• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.



Gar O’Hara is back again with Dan McDermott for the May monthly roundup episode. This month Gar and Dan are also joined by Mimecast’s very own Bradley Sing, an active contributor to the Get Cyber Resilient blog and a cyber resilience renaissance man. In this roundup episode, Gar and Dan discuss some of the key learnings recent guests have brought to the show, Dan and Brad discuss the latest in cyber security news and Gar and Dan finish up the episode by diving into a very popular security question — are our phones listening to us? To read the article that prompted this question, please follow the link below. 

John McMahon: Is Your Phone Listening To You? We Ask The Experts - https://bit.ly/3eF6jnc



The Get Cyber Resilient Show Episode #17 Transcript

Gar O'Hara: [00:00:00] Welcome to the Get Cyber Resilient podcast. I'm Gar O'Hara, and this is our monthly roundup episode. Today we're joined by co-host, Dan McDermott, and we're excited to have a new voice with us for the news roundup session. Bradley Sing is a contributing author to the Get Cyber Resilient blog, where he's covered Emotet, the business impact of O365 [inaudible 00:00:26], Victorian hospitals being targeted by ransomware, and data governance for Royal Commission. So a bit of a renaissance man. Dan will lead us through this episode, starting with a recap of our guests, where we discuss the key learnings. Then the news with Bradley, where they talk about Toll, Service New South Wales, and the COVIDSafe app. Then, Dan and I cover something a little bit different. Are our phones listening to us? We'll include a link to an article by John [McMaddon 00:00:51] in [inaudible 00:00:52], which is a great read. That article actually prompted us to cover the topic today. So please enjoy.

Dan McDermott: [00:00:59] Hi, Gar. Uh, welcome to, uh, this episode of the Get Cyber Resilient Show. Um, great to, uh, join you again this month as we, uh, we get the chance to sort of look back on the show, what's been happening, some of the key topics in the industry, um, and, uh, and what's happening across sort of the market in cybersecurity in Australia and New Zealand. So, um, welcome back.

Gar O'Hara: [00:01:22] Thank you. Yeah, good to be here, um, and I, I will say in advance, there is people doing constructions in the apartment today, so apologies if there's any weird sounds in the background. [laughs].

Dan McDermott: [00:01:32] [laughs]. No problems. Uh, uh, this is an exciting episode as well, as it's, uh, gonna be the close of season one. Um, but, uh, so we'll sort of wrap up the season, uh, as it is and then, uh, uh... but no fear. Um, we've got a whole bunch of guests lined up for, uh, going forward, um, and be able to launch into, into season two as well, which will, uh, which will be great. And, uh, so I think, uh, thank you to you and then for all of our guests, uh, for, for making it what it has been so far, and, um, and giving us the opportunity to, to continue into a new season as well.

Gar O'Hara: [00:02:05] Yeah, thank you. Who- whoever thought we would make it to a second season? Absolutely stoked. [laughs].

Dan McDermott: [00:02:10] [laughs]. And in the last month, um, again, we continue with some of the great guests, right, that we've, uh, been able to have on the show. Um, first one was, uh, was Kendal Watt from Recorded Future where, uh, the two of you discussed the, the sort of, I guess, the threat intelligence world and, uh, and what's happening and how to try to get ahead of the threat landscape, rather than always, uh, being reactive, which is how we always feel in cyber, right, is there's that, like something happens and then we've gotta react. Um, what's your take on sort of how, how can the industry start to get ahead of, of, of the, the bad actors?

Gar O'Hara: [00:02:45] Yeah, I think Kendal is spot on, um, in his breakdown... well, first of all, of the operational versus strategic threat intel, which was probably new, uh... I was aware of, but probably didn't appreciate the importance of. Um, but I think that stuff is gonna play a bigger and bigger part as we go forward, and the reality is that any stock analyst out there will say they spend a huge amount of time, um, doing the threat intel research. Like, that's part of any remediation or, um, incident response. It's kinda trying to figure out what the hell this thing is, uh, what the damage it's gonna cause, you know, what's the information I need? So, um, see more and more the threat intel, uh, has become m- m- more of a almost mandatory at this point, though many organizations don't have the luxury. But, um, I think if you're gonna do a, a good job of bringing down the mean time to respond, um, you know, I, I can't see a way around getting good threat intel into an organization to, to make... as you say, to make it proactive.

