Garrett O'Hara

Garrett O'Hara is the Chief Field Technologist, APAC at Mimecast, having joined in 2015 with the opening of the Sydney office and led the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.

Expert opinions and insights on the biggest events making cybersecurity headlines this past fortnight

In this episode we explore what impact the change to a Labor government in Australia will have on national cyber policy, examine a 3-year-old government review calling for Australia to overhaul identity verification and make better use of biometrics, dive into the 5 key trends identified in the seminal Verizon DBIR report, and review the latest breaches and vulnerabilities making headlines.

The Get Cyber Resilient Show Episode #99 Transcript

Dan McDermott: Welcome to episode 99 of the Get Cyber Resilient show. I'm Dan McDermott and I'll be your host for today. This week is our behind the news episode, and I'm joined all the way from Ireland by our resident cyber security expert, Garrett O'Hara.

Today, we'll be looking behind the news of what it will mean for cyber under a Labor government. Next, we'll look into a leaked review of a three-year-old government review that called for Australia to overhaul identity verification and make better use of biometrics. Last week, we saw the release of the annual and now seminal cybersecurity review, the Verizon DBIR report, and look at the five key trends identified. And we'll end with a wrap of the latest breaches and vulnerabilities to make the headlines.

Gar, let's begin by diving into what the change in federal government might mean for cyber in Australia.

Garrett O'Hara: Yeah. The top of the morning, Dan, all the way as you say from Ireland. I feel like it's obligatory when you're talking to anyone outside of Ireland to say top of the morning. It's, yeah, good, good to be, uh, still recording the pod, even though it is 7:00 in the morning and we're on different sides of the world.

But, yeah, look, the, the change of government, I think this is huge, right? We, we've seen, like Tim Watts and folks like that, sitting on the sidelines, making what I would say is some valid commentary on, on things that I think you and I have spoken about at length and kind of agree need to happen. It, it's always interesting watching, I think in any government, how easy it is to kind of, you know, make the comments when you're not in power, but now it's sort of, it's time to kind of, to put up as they say.

So, seems like they, they've got big plans. The reality is, you know, of what's Albanese's comments, you know, that cyber security needs to be somebody's day job, not the last item on another minister's to-do list, which I think kind of speaks maybe volumes. It does seem like that they will put cybersecurity front and center, you know, when you look at the national security policies, even on the, the Labor website cyber's in there. And I think Tim Watts has been really good actually on, on commenting and, you know, thinking about this stuff in a sort of useful way. That, that said, you know, it's always interesting watching the machinery of government, right? And, and things that were also potentially working reasonably well with the previous governments. And I hope what we don't see is things getting ripped out purely because they were put in place by the, the previous government. So, you know, hopefully there's a rational approach to looking at the things that were, you know, on a good trajectory working in the, the right way, taking the best of those. And then, and then what I think Tim Watts has called, they're looking for a step change. I think that, you know, hopefully they do get to achieve that and then sort of throw some, throw some much needed money at this stuff and, and focus on this stuff. There's a whole lot of stuff that I think becomes part of that. That, you know, they're talking about more collaboration between governments and private enterprise, which I think is a, a really kind of interesting and useful approach. You know, there's a lot of expertise out there in the private sector.

And we're seeing that in other nations where the, you know, the governments have taken that approach of not just trying to do it all themselves and being a little bit of a, you know, circle the wagons, you know, we'll take care of it. But actually, you know, looking at the private sector and people who are experts out there and involving them and bringing them inside the tent to, you know, kind of help the entire nation, so I think they'll [inaudible 00:03:32] some of that.

And, and you and I, and him, many times we've talked about the, the mandatory ransomware bill. It'll be interesting to see if they can kind of get that through and, and get that sorted. I think that's important. That does feel like it'll be something that will be, you know, a good, good change for, for Australia.

Dan McDermott: Yeah. I mean, for all of, I think the good things that the Liberal government were putting in place and a lot of the, the programs, the, the spending and that sort of thing, like you mentioned at the start, there was a fundamental difference in, in the view of cyber, I guess, overall with having a shadow minister in Tim Watts for cybersecurity, when there is no actual portfolio for cybersecurity. So there wasn't actually anybody in the government, yet they already had a shadow ministry for it.

So it, it showed a very different approach right out of the gates as to how, the, I guess, each party sort of thought about it. And the Liberal approach of, of trying to disseminate it into everybody, into every portfolio. And then there's merit to that, that like, you know, you can't do it centrally. It has to be, you know, everywhere. It has to be fundamental to, to everything. But you need, I think, you know, that higher level overview oversight and also leadership for what good looks like and that.

And I think that that's the opportunity that now, you know, sits, sits with Tim and, and the Albanese government to start to bring that to the fore and start to show, like you said, what does that mean in terms of, you know, that private and public partnership. We've heard a lot of these terms before. It hasn't really been something that's been overly well embraced within cyber, I have to say to date. So it is, you know, there's an opportunity I think, to, to make that step change, as you mentioned, and really take this to a new area altogether.

