• Garrett O’Hara

    Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.


Expert opinions and insights on the biggest events making cybersecurity headlines this past fortnight.

This week we take a look behind the news that password-less security has finally arrived through the FIDO alliance, dig into the change to mandatory IoT security standards in Australia, review the latest cyber updates regarding the war in the Ukraine, review cyber’s role in the upcoming Australian election and beyond, and review the latest breaches making headlines.


The Get Cyber Resilient Show Episode #97 Transcript

Dan McDermott: Welcome to episode 97 of The Get Cyber Resilient Show. I'm Dan McDermott and I'll be your host for today. This week is our Behind the News episode and I'm joined by our resident cybersecurity expert, Garrett O'Hara. Today, we'll be looking behind the news that the era of password-less security has finally arrived through the FIDO Alliance. We'll dig into how the voluntary IoT security standards announced last year are now mandatory in Australia. We'll review the latest cyber updates regarding the war in the Ukraine, including the Viasat attack, impacting critical national infrastructure for more than a month with 2000 wind turbines offline across Europe. It's election week here in Australia, and we'll review cyber's role in the election and beyond, and we'll end with a wrap of the latest breaches and vulnerabilities to make the headlines. So Gar, let's begin by diving into the potentially password killing scheme devised by the FIDO Alliance. What can you tell us about the FIDO Alliance and how will this improve security?

Garrett O’Hara: Yeah, it's the the era, I think you said it already of password-less. You know, we've heard this conversation or, you know, that, that phrase be bandied around for quite some time. I think passwords, like, is a little bit of scene setting context. [laughs].

Garrett O’Hara: ... passwords are the absolute bane of most security professionals' lives. And even just us as human beings going around our day you know, how many different platforms require password. And one of my personal frustrations is the thing where I just wanna maybe buy something online, but they force me to create an account and yet another password and yet another service. And, Hmm.

Garrett O’Hara: ... I think that's what the behavior that that's kind of forced is people choosing either a very simple password, which is very easy to brute force or using the same password time and time again. And you may you're, you're probably aware of like ISO 27001. And, and some of the, the kind of security standards that are out there, like, kind of require timeline time, what you call lifetimes for passwords. So, you know, they have to be recycled-

Dan McDermott: Mm-hmm.

Garrett O’Hara: ... or reset or recreated every three months, which actually creates just terrible behaviors 'cause people choose the same password and then, you know, tap, I mean, tap on two le- numbers at the end and then just increment the numbers. So, you know, really one of those things where the intent of not having the same password is good. But actually it just, it makes for complete another beep show. I was gonna curse there, but we, we won't be able to do-

Dan McDermott: [laughs].

Garrett O’Hara: ... that post-edit so... So you know, what, what are the suggestions, you know, incremental improvements in, in security? Certainly things like MFA are really good. The problem you runs in, run into there is, you know, if I look at my phone, I've got probably four or five different types of authenticators on my phone. I've got some one from-

Dan McDermott: Hmm.

Garrett O’Hara: ... Symantec, I've got one from Forti- F- yeah, FortiTokens. I've got a Google one. There's just tons of them. And you end up, you know, with a fairly disparate set of solutions. I'm trying to remember which one is used for which application, blah, blah, blah. So that's like annoying. You've heard me ba- you know, battle on about password managers for a long time. Yeah, awesome. Again, incremental improvement in security, but still, you know, require passwords. So the promise of FIDO, and this is o- okay, I think this is really actually quite an important one is be- because of who's involved in this. You've got Apple, Google and Microsoft basically working on this and committing to basically supporting it as a standard.

So first of all, you get that cohesion into a standard that's I think always a good thing because it starts to get out of the way of all of the problems that comes with you know, disparate solutions. So that's the first really good sort of good news piece. And that's great, you know, that that's cool. Easier times to roll this out, if you're, if you're designing a platform or you're retrofitting this kind of authentication, it, it, it should be easier and less troublesome than other approaches. It has been, apparently it's had the, the crap kicked out of it by security experts. So, you know, the implementation is good. It's being reviewed. It's not one of those kind of things that's just bespoken and, you know, randomly come up. It's, it's, a lot of work has got into this.

