In this mini-episode, hosts Gregor Jeffrey and Garrett O'Hara talk through a host of interesting developments in the world of cyber security.
#1. Twitter has drafted a policy to deal with “synthetic and manipulated” media – looking for public feedback
#2. Two Sydney women have been charged over their alleged involvement in a $500,000 business email compromise scam
#3. NAB security team chases down investment scam sites
#4. New legislation has been drafted for a data matching scheme for the Department of Health
If you enjoyed The Get Cyber Resilient Show, head over to GetCyberResilient.com, a new online destination for cyber professionals in Australia and New Zealand.
The Get Cyber Resilient Show is brought to you by mimecast.com.
The Get Cyber Resilient Show Episode #3
Gregor Jeffrey: [00:00:00] We know it can be challenging to secure your business, especially when you have limited time. The Get Cyber Resilient Show, brought to you by Mimecast, is the perfect way to stay up to date with the latest cyber developments across Australia and New Zealand.
Whether you're listening to this podcast commuting, cycling, jogging, or walking the dog on the weekend, you'll hear real stories from IT and security leaders, just like you.
Don't get angry at downtime and data breaches; get cyber resilient.
Hi there, and welcome to this episode of The Get Cyber Resilient Show. My name is Gregor Jeffrey. In this episode, my colleague Garrett O'Hara and I, we catch up on the latest cyber security news across Australia and New Zealand.
Welcome, Garrett, to this episode of The Get Cyber Resilient Show. How are you today?
Garrett O'Hara: [00:00:51] I'm doing really well, Gregor. It's Friday, so you know, I've got my Friday face on.
Gregor Jeffrey: [00:00:55] It looks very happy.
Garrett O'Hara: [00:00:57] Thank you [laughs].
Gregor Jeffrey: [00:00:58] What vendor socks you wearing today? 'Cause I'm rocking a pair. I'm rocking the Illumio socks. Uh-
Garrett O'Hara: [00:01:05] Very nice. [crosstalk 00:01:06]
Gregor Jeffrey: [00:01:06] ... security. Network security.
Garrett O'Hara: [00:01:08] Have a sip of my tea. I have no idea. Look at the nice wavy pattern at the top, and I suspect they are vendor socks. But I can't see a logo, so I'm going to h- have to take a pass on this one.
Gregor Jeffrey: [00:01:17] Got to be careful where you put that logo on the socks.
Garrett O'Hara: [00:01:20] I know it [laughs].
Gregor Jeffrey: [00:01:21] Okay. Uh, look. In today's session, we're going to go through a few, uh, current news stories, uh, in the media.
The first story we have is that Twitter has put together a deepfake policy. They're looking for feedback, uh, from the public, um, to deal with what they call synthetic and manipulated media.
Uh, so Twitter defines deepfakes as any photo, audio, or video that has been significantly altered or fabricated in a way that intends to mislead people or changes its original meaning.
So, interesting that, uh, I, I guess this is being driven from the commercial, uh, side of the discussion, uh, rather than sort of governments leading on legislating against deepfakes. Uh, what's your take on this?
Garrett O'Hara: [00:02:05] It's funny how that happens. So, you know, you kind of have that balance between governments doing regulations and, and, like my personal take, is that's quite often required. Because, uh, the costs for some of the stuff that, like the larger web properties and, and platforms.
Some of the things they do, they externalize costs, and, uh, you know, we've seen some of that with kind of things like, I don't know, voting manipulation and, and those kind of things.
And, uh, like it's interesting to see Twitter be proactive on this, and, and go after kind of deepfakes and, and try; I don't know how successful they'll be, but at least try to, to kind of mitigate some of the problems that they can cause.
I think my, I think it's a beautiful thought and sentiment. I just wonder how effectively you can do that. And, you know, with the policy; like, how do you get it tight enough to, to do what you need it to, uh, you know, with the, with the definition you just said there.
That, in- you know, that interpretation. Yeah, you'll get deepfakes.
Gregor Jeffrey: [00:03:00] It's pretty broad.
Garrett O'Hara: [00:03:00] But you're probably going to get a bunch of other stuff as well. And you know, we've seen a huge amount of misuse of, uh, policies in terms and conditions, uh, I would say, across multiple platforms. And, you know, they end up being used for things that they weren't originally intended for.
