know, be ready to go, as you say, just in time. And, and a- like do you see, like, is there a tie where we go back to some sort of a buffer locally for things that we can, you know, where we, like, nation state prepper [laughs], prepper basements, you know, somewhere under Parliament House maybe, with a, you know, bunch of canned beans, and, you know, the things that we need to continue as a, as a country. But I think, yeah, there's some big questions that I would hope are being asked at the top levels of every government around what it needs to be, what it, yeah, what's needed to be resilient in today's world.

Dan McDermott: Yeah, indeed, big question there, Gar, that's for sure. The next headline that we saw was Nvidia, the global multi-billion dollar manufacturer of graphics chips, announced that its internal systems were completely compromised by a potential cyber attack that has taken part of its business offline for a couple of days. What happened at Nvidia, Gar?

Garrett O'Hara: Yeah, like, I, I don't know that anyone fully knows, like, who was behind the attack, but it was certainly a whopper. You know, these are the, the, the, the folks who make a lot of the world's graphics cards, which I'm not a, do a little bit of gaming, not that much, but these things have just rocketed in value through a combination of people working from home, and then sorta gaming more at home [laughing] I suspect. And then also with the emergence of cryptocurrencies, their graphics cards tend to be really good at sorta doing the thing of mining, and is able to crunch numbers in a way that your kind of, your core CPU, and the onboard chips within most computers ca- you know, they're not as good at that.

So, you know, the, the thing happens, they, they got done just at the end of February, and yeah, as I said, it was, it was pretty impactful. A lot of systems down, developer tools impacted, lot of outages. What's come to light since then is some of the information that has been extracted, which is kinda worrying actually, so things like code signing certificates that have been, I think they were part of a, like a 20 gig, you know, proof of we've got you. But yeah, part of what came out of that was the sorta so- source code, API documentation and then these code signing certs, and what that means is there's a potential for an attacker to basically, you know, kinda get in at a driver level, so you're talking about c- kinda [kern 00:36:34] level attacks which is, it's never a good thing, not surprisingly. So, there's obviously concerns about that. And also part of what was in the trove was the, so part of what Nvidia had done with some of the graphics cards was deliberately throttle them when they detected they were mining Ethereum, sorta one of the kinda cryptocurrencies.

Dan McDermott: Mm-hmm [affirmative].

Garrett O'Hara: So the idea there was you limit the ability for crypto miners to use them, and then get them back into the hands of just regular you know, Bob and Alice who wanna sit at home and play Call- Call of Duty. I've probably aged myself really badly there.

Dan McDermott: [laughs].

Garrett O'Hara: There's probably some awesome game everybody's playing these days, that I, I don't know, it's not Minecraft, whatever,

Dan McDermott: [laughs].

Garrett O'Hara: ... but, you know, they, they wanted to get the, the cards back in their hands so they deliberately throttle the cards when they detect that they're being used for Ethereum mining. Part of what's come out in the, the breach apparently is the code that's done, that does that, so you can now bypass the Ethereum throttling for Nvidia cards, which, you know, again, has a roll-on effect to people who are just wanting to buy a card to play a game. So, yeah, bunch of things have, have come out in that first tranche of data that they've, they've released. So, yeah, kinda remains to be seen what else is, yeah, is gonna be, is gonna be part of that.

Dan McDermott: Yeah, based on what you have shared there, it feels like this one's not over, right?

Garrett O'Hara: No.

Dan McDermott: It's not just the attack on them you know, l- as often is, is, you know, it's the impact on that organization, but where is this gonna go from here? Yeah. Let's keep a watching brief on that one.

Garrett O'Hara: Yeah, definitely.

Dan McDermott: The final story is the OAIC have released the latest six-month review from the notifiable data breaches scheme with somewhat surprising data in there, this time, Gar.

Garrett O'Hara: Yeah, I think look, it's such a f- a funny one to me Dan, if I'm honest. The, like, when the NDB legislation came in, I feel like we [laughs], I was certainly slightly obsessed with it. You know, it was kinda waiting for the report to come out, and, I think many people in our industry were, we th- I think we, we thought we were gonna get a barometer for, you know, cyber attacks in general. But yeah, like, as, as it happens, it's, it feels like the excitement is kinda dropped away, and now you're just into the, to, to the numbers. So, you know, the reporting that there was six 464 Australian data breaches that were reported in the second half of 2021. Which, you know, that, that's the number that's the absolute number, what was interesting though was that there was a drop of almost 10% in that six months leading into December, which I'm hoping that's a good thing. Like, you know, optimist me says that that's because organizations are getting better, they're spending the money on controls, like, stuff is starting to go in the right direction when it comes to protecting against data breaches. That's optimist me, that's, that's kinda what I'm-

Dan McDermott: [laughs].

Garrett O'Hara: ... hoping and thinking is going on there. Yeah, it's just a little bit of an interesting one to see a drop any time these days when you see a drop in things like privacy breaches, or notifications, I should say, yeah, the instant thing is, well, hang on, everything is trending up, how is this going down-

Dan McDermott: Mm.

Garrett O'Hara: ... so yeah, definitely surprising.

Dan McDermott: I- indeed, I mean, I think that's the thing, it, it feels wrong, right?

Garrett O'Hara: Mm.

Dan McDermott: Like, to have a drop, it just feels wrong based on everything else that we're seeing in the market. So, so yeah, definitely one to keep an eye on, it'd be interesting to see in six months' time what happens in the, in the first half of 2022.

Garrett O'Hara: Yeah, definitely. I mean, there was a bump in the breaches due to human error if you saw that data, like, that's, that's up 43% [laughing].

Dan McDermott: [laughs].

Garrett O'Hara: So, kinda swings and roundabouts,

Dan McDermott: Mm.

Garrett O'Hara: ... and that, I suppose I'm not massively surprised by that, because people are working from home, and probably in a mental state and still very distracted, you know, despite being two years into COVID. Yeah, I think more and more that that one has become the, the hot button for many organizations, how do we fix the human error issue? You know, 43% increase there is, you know, that's not, not insignificant.

Dan McDermott: Indeed. Well, thanks, Gar, I appreciate your insights as always. I'm already excited for next week's in depth interview with a great cyber practitioner.

Garrett O'Hara: Yeah, Dan, so next week, we've got Sara Abak, from DuluxGroup, who's joining, and anyway, it's kind of across that [inaudible 00:40:53] area, she's pretty awesome actually. She's got a lot to say. We get into conversations around cyber awareness fatigue the, the, the talent conversation, so kind of attracting and retaining cyber talent. Some very, very cool insights there from Sara actually on that one. And then we talk a little bit about sorta big business of e-comm as well. So, fairly broad conversation, but yeah, Sara's a pretty awesome person to get to talk to, so really good episode.

Dan McDermott: Indeed it will be. And I don't do this often, but I will take a moment to quickly cross promote an event run by Mimecast last week, called Mimecast Connect 2022. You can watch the replay on demand at your leisure, with great insights from a former Prime Minister, an ex FBI cyber agent, a futurist, and real life insights from Sara and other [cytos 00:41:40] as well. So, do check out Mimecast Connect 2022, there's something for everyone.

Until next week, if you would like to continue exploring key topics in cyber security, please jump onto getcyberresilient.com, and check out some of the latest articles, including maturity versus risk, choosing the right cyber security model for your business, a look at how social engineering attacks are evolving, and how to beat them, and how to make cloud security part of your organization's DNA.

Thanks for listening, and until next time, stay safe.