Fundamentally, what it gets to is the point where you don't need to use a password. You basically can authenticate using things like biometrics. So a fingerprint or facial recognition as, you know, two examples, but the idea would be that using, say a mobile device, when you try to log into something, maybe an online platform that you get a prompt, you know, sort of push notification on your phone and putting in, you know, the thumbprint and you're, you're done. That's pretty much it. It's very, very elegant from a user's perspective. And also very secure because what's being stored on the device is a, a thing called a pass key. And what's good about that is you can actually store that pass key on multiple devices so they always can flow across a variety of different platforms using that same pass key, if that makes sense. So the, the promise here is like, you can see me, we... Well, the listeners can't see me, I'm smiling because I think it sounds amazing.

Dan McDermott: [laughs].

Garrett O’Hara: I, I personally feel like my shoulder's relaxing and, you know, sense of calm and peace arriving as I think about not having to remember 50 million passwords or use a password manager ever again. Like if I thought I could just log in and just, you know, biometrics, I mean, how good is that? Another another small part about this is just the proximity of the authenticating device. One of the things that it will get rid of-

Dan McDermott: Hmm.

Garrett O’Hara: ... from a phish attack perspective, you know, I'm sure everyone's familiar with man-in-the-middle attacks where you basically stick a website in the middle of an authentication, get the SMS, you know, you know, one time use key or code and do a pass through to the, to the real site. So you can kind of do a man in the middle or person-in-the-middle attack. Yeah, this gets rid of that. I mean, there's, there's a bunch of other things, but one of them being the proximity detection using Bluetooth. So if I go to authenticate to something that I basically I can detect proximity. So I know it's not somebody in the other side of the world using an a code that's been SMSed as one example. So yeah, sorry, lots of thought has gone into this, but I'm, I'm very, very excited about the potential for, you know, truly ease, better security and easier use. I mean, those, that's the, the sort of amazing combo we're looking at here.

Dan McDermott: Yeah. Some really broad implications of this, right? And I think the, one of the explanations, like you said, there, that has been explained around sort of the pass key concept is, is using two elements. One of something of what you have, which is your phone, then everyone's got their phone with them all the time. And then the other part is who you are. And so that's where something like biometrics and that comes in, and the combination of those two things is to say with proximity means that, you know, somebody can't be attacking you remotely because they can't get access to that.

So I think it's a really, yeah, it's an interesting concept. Some of the implications, I guess, Gar, that sort of come to mind, right? Is as we know, as, as a, as the world, we've moved to a lot of these mega services and platforms, right? And providers, where we know the benefits of doing those things and this as, as password-less, as a, as a, you know, one centralized provider, but does that create a big target for that? And does it mean that, you know, again, like they become the tar- the target of actually hacking into a system like this and hacking once gets access to everybody. So it becomes the prizes are much greater as well.

Garrett O’Hara: Yeah. I don't, I don't think it'll work that way. Yeah. The, like the pass keys will be distributed. I mean, it's basically how much of the internet works today, which is, you know, there's some version of cryptography, PKI. And that's what, what you're generally relying on in situations like this is that the algorithms can be known, and it doesn't matter because of the math involved, the, the security comes from the math involved rather than you know, obfuscation or, you know, where something is stored. So I think it'll be the same in this case.

Dan McDermott: Hmm.

Garrett O’Hara: I mean, one of the things that I'm sure people will think about is the security of biometrics in general. You, we've talked about this, you know, that, that idea of the use of things like algorith- ML and AI to, you know, basically brute force things like fingerprints, which there's been studies done on that, and academics have, have done some stuff that's, you know, sort of frightening when you think you can't really change your fingerprint, right? It's not like a password where you can-

Dan McDermott: [laughs].