Dan McDermott: [00:03:41] Yeah. It's, uh, definitely a critical element and I think, um, everyone across the industry is, is struggling with, to some degree, but, um, it's great to see progress being made and the opportunity for that to, to come to life and be real for, uh, for organizations out there. Our second guest, uh, in the last month, was, uh, Bill Tanner, um, who I know, um, as, um, day job working at Mimecast, uh, he's part of our customer advisory board. And, um, and, uh, so Bill actually reached out to us. Um, he's... He has a really interesting role, so he's the CIO in a major law firm, at Allens, and, um, so he comes with these great insights and views around, um, not only technology and what's happening, but also gets a lot of insight from, from working in a law firm and working with the legal teams on privacy and data issues.

Um, and he actually reached out to us to say that he'd like to, you know, discuss and debunk some of the things around the COVIDSafe app and what's happening, and, and provide, you know, that he's been involved in many reviews, um, and offering sort of his view on, I guess, the security and data privacy of what's been happening around that. So, um, it was great that, uh, that he did reach out to us and, um, and I think you were able to sort of cover a lot of that debunking of, um, some of the, the fake news that might have been of hearing at the time around, uh, the COVIDSafe app.

Gar O'Hara: [00:05:02] Yeah, spot on. And it's sort of interesting to me, 'cause I think my big learning from that whole thing was how healthy the security community is in Australia. Um, there's a lot of talent here. I don't think there's any sort of surprises there. Massive amount of talent in this country. But there is this kind of healthy, um, questioning, um, I would, [laughs] I would call it, about what, what does this mean? What does it actually do? And, um, you know, some of the things that, uh, Bill talked about was the, the, you know, the website that's actually tracking the COVIDSafe app to say, you know, is it, is it risky, is it not? What are the privacy concerns?

Um, and that's done by a bunch of people voluntarily, um, who are very, very sharp and very kinda smart people. So, uh, funnily enough, like sort of the technology and the legal stuff, that was my big kinda learning, actually. This stuff is, is really good. There was a healthy conversation on LinkedIn and there was people with different opinions. That's great. You know, at least we can have those conversations. We're not kind of, um, yeah, I suppose, stuck in our echo chambers, which is what you see in, in many other areas of modern life. So, um, yeah, I, I, I embrace it and I thought that was... Yeah, like I say, that's a really good discussion around what does it all mean. So that, that was kinda me being positive, but that's what I took out of that, uh, [laughs] that whole conversation.

Dan McDermott: [00:06:15] Australians being cynical. That's, uh, n- not [crosstalk 00:06:17]-

Gar O'Hara: [00:06:19] [crosstalk 00:06:18]. What? [laughs].

Dan McDermott: [00:06:20] [laughs].

Gar O'Hara: [00:06:20] That's the Irish people's job, yeah.

Dan McDermott: [00:06:23] [laughs].

Gar O'Hara: [00:06:24] You guys [crosstalk 00:06:23]. We can't, we can't compete on that.

Dan McDermott: [00:06:26] Ah, yeah, you brought that over with you as well.

Gar O'Hara: [00:06:31] [laughs].

Dan McDermott: [00:06:31] So, uh, that's a big part of our DNA too, that's for sure. [laughs]. Um, but it was, it was great. It was great of, uh, Bill to, to reach out and offer his time to, to do that as well, so we're really appreciative of that. Um, one of the, I, I think, almost sort of superstars of the, the cybersecurity industry, um, in recent times, uh, was the final guest, uh, last week, Phil Zongo, um, who, uh, is, is really well-regarded and I think, you know, obviously author of, uh, the book, um, Five Anchors of Cyber Resilience, as well as having the, the [inaudible 00:07:03] book that you, uh, you covered as well, some of the key things that [inaudible 00:07:06] in that. But I like the notion of... um, it sort of struck a chord with me... the, the cyber savvy workforce-

Gar O'Hara: [00:07:14] Mm-hmm [affirmative].

Dan McDermott: [00:07:14] ... and, and creating a savvy workforce. I think it's something that, uh, uh, I think resonates really well with, uh, with, with all sort of, you know, employees and workforces out there. Um, what was your take in your, your discussion with Phil?

