Garrett O'Hara

Garrett O’Hara is the Principal Technical Consultant at Mimecast, having joined in 2015 with the opening of the Sydney office and leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity, Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.


In this week’s news update our team of cyber experts unpack and discuss this year’s newly published Australian Cyber Threat Report. The ACSC received over 67,500 cybercrime reports last year, which equates to one report every eight minutes.

The team also explore the potential legislation that would force banks and insurers to pay out victims of data breaches, how a local council (City of Stonnington) is bringing its systems back online two weeks after an attempted cyber attack, and the zero-day patch released by Apple last week to fix a security flaw across all its devices.


The Get Cyber Resilient Show Episode #72 Transcript

Dan McDermott: Welcome to Episode 72 of The Get Cyber Resilient Show. I'm Dan McDermott and I'll be your host for today.

This week is our In the News episode, and I'm joined by our resident cybersecurity experts, Bradley Sing and Garrett O'Hara, and we will start by unpacking the ACSC, or the Australian Cyber Security Centre’s annual Cyber Threat Report, highlighting that a cyber attack is reported every eight minutes in Australia. That's right, every eight minutes. We'll also explore how Australian insurers and banks are alarmed at potential legislation forcing them to pay victims whose data has been breached. We'll look at how a local council in Melbourne, the City of Stonnington, is bringing its systems back online two weeks after an attempted cyber attack. And we'll close out with a public service announcement from Apple, who have patched a zero-day flaw affecting all devices.

So, Brad, let's kick things off by getting stuck into the ACSC's Cyber Threat Report. There's a bit to cover here.

Bradley Sing: Oh, absolutely, a fantastic amount to cover, but also a plethora, I think, of awesome stats in terms of really, what's been happening and what we've been talking about over the past kind of six to 12 months. Um, that stat you mentioned there, I think it was... What was it? One every eight minutes, a ransomware... or sorry a cyber report is made.

Dan McDermott: Yeah, that's right, every eight minutes.

Bradley Sing: What about the ones which aren't reported? We have to wonder though, right? Like it must be double, triple, quadruple that. Um, I think what's good to see from this, though, it does seem like there is an increase in terms of reporting to the different kind of, you know, relevant bodies. Um, in total, self-reported losses from cyber crime totaled more than 33 billion this year across Australia, which is absolutely ridiculous. Um, approximately one-quarter of reported cybersecurity incidents affected enti- entities associated with Australia's critical infrastructure.

Now, if we think about that as a theme, that plays directly back into what we've seen around things like critical services being kind of breached and, and, and encrypted around the world, but also back to the national critical infrastructure bills that we've been talking on. And then finally, from my end, before I kind of open it up a bit as well, um there's been a huge increase in kind of personal online style of attacks as well, so not going for businesses or large BC types of kind of, kind of dollar attacks, but also just the, the kind of constant going after personal people older- elderly people, Facebook, etc.

Garrett O'Hara: Yeah, it's such a kind of rich source of data this one, isn't it? And I think the thing that strikes me is it just correlates with all the industry reports, and you know, the vendors produce their own, sort of Verizon and CrowdStrike, everyone's saying the same thing of, all the things you'd want to see come down are actually going up in, in large, large numbers as well.

I think that's the, the other thing, it's not just that they're increasing, but the rate of increase is increasing as well, which I think is particularly frightening especially when you're, you know, as you say, Bradley, the CNI stuff at the moment is just so topical, and that definitely is it seems like a much larger proportion compared to previous years, you know, things that are... I think they call them category fours.

Dan McDermott: It's also quite interesting I, I think if we look at the, the kind of five themes. So, the report highlights five different areas, first one being exploitation of the pandemic environment, and I think we've all kind of felt that, that personally, but also from, from kind of a, a work-life as well. Um, the second or kind of third one, as I call it, is disruption of essential services and critical infrastructure.

Um, and there's a really good stat here, actually. Approximately one-quarter of cyber incidents reported to the ACSC, during the reporting period, was associated with Australia's critical infrastructure or essential services. That's a huge stat, like one-quarter. And they're talking about here this... what the... the descriptor or describer is it could be the vulnerability of critical infrastructure to significant disruption in essential services, or loss of revenue, or the potential for harm or loss of life. And I think that bit at the end there is kind of the key one there too.