Garrett O’Hara: ... go and change it. Like your fingerprints are for life as is your, yeah, your face. And it's, we, maybe they give out vouchers for plastic surgery is the, the solution to that if you get a facial recognition, but you know, that, that's one of the things to, I suppose, that we do need to consider is that if we get to the point where the biometrics part of it becomes insecure for some reason, then where does that leave us? You know, so, so far so good. And I think there's a lot of things that ma- can make biometrics better. But because of how they work, there's, you know, there's whole, there's a perfect balance between false positive, false negatives. And again, which we, you know, we've spoken about before and you sort of, you want to get the ease of use, which means you have a potential for a higher false negative, right? I always get there my-

Dan McDermott: [laughs].

Garrett O’Hara: When I'm under pressure, I always get negative-

Dan McDermott: [laughs].

Garrett O’Hara: ... and positive mixed up in the same situations.

Dan McDermott: [laughs].

Garrett O’Hara: But you know what I mean? It's, it's one of those things where-

Dan McDermott: Like left hand, right.

Garrett O’Hara: Yeah. I can, I just, the amount of times-

Dan McDermott: [laughs].

Garrett O’Hara: ... I go, go, go wrong in the car is unbelievable. But yeah, I mean, that's, that's the one concern I suppose, is the reliance in biometrics. And there's some very clever people that think about this, right? So, you know not, now I feel like we're in safe hands, but if something happened in the future, where compromising biometrics or, you know, mimicking somebody because the machines have gotten really good, then, you know, that's sort of, where does that leave us? But I'm sure by then we'll all have chips embedded in our temples and [inaudible 00:09:53].

Dan McDermott: [laughs] Yeah, let's not go that far. No, no.

Garrett O’Hara: [laughs].

Dan McDermott: So I guess my last question on this is, is like this, it does sound revolutionary, right? In terms of what it really does mean to, to move away from a, have a password-less s- society which is easier on every individual, but also improving security at the same time. What's a timeframe of, you know, likelihood of being able to start to implement this and sort of see its success and, and it becoming, you know, ubiquitous for us?

Garrett O’Hara: So they're actually talking about like this, starting this year. So this is a real thing. It's not, you know, this isn't an, you know, an academic study that's been done and, you know, is 10 years away. I mean, it's, it's basically, you know, the, the news hit this week because they're committed to the, to the standard and, and it's basically pretty much ready to go, as I understand it. I think it's yeah, later this year, I think is when we'll start to see this get taken up. And I, I, you know, we've talked about stuff like this before, where you can have really good security, but the, the, the friction is always the ease of use. So there's no kind of commercial outcome.

Dan McDermott: Hmm.

Garrett O’Hara: So organizations could go for amazing security and lose customers or annoy their customers and watch their, [laughs] their NPS score tank, even though-

Dan McDermott: [laughs].

Garrett O’Hara: ... they're, they're doing the right thing for their customers. This seems like a winner in that, you know, if you think about a usability perspective where it, you know, almost becomes competitive baseline if all of your competitor platforms allow you to log in by just kind of, you know, s- literally hitting your finger off your phone, all of a sudden that becomes a real commercial driver, I would say, for adoption. So it feels like one of those ones that, because it, it does the better security and better usability at the same time-

Dan McDermott: Hmm.

Garrett O’Hara: ... I think, you know, maybe, maybe me being very optimistic here, but I feel like it's gonna be something that will see adoption very quickly.

Dan McDermott: Fascinating area, one that, yeah, if we can see adoption quickly, will make a big difference. There's obviously gonna be implications, like you said, you've got a whole bunch of, you know, services on your phone already. So those companies will be interesting to see, you know, that MFA world and what that's meant and that sort of thing, 'cause, you know, a lot of that goes away, right? I mean, that's the thing, you move to, you know, pass keys and and we move to FIDO, which I don't think we said w- it stands for Fast Identity Online. So F-I-D-O if anybody's looking it up and wanna do some of their own research on this, because it is something that is coming and we'll have, you know, broad array of implications, I think for every security professional.

Garrett O’Hara: Yeah, absolutely. Absolutely. It's exciting. And yeah, as I say smiling, you can't see it on the [laughs] on the recording, but it's it's really good news, I think.