Gar O'Hara: [00:07:27] Yeah. He... Ph- Phil, like you, I'm a bit of a fanboy. It's not like there's any secrets there. He's, uh, he's seen the photos, uh, from the, the talks where I've used his book as a, a backdrop for some of the conversation around kinda conin- ... uh, communications in boards and, um, and those kind of topics. Um, yeah, th- that book, The Five Anchors of Cyber Resilience, I think it's done something really, really good, which is take the topic of cyber resilience and, and do a really good job of bringing it into the business world, if that makes sense. So, you know, it's not one of the ones where, um, it's a bunch of, um, cyber security, um, three letter acronyms and lots of, you know, impenetrable data. Just it's actually more... In my mind, it's more of a business book... which, uh, hopefully Phil would agree with... than a cyber resilience book, um, which is what, to me, makes it so useful.

Um, look, my big learning from, from Phil, in general, but in certainly the episode, was around the importance of people management, um, at all levels. And by that I mean kinda stakeholder management probably more than anything else. So, how do you get the, uh, buy in from the broader business. Um, and that kind of mature approach to, you know, treating cyber security, cyber resilience, as a, a function and a critical function within a business, but approaching it through that lens. You know, what's the... Uh, you know, Phil talked about what's the, the target set and getting agreement across the business for what that looks like, um, and not probably over-promising on that. You know, being realistic about what's the business outcomes we're gonna deliver, um, so that you've got buy in from the finance teams and the, the project teams and, um, you know, all the, all the stakeholders that exist within any complex organization these days.

So, it, it feels to me, when I talk to Phil, like he's just a very clear-thinking, uh, rational person when it comes to cyber resilience. Um, and he, he manages to do a good job of, like, keeping a foot in both camps. You know, the, the sort of technical side, but actually also the, the kind of more practical business side as well.

Dan McDermott: [00:09:22] Yeah. Look, it's, uh, I think that the area of, you know, how do we make cyber resilience a topic at an executive level and at a board level? Um, it's, it's something that we often are challenged by, right, and how do we have those conversations, but that approach enables that, right, and puts it front and center, as a, as a critical, uh, business need and business sort of function, if you like. Um, and therefore, uh, has the attention of, you know, of senior management, um, and to, to sort of, you know, risk committees and, and boards, as well.

So I think that that, uh, puts it in a, in a completely different light and, um, and sheds, uh, I guess that light onto, onto its importance in, in, in the organization as well, which is, uh, which is fantastic in how it makes, uh, the role for everybody and, and all their jobs, uh, becoming easier from there as well. Well, thanks, Gar. It was great to reflect on some of those, uh, those interviews. Um, really excited about the list of people we've got lined up, uh, for season two as well. Um, so, uh, looking forward to it.

Gar O'Hara: [00:10:24] Yeah, it's, it's gonna be great, I reckon, but I'm probably biased.

Dan McDermott: [00:10:31] [laughs]. Moving, uh, into the next phase, uh, normally what we do here is we sort of transition to, uh, reviewing and sort of discussing some of the key topics, uh, in the news from cyber in the last month. Um, today I'll be joined by, uh, Bradley Sing, who outside of, uh, his day job as a, is a tech consultant, um, is the author of our monthly article on the Get Cyber Resilient site, called This Month in Security. Um, so to unpack, uh, this month's, uh, articles and the key topics in the news, uh, welcome Brad to the Get Cyber Resilient Show.

Bradley Sing: [00:11:06] Hey there. Hey there, Dan. How are you?

Dan McDermott: [00:11:09] Very good, and, uh, great to have a, a new voice on the show and, uh, and to highlight some of the, I think, the great work that you've been doing for, for several months for us in, uh, in sort of giving that summary and reflection of, uh, what's happening in, in cyber in Australia as well. So, uh, really appreciate you being here. Um, as you, as you covered and as we... as everyone has discussed, the COVIDSafe app has been probably the biggest discussion point in the market, um, over the last period of time. I'm just wondering, like, what's your take on, on where things are at? Um, you know, how's it, how's it going in terms of its applicability and use? Um, um, there were things like iPhones and, and the challenges that might be there. Um, so yeah, was interested in your take on where, where that's at and, uh, and your views.

