The latest cyber news and resilience insights: 21/06/21

In our latest news update our team of resident experts talk through the latest cyber security developments including the ransomware attack that shut down 35 hospitals in Ireland, the Australian government’s new ransomware awareness program, the Commonwealth Cyber Security Posture in 2020 report, and the 780 gigabytes of data stolen by hackers who breached Electronics Arts. 

The Get Cyber Resilient Show Episode #59 Transcript

Daniel McDermott: Welcome back to The Get Cyber Resilient Show. Today's episode is our fortnightly review of the hottest topics from around the industry. I'm Dan McDermott, your host for today, and I'll be joined by our resident, cybersecurity experts, Garrett O'Hara, and Bradley Sing. Today we will explore the ransomware attack and data breach that occurred at the Health Service Executive in Ireland. On the topic of ransomware, we will review the Australian federal government's new public awareness campaign, Act now, stay secure. Staying on the government theme we'll review the commonwealth cybersecurity posture and its cyber hygiene improvement program, AKA CHIPs. And we'll finish today's episode in the world of gaming with the hack of Electronic Arts and stealing their source code. Let's kick off with an attack that occurred in Gar's motherland, and the cyber attack on the Health Service Executive in Ireland. Brad, I can't believe the health sector has been the subject of another attack. What happened over in Ireland?

Bradley Sing: Yeah, I mean, Dan, this is a, another ransomware attack against a, a large organization. Obviously, we've heard a lot in the news about colonial pipeline, JBS recently as well. but this time being, I guess, more of a government organization they were, it seems like the threat actor behind it was a- a group called Wizard Spider, which is a fantastic name as always. Wizard Spider have been known to use things like Trickbot, and Ryuk, and Conti, in the past, so we're talking like kind of more off the shelf ransomware kits. I guess the, the crippling thing for, I mean, there's a couple of things here, but one the health service has publicly said they won't pay the ransom.

Um, which is, I guess, quite contradictory in terms of what we've seen quite recently w- with other large companies. and the other point there is there was a large disruption to their hospital services. And I think to this day there still is some disruption. They manage over, I think, 40 hospitals in, in Ireland and we're talking about key bookings and critical, you know care. it was interesting to see though that things like COVID vaccines and, and that kind of booking service still remained up during the time. So it looks like there's a bit of resilience of separation there too.

Daniel McDermott: Yeah. You're going to have to help us out here. And what, who, what is the prime minister's name that that actually said they wouldn't pay the ransom?

Garrett O'Hara: Oh, his name? His name is Mo Michael Martin. but yeah, I I think what you're referring to is-

Daniel McDermott: [laughs].

Garrett O'Hara: ... uh, what we call our Taoiseach. So that's the equivalent of our prime minister. Uh, we were joking before we kind of started recording, how harsh, the harsh language, it's like they designed it to be difficult based on the, the spelling. But yeah, the Taoiseach is the our prime minister. And he's actually the guy who said that they, they wouldn't pay. I think it's an interesting one. Uh, Bradley, you know, you kinda mention it, it sort of maybe diverges from what we've seen in some other organizations. And, you know, I do think it's a function of the fact that it's a, you know, it's a national healthcare service and it sort of puts you in a position of, yeah, you don't pay the, you know, pay the terrorists or you don't negotiate with them.

So you know, I wonder, was there a conversation that happened in the background about, do we or do we not? But I suspect there, there was no real option there given it's a, you know, it's a nation state being attacked that they can't really pay the ransom in this case. And it was funny when this happened, I mean, given I'm from there you know, we- we've talked on the show, how many times about how mainstream cyber security has become and this stuff is hitting the news. But my phone went crazy the day that this, this hit, you know, all the people back in Ireland and, and my friends here all sorta saying, "Hey, did you see this?" so yeah, it's another one of those really, really awful yeah, attacks on, on healthcare. It's so pre- prevalent, you know, we've seen stuff up in Queensland, Victoria last year, the US, so many health care organizations. like it's just a really, really high value target for ransomware for very obvious reasons, you know. We, we've spoken about that before.

Daniel McDermott: Yeah. And I guess not paying the ransom note, although now there has been release of some of like patient records and, and things have actually occurred off the back of it. It's, you know, they sort of can't win, right? They're in a no win situation here, no matter sort of what approach they take. And it's interesting, we spoke about like, you know, are the bad guys starting to get a- a bit of a social conscience? And, you know, we saw giving away keys for an attack earlier on healthcare sector and that as well. But now it's like straightaway they're back doing the, the same cyber, I guess, criminal activity as we've seen previously.