Garrett O'Hara: And it's going to, it's going to flip, right, from potential at some point. Uh, that's going to be the pivot point where we see this report and it'll be actual, you know, harm or loss of life, you know. And we, you know, we've seen little into that around the world already, but I think that's the thing everyone's kind of holding their breath for, and, and not, not in a good way.

Bradley Sing: Uh, indeed. And like you said, Garrett, it's like it's a whole report that validates everything that we've spoken about over the last year, right? And then we've seen come through in so many ways through the news, through industry reports, and certainly the pandemic one out of the, all of those reports that are made for every day, are, are associated with actual cyber, malicious cyber activity related to the pandemic. I mean, and that's just huge, and, and preying on the, on people's vulnerabilities and that constant issue of sort of what we've been living through certainly has been a, a ripe ground for the cyber criminals out there.

Garrett O'Hara: It definitely has, and, you know, one of the things that we've spoken about many times, probably nearly every episode is just how, like on the, on the sort of protection side of things, you know, one of the things we always talk about is how the, the pressure is to respond more and more quickly. You know, it's gone from responses of days, hours into, you know, ideally milliseconds, but the same thing is happening on the attack side where as vulnerabilities are, are kind of being discovered or, or being published, they just get, they get used so, so quickly, they're exploited in just such a, an incredibly quick amount of time.

Um, that, that's a real worry, that, that sort of increasing the speed of execution or expectation of those security vulnerabilities as we go along, and it's clearly playing into the, I mean, the absolute tsunami of ransomware that is hitting the world as well. You know, that's, that's how getting in half the time.

Dan McDermott: Well, that, back to your point, that's the next key theme on the report, and I'm not sure if you're reading it verbatim, but rapid exploitation of security vulnerabilities. So, the ACSC call that out as, you know, I think one of the, one of the rising things we've seen.

And the final two kind of key themes, I call it, just to kind of bring it up with, I guess, our listeners is the idea of supply chain fraud becoming one of the huge areas of risk, and I think it's something we've just seen constantly over the past few years. Um, and it's always that conversation of, "Hey, my supplier got hit, they got breached, they sent me a dodgy email, they sent us a fake payment." How do you solve that situation? Who's... I mean, obviously, that's the whole conversation itself, but then finally, business email compromise. So again, that social engineering aspect and more using the soft skills opposed to brute forcing and getting a virus in it, let's start a conversation, you know, try a more social human approach.

Garrett O'Hara: And I know we said this, I think we said this in the last episode, but the cost of BEC is actually way, way bigger than the cost of ransomware. Um, it just, it just happens to be that ransomware gets more coverage probably because it's much more of a, what's more impactful, you know, when a service goes down, or a company gets hit, I mean, that's, that's, it feels like a big thing. But the actual, you know, cost as far as cyber goes, is actually much higher for business email compromise.

Dan McDermott: Well, and it's interesting that coinciding with this one of our friends of the show, CrowdStrike, have put out a report as well today talking about attribution as well, and talking about the rise of sort of the, the state actors, right, that was spoken about before, and who are perpetrating a lot of these attacks, and also, a lot of the, I guess techniques that are being used. Um, what you would have seen from sort of a, a cyber criminal is now being used by a, a state actor. A state actor is, you know, is, is sort of sharing almost their wills and skillset with, with cyber criminals as well.

And so we're seeing this increase in terms of activity and being sponsored by, you know, by large sums of money in the background, so that are actually, you know, allowing this to happen at scale, and we're seeing, you know, ransomware, you know, on the rise. It says a 15% rise year over year, you know, and like you say, Brad, that's of the reported ones, right? So, we know the impact that this is happening on a, on a very big scale.

Garrett O'Hara: You make an important point there, Dan, as well about the complexity of where, I suppose, the tech tool sets are coming from, because they go both ways, right? I mean, they go from, you know, private enterprise of, of the cyber world, so the, you know, whatever, you know, pure play hackers to state, and then they also go the other way around, you know, that's the thing. You see, um you know, exploits and things that were used by state-based actors trickle down and then be used in the, you know, the run of the mill, common day criminal activities, and, and it's flowing both ways.

And I think part of the complexity is the, um... you know, we were talking be- before we started recording about this idea of cyber warfare and just how complex this whole sort of landscape has become where, you know, false flag operations where it looks like it's just a, you know, hacking group in, you know... it looks like they're just, they got together to do a bad thing, but actually, they're, in the background, they're sponsored by and paid for by a nation state. Um, and nation states have been very, very good sometimes that actually making it look like it was some other country or, you know, an, an attack group that's well-known, one of those APT crews that have, you know, those interesting names like Dancing Bear and Funny, Funny Clown, and you know, all the things that we're used to.