So, I think it's a, a, it's an interesting and useful approach. But I think, I wonder how successful it will be. Um, the thing that I don't know, I mentioned this to you previously, of, I was at the Forrester, uh, Predictions for 2020. And, uh, Jinan, ah, Budge gave a, a talk about sort of risk and cyber security. And she called it out. She, you know, the, the idea of deepfakes being a, a huge problem. And how easy it is to actually go and do that.
You know, and it's almost like, you know, we've had the conversation about ransomware as a service. You can do deepfake as a service. You know, you, you don't really need to own the equipment or have any expertise. Pretty easy to do, uh, using various websites; and you can, you know, buy a service that will do that for you.
So, uh, I think one to watch, and I'm definitely keen to see how it plays out. But yeah, I suspect it may be trickier than just having a policy to t- try and protect us against that stuff.
Gregor Jeffrey: [00:04:05] Yeah, I, I find it interesting that Twitter's taken the lead, uh, on, you know, taking a stand against deepfakes. Uh, is it part of, you know, Twitter trying to, uh, you know, uh, reinvent themselves, uh, be that, uh, social, social platform that is thinking of the people?
Uh, recently we saw that they're banning, uh, political advertising from the platform. Which is a pretty bold step, uh, considering, uh, the U.S. 2020 election is coming up. And you, you know [laughs], the sheer volume of, of money that's poured into advertising, uh, from political parties.
Garrett O'Hara: [00:04:40] Yeah, absolutely. And, and there's other platforms that will, I suppose remain nameless, that probably could take a leaf out of their book.
Um, l- look, it's an interesting collision, isn't it? This huge technology and the, the technology Pandora's Box that we've opened, I would say, at a, and, you know, we've talked about it at the global and societal level, where I don't think we ever really understood the reach of these platforms and the influence that they could have.
And, it's kind of hard to get the toothpaste back in the, the tube, to choose the, the clean version of that, uh- [laughs].
Gregor Jeffrey: [00:05:09] [laughs].
Garrett O'Hara: [00:05:10] ... that saying. Um, but you know, I think that's the point we're at. And, and like I'd say, g- good on Twitter for at least trying to do that, and, and to pull the, the political advertising. And I'll be honest; I wish other platforms would, would take a leaf from their book.
Gregor Jeffrey: [00:05:22] Look, I, I think that almost leads us into our next story. National Australia Bank, uh, security team, they're attempting to t- take down scam websites that are featuring the former New South Wales premier, uh, and now [inaudible 00:05:34] Chief Customer Officer of Consumer Banking, Mike Baird.
A couple of weeks ago, mining magnate Andrew Forrest, he also, uh, revealed that he'd sent a letter out to, uh, Facebook founder Mark Zuckerberg on the same issue.
Uh, so, you know, we're seeing these, uh, you know, companies as well as, you know, executives calling out these fake websites.
Uh, you know, do you think they've got a chance at getting these taken down? Uh, what, what's the onus on hosting companies? Or, uh, advertising platforms that allow such websites to run their ads?
Garrett O'Hara: [00:06:10] Look, it's tricky. And, you know, it is, it's almost like there, is it a publishing site? Is it a platform? There's all these nuances and again, uh, it's almost back to that Pandora's Box of technology, where we probably didn't really get where we would end up.
And I think with a lot of the, the automation with the advertising, I, m- my suspicion is quite often that people, there's no bit where a human looks at the ad and says, "Yeah, actually that's okay." And nobody's checking to, a particular person, you know, celebrity, politician, give the okay for their likeness to be used in an, in an ad.
And, and look, that's not a new problem, right? That's something that existed in print media. And, and, you know, there's been cases where, uh, celebrities will sue because their images have been used to advertise something that they never really agreed to; or, you know, maybe their words have been taken out of context. So, I don't think it's new. But I think it's almost that scale of stuff that can have happen. That's the scary part.
And, and the fact that it is automated, so you know, if you're a scammer, you're probably going to have a way; you know, a vehicle or a channel to get to a very broad, uh, audience, consumers, and, and scam just way more people than you ever could before.
And it's almost like, uh, you know, the, the old scam emails, uh, Nigerian scams. You don't need a whole lot of people to respond. You just need enough to make it profitable and then that will continue.