Bradley Sing: This is also the largest yeah, this is the largest health related kind of disruption attack. Like the largest one before this, I think was WannaCry with the NHS over in the UK. But outside of that, this is the largest attack we've seen ever in the history [laughs] of cyber security against a healthcare organization. And you have to think of some of the ethics involved, right? So the, those private companies, you know, the gas pipeline, as an example, you know, people with that power, they want to get people up and running again. Obviously it is a government agency, so they have standards, but if you've got people who are or clients or patients rather, who are potentially at risk, do you pay the ransom and get them back online? And we saw the first death from potentially first ransomware cyber secure related death last year, where that lady couldn't get to the hospital, went to the wrong hospital, whatever it was. So we know it's real and also the other aspect is if we look at Colonial Pipeline paying the ransom, they actually did get their money back with the help of authorities. So are we maybe gonna see some stuff like that in the future, where they almost go on the offensive and, and, you know, try and use the bait and switch tactic?

Garrett O'Hara: Certainly, you know, like guys, I think what may be an interesting thing here, and it's almost back to what you were saying, Brad, about the fact that this was sort of off the shelf ransomware. And one of the things I'm starting to think, to think about is how often are these attacks targeted or are they just kind of folks who are getting caught up in, you know sort of spray and pray ransomware attack type stuff? because I think what sometimes this points to is the, those different types. And actually Bradley and myself were talking about this the other day, that the spray and pray stuff that, you know, it is kind of vanilla, but it's still out there and it's still bringing down organizations with the ransomware versus the, you know, the big game hunting stuff where you're really taking advantage of the, the you know, the attacker ecosystem, you know, where they've got ransomware as a service, they've got payment services, they've got customer success or customer service for people who were trying to pay, you know, Bitcoins.

Um, and it's hard to know sometimes which one, you know, which one, or which bucket this stuff falls into. and, you know, Bradley, you made the point about paying the, or the, the ransom being retrieved. And I think there's maybe a comment about some of the, that sort of maybe disparity we'll see in the ability for countries to, to go after funds. You know, when you think about the US whether it's the NSA, the FBI you know, I love Ireland, but we don't have those kind of resources at our disposal. So I wonder when it comes down to it, you know, how effective the Garda Síochána, another sort of two words. By the way, if you saw them written down bear no correlation to what I just said, but the Garda Síochána is our police force.

Bradley Sing: [laughs].

Garrett O'Hara: but yeah, but [laughs], yeah, I wonder how they would go, you know, with retrieval of funds. And, you know, we've talked about this in the show, what's the level of cooperation we start to see with you know, other countries where maybe the US does work with the with the, our with Ireland's? With the view to, you know, all of us going in and after this stuff together because it, it's a global problem, right?

Bradley Sing: Yeah. And if you don't have that capability locally, it's like, you know, maybe, maybe the NSA, they come in and they help you, they, they help you respond to a breach. And I mean, we've got things like the, the Five Eyes security arrangement with like the UK-

Garrett O'Hara: Mm-hmm [affirmative].

Bradley Sing: ... I think it's with US and New Zealand. So-

Garrett O'Hara: Yeah.

Bradley Sing: ... there are those partnerships in place. But you're right. It does start to become a, yeah, almost how to say the west versus certain parts of the world, but, but it becomes a a multi-country uh, bigger problem, doesn't it?

Garrett O'Hara: It does. It's, it's what, you know, Dan, we, you know, we've talked about the SME, you know, supply chain stuff. And, you know, if you overlay countries, is Ireland the SME of [laughing] of this problem where we need you know, we need the support of those bigger nations, because we just don't have the resources potentially as a smaller nation. You know, that's a conversation we probably all have to have as well.

Daniel McDermott: Yeah. It definitely makes sense. The idea of pooling resources, right, to be able to I guess, protect and also fight back, right? And I think we're seeing, you know, lots of activity in the federal government here in Australia around this as well. The topic of ransomware is huge, it's becoming mainstream, right? The- the amount of news coverage that it's getting and what's happening. And we're seeing a first I guess, response publicly from, to this from the federal government around a public awareness campaign, as we said, called Act now, stay secure. which has been launched by the Assistant Minister for Defense, Andrew Hastie. So it is looking as though they're, they're trying to do things and putting an initiative in place. Brad, what can you tell us about this initiative and- and is it going far enough in terms of what's required to, I guess, get this ransomware scourge under, under control?