Bradley Sing: [00:11:54] Oh, boy. It's, uh... Look, it's definitely been a busy month in security and I think COVIDSafe, to your point, has definitely been [laughs] if not one of the most topical, uh, things in, in the local cyber security community. Um, it has been a bit of a journey and a, and a bit of a roller coaster. I think we've seen, um, government trying to do a lot of good, uh, for the health crisis in, in a very short period of time, uh, and trying to use digital technology in a meaningful way. The reality is, we, we should be using technology to, to save lives and do this kind of stuff. I think what we're starting to see as well is, is the legislation filing up as well. Uh, as of recently, I believe there's something new mandates in terms of how long the data can be kept for. Um, there was also I think some issues at the start in terms of who had access to the data.

I think what we're starting to see though is, um, a little bit less focus on the app from the government, though. And it seems actually to have fallen a little bit to the s- ... to, to the wayside. And I think the reason for that is if we have a look or think about it in terms of how the, the application runs, so the DTA or the Digital Transformation, Transformation Agency, um, part of their plan was to create a decentralized app, so away from the hands of Google, Apple and, you know, other, other, other forms or other powers, effectively. And so by doing that, the, the challenge is that Google and Apple both have very different APIs, so in fact, it's quite hard for the application to function correctly across both platforms.

I believe one of the current limitations is if your iPhone screen is locked, as an example, the app won't, um, function correctly. So there are some limitations there, and I think that the challenge of the conversation now is how do they get it into a workable state if they want everybody using the app? Um, and the discussions are, you know, working with Google, working with Apple, to use more of their specific APIs, and that goes away from that conversation of decentralized app. So I think we've got a pretty powerful tool and I think we've got some good legislation around it, but I think there's still a lot of uncertainty in terms of the actual application of it and is it actually gonna be useful for us to, you know, to roll out?

Dan McDermott: [00:13:49] Yeah, thanks for those insights and, um, and some of the technical challenges that are, that are coming with it. But I think, uh, you know, I was even, I was watching, uh, Barry Cassidy last night and, um, and talking about, you know, I think the, the role of government in... through the whole pandemic has been about, you know, building trust and then having consistent communication, um, in that. Um, which overall, I think, you know, has been, you know, done to an extremely well level, right? Like, we, we, we're one of the success cases of the world, um, at the moment, in terms of the control of the pandemic and then hopefully the role of technology, um, as you say, of being a part of that.

But the role of trust in government is, is just fundamental, right? Um, and, um, and as government moves in... on their digital transformation agenda, um, and moves towards, you know, all things being digital, that trust can be broken. Um, and unfortunately, uh, we've seen the breach at Service New South Wales and as citizens, when these sort of things happen, we do become concerned. Like, you know, what, what, what does that mean for us? How extensive is that breach? Um, will it happen again? What happens to my data? Uh, all just natural responses and that. But, um, interested in your thoughts on the Service New South Wales breach and how that's gone about sort of managing and handling that, um, and not erode the trust that they've built in now across citizens as well.

Bradley Sing: [00:15:13] Yeah, yeah. Look, uh, if I think about Services New South Wales, uh, kind of interesting, I guess, as an organization. So they, they do vehicle registrations, but they're also one of the few entities, if, if not the only s- state entity I know of, that, um, have moved towards digital licenses. So you can now have your drivers license on your iPhone. You don't have to carry it around anymore. Absolutely great. I forget mine all the time. Um, so you've got an organization which is going through this awesome process, digitizing technology, making us carry less stuff around and, you know, it's great stuff for us as individuals, but you've also got this... I guess this looming cyber security pandemic at the same time, where we, we have to be even more accountable, and we have to build trust, because if we wanna do things like COVIDSafe or we wanna have applications which hold our drivers licenses, you need, need, you need the trust of the public.

Um, I think if we think specifically about, you know, what constitutes to a data breach, um, the reality of this data breach, it looks like it affected about 47 email accounts. And so what it would have been, it would have been customer service staff, it would have been contacts where people have called up the service center or maybe face to face interactions. So it wasn't like they, they gained access to a backend system. Um, it appears that the, that the Services New South Wales have made efforts to contact everyone they believe affected.

Um, they don't believe that there's any data in there... Um, I mean, it's hard, right? There could be data in there which could be potentially sensitive, but the reality is, there wa- ... a breach scenario did, did take place, but if we think about the impacts of breach or, or what that data could be used for, um, there is a conversation to understand, could that data actually be used to cause serious harm? It seems like it was only 47 email accounts that were compromised, so it's generally going to be communications with their service desk and I think [inaudible 00:16:51] reading off their website, it was communications with people phoning up about their license registration. So, it is unfortunate that, that people's data got breached, but I think we have to also understand that, you know, what is the sensitivity behind that?