Bradley Sing: Crazy Bear.

Garrett O'Hara: Busy Bear, yeah, there you go. Um, but it, it just feels like a mess. Like it feels like the worst reality TV show on the planet where there's just, you know, so much crossover, so much complexity, and it's yeah, it's just mind-boggling how complex it's becoming.

Um, the guys from dah, dah, dah, CrowdStrike... or actually it was Palo, when, um Damien Lewke was on, that's a while back now, we, we took him I think big game hunting and how crews are coming together, but you don't have to be an expert on anything anymore, you just need to know how to do a particular part of an attack, and you get paid for that, and that's how you make your money whether that's access broker or whether that's, you know, ransomware as a service or blah, blah, blah. And presumably, the same things are, you know, happening at a state level. So, you know, everything's flowing everywhere, it just feels like, yeah, I want to lay down, I want to lay down and have a nap sometimes.

Dan McDermott: And Brad, you mentioned that like one of the things is about the exploitation of vu- security vulnerabilities in the first place, and CrowdStrike have made that point as well that they've seen in the last three months, that 68% of all breaches aren't actually using any malicious software. Um, so they're actually getting in on the ground floor, if you like and therefore making it also very difficult to track and be caught in any way.

Bradley Sing: Yeah, I think that you hit the nail on the head also right there when you said track and be caught, like that elusiveness. Um, if we think back to nearly any of the most high profile breaches, and really, the successful ones, the fascinating thing is that they are almost like secret agents, right? They're going in, they're getting access, they're waiting, they're spending six months, 12 months doing that recon/intelligence phase, and I guess this is also why we can keep kind of making it akin to the military, because it's kind of cyber warfare because it is that early reconnaissance to then kind of launch a further attack.

Um, interesting, interestingly, one thing we have seen that com- that's come out of the report in terms of the types of Australian organizations that have increased their targeting is that the number one industry does appear to be professional, scientific and technical services, so professional services, IT companies. Um, secondly, healthcare and social assistance, which obviously, during a pandemic, is absolutely huge. And hopefully, our hospital system will do quite well with the, you know, I guess, the kind of upcoming expected load on it. But the last thing we need is a ransomware in the middle of something like that as well.

And then finally, kind of rounding out the top five, we've got manufacturing, education and training, and then finally state, territory and local government making the fifth most targeted sector. And sorry, when I say targeted, this is um, organizations who have reported receiving ransomware.

Dan McDermott: And on that cyber warfare piece, Garrett, I mean, you have, you have mentioned before that, like, you know... what is the quote? Bullets are being fired, it's, it's a bit of, it's sort of too late that, you know, the frontier and the first line has to be around cyber and what needs to be happening there. And part of the recent sort of, I guess, strengthening of alliance between Australia, the US, and the UK as well.

Garrett O'Hara: Yeah, absolutely. I mean, that's, on, on the day of recording was the, you know, the big announcements in that alliance between Australia, the UK and the US, and you know, seeing the, the three leaders of those countries get up and do a, a simulcast, or whatever it's called, where, you know, they, they presumably were all talking to their nations at the same time, you know, Boris Johnson, Joe Biden, and our own Scott Morrison, and, you know, that looks like it's a broad military kind of collaboration.

And, you know, the first thing they're going to do is, obviously, look at the, the nuclear powered subs, but as part of that and going forward is cyber warfare and collaboration between those three countries, and presumably, that extends on Five Eyes and all the other work. They, they were at great, great pains to make sure that nobody's toes felt stepped on as they sort of talked through it, but it does feel like we're potentially getting closer into lockstep with certainly the UK and the US being, let's be honest, probably the most powerful nation when it comes to cyber warfare on the planet in terms of resourcing and then some of the stuff that we know is happening with those three letter agencies.

So, it'll be interesting to see what that means for Australia in this region, you know, just given some of the very dramatic announcements that our PM has come out and made about, you know, sustained attacks and, and all that stuff. But it's a sign of where we are, I suppose, right now, you know, that, that sort of political landscape that we as a, as a nation that is fairly isolated in a, you know, in the part of the world that we are, and some of the kind of nations that I think we all know are, are sort of persistently and consistently using cyber as their means to attack Australia.