Dan McDermott: Yeah, we can hear it in your voice, Gar.

Garrett O’Hara: [laughs] There you go.

[laughing].

Dan McDermott: The next story is an update of a news item we covered previously regarding the security of the Internet of Things or IoT devices, and how Australia has taken its voluntary standards to now being mandatory. So this seems like a good progression, as we said, last time, Gar, that when something's voluntary, we know how well-

Garrett O’Hara: Hmm.

Dan McDermott: ... compliance is. So moving it to a mandatory standard feels as though progression in the right direction.

Garrett O’Hara: Totally agree with you, Dan. Yeah, totally agree with you. IoT in particular, given how many things are driven, you know, the, the profits for organizations selling IoT devices are gonna be driven by basically, you know, producing cheap stuff and getting scale. So, you know, I mean, you walk around most supermarkets now or, you know, even hardware stores, there's IoT everything, like they've, they've created [laughing] internet enabled things where you c- really scratching your head kind of think of what, like, why? [laughing] Like what's the... Why, you know, why do I need that actually connected to the internet in some way? And often you're produced with absolutely no thought to standards. So functionality being the absolute focus and then, you know, some token gesture towards security, if you're lucky that's a big problem, right? You know, where people are plugging these things into networks at home or even in, in in corporate environments.

And there's a hugely famous story of the fish tank IoT breach back in, you know, Las Vegas, where they were able to pop that and get that as a way into... Find out the personal details for the, the whales, the, you know, the high rollers over in the-

Dan McDermott: Hmm.

Garrett O’Hara: ... Casino. It's a problem. The U.S. moved, it's a couple years ago now from memory and correct me if I'm wrong here, but you know, for IoT use in governments, it ha- like they had a mandatory sort of security standard that had to be met. I think that's a good driver. And yeah, was a 2020, I think the coalition kind of came out with the, the voluntary principles. I think there was 13 of them and, you know, it was kinda like, yeah, it'd be great if you could do this to your point, you know, if you're a manufacturer and you can do something cheap cheaply to and sell it to generally consumers who are not particularly, you know... Cybersecurity isn't what people are thinking when they're in the hardware store, looking at a, you know, internet enabled toaster, you know, like they're just not-

Dan McDermott: [laughs].

Garrett O’Hara: ... they're thinking about, oh, look, I can use an app on my phone to make, change the, the toasting setting or something. Let's say, you know-

Dan McDermott: [laughs].

Garrett O’Hara: ... it's just the novelty value but they're not thinking about what does that mean for my home security or like any of those things, right? I think that's the problem. So making it mandatory, to your, you know, initial point, is the thing that starts to level the playing field and force organizations, if they're gonna sell these things into Australian citize- citizens that they have to be, you know, set up s- securely or at least make an effort to do that. And the, the stuff is really obvious. It's things like default passwords. I mean, y- you know, the kind of thing that you would assume, you know, just would be, would be something that organizations would actually look at just as a, a standard practice, but, you know, that kind of says everything you need to know, right? You can connect things with a default password from, in a network and they're just wide open. And then, so yeah, I think this is, I think this is really good. Yeah.

Dan McDermott: It it does make me laugh a little bit of a, a mutual friend of ours who has the internet enabled skipping rope. I think that went really well, so [laughing].

Garrett O’Hara: We, we both know who that is that person who shall, [laughing] shall remain nameless. I, I, I was kind of very funny when they were talking about that at the start of COVID and they bought Bluetooth everything, and then it showed the number as they skipped. [laughs] It was very funny.

Dan McDermott: It's it is funny. And it's I wonder how secure minded it was-

Garrett O’Hara: Uh-huh.

Dan McDermott: ... [laughs] in some of those purchases as well.

Garrett O’Hara: No, for sure. Yeah, I've got, and we've, you know, people who work in Mimecast who are very into things like home automation and yeah, that's a huge IoT space. And luckily, you know, if you're in Mimecast you probably [laughs] security's gonna be-

Dan McDermott: [laughs].