Um, Services New South Wales as well, as a response to this, have come out and said cyber security is, is, you know, one of their number one priorities as well. And I think given some of the comments earlier about, uh, you know, the digital license and, and some of the great stuff they're trying to do, I think it's a, a good wake up call, I think, a bit of a warning, um, to, to them, and, and, I guess to people as well, that, um, there's some awesome things we can get out of technology, but we just have to be mindful in terms of how we secure those as well.

Dan McDermott: [00:17:30] Yeah, thanks, Brad. And I think that you're right. I think that it seems as though it's been contained. Um, I think they've done a good job of trying to get on the front foot and, and, and curtail, um, I guess, the, the spread of the information and any misinformation and try to, you know, handle it quite well. So, you know, I think, you know, breaches do happen. These things occur. And now that is the response that you take, the communication that you have, um, to your key stakeholders which in this case is to the public, um, in general of New South Wales. I think they've done, um, you know, a, a pretty standup job on that. Um, then hopefully it is contained and something that, you know, um, doesn't, you know, lead to any serious harm and those type of things, and can quickly rebuild that trust as well. So now, you know, probably I'd say at this stage, hats off to them in terms of the way they've gone about managing, um, to this stage as well, which is great.

Unfortunately, sometimes, uh, an attack doesn't happen just once. Um, I, I really feel sorry for the guys at Toll, um, like, um, we've seen there now a second time that, uh, uh, ransomware's occurred. Um, we've seen that now being, uh, sold on the Dark Web. Not quite sure how people know that it's on the Dark Web if you're not on the Dark Web, but anyway... But, like, the, the data is actually being released and being, you know, potentially sold and that type of thing as well. So, what's your take on Toll and, and the second round of, uh, attack they've, uh, they've had to face?

Bradley Sing: [00:18:54] Oh, bra- ... like, whoa. I mean, we're, we're all talking about Toll, I think, when, when the first attack happened and it's just such a... it's a, it's a crazy landscape right now. And I think, like, in security we always talk about these big events and, and breaches and there's a lot of FUD and there's a lot of fake news out there round it, but this stuff happens and, and it happens a lot. Um, I think the, the fascinating thing about the Toll one is the fact that it happened a second time, but one thing I do wanna call out is that Toll are the victims here, regardless of, of, of how you look at it. At the end of the day, they're the victims of this, and it's caused huge disruption, uh, to their, to their business, to their supply chains, and also a lot of businesses across Australia.

I mean, we were talking about iPhones working with COVIDSafe earlier. I think I waited two months to get an iPhone, uh, from Toll, through this, uh, this crisis. Um, so it does cause disruption, um, but I think the challenge with the second attack as well is that it, it's a lot more serious than the first attack, in the sense that this second attack, they, they got data. Um, the group behind it, or the, the ransom [inaudible 00:19:52] malware Nefilim, uh, which is... I think is the, the offspring of God, uh, fallen angels, if you will. I remember that from my days reading high fantasy novels.

Um, but the idea behind, um, uh, this ransomware, is it's kind of like... it's, it's, it's, it's a private ransomware. So it looks like the same group behind it was in charge of effectively ransomware as a service, which was very popular on the Dark Web, which you can effectively buy and sell, and basically make your own hack. Um, the big difference between this one and the open source one is that the, the open source one didn't really have a streamlined payment system. It seems like this one, it's a lot easier to actually pay the ransom. So, the group's most likely out there for profit.

Um, the public sharing stuff is, is quite unfortunate and it looks like the, the 200 gigabytes of data that was leaked does contain in- information such as salary, superannuation, employee details. Uh, Toll have made the effort to reach out to every... any info- ... any former employees which were, were affected. Um, but there were... like, the, the hackers, they're, they're being bold. I was reading through some threat samples earlier in which they've got lines in there calling out pretty much every security vendor saying how the... [laughs] they failed to stop it, by name. Um, and I think we've seen this, this before as well.

So the group beyond this rans-, uh, this, this ransomware has, has been known for hacking infrastructure, they've been known for hacking large organizations. They, uh, did quite a high profile hack last year against a [inaudible 00:21:14] manufacturer, uh, which was actually charged with doing most of the lingerie production for Victoria's Secret and, uh, some other brand, Beyonce's brand, as well. Um, but in terms of disruption to supply chain, like, that completely crippled that business as well.