Dan McDermott: And it certainly ties into that, you know, defense against state sponsored attacks, right. And you know, if, if that's as high as is being reported, as potentially as high as 80% of all attacks being state sponsored, then you do need, you know, a huge sort of defense and mechanism around that. So you know, there's no doubting that that is also, you know, an indication of, of that strengthening of alliances against that, those attacks that are coming in on, on a too frequent basis, and as we said, and with, with a quarter of those aimed at critical infrastructure. So, we know the impacts you know, from Colonial Pipeline and, and others around the world what that means and, and the sort of ripple effect throughout society.

Garrett O'Hara: Yeah, it's a, it's a clear and present danger. You know, we just need Harrison Ford to kind of arrive and, and help us out, but, but you know, you know, I'm kind of trying to be a little bit funny, but it's, it is so serious, you know, it's so, so serious what could happen.

And I think, you know, I think all three of us at some point have said, you know, we're just waiting for the really bad thing to happen, and, and you know, no one wants that to, to be the case, but it, it does feel like we're just going to have this, just... Like I'm dreading the day, but we're probably going to have an episode of this news conversation where there's just been a gut wrenching horrible thing that has happened, and almost circling back, it's not you know, potential harm to human life or, or loss of human life, but we actually are talking about the bit where people pay the ultimate price, like it's, it frightens me.

Dan McDermott: I'm not sure if it ends too well for Han Solo, so I'm not sure if that was the best analogy, but I can't remember Star Wars too well, but just one thing on that. Like, if you think about Australia, we really have weird borders and a weird way to defend ourselves, and we've got a huge amount of water between that. So, from a risk perspective, submarines are pretty good, but cyber warfare, it's like the easiest way to gain access to our country, it's the easiest way to spread information or misinformation rather, and I feel like this announcement, from all three leaders really is that kind of reco- recognization that or realization that, "Hey, we need to take this ri- risk seriously."

I also do wonder what timezone they broadcast that in, because I can't imagine it would have been very good for Australia.

Garrett O'Hara: Well, it was at 7:00 AM it was actually just before 7:00 AM, and I just, yeah, had to click on the, the news on my phone, I was doing something else, and the, the folks were saying, "Yeah, we're going to have the announcement in seconds." But you know the tone of voice where, where you kind of go, "Oh, hang on, this is, this, this is big."

Dan McDermott: You're in trouble. Something bad's happened.

Garrett O'Hara: Yeah, like something's, something's going on here and yeah, I mean, the, the way they were talking about it on the, the news program was that it was, yeah, this is a big, big announcement and historic, you know. I think when the word historic gets thrown out then you kind of know that it's worth paying attention to. Um, but look, it's huge.

We're probably going to burn a whole lot of time that we don't want to, but I mean, the whole cyber warfare thing, I mean, maybe at some stage, we have a, an episode on that one, because it is a whopper you know, information attacks you know, there's so many things there that I would love to have a proper yarn on. Maybe we do that as a theme one of the days.

Dan McDermott: Yeah, indeed. And as you said, Garrett, it feels as though we're sort of building towards that, that big one, right? And, and you know, on the anniv- 20th anniversary of, of 9/11, it feels a little akin to that, right? That, you know, that all things are pointing towards building up to something that you, you can't actually see right up until it does happen, because you don't know what, what it's going to be, but it just has that sense about it at the moment, and which is a bit of a, a, a state of dread, unfortunately, but like, I think that yeah, we, we hope that we can keep the protection up but it, it's all sort of pointing in that direction, I feel.

Garrett O'Hara: Yeah, that, that 9/11 analogy is perfect. Like that, that's exactly what it is, right? I mean, a year beforehand, no one would have thought-

Dan McDermott: Yeah.

Garrett O'Hara: ... and then everything changed afterwards. Um, yeah, that's, that's an incredibly good analogy.

Dan McDermott: Thanks, Garrett. I appreciate the feedback [laughs].

Garrett O'Hara: [laughs].

Dan McDermott: So, I think moving on to our next story we're looking at Aus- Australia's insurers and, and banks being alarmed at the, the prospect of having to pay victims for any data breaches. Uh, Brad, what can you tell us about this?