Garrett O’Hara: ... on your radar, but like that's a huge hobby area for many people at the moment is automating everything, you know, garage doors opening, lights coming on, air conditioning, like literally your life is or your, you know, your, your house is run by an app on your phone. And often, you know, the, the sensors, the physical components are like che- pretty cheap things that are bought you know, in bulk from our friends further north. So-

Dan McDermott: [laughs].

Garrett O’Hara: ... Yeah, good to see some sort of mandatory standards here. I think it's, it's definitely a good thing.

Dan McDermott: Yes. Again, another good, I think two good news stories there that we've led off with, I guess, of, you know, that improvement of, of, in security in terms of where we're going and, and these things are not going away, right? And the proliferation will continue. So definitely a, a, a good area for for the government to, to be doubling down on there.

Garrett O’Hara: Yeah, definitely.

Dan McDermott: Again, sadly, the conflict in Ukraine continues and a quote from Paul Chichester, the director of operations at the UK National Cyber Security Centre, described the cyber clash as "the most sustained set of cyber operations coming up against the best collective defenses we've ever seen." So a prime example of this is the Viasat attack, which occurred over a month ago. So tell us, what's the latest on the cyber front in the Ukraine crisis?

Garrett O’Hara: Yeah, sort of ongoing yeah, Paul's, Paul's quote, it actually sounds like a tagline from a movie or something, doesn't it?

Dan McDermott: [laughs].

Garrett O’Hara: This summer, the most sustained set of cyber operations coming... Sort of feels like has that vibe to it. But you know man, I don't wanna make light of what's going on over there, obviously. Incredibly sad. It's still an incredibly serious, you know, we've, we've talked about this on I think on every episode since this all started, right? I mean, it's hard not to. Yeah, ongoing there's, there's still quite a few things going on. They're seeing wiper and in some of their some of their departments and agencies over there. So you know, that, that stuff is still happening that, the Russian wiper malware, and then the, the Viasat. This is interesting 'cause I think we, both of us were talking probably in the first time we talked about Ukraine on the part about how how easy the attacks kind of bleed out into the sort of the two countries that are involved.

So, you know, it, it's Ukraine versus Russia, but in reality as you saw in [inaudible 00:18:46], you know, it impacts in that case it was 25% of the organiz- organizations impacted were not in Ukraine, right? So, and, and-

Dan McDermott: Hmm.

Garrett O’Hara: ... had massive implications and with the Via- Viasat attack, it's, it's similar in that basically it's a satellite for those who are not across it that is used in Ukraine and actually across Europe. And it's used as a sort of means for, I suppose, interconnectivity to to various places. Part of what's happened here with the the attack is that it's taken out things like wind turbines in places like Germany. So again, you know, this ties into the CNI conversation that you, we've had-

Dan McDermott: Hmm.

Garrett O’Hara: ... many times. And this is, you know, this is an example where the hack on, on Viasat... Viasat's the company, by the way the company that provides the kind of the comms to the, the satellite. But yeah, I think it's, it's one of those scary ones where we're seeing the, the attack obviously impacting Ukraine, but then actually impacting countries and, and sort of operations outside of Ukraine. Yeah, including those kind of wind turbines in, in Germany. And I believe it's still going on. But the Poland, France yeah, people all over Europe had their satellite internet connections knocked out as well.

Dan McDermott: Yeah. It's like you say, it's like the, these things, the attack is often very widespread. It's not just, you know, the first intended target, right? And then there's the flow on from there. So we're seeing that, I think it plays to so many things that we've spoken about over, over the time around critical national infrastructure and what that means and how do you protect that, nation states and how, you know, when they, when they go after somebody, you can be, it can be unintended consequences and you can be an unintended victim of that as well. What does that mean? There's so many angles of how to actually sort of combat against this. I do think as well, like you said, that that quote is very interesting around, you know, that there is probably so much that we're not hearing-

Garrett O’Hara: Hmm.