Bradley Sing: Yeah certainly. So we, I think we talk about awareness a lot in- in cybersecurity, like just in terms of training and educating our staff and, and obviously making sure that, that that human kind of layer understands the risks. But I think what we're starting to see and really across the media and through different government campaigns is the acknowledgement that cyber security is a challenge, the government's going to be investing taxpayer money into it, you know, it's going to be a- a contentious topic around elections as well. but also the reality is, you know, we're incredibly vulnerable. there's a lot of campaigns going on right now in terms of getting people vaccinated and kind of like ad stuff around that as well. And I think maybe it's a bit hard for us because we're kind of in cybersecurity and we live and breathe it. So I'd almost wanna ask our main chat, you know, someone outside of our s- sphere, what they see of it that I think it's great that we're starting to see some initiatives. and I believe we, like you've even got a few emails yourself, Dan, a couple of alerts which may be part of this campaign.

Daniel McDermott: Yeah. I, I do subscribe to the ACSC. So just got the first email through the other day launching their campaign. and as you say though, I mean, I subscribe because I know who the ACSC are and then want to stay abreast of these things. I'm not sure that's obviously going to be enough to, to get to the general public. So I'm sure there'll be a lot more to come as we start to sort of see this unfold.

Garrett O'Hara: Uh, I think so right to call that the audience for the ACSC, right? Because I think what we really need is the campaign going to, to the boards, to the exec, to the business. It's not, you know, the- the people who are generally on the ACSC and other cyber mailing lists, they already know this stuff, you know, it's not, this isn't new information. You know, if you look at the campaign, it's around doing things like you know, automated updates, it's two-factor auth, regular backups, you know, none of it is exotic security controls, [laughing] like it's all the stuff that, you know, the three of us talk about all the time. And I think that's potentially something that I've seen is that the, you know, we- we were talking before we started recording, you know, 60 Minutes is going to cover this on Sunday, I think it was, or whatever-

Daniel McDermott: Yeah, Sunday, 20th of June. So if you haven't seen 60 Minutes from this week yet definitely take a look.

Garrett O'Hara: Yeah. But doesn't, doesn't that like point to the fact that this is now a mainstream conversation? And I think, yes, you know, the ACSC and, and federal campaigns needs to be broader, but it needs to be aimed at the right audience because it isn't enough just to go to the cybersecurity community. We already know this stuff we need, we need the change in the mindsets of, I would say, you know, the air quotes, business side of organizations to start, you know, really taking this stuff seriously, building it into and aligning it to their organizational strategies and critical infrastructure, you know, business plans, all of that stuff. Like this stuff has to be core to how every business, how every organization kind of moves forwards. And, you know, ransomware is just everywhere.

Bradley Sing: Mm-hmm [affirmative].

Garrett O'Hara: You know, if we were to like, let's be honest, I mean, if we, if we tried to cover every single ransomware story that pops every, what, we do this every two weeks? We, you know, this show is what five hours long, and we probably would only hit the surface. [laughing].

Daniel McDermott: No, exactly. And I think the, the key aspect here is, is a lot of the commentary around, like is this going far enough? Does the government need to become more proactive as well? and actually you sort of look at getting on the front foot, and we actually discussed last time that Rachel Noble from the head of the ASD did speak about the fact that they are doing that, that we've seen it in the media industry. they've, they've implemented people into department of health as we spoke about healthcare being such a- a strong attacked sector. so they certainly are doing some things, I guess it's hard to know whether that's enough when, when it does keep hitting the news all the time as well.

I think I'd like to see maybe almost a renouncement of the notifiable data breach laws, like that is something which has a, you know, potentially personal level of accountability for a board and executive team. And I feel like we haven't really, you obviously get the, the data breach reports around it. I'm just trying to think of the best format for this advertising. Is it a targeted ad in the contest land, as an example, saying rans, fix your ransomware issues or otherwise, you know, you'll be in trouble. But yeah, it's definitely an interesting topic.

Garrett O'Hara: Could we, could we like rent one of those helicopters that tows, the, you know, the banner in the sky after it?