So, I think it's exciting. It, you never know exactly how far they can get, you know, like you say, being in opposition is sort of quite a bit easier, right? Than actually having to get things done. And potentially, you know, under a minority government as well, doesn't make it easy to, to move things forward necessarily as, as simply as you may wish. But at the same time, I think there's a huge opportunity in front of them.

Garrett O'Hara: Yeah, there really is. And you, it feels like it's, it's part of the zeitgeist. Now, we can see what's happening in Ukraine. There's some things that I think will help their case for, you know, investments or any kind of policies or programs or work that they do put in place because it's, it's all over the newspapers, the importance of cyber in Ukraine. So I think, you know, what's happening there. Some of the, you know, stuff that's happening with our friends a little bit further north, I think all of that plays into hopefully, you know, support from the broader public. You know, bipartisan support for any kind of stuff that we would look at doing for cyber security.

It's just become so important. Like as you're talking there about the fact that, you know, this sha- shadow ministry for something that didn't actually exist in the government, that just is astonishing in 2022. You know, it just, it is-

Dan McDermott: Hmm.

Garrett O'Hara: ... quite, quite a, an amazing thing that that would be the case. And I totally agree with you by the way about the, you know, being somebody's day job. And yes, absolutely. It's a part of so many different agencies and entities in, in the government.

But one of the failings, I think, is the lack of cohesion. And you even see that in the, the report to parliament, you know, the, the sort of cyber po- posture reports to the parliament, which, when you read through that stuff, how often, you know, some of the problems are just the lack of cohesive insights into the, the status of things, because there's no centralized reporting, you know, everything is so fragmented. And I think there's opportunities there to start to, apart from the, the sort of policy and doing of things, but getting a centralized view of, of where are, where are we, you know, what are the problems?

And, you know, I think that centralized view sort of gives the opportunity then to start putting in place programs that will benefit everybody. And I really, you know, some of the language here and the policy documents are around, you know, national resilience and, like that sort of that, that thinking. And, and even to the point, keen to get your thoughts on this one, when you read the, some of the stuff they're talking about in terms of where data sits, and I think it was actually Anthony Albanese and they gave a speech at the Lowy Institute. And he's talking about that, you know, for some types of data, securing it may require coding here. It may require mandating that it be kept in Australia.

And it felt like over the last many years, we were moving away from that sort of data sovereignty, data in country thinking. Like there was a little bit of loosening of, of, it felt like of the, the sort of range-

Dan McDermott: Hmm.

Garrett O'Hara: ... there given, you know, encryption and given so many cloud platforms have data everywhere. And, it feels like, I wonder, are we gonna see a little bit of a walk back where we start to see data on shore, data starting to become more important? I personally am good with that. I, I think that's, like that, that is not a bad thing, you know, having stuff on shore, processed on shore, stored on shore, assuming, you know, the DCs are here and they're the good DCs. Yeah, I feel like that might be a good thing.

Dan McDermott: I don't disagree. And I think that that will be a part of it. And I, I do think it is like part of the overall platform was around sort of, you know, nation resilience, right? And-

Garrett O'Hara: Mm-hmm.

Dan McDermott: ... rebuilding some of that resilience within country. And, and data is a, is a critical part of it. We know it is, you know, really it is the, the lifeline of, of society and the economy now, right? And so, you know, more so than oil or anything else that, that might have-

Garrett O'Hara: Hmm.

Dan McDermott: ... been in the past. So, so there's no doubting that it has to be front and center in that thinking, otherwise we're just going to get left further behind, right? So it will be a part of it. And I do think that there's a real opportunity to, to move all of those things forward. It would be interesting to see just how far it can go. And there is, look, there's several gaps, right? As we all know, I think in cyber, across the country.

I, you mentioned around sort of the government's own approach and being fractured. And so we know the benefits of, you know, oversight and governance and just good reporting to lift standards across the board. We know with the critical national infrastructure, the, the gap in small business, right? In supply chains-

Garrett O'Hara: Hmm.

Dan McDermott: ... and what that means. You know, these things have not gone away. And there is a, I think a spotlight on, on these, I think critical areas that do need an uplift across the nation. And now is that opportunity, you know, to try to centralize, have some forward thinking and put plans in place to actually rectify and address some of these challenges. You know, as we've discussed probably offline a few times, it's a pretty passionate area of ours of like looking at what can this be, doing it differently and actually really thinking outside of the square as to what is possible, at you know, at a national level. And I think that this government has that opportunity. Tim Watts, you know, had the privilege of, of meeting him before, the thinking, the knowledge, the experience to sort of bring that to bear, I think, in a unique way into this portfolio. So yeah, I think it's an exciting time. And, yeah, we'll see, we'll see how they go. And it'll be interesting to watch the ride.

Garrett O'Hara: Yeah. I th- and he seems like, you know, I've heard commentary on him in the industry that he's the real deal when it comes to cyber. He's not a politician-

Dan McDermott: Yeah.

Garrett O'Hara: ... he's just been thrown, this is a portfolio, he gets it, like he actually understands the, the challenges. And, and to your point on the scale of the problem. Because, and again, you know, you and I have spent how many time, you know, many hours talking about this stuff off mic. It's a huge problem. Like it's not a-

Dan McDermott: Hmm.