Dan McDermott: ... right? That's not making the news, which is a good thing because of the defenses that are in place and that the, and what is it being able to be stopped as well. So I think that what we're sort of seeing from this is, is sometimes maybe not as much news as what we may have thought, but that's also because of, you know, the great defense that's been in place as well.

Garrett O’Hara: Yeah, absolutely. It, it's, it feels like it's coming in waves a little bit-

Dan McDermott: Hmm.

Garrett O’Hara: ... I think both of us were pretty much primed for, [laughs] you know, huge stories to be coming out of Ukraine at a pretty consistent basis. And then it felt like there was this kind of calm where, you know, everyone's kind of waiting f- like what's going on. We're not actually hearing, you know, this stuff is, is happening. And to your point, it was, and, you know, the Microsoft report we spoke about last time-

Dan McDermott: Yeah.

Garrett O’Hara: ... You know, clearly showed that there had been stuff going on and not just during the, you know, the kinetic sort of movements or the on-ground attacks, but actually a year running into the, you know, the, the stuff that's going on in Ukraine. So yeah, it definitely feels like it's coming in waves, but yeah, they've done... This Viasat one is, it's pretty high profile. Just given, you know, what it was pretty el- you know, I hate using the expression, but pretty elegant to attack from, from what I understand, but also the the fact that it did, im- impact, you know, non-Ukrainian entities and, and people just around Europe who rely on satellite interconnectivity, all of a sudden, you know, the, the sort of lights go out.

Dan McDermott: Yeah, no, it's still a very scary situation, obviously, you know, the highest of stakes involved as well. So-

Garrett O’Hara: Hmm.

Dan McDermott: ... you know, I guess like the low one good news taking away from it is, is, you know, how well, I guess, those sub defenses have held up under that sustained attack as well.

Garrett O’Hara: Yep. Yeah. There's, I mean, there, there's talented people there, right? And I think to your point and very savvy cybersecurity operators in, in Ukraine, certainly in Russia too, but it's yeah, I think, I think that's what you're, you're spot on. We're seeing the talents of people yeah, operate their cyber resilience at, at a nation state level. It's, you know, still, it's like Estonia, but you know, this is war time-

Dan McDermott: Hmm.

Garrett O’Hara: ... so yeah.

Dan McDermott: And looking at that national level it is election week here in Australia-

Garrett O’Hara: Hmm.

Dan McDermott: ... and one item that hasn't made the headlines very much during the campaign itself is cyber, no major s- policy announcements during the campaign. But we did see a lot leading up to it as well. But the other, the good news as well has been that there hasn't been much reporting on things like fake news and electoral interference from a cyber perspective. We still got a week to go, so [laughs] we, you never know, but but that's also what I think is, is that, you know, cyber has played a much bigger role in politics in the last couple of years in Australia. And following Saturday, we'll have a clear review on the next evolution in our national cyber policy and the frameworks that will be supported. So it'd be interesting to see what the future looks like. And obviously a lot of groundwork's been laid and a lot of things have been promised and money laid out-

Garrett O’Hara: Hmm.

Dan McDermott: ... for the future. But we'll have a clearer direction of, of where to next.

Garrett O’Hara: Yeah. That, and, and I mean, you wonder about the machinery of governments, you know, given that we're looking at a potential change, you know, what, [laughs] that's the thing you worry about, right? Come in and maybe unwind some of the things that are working well or whatever, but yeah, hopefully it all sort of stays on track.

Dan McDermott: It is that change, right? That is the, the big thing.

Garrett O’Hara: Yeah.

Dan McDermott: You're exactly right in that is there is, if there is a change in government, it is, don't throw the baby out with the bath water, right?

Garrett O’Hara: Yeah.

Dan McDermott: And particularly in this, in this case, where is lots of good, you know, policies and, and money set aside and programs that are, you know, set up in order to continue to improve our, our, our cyber resilience as a nation. So we don't, you know, obviously lose any of those things no matter who wins and we wanna continue to expand on them and improve them as we go forward. So yes, well, good luck for all involved for the weekend. And and then come Saturday night we might have a clear review on our, on where to next.