Bradley Sing: [laughs].

Daniel McDermott: Oh, yeah.

Garrett O'Hara: And it like it, it, but it's such an important point. It's, it's the, the channels of communication, the language used. I think, you know, that's a conversation we three have had, that the industry has been talking about for so long is how do we make this kind of real for the folks who, you know, open the purse spring purse strings to fund projects, to fund capabilities from a security perspective. Because I think there's not a single security practitioner out there who doesn't know the problem of ransomware and probably doesn't have a really good idea how to solve it but, sorry, solve it. That's ridiculous what I just said, but you know what I mean.

Daniel McDermott: [laughs].

Garrett O'Hara: Like the controls that you would assume are kind of baseline and then maybe some more kind of exotic or advanced ones. But it's not that we don't know what to do. From a security co- controls perspective we do, but it takes money, it takes spend, and it takes kind of resources. And then I think that national conversation, like to me, it is a national strategy it has you know, in personal opinion, but it has to come from that level and then trickle down to something that's cohesive because it's, it's a societal level problem. It's not one organization, it's not one a agency, one entity, it's, it's all of us, you know, and it's a huge impact to GDP, like this stuff is costing a lot of money.

Daniel McDermott: Mm-hmm [affirmative]. And, I guess, Brad, I mean, we have spoken to the government a few times regarding running sort of a, a general awareness campaign, you know, akin to sort of Slip-Slop-Slap from you know, a can, some cancer awareness perspective or a, a life being it for those that may remember, um earlier in time around sort of fitness and health in Australia. And one of the challenges that you actually called out is, is how do you reach the audience these days? So trying... once upon a time, it was enough to put the ads on TV and maybe a couple of billboards around and you'd get, you'd pretty much cover everybody. Now with diversification of media and the way that people consume media changing so much and, and it being so fractured now and to so many channels you've got to be really clear on who, who your audience is and how do you actually reach them, you know, and, and even executives, right?

Like, you know, the old Qantas lounge sort of idea that you said, you know, doesn't hold true as nobody's flying anymore, right? So again, it's another challenge on top of how do you reach that audience in a, in a really effective way? So I think that while a general, you know, consumer, if you like, end-user campaigns going to be important, like you say, it's like, how do you actually target the executives get them to really buy in. And I think that that's a, you know, it's going to be a multi-layered and multilevel approach because one thing won't cover everybody anymore. and we just don't, don't have that ability to sort of reach the masses, if you like, in the same way as might've been as easily possible in the past.

Garrett O'Hara: Does it feel like it's changed? I mean, it sort of does to me a little bit in a positive way, given that, you know, we've got both sides of the political divide talking about this stuff at a national level, we've got it feels like regulations coming in to, to maybe push some change. We've got cyber insurance companies upping premiums for, you know, not doing good security controls. Like I get a sense that stuff is moving. Uh, 'cause, you know, we like, we've all been having this conversation for years and it's like, "Hey, you know, we [laughing]... this, this is going to be huge, we need to think about this." But it feels like something's become, something that was frozen has become unstuck and there's there's momentum or movements.

Daniel McDermott: Yeah.

Garrett O'Hara: I don't know if that's just me, or.

Daniel McDermott: The day of reckoning has-

Garrett O'Hara: Yeah.

Daniel McDermott: ... has arrived, right-

Garrett O'Hara: Yep.

Daniel McDermott: ... is, is how it feels, definitely. Uh, it sounds like a, a good opportunity to maybe hear from the government, Gar, I think on on the Get Cyber Resilient Show would be a, a worthwhile exercise.

Garrett O'Hara: Yeah, definitely. I think that's a beautiful debate that we could have. There's a couple of people we have in mind for that, I think, would be fantastic.

Bradley Sing: I think the Irish, Irish Prime Minister, I can't remember what his name was [laughing].

Garrett O'Hara: You never know. Ireland is really small, Brad, we all know each other, you know, there's only, there's only like 15 of us so.

Bradley Sing: Well, it'd be good to have comment, you know, about the, the health services situation.

Garrett O'Hara: Yeah. I'll give him a call later. I'll let you know how that goes. [laughing] Speak WhatsApp.

Daniel McDermott: And also from the government side of things, they've recently look at the, The Commonwealth Cybersecurity Posture report and and looked at their Cyber Hygiene Improvement Program or, or CHIPs, which is, I think a, a much better name for it. Brad, what can you tell us about The Cybersecurity Posture from the Commonwealth?