Garrett O'Hara: ... it's not a trivial, easy problem to solve. It's a very big, very difficult problem to solve like resilience at a national level, especially in, I know it's a passion project of yours or passion-

Dan McDermott: [laughs].

Garrett O'Hara: ... area, like the small business, like protecting the small businesses that will help protect the medium and, and larger organizations out there. That ain't, that ain't easy. Like it's huge. But it needs to be done. I think that's the thing we can't get away from. Like, you can kick it down the road, but we need to do it.

Dan McDermott: Yeah. And, and you say, like you say, I mean, Tim acknowledges that this is his dream portfolio. It is quite funny. Like, he's, he, he's, he admits he's a geek, he's a, you know, he spent 10 years in security consulting. You know, he's worked in, in the industry. And he was, he is, and I think will be forever grateful that, you know, he had the shadow ministry when there wasn't a [laughs] it wasn't actually a portfolio, right? Like it is-

Garrett O'Hara: Yeah.

Dan McDermott: ... his dream gig. And it is, like you say, it's not just a politician wheeling in to talk about, you know, like, "Okay, I've got this portfolio and next week I'll have transport, and the week a- you know, and then in a year I'll do something else." This is what he's in it for. So I think that that's a different view and I think a different level of, I don't know, passion that comes with it, that I think-

Garrett O'Hara: Yeah.

Dan McDermott: ... will make a difference as well. So, yeah.

Garrett O'Hara: Yeah.

Dan McDermott: We'll see, we'll see how he goes. We, we will certainly wish them all the best 'cause it's a big, big gig to, to get a lot done.

Garrett O'Hara: Yeah. It really is. It really is. As you're talking there, I, I'm just imagining if in, in a parallel universe, if it wasn't Tim Watts, you know, the thing of a politician walking into this as a portfolio and, and, you know, asking the question, are we secure? You know, that-

Dan McDermott: [laughs].

Garrett O'Hara: ... [laughs] I don't think Tim is that guy. He [laughs] yeah.

Dan McDermott: [laughs]. Exactly. [laughs]. But yes, I'm sure there's been plenty of those conversations in the halls of, of government before.

Garrett O'Hara: Definitely.

Dan McDermott: As we look on to the next story, it is, is insight into what was previously a secret review conducted by a government three years ago into the use of biometrics for identity verification and the recommendation that government make its own facial verification system available to the private sector. Gar, tell us a bit more about what has leaked out of this report and, and what can be done around biometrics and-

Garrett O'Hara: Yeah, this, this is, oh man, that's such a, a big one. You know, the, the review is basically around how, yeah, I suppose ID systems and authentication or verification, I suppose of identity, is done in Australia. And yeah, not, didn't come out great. It's, it's probably the, you know, the too long; didn't read version of this. It was KPMG modeling that was commissioned by Home Affairs and their, their quote was more costly, inconvenient and less secure than other nations, which is not a particularly good indictment of, of where we're at. And look, anyone who's, you know, I've been here 20 odd years and, you know, identity verification, I find frustrating, you know, the 100 points of ID, the driver's license, Medicare card, passport, blah, blah, blah. Um, the push here is really the increased use of biometrics and what they would call, I think a skinny identity was the phrase they used in, in some of the reporting. That idea that you can get a stronger sort of verification with fewer data points, um, you know, more, more sort of solid data points, which I think is, is a fairly reasonable thing to expect. This, this is such a big conversation for me because it, it goes beyond just the utility, which is what we're going for here, right? You wanna be able to very easily verify somebody's identity. That's a good thing to be able to do. The thing, Tim for that moment, the thing that always worries me, and I think many people, is that when you get to large scale biometrics, so things like facial recognition, fingerprinting, what are the implications for sort of moving through the world, and not, you know, having an anonymity, if you want to be anonymous and you know, not having everybody know exactly where you are at all times?

That I think is partly the worry with this sort of stuff is that yes, you can use biometrics, so things like facial recognition or your fingerprints, brilliant, really, really useful. But you, if there's a national database of faces, then do you get to the point where, you know, criminal agencies can use kind of automatic facial recognition to see that, you know, Dan McDermott is now currently walking in a pedestrian mall and you know, there's a warrant out for, I don't know, you've, you know, you [laughs] you've done something wrong?

Dan McDermott: [laughs].

Garrett O'Hara: ... like it seems like a good thing, right? I mean, everyone would naturally go, "Well, that's good, right? There's a criminal who could be caught more easily." Yeah. I don't know that just like, it's a personal thing. It's just feels a little bit funny. There was some I think it's me kind of thinking, well, where does that go wrong? And it can go wrong.