So, we definitely, we definitely see it on a global scale, um, and, and I have to wonder, I guess you have to wonder w- ... who's behind this? Is it for profit solely, or is, is there a bigger disruption play at cause? I think the general theme of kind of everything we've been seeing at Get Cyber Resilient is, is disruption, uh, whether it's for profit or for chaos.

Dan McDermott: [00:21:47] Yeah, and it's, um... I think it is... There's two concerns I have, I guess, coming out of that, Bradley, is the increased sophistication of the attackers, right? So, as you said, you know, ransomware, they didn't have an easy payment system. They've been able to improve on that, so it's like, it's great that they're, uh, doing, uh, continuous improvement and innovation in, in the ransomware world, but it doesn't-

Bradley Sing: [00:22:09] [laughs].

Dan McDermott: [00:22:09] ... really help the rest of us, right? Um, so it's, uh, it's [inaudible 00:22:14] to one thing. The other is, is that notion of is it about individual companies or is it a bigger attack vector, um, looking at, uh, you know, supply chains in general. Um, obviously Toll's, um, in the logistics business, but I've also seen, like, Blue Scope, uh, recently breached as well, and sort of thinking where they sit in the supply chain that it's, it's very early phase for a lot of things and a lot of, um, I guess, exporting to... into key markets like China and others as well. Um, do you see that this is something that is broader than just, you know, company by company and it's more around sort of supply chain and critical infrastructure across, uh, across the country as well?

Bradley Sing: [00:22:54] Oh, that... I think, look, at the end of the day, there's definitely profit to be made by targeting individual organizations and, and we see a lot of that, but I, I think you're 100% correct in the fact that it, it's a, it's a larger scale conversation and it's, it's a larger attack that's happening. Um, I guess given the, given the, the, I guess, the, the challenges today and a bit of trade war going on, we've got cold wars in certain fronts of the world, um, it's very easy to, to launch a cyber attack, and it's very easy to generate revenue in countries which have embargoes against them with things such as cyber attacks. Like, it's effectively commoditized industry. Now if we look at, uh, I guess Australia as a, as a, as a country, do, do a crisis or a pandemic, uh, scenario situation, uh, industries such as services and tourism no longer exist, or effectively our f- ... our, our reliance on those, those industry... so we can't have reliance on those industries, effectively.

So when we look at things like manufacturing or mining, those industries which we are seeing getting even more targeted recently, it starts to really raise questions in terms of, okay, how do we protect some of these key industries? And, and I might seem a little bit nationalistic, but I think we're seeing the same kind of thing all around the world. We're seeing it the same in terms of business ownership laws. Um, moving forward, I guess, in terms of, you know, what this means, I still... I see this as, as a continuous battlefront, but I think we'll continue to see attacks against infrastructure based organizations, supply chains, manufacturing, uh, to the level it exists in Australia today and in the future.

Um, and I think, like, you know, it's something which organizations will need help from the government as well. Like, you know, working with, with government agencies, working with the Australian Federal Police. And if you think about the Toll one as well, like, they've been really good in terms of trying to communicate and share samples and working with the ACS and, and notifying the public. Um, so I think if we continue to communicate and kind of work as a good local network, we've got a good chance of kind of getting ahead of these things, but to your point as well, I think we need to have a bigger awareness in terms of that we're, we're, we're [inaudible 00:24:52] a target. We're a high value target and our, our underlying industries and infrastructure, um, are so vulnerable, uh, to, to large-scale cyber attacks.

Dan McDermott: [00:25:01] Yeah, it's, uh, it's definitely a concern, um, you know, at a nation level, Brad, and I think that's the thing where, where you do have to continue to invest in this and then, you know, all be diligent... vigilant, sorry, um, in terms of our approach and how we, uh, look at help, uh, secure those industries. Um, um, and it's, you know, critically important. So, Brad, thank you for, uh, spending the time with us to reflect back on, on the month that's been. Uh, we'll do this again next month, um, and pick up the conversation. And, uh, here's to a, a, a safe and healthy, uh, June, moving forward.

Bradley Sing: [00:25:32] Thanks for having me.