Bradley Sing: Uh, insurer- insurers love paying out their clients and their victims, but it's kind of interesting. So, so what this is, right, so this was back, technically, it was under proposal backed by the Home Affairs Office in July, and the whole idea is they want banks and insurers to effectively have to compensate consumers who have had their privacy potentially breached or there's been a violation of some law. Um, the idea is that the insurer then effectively um, compensates the consumer. So, I assume the companies would be taking out liability around it.

But it feels like it's a kind of a, a weird way of doing things like GDPR and, and stronger privacy laws, like it's almost like a, a kind of a weird way to retrofit it instead of building it into practice, which everybody has to follow. And then it... like, it doesn't seem to have any kind of flow on back to governance, and what happens if, you know, if your details have been breached with a government department, as an example, it seems to completely ignore that. So I think ultimately, it's good, like people should be responsible, and you know, if it is an insurer taking on the risk to take on that liability, fantastic, but yeah, it does seem a little bit haphazard, from my perspective.

Garrett O'Hara: Yeah, I kind of wonder at this one, when you think about class actions, and it feels like a fundamental right to get compensation, if you're the customer of an organization who doesn't do what they're supposed to do to protect you. Um, I think we use fridges all the time as the sample, and you know, where if your fridge goes on fire, like you, you deserve compensation for that because the people who make the fridge didn't do their job building the fridge properly or testing it properly and, and...

So, there's a part of me that kind of sees the, the value but, you know, the logic in a law or a piece of legislation like this where, you know... and, and we've talked about this how many times, like the, the lever of regulation to make organizations do the right thing because they probably won't otherwise, you know, the competitive advantage to not doing security well is so insignificant. And then the flip side, to your point Bradley, like it's just a... I mean, what a whopper of an exposure for, for companies and insurance companies.

Like it, it could be just enormous in terms of payouts, depending on, you know, what the, the impact to an individual was. Um, like, you know, cool, cool, but you know, if it's, if it's a privacy breach and your data gets leaked, it's not amazing, and it can be really horrible sometimes, let's be honest, but I mean, there's potentially much more serious things that you know, could happen, and [inaudible 00:21:03] with the devil is always in the language, like, what does affected individuals mean in this case, and if you're affected, how? You know, what... it's like serious harm, you know, with the NDB legislation where, okay, like, what, what exactly does serious harm mean? And I think that was one of the biggest issues with that when that came out.

And yeah, I mean, it's, it's, it just feels like a whopper but I kind of get the logic of it. I partly kind of think there's an analogy in, in, in normal consumer goods, but does that, does that translate to the world of cyber?

Dan McDermott: Well, from a consumer perspective, I think it does. And just a quick spoiler alert, but at Mimecast we're about to relea- release a brand trust report, and one of the aspects that comes through is that consumers expect brands, organizations to take on the full responsibility if they've been compromised, that means compensating the deceived consumers, right? So, failure to handle cyber incidents effectively will do long term damage against organizations as well. And they are expecting that it is actually the companies themselves that are responsible for that no matter how the incident or breach or whatever may occur, they're saying it is the responsibility of the organization to, to be able to protect them and protect, you know, their information, their data and their, you know, sort of cyber credentials, if you like.

Bradley Sing: I think it's the right approach. I just think we need to be careful in how we approach this. Like, we don't want to get in a situation where we're a lot closer to America where we're now suddenly suing companies left, right, and center around data privacy. But like, if, if it was more backed by something like similar to GDPR where there's a lot of legislation framework, processes in place for end users, consumers, where data is being held to have access to it, I'd be... I'm all for that, and ultimately, yeah, I think, I think it's a good idea. But it just seems like an interesting way to do it and I think one of the challenges at the moment is how anyone's underwriting things like ransomware, and premiums are going up, something like this is just going to make it even harder for you know Australian organizations to seek coverage.

Garrett O'Hara: Yeah, definitely. The other, the other part of this is the... like, what are they called? Unintended consequences. I think we, we, when we three were talking about the ransomware, the private bill, you know, that, that sort of mandatory reporting of ransomware, like one of the thoughts or the, one of the, the worries there is that if you make it mandatory, you, you sort of drive it underground in a way because you know, the, the, the potential impact to a business's reputation or, you know, let's just break the law and, and sort of try and get away with it.

And, and that is one of the other things here is that, if, if you do get to the point where it's a right to sort of do a civil lawsuit to get money for a bad thing that's happened because of a cyber incident, does that then make companies not want to disclose issues or try and hide them or sort of brush them under the rug? You know, potentially.