Bradley Sing: Uh, yeah. Posture seems like a strange way to lead a report, and hygiene is feels like we're cleaning ourselves with it, we're very dirty. but look it, I don't, I believe it is an annual report, but effectively it's a report which, which has come out around government, government agencies, what they're doing when it comes to cybersecurity. Some really g- great stats in there in terms of changes to existing programs. Like things like IRAP assessment, as an example, also some great stats in terms of the movement of things like DNS authentication. So looking at things like SPF as an example, it looks like SPF adoption is actually slightly fell. However, DMARC adoption has gone up from 17 to 25%. So quite significant to see that at kind of a- a government, governmental level.

Garrett O'Hara: Yeah, this is this is like the Verizon [inaudible 00:18:25] from the Australian government, you know, everyone kinda waits for it to land each year. it's, it's funny 'cause I read through it on Friday and like as Brad said, like there's some positive changes. And then there's some stuff where, you know, if you look at the, the problems they've highlighted you know, when they're looking at things that are impacting the entities you know, under this report's ability to achieve cyber maturity, it's sort of the same laundry list of things that we saw last year. and I, you know, personal opinion, I would have loved to have seen some of that kind of change or see some positive news there, the kind of things they're talking about is, you know, obsolete legacy tech.

I think we actually spoke about this last year when the report came out, the, you know, the problem with self-managed internet facing services versus cloud-based. the fact that ICT modernization cycles are broken in many of these entities. how the essential aid is either misunderstood, misinterpreted or even applied within the organizations. And then the whole problem with staffing where you know, I think traditionally government roles potentially pay less than the private sector. So you're competing for talents in an already competitive environments. And, you know, that then plays into how cybersecurity plans are executed within these entities. And it's just money, you know, like every time it seems to just come back to it costs money to do this stuff well.

Daniel McDermott: You know, I'll have to admit, I haven't read the posture report. But you know-

Garrett O'Hara: Well, you're missing out, Dan.

Daniel McDermott: Yes. Off, off the back of last year though, right, it wasn't the idea of money being freed up as part of this, you know, came to bear you know, the, the talk of billions of dollars being invested. are we seeing traction with that? And, and where is that being applied in order to, to, I guess, make some meaningful difference to, so that next years report when it comes out we take a look and actually don't have, you know, and isn't riddled with all the same problems that we've seen in the past.

Garrett O'Hara: Like you say, billions, right? And yeah, yeah. It was 1.7 billion, is the number I have in my head. But it's over 10 years.

Daniel McDermott: Hmm.

Garrett O'Hara: And that's the thing. When you, like when you do the math, that actually doesn't break down to a huge amount of money, in my opinion, you know for a, an-

Daniel McDermott: Hmm. It sounds like a problem, yeah.

Garrett O'Hara: Yeah. For an entire country, like that is not a lot of money over 10 years for something that is-

Bradley Sing: It's like four dollars per person per year.

Garrett O'Hara: Yeah.

Bradley Sing: [laughs].

Garrett O'Hara: I mean, you're talking about something that is literally the, you know, it's often listed as, as one of the highest risks, you know, climate change, cybersecurity, like these are the things that make the top five for, for countries. so it feels like we probably just have to swallow a bitter pill and, and spend some more money on this stuff. yeah. I mean, it, I- I don't see any other easy way around it, you know, it's a resourcing thing and... and, you know, by the way, that's part of the problem, right? There's a whole lot of stuff outside of just spending money, it's like, it's a bigger problem than, than that. But I do think that's a, it's an important starting point.

Bradley Sing: Well, I mean, you know, since COVID there's a couple of things in, in the report, which purely talk about COVID. Uh, one thing which isn't really mentioned there but I just thought of was obviously it's hard to get into Australia, whether you live here or you don't live here. How hard would it be to get a cybersecurity job or hire, you know, get someone in? So there's obviously that aspect of it as well. But there's a couple of interesting things that were called out in the report in terms of the government effectively coming in and helping hospitals with more funding during that time conducting COVID disruption, offenses, cyber operations to combat COVID-19 themed malicious cyber activity. So I think that's a pretty interesting statement there, and I'd love to understand more about what that looked like. Was that, you know, taking down websites, was that going on the dark web? But I'm not too sure. And there's also a program too, working with Telstra and Services Australia to pilot an SMS blocking program. So all those SMS games that you're getting all day, I mean, I feel like they've increased for me, at least personally.