Dan McDermott: [00:25:36] So the final part of today's episode, um, is a chance to, uh, reconnect with, uh, with Gar and discuss, uh, a slightly side topic but one that, uh, is, is interesting from a cyber security perspective. Um, [inaudible 00:25:50], you know, is your phone listening to you, and what's the implications of, of that, um, in terms of, uh, targeted advertising, um, in terms of, uh, the sort of information that people have and who has this information and how will it be used and can it be used for good, rather than evil? Um, Gar, what's your take?

Gar O'Hara: [00:26:08] Yeah, we've, we've jumped from the helicopter to the microscope, eh? It's like the, uh, you know, national infrastructure right down to the phones in our pockets. Um, and all that said, if my phone is listening right now, all it's gonna hear is Kango hammers in the background, so again, apologies for that. Um, look, my, my take is, despite the stories, and there are some, you know, where we know that, um, for example, some of the stuff that Siri records, or Alexa, is sent to humans to analyze and understand if the AI is doing a good job of kind of interpreting what has been said.

Um, I think the reality is the amount of processing that would be required for our phones to actually listen in real-time to what we are saying all the time is, is stunning. Like, it's... I don't think it's available on the planet even to the NSA. So I think there's probably just a technical barrier that exists to that. Um, and actually I think what we're seeing is the fact that digital footprints are just incredibly good right now. And, and people may think, "Oh, that's what I do in my browser." Um, it's really not. It's, uh, what you do with your browser. It's where you walk in a mall, if you've got Bluetur- ... uh, Bluetooth turned on and there's beacon tracking in that store or wifi tracking. Uh, it's what you spend on your credit card. Uh, it's what you tap when you use your loyalty card at, uh, your local grocery store.

These are all data points that, that brokers will triangulate to understand, you know, who is Dan McDermott? What, what's his next move in life? What's... Is he about to buy a Ferrari? Is he about to, um, you know, get a new degree in something else? Um, it's, it's that good. And I think that's what people are seeing, is [laughs] they can tell you when you're getting your... yeah, [laughs], when you're getting your Ferrar- Ferrari. Um, but I think as, as humans, like, that's the thing, right? It's really easy to, um, to, to do the thing that humans do, which is look for the simple solution, "My phone is listening to me," um, when in reality, like, the actual answer is probably much more creepy and scary, which is, all the things that you do online, all the things that these days you do offline, uh, are feeding into data brokers that are doing an incredibly good job of understanding us.

The reality is, when you start looking into this, people don't even really understand the machine learning, you know, how it's doing what it's doing, quite often. Um, like for example, Facebook, uh, photo recognition. You know, AI does that, but there's no human that actually understands, you know, in the background what the AI has actually figured out in a way to recognize faces. Um, so we're, we're in this kind of weird place that, um, yeah, it feels like we're being spied on through microphones, but actually the answer in some ways is simpler, but in a lot of ways is just much more creepy.

Um, and actually one, one of the things, um, that we, we talked about was the fact that for those who were around in the old days with rotary telephones, you know, you'd walk over to the phone to, to call your granny or, you know, uh, sort of an aunt or an uncle, and the phone would ring at that exact moment. Um, that was a thing, back in the day. You know, when you go, "Oh, my God. Like, what a, what a weird thing. I must be psychic or, you know, there's some kind of like telekinesis happening." But it's, it's not. It's just a... It's a human thing. It's a psychology issue called, uh... I think it's called the Baader-Meinhof, um, phenomenon, but it's that you only ever remember the things that are linked.

So people talk about all the time, like, "My phone, uh, was listening because I said I was going to go on a holiday to Bali, or I was thinking about it, and the next day, you know, on my stream on whatever social media I was seeing ads for fo- ... you know, uh, for, uh, holidays in Bali." You only r- ... You remember the times when those two things happened together, but you don't remember the 50 or 100 times where you mentioned holidays in Bali and nothing happened. So there's a lot of, like, psychology at play there. But, yeah, I, I suppose I've blabbed on a little bit, but my, my short answer is, I don't think our phones are listening to us in that way. They are, but not in the way we think they are.

Dan McDermott: [00:30:01] Mm-hmm [affirmative]. That is scary, though. I mean, the... just the amount of data and information that is being able to be collected and, and you know, one of the things that sort of got out of the article that you were a part of on Boss Hunting was the voice cricket.

Gar O'Hara: [00:30:14] Mm-hmm [affirmative].