So, uh [laughs], look, I don't know how you control it. I suppose there is an element of policing the stuff probably more, more closely, more tightly. And, and then your comments around, you know, deepfake, that's, that's true as well.
Like, what if you're generating video or voice likeness of a celebrity or a well-known person? Like, at what point, at what point is it, is it really their voice?
So, you know, if you took say, Gregor Jeffrey's a famous person. And, they, you know, they use a deepfake voice of Gregor Jeffrey to advertise, uh, toothpaste or clothing brands. You, it's not your voice. So can you really say, "Hey, you, y- you know, you're not allowed to use that"? I don't, I don't really know the answer to that.
Gregor Jeffrey: [00:08:07] It's, look, it's a really difficult one. Uh, and, I don't think, even in the, a couple of weeks ago when we did our original story on that deepfake, uh, CEO voice impersonation, uh, it just seems to be gathering more and more momentum.
Uh, which, uh, it's ... deepfakes seem to be, you know, for entertainment purposes, uh, you know, when you first saw them online. Uh, but unfortunately, with [laughs] any technology they get, it gets used for nefarious purposes.
Garrett O'Hara: [00:08:35] And that's it. And, and we covered that story of the, the payment that was made, when somebody got a phone call from their, you know, fake v- uh, CEO. Uh, the German CEO into the, the, he was the general manager of a, an organization in the U.K.
Uh, so, you know, it's, this isn't imaginary stuff. It's happening right now. And th- there's potentially happening more than we realize. Uh, because, you know, we hear about the stories when they're caught. What about the times when they're, when they're not? They've flown under the radar. So, yeah, definitely, you have to be one to watch.
Gregor Jeffrey: [00:09:03] So, uh, do you think there's a way that companies can verify content, uh, with a, you know, some kind of digital stamp? Uh, I know for some websites they have been sort of verified by VISA or, uh, I think, you know, some of them were, um, verified by a security company that put that little badge at the bottom of the shopping site.
And, um, actually, just today, I received an email from Adobe Marketing. Uh, and they've got a new feature. I think, uh, for Adobe PDF, whereby it validates that a PDF is in fact, is in fact, um, yeah, the real deal. Especially when you're sending contracts around, and, and such.
Garrett O'Hara: [00:09:39] Yeah, I'd love to see, s- ... but I think the big thing there is it needs to some sort of global agreement in how that works.
Because I think what you'll end up is that there'll be so many different verification types that, as a person just going about their day, it becomes really difficult to know, like, "Okay, this is how Adobe works. Yeah. And this is in my email client. This is how I know this is real."
Um, you know, we've got so many different channels of communication: email, web, uh, all the apps on our phones. Um, even QR codes. I mean, you've probably heard those stories about people putting, uh, printed QR codes over the real advertisement.
So that when people, you know, use their phone to, what they go to what they think is a, you know, an offer for, a discount on some product, actually what they go to is a fake website, which is, is going to try and attack them. So-
Gregor Jeffrey: [00:10:24] Yes.
Garrett O'Hara: [00:10:24] ... and I think it would be, it would be amazing. Um, but it's going to take a lot of collaboration to get us to the point where it's usable as a society, because you don't have to know 50 different things to, to know if something is real or not.
Gregor Jeffrey: [00:10:37] In our next story, two Sydney women have been charged over their alleged involvement in a $500,000 business email compromise scam against interstate businesses, and a Sydney-based university.
New South Wales police said detectives from the State Crime Command's Cybercrime Squad charged the women under Strike Force Belltree. Also, I guess it's good to see that law enforcement, that being able to crack down on some of these scams in Australia. Typically we think of, uh, these online scams and perpetrators as being untraceable, uh, or, you know, in a far-off, uh, land overseas.
Uh, however, I think, you know, law enforcement, uh, had more resources, more understanding of what's going on. What's your take on local law enforcement pursuing cyber crime, Gar?
Garrett O'Hara: [00:11:20] Yeah. And so, here's the thing. I had this conversation with my wife this morning. So she runs a, a, um, an organization that does kind of building certifications. And, I've been saying to her for a while; she, she basically runs that organization, so she's a, to me, kind of somebody who would be at risk for, uh, fraud and, and this BEC compromise.