And then, you know, to, to kind of reframe what you were saying, Bradley that's, that, to me, is maybe the difference, where like a civil lawsuit is just a, it's an uncapped and unknown quantity of financial risk, and that maybe is untenable, but if you look at legislation where it's a fine, to, to kind of, you know, expand on what you were saying, Bradley, like a GDPR fine is, or an NDB fine is, we know how much that is. It's a fine and it's a set amount. It should be punitive.

I do believe like, it can't be one of those things that just becomes a business expense, but it feels like maybe that's a cleaner way to get the outcome because it's quantified, it's not a, you know, uncapped, who knows what's going to happen, blah, blah, blah, kind of thing, but it's a, it's enough to make the change happen but in a clean one hit way, plus you know, and the government gets money and we get better playgrounds and schools and health care, right?

Bradley Sing: Are you saying it's a better punishment? Like the reality is like, you know, we, we've seen GDPR fines, or some of the biggest companies in the world be fined by GDPR, and so what? They, they'll go on and get fined again, and then by the time they get fined again, their company will probably be worth wha- worth far more than the 4% they have to pay.

Garrett O'Hara: Yeah, we've seen... we've talked about it, was it probably four or five episodes ago now, you know, the, the some of the stuff that happened out of Sweden, wasn't it? Where there was a, a fine out of the GDPR, and that was substantial. You know, it was a, it was big enough to make the news. Um, and I think you're, you're right, Brad. I mean, that's part of the problem with some of these is that the fines, to your point, they're just part of doing business.

They're probably, you know, Jeff Bezos' pocket money for a Saturday morning, it doesn't really matter, but it feels like the solution isn't we make it civil lawsuits, but the solution is potentially that we make better fines, but you know, it's, it's kind of regulated rather than a free for all, like, as you say, it just ends up in a litigation nightmare, and, and that's it. I would say a hamper then to innovations, to industry, and the things that, you know, pay for new subs.

Dan McDermott: What about criminal um, liability for negligence?

Garrett O'Hara: Yeah, like, I mean, that, and that is a thing, but, you know, if, if it is negligence [crosstalk 00:26:01]-

Dan McDermott: It's harder in security there, right? Like it's, it's all over the place. And that's why, that's why we're doing what we're doing, right? Like, we, we need better standards so that we have some type of sense to hold our peers and, and the industry accountable to.

Garrett O'Hara: Yeah. Like, and we don't normally talk about this like Mimecast on the show, but the, the Beyond 21 talks, the one on cyber insurance, it's got nothing to do with Mimecast as a platform, it's actually industry practitioners from the insurance space. So worth listening to for anyone who's kind of out there. Maybe we, we can probably include that in the show notes as a direct link to the talk.

Dan McDermott: Yeah.

Garrett O'Hara: Phenomenal. And it was a, it was a perspective on the value of cyber insurance companies and underwriters and what they do and their role in terms of incident response and all of that kind of good stuff. That's probably worth checking out too.

Dan McDermott: And I think all of this though still points to the fact of, you know, work, when do you start investing in, in the prevention mechanisms in order to not have to worry about, you know, being breached and not having to insure and pay out and all those sorts of things.

But it's yeah, I think that that's got to be part of the, the whole solution in all of this. And I guess that's the thing is, is that this is trying to be a bit of the stick in some ways in order to sort of, you know, un- uh, unleash some of that investment as well, but it's, it's, it's difficult and it's a fast moving space right, and we see the volume of attack, so you know, how certain can you ever be that you're going to be ahead of it when you don't know what's coming tomorrow?

We'll move on to the next story [inaudible 00:27:29], but it was, I thought it was interesting that Garrett thought that he doesn't want to have to use his credit card to pay out you know, any fines from data breaches, but so it might be, might be okay on your card, to get it out of it should be fine, but-

Garrett O'Hara: My card is maxed out at the moment on retail therapy all the way through COVID.

Dan McDermott: [laughs] Exactly. Um, the next one is looking at one of the local councils in Melbourne, the City of Stonnington who have had systems offline for a couple of weeks and they're starting to bring things back online now. But Brad, the interesting words in this to me is, is, is that it's an attempted cyber attack. Um, how long would they have been down for if they actually had a cyber attack, like let alone just a minor attempted version?