Garrett O'Hara: Hmm.

Bradley Sing: It's good to see that there's some statement, or at least a governmental look in terms of, you know, how do we protect and regulate this more?

Garrett O'Hara: Yeah, there's a lot, and just that's the thing. Sorry, I mean, if it sounded negative that's just 'cause I'm Irish and that's how we are. [laughing] But like there's lots of good news, lots of good news in there too. Uh, you know, the stuff they're doing about the protective name domain name system stuff, and, and there was some good wins in there. Uh, so it's definitely, you know there's no attempt to be negative about this stuff, but I, I do think the problem is so big that we just need to spend spend some coin. And I love the CHIPs, I love the name of that program. just it sounds so cool. We, we, you know, when we're chatting about what to talk about, the, the for those who remember the old TV show, when the Pacific highway patrol over in the US, it was definitely one of my favorites growing up. So in my head, I see Poncherello, you know, working in the Australian government doing, doing the good work, fighting cyber crime.

Daniel McDermott: We're clearly the same vintage [inaudible 00:22:55] so, uh-

Garrett O'Hara: Yeah. [laughing].

Daniel McDermott: Uh-huh [affirmative]. It was great. I remember it well as as a child as well. It's very good.

Garrett O'Hara: But he- he'd be like an IRAP assessor 'cause-

Daniel McDermott: Yeah.

Garrett O'Hara: ... you know, there's, there's definitely more of those around as well in the expansion of that program. That's, that's an interesting one to me guys. 'cause I think that's, that's kind of important, right? You know, that there was so many issues with IRAP and how long it was taking to get assessments done, and the value of a local kind of the local ISM and alignment to that. so it's definitely interesting, you know, to see that the pool has grown to 140 from 128 assessors, which is, is kind of nice. yeah, interesting to see how that kind of goes going forward.

Bradley Sing: It shows the government, and I think industry is serious about IRAP. Like-

Garrett O'Hara: Mm-hmm [affirmative].

Bradley Sing: ... I mean as an outsider to IRAP and, and not knowing too much detail, like, you know, you look at ISO 27001, you look at all these other standards and, you know, a lot of companies work towards those, but why would I, you know, bother going for IRAP? You know, it's all this extra work, and this two or three year waiting list, you know, there's a whole bunch of dynamics. But this isn't an acknowledgement that, you know, we're going to have our own set of localized standards and we're going to try and make Australian businesses work towards them. It's absolutely fantastic. And I, I think it shows that, you know, we're trying to be a thought leader in this space as well.

Garrett O'Hara: Yeah.

Daniel McDermott: Indeed. Sounds like another good area to explore with with your government friends coming up, Gar, as well.

Garrett O'Hara: Definitely, Dan, definitely [laughs].

Daniel McDermott: Well, in today's episode we're looking at our final story, which is more in- in your world, Brad, um-

Bradley Sing: Right.

Daniel McDermott: ... knowing that, uh-

Bradley Sing: Yeah.

Daniel McDermott: ... [laughing] getting on your gaming chair there as we're recording this. But what happened to Electronic Arts and that, and the breach there not only is this, you know, I guess a- a breach and an attack on them, but the notion of their source code, which is the secret sauce, right, I guess, to, to running their games actually being stolen as well.

Bradley Sing: Yeah, yeah. So like we've probably gone a few generations ahead of CHIPs and eighties television, but we're now in 2021. [laughing] so we're, we're looking at, at Electronic Arts, one of the biggest video game publishers and developers around the world. they make games like FIFA, Madden Battlefield, if anyone's played any of those. But the big thing here is that these entertainment companies, really the amount of money they put into production and the development behind their engines is their life and blood, they will then go into license that to tens of 20, 30 other developers. They get recurring subscriptions between them from, from them as well in royalties. It's huge business. And there's only a few companies in the world which have this level of sophistication proprietary. We could see it being, it could be knockoff copies made out of the source code. Uh, the- the problem or challenge is, is actually very expensive and very hard to make a video game.