Dan McDermott: [00:30:14] So, like, we all know sort of like, you know, "Hey, Siri," but, um, um, apparently there's thousands of others that can trigger, you know, that they're listening as well, which are... which we don't know what they are, so we don't know when this is actually occurring. So I think that's part of it. Um, there's quite a lot we won't cover now, but I was fortunate to, uh, to meet, um, former CIO of Google, um, think he was one of sort of the first 15 employees and, you know, obviously, pretty smart guy. And, um, he knows, he knows a lot about this.

And he even spoke then about, um, about the ethical, uh, considerations that go into releasing new products and new applications at Google, um, because even sort of five, 10 years ago, they were in a position where they had so much information and so much data and so much then AI coming in over the top of it, that the biggest consideration that they feel is... that, that they have is, is what is the ethical concerns around this and how do you actually, you know, not, not become too creepy, not gr- ... you know, step over that line where it goes too far?

Um, and I think that, you know, we've seen, you know, the explosion of, you know, Facebook and the potential, you know, advertising revenues, uh, that underpin the, the growth of that business from a financial perspective, um, is, is in that sort of situation as well, where I fear it's like, you know, they want to be able to gather this information and as a marketer, it is to try to do the right thing, which is, you know, serve interesting information at the right point in time for people. Um, but that can... There's a fine line in that, and it can overstep, right?

So, I do feel like it is an, an interesting area that, like, is your phone listening to you? Hmm, you'd say maybe not, but I say, it may be, but it's also then even if these things are happening, it's what happens in the background with it. And, and the ethical concerns and the views of these organizations, um, it's going to be critical in going forward, because if they overstep, um, you know, we spoke about trusting government before, trust in these large organizations would be eroded through them going too far in some of those, uh, activities as well.

Gar O'Hara: [00:32:26] And, and it probably already is, is the reality, you know? I think when you think about a lot of the not tinfoil hat approaches, but, you know, the, the, the amount of skepticism there is around privacy and what happens to data. I was listening to a couple of, uh, academics this morning, actually, talking about, um... Uh, it was a different topic in that it was around sort of the societal impacts of this very targeted, uh, digital footprint stuff, um, and it was an excellent analogy. They were talking about the amount of disinformation that's out there, and, you know, COVID is a perfect example. You know, we're seeing a lot of, you know, COVID lures used for compromising businesses, but there's a lot of other disinformation out there.

And the analogy was brilliant. It was, you know, we, we were, at one point, um, as societies, you could walk past somebody shouting something crazy on the street corner and that was fine. It was very open and everyone heard the same message. But now what you've got is the ability for, uh, organizations, um, they could be political or, you know, private enterprise, to essentially whisper in individual people's ears with a message that is very targeted, based on A/B testing because they've seen, you know, "For this demographic, this exact word works better than this other word. Now, and this image, when we change it slightly, has a better effect."

And that, that's a huge amount of power to wield in a society, I would say. Um, so yeah, like, I, I... Yeah, it's funny 'cause... and I'm sure you're aware, like, the terms and conditions for many of the providers actually cover their ability to record. So, you know, legally some of this stuff is doable, um, I wonder if the technical hurdles weren't there, would that be a thing? I... Yeah, I don't know. Um, big, big question mark. Um, yeah. [laughs].

Dan McDermott: [00:34:04] [laughs]. Yeah, but it, uh, it... I think it is one of those things of, uh, it's for almost to, to continue to somewhat try to understand and know sort of what is happening, um, but also, like, you know, working in the industry is one that is the ethical considerations of what you do with information and the data that is available. Because, you know, the reality is we're gonna continue as society to get more information, more data's available, more joining the dots on, um, on these digital sort of breadcrumbs that are around, around people and, and what's available. Um, so it's how do we actually utilize those, um, you know, create new and effective and interesting services to go, like, out of it, um, that, that supports society rather than, uh, you know, undermine the confidence and trust, as well. So, it's, uh, lots, lots ahead of us, that's for sure, as, um, as I think as a society and as a, as a cyber community as well.

Gar O'Hara: [00:34:54] Absolutely.

Dan McDermott: [00:34:56] Great. Well, uh, thank you for raising that topic for us, uh, for, for consideration and review as well. So I really appreciate it. So, uh, just to wrap up. Thank you, Gar. Thank you, Brad. Uh, really appreciate the time today. Um, hope everybody enjoyed the effort, so, um... and we'll speak again soon.