You know, there, there's, biometrics database in Afghanistan, you know, the U.S. kinda military had. And the idea was that they would have a laptop, and it was a portable system where you could, you know, use a fingerprint to identify people within the country, in that country to understand, were they, somebody who was, you know, "good or bad" as in, you know, good working with the U.S. military and-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... or were they people who maybe had, yeah, like different terrorist tendencies. so, and that's all good, right? So they're really very, very useful. It was something that actually, I think might have even started in Bosnia. So it wasn't originally started in, in Afghanistan. So great. You know, this is something that lets the military understand very quickly if this person that they're talking to is, you know, is, is safe person or not, as the case may be.

And then you see what happens when the mil- U.S. military have left Afghanistan there, but that system has fallen into the hands of the Taliban. So now take that exact same system. And all of a sudden you're in a position if you're the Taliban to start identifying well, you know, Dan McDermott actually was somebody who helped the U.S. military. So now you're in a world of trouble. so I think that's the, the stuff that, you know, kind of, we need to think about.

And, you know, I'm not saying, personal opinion, you know, I'm not saying good or bad, but it, we at least need to have the conversation about what's the fallback? What are the things that can go wrong here? And what are the kind, the mitigations that we could put in place so that, something as powerful as a national facial recognition system, which is great, it doesn't get misused? Or, you know, what are the, what are the limits we can put around it, and not just for the current government, for, you know, government that could exist 10 years from now, 15 years from-

Dan McDermott: Hmm.

Garrett O'Hara: ... now? And I think a lot of, you know, you look at the world and you know, me growing up, I looked at the U.S. and you just think that's super stable. You know, it's a democracy, everything's fine. And you look at the what's happening in the U.S. at the moment where if, you know, this is paranoid, but like, it feels sometimes like democracy's teetering, you know, that's, you know, lobbyists have so much power. There's a veering left and then veering right. And it sort of feels all over the-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... place. And you just think, if the wrong government did get into place, these kind of systems are exactly the kind of systems that you probably wouldn't want in existence, for very obvious reasons. That said, if you're somebody who's being the victim of a crime, you're, you're probably gonna be so happy that, you know, somebody who broke into a home or, you know, committed a violent act could be found very quickly-

Dan McDermott: Hmm.

Garrett O'Hara: ... through things like facial recognition. Anyway, I guess that's not the point of this. The point is like, if you're looking for a mortgage or you need to get a new bank accounts instead of messing around and, you know, the 100 points via, via identity, if there was a facial recognition system that the government made it accessible, which is what they're talking about here, by the way, kind of pay per use for private private organizations, that, you know, for authentication, they could do facial recognition. And it's quicker and actually is better as a way to kind verify that Dan McDermott is Dan McDermott and not some fraudster who's trying to, I dunno, set up a bank account, you know, fake ac-

Dan McDermott: Hmm.

Garrett O'Hara: ... account in your name, et cetera.

Dan McDermott: Yeah. They, they describe it as the facial verification system or FVS.

Garrett O'Hara: Yeah.

Dan McDermott: ... does it actually exist already? Is that-

Garrett O'Hara: Yeah.

Dan McDermott: ... is that the indication-

Garrett O'Hara: Yeah, yeah, yeah. And that's-

Dan McDermott: ... that it's actually here and, and now it's, it's, it's about its, its use really?

Garrett O'Hara: Yeah, it does. And there's, there's also a document verification system. Which my assumption is that's the thing that, you know, when you put in your driver's license number-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... and all that stuff, it's the thing that goes off and checks that it's real [laughs] it's real and true. So yeah, I mean, the, the FVS does exist. One of the things that the report or the review does call out is that the, the quality of the verification is not amazing. So they're talking about maybe having to revamp that. So it's sort of better-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... at doing the job of verification. And you, you know, you would think if it's a verification system, it's got one job to do, which is verify people, you want it to be able to do that-

Dan McDermott: Yeah.

Garrett O'Hara: ... really well. So there might be-

Dan McDermott: [laughs].

Garrett O'Hara: ... some, some work to, to do there. And one of the other things is that, you know, the option for opting out, which I fe- feel like that is an important part of this. That if you don't want to be part of a giant database of, you know, faces, that there should be an alternative, you know, some sort of fallback for people and maybe it, you know, it is the equivalent of the 100 point verification system. So-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... cool, if you wanna go the easy and maybe better way to verify your identity, cool, you can be part of it, but if you don't then you, you know, you have that option also. And I think that, that's probably an important, an important part of this. But it does point towards this march towards biometrics. You know-

Dan McDermott: Hmm.

Garrett O'Hara: ... we're seeing that obviously as verification of identity, but also with passwordless authentication, which we spoke about in the last episode, that that's the, that's the move. We're starting to see more and more of that instead of people using pin codes, which feels so old school. Access to your, you know, your phone, you pretty much pick it up, it sees your face, or you, you know, it's a fingerprint. But you know, that, that's now struggling to appear in corporate environments where people don't have to remember and secure passwords, again, really good thing. You know, it's a better version of, of authentication and ultimately to authorization. But what's the downsides? And I think, you know, maybe my brain is just wired for that. But I always wanna think it, what's, what can go-

Dan McDermott: [laughs].

Garrett O'Hara: ... wrong here? And let's, let's think about that before they actually go wrong. [laughs].

Dan McDermott: Yeah, indeed. And, and you've, like you said, you've gotta think about the long game here. That is the thing.