Garrett O’Hara: Mm-hmm. Hopefully.

Dan McDermott: [laughs] Finally, let's wrap up with a quick review of the latest breaches and vulnerabilities to make the headlines. We'll start with a report on the cost of business email compromise, or BEC, to Victorians.

Garrett O’Hara: Yeah, this is I mean, this is a pretty quick one included really just for the, the number I suppose, was-

Dan McDermott: [laughs].

Garrett O’Hara: ... it was kind of an interesting one, but it's 31.9 million was lost to business email compromise in, in 2021 apparently. And that comes from some VPNs that are apparently cooperating with the Vic Police cyber crime squad. So yeah, that's not a, not a small amount of money could certainly, you know, keep me in, in socks and, and, you know, shirts and whatnot for a little while. But yeah, like lot, lot of money, I suppose, getting, getting fleeced from Victorians.

Dan McDermott: Yes. Well, obviously being Victorian, it's a frightening number, but it's also interesting to see sort of that level of reporting happening and that, you know, that we've even got at state level, like Vic Police getting involved and that type of thing. So it is at so many layers of where, you know, I guess, the response is coming from, right? And, and where, what we're trying to look to do to, to help, you know, protect all citizens as much as possible. So yeah, but yeah, worrying numbers again.

Garrett O’Hara: Yeah. They really are. And, you know, it's, what I would like [inaudible 00:26:01] to see as part of the data is the what's the mean size for the, the losses? Like, what's the distribution?-

Dan McDermott: Hmm.

Garrett O’Hara: you know, 'cause you see 31.9 million, that's a lot of money, but you know, we, we've, we've talked about this quite a lot. There's some big chunky numbers going around, especially in the things like the yeah, real estate industry. I mean they, you could-

Dan McDermott: Hmm.

Garrett O’Hara: ... rack up 31.9 million pretty quickly actually, and just given-

Dan McDermott: [laughs].

Garrett O’Hara: ... the the amount of money sloshing around there. But I suspect it's probably made up of quite a lot, l- a long tail of small payments also. So yeah, be, be interested to see if there was, you know, a second version of this data where they looked at that.

Dan McDermott: Indeed. The next story is one that's a little bit too familiar in terms of a breach and that is WordPress has been pinged again.

Garrett O’Hara: Yeah. Yeah, like you almost feel like you could just record a placeholder for WordPress site hacks, but-

Dan McDermott: [laughs].

Garrett O’Hara: ... Look again, you know I'm sort of a fan of WordPress. I used it for quite a, a few things that I did over the years. It's a, I mean, it's a very, very useful content management system for for, you know, producing, you know, blogs, newsletters websites these days and it's got so many plugins available. So, you know, it's quite an appealing CMS for, for many people. That said, it, it does have a bit of a reputation for kind of getting popped. It's, it's almost like, you know, Microsoft in that way because so many people use it. It becomes a really appealing target you know, hit that critical mass where you know, everybody uses Microsoft. Clearly, you're gonna see attackers go after that kind of, you know, platform, OSs, et cetera.

And WordPress is a little bit like that where so many websites are built on WordPress. In this one they basically are yeah, using some JavaScript and really what they're doing is when you kinda load the follow, JavaScript basically sends you on towards a malicious website. So not, not ideal [laughs] in any way, shape or form. But yeah, one to be aware of, if you're somebody who has a WordPress site, you know, definitely worth getting across this one and and, and following all the best practices, make sure your plugins are updated, make sure you're running the latest version of WordPress. If you haven't run one of the many tools, right? That are out there to lock WordPress down, so doing things like changing the default database names and passwords then you know, there's, there's tools out there. You can run them. They're pretty quick and they'll just, they'll get you at least part of the way there to a more secure version of WordPress. So strongly recommend that also.

Dan McDermott: Indeed, a good public service announcement for anybody running WordPress sites, which as we know, there's millions of them, right?

Garrett O’Hara: Yeah.