And this morning over coffee, I feel like when I'm, I'm talking to you, I'm referring to conversations that I've had. And I always seem to be talking about cyber security. I do have [laughs] a l- a life, and so this stuff is a [laughs] ...
Uh, but anyway, so we're having coffee this morning, and, um, she mentioned one of her kind of peers. Uh, good friend of hers, who is a, who is also a CEO, had been done for, for BEC, or, you know, business email compromise, and had lost a, a, a sum of money.
The point there is actually, this is becoming much more common. And when I, I said this to Laura this morning, she was already across it, because I, I'd sort of mentioned BEC. And she said, "Yeah, we, we have a process that we'll only ever change a bank account if we call the organization and we verify, uh, with them."
And, and I think we're starting to see; I know, I'm guessing it's probably the same for you. This is obviously a huge concern, and it will continue. There's a huge amount of m- money being made from it. Ah, more than ransomware-
Gregor Jeffrey: [00:12:35] Hm.
Garrett O'Hara: [00:12:35] ... according to the AIG report back in July.
But I also do feel like it's starting to become part of the, you know, the conversation that is happening with business leaders who are, they know that this is a business risk rather than a cyber risk. You know, it's old-school fraud.
And, and it sort of feels like, based on, you know, conversation with my wife [laughs], and other people in, in the industry, that it, it's sort of bubbles at the top, and people kind of know that it's there.
So th- there's probably going to be a lag. But, you know, being optimistic, what I would hope is that, um, more organizations will put processes in place; use technology definitely, absolutely, that will catch a lot of this.
But then also, have the processes so that it does take a phone call to the organization for bank account detail change, or, you know, an invoice that you weren't expecting or an, any of those other things.
Gregor Jeffrey: [00:13:22] And this leads into another news story this week, where an IT manager at a [TAFE 00:13:26] has been locked up for eight years, uh, for admitting to a number of frauds against, uh, the institution. Uh, so he, you know, set up his own fake cloud services, uh, to run from his own home server. Uh, and he was charging, uh, his organization for [laughs] those cloud services.
It also included a bunch of other dodgy IT purchases, uh, that didn't quite exist for IT hardware and software, uh, to the tune of $1.7 million.
Uh, so we're seeing authorities have the power to be able to chase down these, uh, you know ... uh, I don't think 10 years ago, it, except for serious cyber crime, uh, it was, it was really on the radar for a lot of, uh, a lot of law enforcement services.
So, do you think they will get more funding to chase after crimes like this? Uh, and, as I said earlier, it is quite often overseas criminal gangs. Uh, do you think we'll see any collaboration between nations on, on chasing down the, these smaller sort of crime, uh, scenarios?
Garrett O'Hara: [00:14:29] It, it probably depends on the size. Uh, but back to your point, um, you know, probably there's probably a critical mass in terms of how big the fraud is before that collaboration would happen.
And I think one of the traditional problems with, with cyber crime is that you can operate from a jurisdiction that is maybe not well policed. And or if it is policed at all, and you are caught, well, that's, that's fine. You get, you know, maybe it's some prison time or something happens.
But you're playing whack-a-mole. Uh, and it, to me, it almost comes down to economics in some areas. Because yes, you might be able to get a job that's very low paid and, and just about gets you by week by week.
And, or, you could, maybe you could go to work in a, air quotes, call center. And, and do, air quotes, work, that gets you more money and, uh, and I think that's part of the issue.
There's places in the world where you have people are, are probably good people. But, they also have to feed their families and some ... and I'm not for a second saying that that stuff is okay. Uh, but I think it's com- I think it's more complex than, I think we sometimes maybe think it is.
You know, it is absolutely cyber crime, organized criminals. But there are kind of lower-level players that we take advantage of, just how ubiquitous technology is, to, to ... it sounds weird, but maybe just feed their families. You know, I don't ... I don't think everyone is uh, in a big mansion, uh, like Scarface.
Gregor Jeffrey: [00:15:48] [laughs].
Garrett O'Hara: [00:15:48] Uh, you know, with, uh, zoo animals and, you know, minted. So, th- there's probably a spectrum there. I think you're right, though. I'd love to see the, the collaboration across borders to, to also protect the people who get caught.
You know, it's on both sides. And, just a lot of low-income people who are losing money to scammers and, that's incredibly unfortunate as well. So I think it's just one of those messy complex human problems.