Garrett O'Hara: Hmm.

Dan McDermott: It's not just the, now it is, what does that mean, ongoing, and then what's the implications of that? And what's the safeguards that are put in place? And, and-

Garrett O'Hara: Yeah.

Dan McDermott: ... those things will need to be reviewed and, you know, updated in time as well. There's no doubting that it's not a set and forget, these things. I think it needs to continue to evolve as society evolves and has the technology and access and what it means. So, it's going to be an interesting one, like you say, biometrics, who we spoke about, like FIDO, the, the fast identity online-

Garrett O'Hara: Mm-hmm.

Dan McDermott: ... concept last time, making it a passwordless world, just feels like another step in that direction. It definitely feels like it's on, on the rise. I still think it will take some time. But there's no doubting that it is, you know, all things are heading that way. And I think it is those safeguards probably are, probably the thing that will slow things down a little bit, rather than the technology itself. I think the tech will get, is there, right?

Garrett O'Hara: Yeah.

Dan McDermott: It's, it's really more about how do we use it and how, and what are the u- those use cases look like?

Garrett O'Hara: Use cases, we've, we've spoken about them before, but the Clearview AI, that, that company that did all the reaping of images from social media and online and created a, like a database of trillion, 20 billion people, with information about not just, you know, it's not just recognizing them, but actually some of the kind of online behaviors and information about them as people. Like, there you go. That starts to feel a little bit funny, right? You know, there's this company that has a database of 20 billion people globally for identification of people with additional information. They've actually just got a, a fine in the UK for the approaches they're taking.

But that's it. To your point that the tech exists, like you can already do so much of this stuff. It's, it's the, do we want to, just because you can, doesn't mean you should. [laughs]. And I think that's the question in our, in the technology industry, we should be asking ourselves way more than we do. Because we're generally capitalist societies where these tech companies come from. You can make a lot of money with data brokerage. And certainly when it comes to things like, yeah, facial recognition, like that is an incredibly powerful thing to be able to do. And then Clearview have backed away from, and, and maybe I probably need to check this out, I think legally can't provide their services to private organizations now. So they still can do it to government organizations and work with government organizations. But I think they were, yeah, apart from the fine were sort of told to, to walk back from providing services to private organizations. But to your point, you know, that the, the [inaudible 00:24:19] a little bit on this stuff. And, I think it's, it's important to slow down now, that's fine, but it lets us go faster a little bit later, faster and safer later once we get this stuff right. But I think as we've seen this with tech in general, like social media and the greatest experiments ever, you know, is the impact of social media on humans and, and especially kids. I mean, it frightens me what they're growing up with.

But, I think if many people, if we could roll back the clock, would say, "Actually, let whoa, slow down. Let's, let's figure this out because we don't know what the impact will be." And I definitely think there's, there's a lot when it comes to biometrics recognition time that your identity. I talk about Gattaca all the time. But like how, how far away for you from that are we, if facial recognition or biometrics is linked to your, your citizen identity and your ability to move through the world?

We're moving towards cashless because of COVID and it was happening anyway. Like, do you get to the point where you literally can't operate in this world unless you, you know, are deemed to be okay by whatever government is in power? Like it's, it's that. There you go. Like, you know, I mean, but it is literally that. And with cars moving to, to the point where they're connected, transports, you know, it's almost like a, a Black Mirror episode where in reality, as you move through the world, facial recognition is everywhere. There's cameras everywhere. Your ca- your card doesn't work. You can't get in a car and drive somewhere. You can't get in a bus and go anywhere. You know-

Dan McDermott: Hmm.

Garrett O'Hara: ... that, that, that tech exists today.

Dan McDermott: Yeah. Now, definitely, definitely gonna be an interesting area. And, and one would, like you say so many societal implications ongoing.

Garrett O'Hara: Hmm.

Dan McDermott: So it will be, it will take time, but the tech is there. And so the policy's gonna have to move quickly to keep up with that as well.

Let's have a look at the final deep dive story for this week, which is a look into this year's Verizon DBIR report. Gar, what are the five top trends that have been identified for this year?

Garrett O'Hara: Yeah, it's the, the, the much-awaited DBIR. It's, it is truly one of the, the, the sort of, I suppose, events of the, the sub year, it's a well written report as well. I love the writing style. It's quite informal and, and sort of generally kind of fun. I don't, I don't think there's any huge surprises here. The, the sort of big themes, the big trends are that the, the main pathways into, you know, kind of popping organizations, credentials, clearly that's been going on for, for quite some time. So credential harvesting, or, your credential theft. So we see that a lot, actually even among us, when we meet security leaders or CISOs, the things they're worried about is, you know, somebody's putting in their O365 credentials to a fake website and, you know, we all know how that one ends. You know, phishing, again, can't get away from it. [laughs] It just feels like that that conversation's never gonna change. It's the easy way in. Vulnerability exploitation. I think we're gonna talk a little bit about that later also. But again, you know, nothing particularly surprising there, and, and, and pertinent. So, you know, it's the things, same things that have been kind of going on for quite some time. Ransomware is up. And they took, made an upward-

Dan McDermott: Hmm.