Bradley Sing: Yeah, it's interesting. I mean, they're still kind of down I think, like for the most part, or some of their online systems are, but I think the thing that got me is the original story which broke towards the end of August, end of last month was, um Melbourne Council is experiencing a major disruption to its IT services after it was infiltrated in a, in a suspected cyber attack. And I believe the CEO of it went on Channel 7, made a statement about that as well.

Um, interestingly enough, it doesn't look like any council detail or kind of rate pay information or anything was affected. Um, really, it seems like the, the big thing now, at least the story is around the disruption in terms of how long we've been down. Thankfully, it seems like they've been able to revert to things like paper systems, as an example, but we've just seen from that, that report that was released, I think local councils and government were number five in terms of the most targeted vector for things like ransomware.

You also have to wonder, though, like Garrett, you were just speaking about this before, you were talking about that idea of we need to make companies, we need to make businesses accountable to it, but if you're one of those 110,000 residents of, um City of Stonnington, you can't really move Councils, can you, right? Like it's like, what do you do?

Garrett O'Hara: Because of the biometrics of cybersecurity worlds, you can't, you can't change councils easily. Yeah, spot on.

Look, you, I, it's an interesting thing you picked up on, Dan, there with the, the language on attempted attack, which to be honest with you, it kind of sailed past me, I didn't even pick up on that, but it, it is interesting and, and to me, it almost goes back to basics, because if you think about the CIA triad, like availability has been impacted, so it's... I mean, it's been successful in terms of impacting availability of services from the council. So, I'm not sure what the attempted means unless it's an interpretation of like there wasn't data breached or, you know, something like that.

Dan McDermott: I'm thinking that's what they're alluding to-

Garrett O'Hara: Yeah.

Dan McDermott: ... and the loads who aren't in Melbourne. I mean Stonnington is like the richest Council in Australia pretty much, I think, so, um-

Garrett O'Hara: Oh, really?

Dan McDermott: Yeah. Is that where you've got your, your second mansion?

Bradley Sing: Yeah, yeah, exactly. I, I'm not sure it's... it's not even within my five K's to drive to, so but I had... uh, it, it certainly you know, I think that's what they're trying to alleviate, the con- the concern of residents and very high profile, wealthy residents. Um, I doubt, you know, that maybe, you know, there hasn't been any actual data breaches and information, you know, regarding those people I guess, that's sort of exfiltrated out of this. Um, but as you say, it obviously was successful from the point of view of shutting down systems and, and impacting on services. So, yeah, I just, I found that a, a strange way of sort of saying, "We've been down for two weeks, but it was only an attempt, like nothing to see here."

Garrett O'Hara: Yeah. The other, I mean, the other thing, as you say, two weeks there, is that I think quite often when it comes to attacks, there's this perception that once the attack is over, and maybe if you've done kind of remediating activities, you just, you know, there's a big switch to turn on and everything comes back up, and away, and away you go.

And was it... I think Laurie Joyce talked about it when he was on... talking about the, the sort of breach that they'd gone through, but it, it's come up quite a few times where the recovery parts can be very, very complex, because it's the order of systems that you bring up, and it's, you know, this system is dependent on that, so it won't boot or it'll boot in, you know, it'll go into an error mode, or it's got dependencies on X, Y, Z.

And having talked to people who've been through this stuff, it just sounds like an absolute nightmare and something that I probably didn't have a very good handle on in terms of complexity, you know, just the order, the order of getting a, an organization back up and running, even the simplest sounds like an absolute nightmare. And then when you actually get to healthcare, it's even worse. You know, there's, there's just so many legacy systems and, and things that have to be turned on in a certain way at a certain time after this other system, and that other system need these two other ones, and yeah, complex.

Dan McDermott: Indeed. So, it's certainly a, a bit... hopefully, there was no, no data breach associated with it, and certainly something that they're working on obviously, getting all of those systems back up and running, and including their consumer facing ones that are, are still being worked on at the moment.

The final story for this week's episode is one that I'm sure everyone has heard about by now. Um, certainly, if you own an Apple product which I think most of us do, um is is that you've had to release a new patch for a zero-day flaw. So, obviously, everyone's heard about it, Brad, probably hopefully most people have taken action by now to upgrade, if not, please do so. But what can you tell us in addition about this and what that vulnerability looked like?