Gregor Jeffrey: [00:16:13] Do you think we'd ever see online police? So we have that bots that interact with you on different websites. We have, you know, all the talk of AI and machine learning. Do you think we could have some kind of online police?
Garrett O'Hara: [00:16:25] Maybe we could even get Tom, uh, Tom Cruise to play the lead, lead cyber boss? [laughs]. Like- [crosstalk 00:16:32]
Gregor Jeffrey: [00:16:32] Just use his voice.
Garrett O'Hara: [00:16:33] Yeah, there, well, you, you could just deepfake his voice. You wouldn't even have to pay the actor. Gregor, I think we've just come up with an amazing business plan here [laughs].
Gregor Jeffrey: [00:16:41] That's a great business plan.
Next story, in September, new legislation has been drafted, uh, for a data matching scheme for the Department of Health. Uh, so, privacy concerns have been raised with proposed laws that would see Medicare data matching activities expanded to better detect fraudulent or incorrect claims.
And I, I think the scary part of it is that access to the data could be opened up to other federal government agencies, uh, for both Medicare compliance purposes, and also to, in air quotes, assist them in performing their functions.
Seems like a pretty broad, uh, spec. What do you think, Gar?
Garrett O'Hara: [00:17:20] I think that's it, right? It's, it is the broad spec, and s- there's a few organizations have raised their concerns, uh, over this.
And, look, a, a, a personal opinion is I think sometimes that with the best intentions, uh, policymakers and, um, folks who, who kind of push for this kind of move, uh, they've got a, a view on what the benefits to society will be. And there are, there obviously are some. And, uh, I get that.
My concern is that when you think about doing things like data matching and, and just how difficult and fraught with complexity that stuff actually is; it's got risks. And, and those risks tend to be around privacy.
And some of the stuff that's, you know, inadvertently, uh, potentially exposed for people. And, um, it's that slippery slope. I think it, it's that for me. That's my concern, is that there's a great outcome described. You know, you match the data and you can look for compliance issues.
The, the question would be, what else? And so that's where, I think, the, the risks, you need to kind of build into a tighter policies around privacy. And, and, you know, what the impacts to, I suppose, Australian citen- citizens, actually would be.
So, I think it, it's a great idea. And I do worry about the execution.
Gregor Jeffrey: [00:18:33] I, I guess the one that concerns me is to, uh, you know, in air quotes, as I said, to assist them in performing their functions. Uh, you know, do they have a requirement to be, uh, uh, ... do some of these departments almost need to drive revenue from their activities? Uh, or, or do they need to integrate with private health companies?
Uh, you know, this rich amount of data they have access to really gives them access, uh, to monetize such information. Uh, or to share that with other money-making, uh, companies in the industry, such as, uh, private, private health cover companies.
Garrett O'Hara: [00:19:10] Yeah, I mean that's it, right? You, you do data matching and, depending on where this goes, you've got potentially insurance companies charging more for insurance, or denying insurance, ah, because of something that's been uncovered, s- in a, in, you know, separate data set. So, uh, like it's complex.
And, you know, it, I don't really know the answer. Uh, I suppose I, anytime money is introduced to any kind of policy or [inaudible 00:19:37] program like this, I think it, it inevitably leads to, uh, undesired consequences.
Gregor Jeffrey: [00:19:43] Yes. It is concerning, where our data does end up at the end of the day.
And that's all we've got time for in today's episode of Get Cyber Resilient, an update on cyber news. Thanks a lot for your time, Gar.
Garrett O'Hara: [00:19:55] Likewise; great to talk to you, and, uh, I'm sure we'll talk again next week.
Gregor Jeffrey: [00:19:59] We will. Cheers.
Garrett O'Hara: [00:20:01] Cheers, Gregor.
Gregor Jeffrey: [00:20:07] If you enjoyed The Get Cyber Resilient Show, head over to getcyberresilient.com, a new online destination for cyber professionals in Australia and New Zealand.
We all know the constant battles and challenges of addressing cyber security. Getcyberresilient.com is a place that brings together the local cyber community to problem solve together on innovative solutions, on how we can all be more resilient to the challenges and risks that exist online.
Point your favorite web browser to getcyberresilient.com.