Garrett O'Hara: ... trend, trend, trend and, you know, 30%, 13% rise. Again, I don't think that's, probably, no one's gonna be particularly surprised there. You've seen the kind of emergence of an industry and, you know, the, the specialization in access brokerage and ransomware-as-a-service and all the things you and I have talked about so many times. So, you know, if there's money to be made, we're gonna see an increase. It's, that's how the world works. [laughs]. I don't think there's any particular surprise there. And clearly money is being made. I think we, we've seen shifts there. And I think you, you've spoken about this where the profile of the organization being attacked is starting to shift a little bit because the top end of town is starting to get good, a protection, the low end of town doesn't have the money to pay and there's a sort of sweet spot in the middle. So, you know, it's not like it's completely static. But you know, there are changes there. Supply chain, again, you know, we saw that so many times. And I think that one is the one we haven't really seen a truly huge, huge, impactful supply chain problem yet. I mean, there's been some big ones. But I th- I fee-

Dan McDermott: Hmm.

Garrett O'Hara: ... I sort of worry about that one more than any because of how digitally interconnected everything is and this kind of trust change trust change in terms of software updates or, you know, access to systems, et cetera, et cetera.

So I think that, that's starting to be interesting. And also one that, when you look at the financial motivators and, you know, linking back to the fact that this is industry, you know, it's a cyber industry these days on the bad side of things, huge multiplier effect. You know, if you can pop one organization, then get, all the downstream organizations that maybe get a software update for a particular platform, et cetera, et cetera. And that is an incredibly fast way to get to many organizations.

 We saw like, to say, thing where, you know, when it comes to ransoming, you're ransoming an organization that, you know, it's almost a proxy ransom for, you know, thousands of other organizations who are using a particular software platform, the pressure on that sort of, the focal organization. So you could say it or whatever the supply chain organization is to pay a ransom becomes significant because it's not just them, it's their customers and that, that's a whole-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... different ball game. The DBIR calls out again, you know, the, error and human error, which, you know, again is never gonna go away. I don't think, as long as humans are involved, we'll see mistakes. That's the, the beauty of the world we live in. Things go wrong.

Dan McDermott: [laughs].

Garrett O'Hara: It's what makes it interesting. But yeah, like it's, that's never gonna go away. And, and it's not just sending things to the wrong person or whatever, but it's actually, you know, misconfiguring cloud services or backend systems and all the, all the things that have been there as long as cyber security has existed. But then also the human sort of elements where, you know, people, you know, p- put their credentials into a, the, a credential harvesting website or they click on a link that's wrong or, just people making mistakes through, you know, not being malicious, but just going about their jobs.

So nothing controversial, no kind of a brand new thing that we never thought about before, but always an incredibly good read, the, the DBIR. Yeah, it's definitely one of the, the sort of richer reports that comes out each year.

Dan McDermott: Yeah. And I think it just, again, highlights the need to be doing those fundamentals well, right? Stop the pathways in, you know, that helps from a ransomware perspective to reduce the, the potential of that actually occurring to you. Review supply chains, which is, I think, the big vulnerability area. And make sure you s- you know, that people are across it, that there, you know, you limit the amount of errors that can be made because that is always going to exist, as you say. And therefore, like the more that you can, you know, limit that, then you're going to start to take away a whole range of vulnerabilities that you have as well.

So like you say, nothing surprising. But it is about, like, you know, focusing on the fundamentals, doing those well, and seeing that these things are a sustained effort over a long period of time as well, right? And so therefore the response to the attacks and the environment needs to, to be sustained as well and we need to continue to continually, you know, challenge ourselves as cyber professionals in the industry to, to keep up to date with this as well.

Garrett O'Hara: Yeah. You're like spot on. It's not like you can just go in and set some stuff up and then go off and have a cup of tea and a biscuit. Like it, it is ongoing-

Dan McDermott: [laughs].

Garrett O'Hara: ... never gonna stop. Yeah. It's almost like fitness. I think it's, it's that, you know, you gotta, you gotta do the sit-ups, you gotta go running every day. And if you don't, you very quickly start to feel the effects.

Dan McDermott: [laughs]. And let's wrap up this week's episode with a quick review of the latest breaches and vulnerabilities to make the headlines. Let's start with the Zoom exploit that could lead to remote code execution.

Garrett O'Hara: Yes. It was found by Google Project Zero who kind of do, kind of security research, obviously.

Dan McDermott: Hmm.

Garrett O'Hara: ... a guy called Fratric found this. An interesting one, basically, there's an XML parser-

Dan McDermott: Yeah.

Garrett O'Hara: ... within Zoom. But anyway, long, long story short. Yeah. Through research, basically there was a kind of an attack chain that got to the point where you could get remote code execution via Zoom, which I think is, is kind of interesting. So you kind of send a particular message via Zoom and Ivan Frat- Fratric was able to kind of get clients to connect to a middle, a man-in-the-middle server and then sort of pop a, an older version of Zoom down.