So the reality is like, could anything, anybody do anything with that data? Probably not. but could there be exploits because now they know some of the service side code, so maybe they could reverse engineer it to get access to a database there's proprietary and intellectual property in all those platforms, you know, there's sports, sporting teams involved, it's logos, brands. I think there's a whole gambit and, you know, potentially the, the capabilities also still details of some of that information. But in total, I think it was around 780 gig uploaded online. And yeah, I guess you can run your own FIFA video game. [laughs].

Garrett O'Hara: Yeah. I mean the- the thing that pops into my head is how many people are going to be trying to look for ways to get that, you know, millisecond advantage when they're playing computer games that I believe everybody's obsessed with so that they can, you know, they can win. It's sort of in, it's kind of an interesting one. My, when I saw this, I was, my biggest worry was that Minesweeper would be affected by this, you know, the game that comes with with Windows.

Bradley Sing: Mm-hmm [affirmative].

Garrett O'Hara: 'Cause that's probably like how, how advanced I get when it comes to, to gaming.

Bradley Sing: Well, the big, the big thing here is especially really fascinating. So when it comes to the dark side of gaming, there's always been this community of, of hackers and there's always been this community like people, your normal people playing the game, right? And the development in terms of the world we see in hacking, a lot of it has come from the same kind of groups originally, 4chan, these Discord channels, these type of places you can only access via the dark web. So a lot of things like doxing, DDoS-ing other players, so literally cutting out someone's other internet connection so you can get an edge in the game happens all the time. And it happens for quantities worth hundreds of millions of dollars as well [laughs]. what we're also seeing is we're seeing, we've seen it for a long time, but automation botting.

So for these online services related games, you can basically run programs or a fleet of programs to play the video game for you. And FIFA [inaudible 00:27:19] know example. There's a virtual currency which you can physically buy with a credit card from, through Electronic Arts, or you can go to a Chinese website and buy it for a fraction of the cost. So there's real world money involved as well. Something which a research organization did recently is they made an AI to play basically to play- play a video game called StarCraft. And they then pitted it against the best StarCraft players in the world. The AI won four out of five times. So we're starting [laughs] to get to this world where all the problems of AI are- are really starting to transfer and ultimately just lead to this kind of boiling point of, yeah, starting to become really hard to figure out who's real and who's not online.

Garrett O'Hara: Scary stuff.

Daniel McDermott: And like you said, the world of e-sports is, is, you know, a multi-billion dollar industry in its own right now, right? So there is big money at stake. But after the end of the episode, Brad, you- you might need to tell me about that Chinese website.

Bradley Sing: [laughs].

Daniel McDermott: That might save me some money of all the FIFA, FIFA bucks and V-Bucks that I need to buy for the kids as well so.

Garrett O'Hara: W- wasn't there something that's just like, funny to me, but when they looked at the source code, I think somebody realized that they're, they're using the same code for flickering lights in games that they were using like 20 years ago. And I thought that was like just incredible that somebody spotted that. I don't even know how you work that out, but yeah. Code reuse. It is it's quite funny.

Bradley Sing: I mean, that's what it is, right? So the Frostbite Engine, the one which was stolen, I think it's in like iteration, I wanna say like five or six, I could be wrong. But again, it's one of the proprietary ones so it's really hard to know. it's gone through iterations over the past 20 years to get where it is.

Garrett O'Hara: Hmm.

Bradley Sing: So you know, it's probably just an amalgamation of- of a lot of that.

Daniel McDermott: Indeed. Well thank you both gentlemen, for a, another insightful episode of looking back on the last fortnight. Gar, I believe we have one more episode in season two coming up and then we'll we'll take a short break for a couple of weeks and then kick off mid-July with our season three. So who have you got for the last episode of season two for us?

Garrett O'Hara: So Joseph Blankenship is the VP for research for security and risk at Forrester really, really good conversation with him, this day last week actually. just an incredibly interesting chap who's been in cyber for a really long time, been a couple of decades and a great conversation where the guy has such a broad depth of, depth of knowledge across so many different areas. And we talk about things like you know, EDR and its utility zero trust. How to use analysts, which is actually for folks who are interested in cyber resilience, kind of important. And they're just a really good shortcut to you know, understanding markets, what's important just given the avalanche of information that we all have to deal with. So yeah, really awesome conversation with Joseph, just a lovely human and very, very clever chap.

Daniel McDermott: Terrific. Well, looking forward to that conversation with Joseph on June 29th to round out season two. Thank you all again for listening and yeah, be back again next week. And then for season four in July. Speak to you all soon.