Dan McDermott: So it's, it's definitely one that needs to, to be secured at the back end as well. We'll finish with the news of global furniture retailer IKEA, who have been breached in Canada.

Garrett O’Hara: Yeah. They yeah, IKEA Canada got, got popped and apparently 95,000 customers are being notified. It looks like one of their internal employees was able to access data that in theory they shouldn't have been able to. And they, IKEA Canada basically notified it, I believe the equivalent of the, you know, the OAIC here-

Dan McDermott: Mm-hmm.

Garrett O’Hara: ... so there's sort of a privacy commissioner in Canada, and let them know. So then, you know, kind of did all the right things and I don't believe anything untoward has happened so far. So, you know, that has, that has been breached. But no particular impact from what I understand just yet.

Dan McDermott: Well, let's hope that that's the end of that story then, right? And we don't have to review it again when reviewing the, the notion of what actually might have happened with that data as well.

Garrett O’Hara: Yeah, definitely. Well, they've, they, they, as you know, all good companies would have done the thing of kind of remediating the kind of the situation. So looking, you know, ho- how did this happen and then making the changes appropriately to make sure that it doesn't happen again. And that's, that's just cybersecurity in large part, you know, do the best for planning and then when stuff goes wrong, just make sure it [laughs] doesn't go wrong again. I think you know, you can forgive some, you know, most organizations for, for one sort of "mistake" but if, you know, see the same mistake happening multiple times, then that's where you gotta start worrying.

Dan McDermott: Indeed. Well, let's, let's hope that all of those things are covered off and, and we don't see those vulnerabilities again. Well, thank you Gar, I really appreciate your insights as always. Who do you have for us as our special guest next week?

Garrett O’Hara: Next week is Dan Gregory. Which is an exciting one for me. Just [laughs] absolutely ripper of a conversation with Dan, that was a couple of weeks ago now, actually it's been recorded. He's just, I mean, he's a phenomenal guy. He's the CEO of The Impossible Institute, but people probably know him more for things like The Gruen Transfer, so he's on TV quite a lot. And he's just, he's ju- A, an entertaining character and B, just a very sort of thoughtful, insightful sort of commentator and, and sort of expert on human behavior and engagement. He's, he's made, he... We, we've talked about this. I saw him years ago at a cybersecurity conference. Little bit hungover in one of the mornings and, and went along-

Dan McDermott: [laughs].

Garrett O’Hara: ... to see what this guy from Gruen Transfer could possibly have to say. And it was just really, really good. It's, it's still rated as one of the best cybersecurity talks I've ever seen, and it was about human behavior. So really loved it and the conversation. We obviously get into that. So we talk about, you know, h- how to really get people en- engaged when it comes to this conversation of cybersecurity. And Dan makes that comment that you kind of need to assume that most people won't care about cybersecurity as much as we do.

Dan McDermott: [laughs].

Garrett O’Hara: And, you know, he, he comes from that perspective. He's got some really good stuff about how to engage people, so things like not telling them what to do, but how you tackle that problem together. If that makes sense. So like how to change comms and behavior change programs to really get people bought in sort of buying sorry, designing security programs with, you know, the end users in mind in terms of getting them engaged and actually having an outcome. You know, we talk about things like optimum, optimism, biases, trust, trust in society in general, like it was a phenomenal conversation one that I've been hoping to have for probably a couple of years, if I'm honest, since we started the pod and, and yeah, felt like, you know, a good, good one to, to get in the can. So yeah, look forward to that being released.

Dan McDermott: Yeah. Fantastic. Can't wait. Always Garrett, I think when there is that human side of cybersecurity and what that means, it's a fascinating conversation and one that we all know that we are, we struggle with and or everybody has those challenges of how, of how to get better in that regard. So really looking forward to it.

Until next week, if you would like to continue exploring key topics in cybersecurity, please jump on to getcyberresilient.com and check out some of the latest articles, including insights from Privacy Awareness Week, "Before FIDO, how do you defy brute-force password attacks?", and a look into why the metaverse could be a hacker's haven. Thanks for listening. And until next time, stay safe.