And then, you know, he was able to do things like open up, I think it was Notepad or the Windows Calculator, like as, as a proof, proof of concept. You know, Zoom has kind of, has, is already gonna patch it. So I think, you know, you're good to go kind of thing.

But, yeah, an important one, just in terms of the, the huge stable of applications that exist in any corporate environment, and any one of those at any point will see something like this. And, and I think anytime you see remote code execution the [inaudible 00:34:02] should be open, people should be paying attention. It's ne- it's never, never good.

Dan McDermott: I think the thing that I was most surprised by is that it's taken us two years since the start of the pandemic to find, [laughs] find the vulnerabilities with the mass move to remote working. You know, I was expecting more of this to come out earlier. So it's, it's interesting that it's taken time. Hopefully it hasn't therefore been exploited very much because, maybe it was not obvious and difficult. And therefore, you know, has actually not had, you know, a large impact, but it definitely is something that is patched now.

Garrett O'Hara: Yeah.

Dan McDermott: We've also seen a number of large-scale breaches across the country recently, starting with up to 50,000 Tasmanians potentially being impacted following a successful phishing scam against a superannuation firm.

Garrett O'Hara: Yeah. Spirit Super was the, the organization. And yeah, it was unfortunately a phishing scam. We literally just said that, right? I mean, it just-

Dan McDermott: Yeah.

Garrett O'Hara: ... seems like every time you see one of these stories, it was a phishing link or something that, you know, somebody clicked on an email. In this case, it was a staff member. They clicked on a malicious link in an official email um, of May, sort of May 19th, that's where their mailbox got breached. And the problem was that in that mailbox was a data set which was back from like sort of 2019, 2020, but had personal information. So things like um, ages, addresses, email addresses, phone numbers, account numbers, balances, and names for 50,000 people, 50,000 Tasmanians. So that, you know, that's clearly not good. A lot of PII has been exposed through, through that.

The, reading this story, I think one of the things that I think it points to is not just the, the user education part of cyber security and making sure people don't click on links and all of that stuff, but where data is stored. And-

Dan McDermott: Hmm.

Garrett O'Hara: ... I, I, you know, back to, you know, a very early conversation in, in this recording of the pod, the small to medium businesses, you know, medium enterprises and even large enterprises, when you look at where data is stored and how often where data is stored is completely inappropriate. You know, somebody exports an Excel file from a CRM.

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... you know, CRM can be controlled, you know, there's policies around that, but all of a sudden they can export it into an Excel file, which can be emailed or sent to, you know, a, a Google Drive or, you know, OneDrive or put on a USB. That control of data is, I mean, it's the bane of many people's lives, certainly in cyber security it is. But it's something that, you know, this story points to, the, the bit where somebody's doing something and I'm sure the person had it in their mailbox to try and maybe do their job, or, you know, there was something going on there-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... where it was an easy way to get something done. But it's amazing how often, you know, those shortcuts, the shadow IT approaches, the, cyber desire paths, you know, the, the thing where you look for the easy way to go do something, the risk is when something goes wrong and a data set then is sitting in an unprotected, you know, file somewhere. Like that clearly is not, is not good.

So, outside of the phishing and the breach, that was the thing for me. It's where, where do you keep data? What are the policies in place so that somebody never has a data set sitting in their mailbox? That it's stored securely somewhere that, you know, attackers ideally can't get to it.

Dan McDermott: Indeed. And then further up north, we saw Queensland send out 10,000 motor vehicle fines to the wrong people.

Garrett O'Hara: Yes.

Dan McDermott: Again, mis- mismatch of data.

Garrett O'Hara: Yeah. I understand. I, I personally feel sorry for the developer. So way back when I was a really bad developer, one of the things I had-

Dan McDermott: [laughs].

Garrett O'Hara: ... worked on back in Ireland actually was a system for sending basically grant letters to farmers. So I was given this huge database and my job was to write the, the system that would create an, essentially, like, form letter, print all the envelopes, print the letters and, you know-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... entirely automated. And I can't tell you how stressed I was about that for exactly these reasons. You know, the idea that, you know, me as a 20, early 20s developer was sitting there and-

Dan McDermott: [laughs].

Garrett O'Hara: ... potentially if I got this wrong, people were gonna get, you know, the wrong grant or somebody else's grant. Amazing how stressful that could be. So, yeah, I feel sorry for whoever did this stuff. But I mean, you know, th- this is what we're talking about, printed letters going in envelopes and, you know, either a machine or somebody's gonna do that. And if it's offset by one envelope, you may not, you know, you would assume errors are, are probably not, not particularly difficult to happen in that kind of situation.

But, yeah, in those letters, obviously then there's clearly gonna be information like licence numbers and, you know, names and addresses and, and clearly very sensitive PII going to the wrong people. So yeah, that's never good.

Dan McDermott: Yeah, no, two large, you know, PII breaches across the country, which is, like I say, definitely not a good thing. And we also spoke earlier around the fact of, you know, the 100 points of ID and we've seen in-

Garrett O'Hara: Hmm.

Dan McDermott: ... New South Wales that a security researcher has, has termed it trivial to obtain a fake licence online in-

Garrett O'Hara: ... this is, yeah, this [laughs] makes me laugh because I think about, you know, young me, and if this was an option, I'm pretty sure I would've been all over it. So I could get sort of the alcohol before I [laughs] was of age. But yeah, I mean, it's the, the digital driver's licence that we have in, in New South Wales.

And, yeah, basically what it looks like you can do here is look at the, the sort of local cache store of the information on the device. And because it's protected by, I think it was like a four digit PIN, you know, four digit code or whatever, or maybe even three, that's pretty trivial to brute force. So you can basically get a decrypted version of the data and then change essentially information like your [laughs] your age, and then kind of put it back on, on the device.

What I found really interesting is that the, the device doesn't do any kind of verification of integrity of the data set with the centralized system. So it is locally, sort of locally cach- cached on the device. And when I was thinking about that, I was wondering if it's because there's parts of Australia where you wouldn't be able to do verification against a central-

Dan McDermott: Hmm.

Garrett O'Hara: ... system, you know, you're in the middle of nowhere with no 4G or 5G connection and no way to, you know, have the, the sort of app verify that the, the data set hasn't been altered in any way. So that, like that, you know, integrity part of the CIA triad. And I wonder if there's stuff there where, if you can have a digital licence, it has to work for everybody at all times? Because if a cop pulls a, a person over, you can't sort of say, "Well, I can't verify because I've got no, [laughs], I've got no-

Dan McDermott: Connection.

Garrett O'Hara: ... phone connection."

Dan McDermott: [laughs].

Garrett O'Hara: Like, you know, it breaks the utility of the device. So I, I wonder was it that, like, there was a version of, well, we have to make availability the priority here rather than integrity? I clearly wasn't involved in the development, so I don't really know. But, it's certainly, yeah, young me, 16, 17 year old me, would've been all over this one. There's a way to hopefully get-

Dan McDermott: [laughs].

Garrett O'Hara: ... into pubs and nightclubs a little bit earlier. [laughs]. Should've, should have been.

Dan McDermott: Definitely sounds like a 16 year old's dream, that's for sure. So, so one that we, we won't promote too widely. We'll end on-

Garrett O'Hara: [laughs].

Dan McDermott: ... a reminder of, I guess, you know, of where to focus your security efforts. And there has been some research around sort of where, where should teams, you know, put their time and effort into?

Garrett O'Hara: Yeah, no, no surprise here. Like known vulnerabilities, they say we've been saying it for years, we'll continue to say it, there's a kind of asymptotic approach to, you know, 100% security. You know, you spend a lot more money as you get closer and closer to, you know, very advanced security approaches and, you know, they will certainly, I'm sure, help with zero-days. But actually, you know, it's, it's Pareto's law, you're better off just focusing on the known vulnerabilities, you know, follows, following best practices, getting things patched.

And this one is particularly around sort of APT crews where they, they use known vulnerabilities. Like most of the time it isn't the, the very exotic zero-day stuff that's being used. It's actually just the kind of, you know, workaday stuff that everybody kind of knows exists. And, that, in large part, are available through, you know, good patching programs and, and keeping everything up to date, et cetera. So yeah, I mean, again, nothing sort of revolutionary here. I think everyone kind of gets it and knows that that's the, that's the case. But, yeah, there, it tends to not be the, the very interesting and expensive zero-days that are used, but actually most often it's just the stuff that we all know about all the time.

Dan McDermott: Yeah, very timely and, you know, a good reminder as always, Gar. So thanks again for your insights. Tell me, who do we have for our special 100th episode edition of the podcast next week?

Garrett O'Hara: Yeah, we're, we're, we're pretty lucky here. We've got Geoff White, and many people, I think, who would be listening to us will know him. He was the co-host of the Lazarus Heist podcast, which was incredibly good. So he, he did that as part of the BBC World Service and it was just a full on kind of investigation, like proper journalism, into the North Korean regime and how they basically used technology to kind of go after organizations like Sony and, and, and a bunch of other things. Highly recommend the, the podcast.

He's also an author. He wrote a book called Crime Dot Com, and, again, you know, cracking, cracking book. But he's about to release the, the book of the Lazarus Heist, which I'll definitely be getting a copy of just given how good the podcast was. You know, the podcast is like 10 episodes of half an hour, but a book will just give so much more background information that, you know, someone of that caliber will have done in terms of the investigation to support the podcast. So I'm very much looking forward to the book, but also getting to, to talk to Geoff, and um, and hopefully everybody else enjoys that conversation too.

Dan McDermott: Indeed. Well, super excited for our 100th episode next week with, with Geoff as our special guest. So until next week, if you would like to continue exploring key topics in cybersecurity, please jump onto getcyberresilient.com and check out some of the latest articles, including how leaks from the Conti gang shine a light on ransomware's darkest secrets, look, get insights into how cost-effective approaches to threat monitoring are emerging and how they can help with the scourge of ransomware. And there's a further review of this month in security in May.

So thanks for listening. And until next time, stay safe.