Bradley Sing: Well, before we get into it, it's kind of interesting, right? So, we've got a Flubot targeting every Android phone in Australia, it seems, and Apple... seems like every Apple phone in the world is potentially at risk now, so maybe we need to launch our line of phone or, or move back to Symbian OS or Windows PC, Pocket PC. Blackberry, we were all talking about Blackberry the other week.

Garrett O'Hara: You're making, you're making me so nostalgic right there. So, I've got one of the banana phones. They've re- This is totally off topic, but they, you know, Nokia re-released the banana phone, and-

Dan McDermott: Like a flip phone?

Garrett O'Hara: Yeah. It's... well, it's got the, it's got the sliding thing, and yeah, amazing.

Dan McDermott: Oh.

Garrett O'Hara: Uh, just... I mean, the battery lasts for... like it feels like a month, you know. Remember those days [laughs]?

Bradley Sing: You don't have any apps on it or anything, do you? That's why it lasts a week.

Garrett O'Hara: So, you can get WhatsApp for it, and, but as I... my heart sank when I realized you can't... I didn't realize this, but you can't change WhatsApp between phones.

Dan McDermott: It's one per phone. It's unique and it's one. Yeah.

Garrett O'Hara: Yeah. And when you change it, they basically give you a big warning saying like, "If you change it again, we're going to de- you know deactivate you." And so yeah, my excitement with the banana phone was very short lived because yeah, WhatsApp was probably the one app that I really needed. Anyway, this has got nothing to do with this story.

Dan McDermott: You have to jump onto Telegram, but we can talk about encrypted messaging some other time. Um, so this is a huge one and it's actually really akin to what we were talking about at the very start in terms of the whole idea of nation states hacking tools falling into the right hands, hacking tools being sold, potentially to the wrong people. Apple haven't come out and publicly said it, but there is a lot of news on the internet kind of indicating that it was related to the NSO Group, the Israeli cyber surveillance company who basically they had that tool, that Pegasus program which could zero-day or one hack into any device around the world if, if you paid the company a, a large amount of money.

Um, the vulnerability has been disclosed or the codename was called Forced Entry or CVE-2021-30860. Um, Apple described the vulnerability as a proc- processing a maliciously crafted PDF may lead to arbitrary code execution. And for the record, PDFs can be executables in a lot of different ways, like PDFs have a lot of potential active content which can run. But I think this is ultimately, potentially at least the closure of one of the biggest zero-days which has been active in, you know, potentially at least for a year maybe, like it's been ar- around for a long time.

Garrett O'Hara: And they automate a lot of money from it. Um, you know, a zero-day like that it's, you're talking, what? I think a minimum of a mil. They go for big, big money. So you know, you wonder like who's used it? I think you said it was mid July. Um, am I right there? Did you say it was mid July or something like that?

Dan McDermott: I think it's like February and stuff.

Garrett O'Hara: February.

Dan McDermott: So like it, it was used against things like journalists, as an example, and, and some of the rumors, you know, it was like a million or 1.5 million in Bitcoin. But I think even then, um-

Garrett O'Hara: What's that worth these days, Brad? Is that like $10 or 10 billion dollars in Bitcoin?

Bradley Sing: This week is pretty good. Last week, it wasn't so good, but next week-

Garrett O'Hara: [laughs].

Bradley Sing: Did you see... I think there's now an economy in South America, which is backed by Bitcoin so we'll just see how that goes through.

Garrett O'Hara: Yeah, I saw that, yeah.

Bradley Sing: Um, but yeah, I think, I think this is huge, this is ridiculous, right? Like this has been an open exploit, which has been out for so long, that the sophistication behind it as well. And what I just have to say to our listeners is, this is what we know about it, right? Like, at the end of the day, we've seen this before the NSA, they had a huge... they had an amazing set of hacking tools.

As soon as that fell into the wrong hands, the internet then had to suffer for it for the next three years. We're going to start, we're going to keep seeing stuff like this, and it's going to... it has to come back to disclosure, right? Like, we can't have secrets around big platforms like this, there has to be a lot more visibility, and there may be even needs to be a sense of... I don't know... whether it's embargoes or whatever it is, but can companies sell stuff like this? Like, should they be allowed to sell this type of technology?

Garrett O'Hara: I don't know. And the questions were, you know, Hacking Group had really similar, similar question marks over some of the, the stuff that goes on.

And then, you know, it, it feels like the, the catch call when that stuff is used, it, you know, tends to be terrorists, pedophiles you know, it's that stuff, and, and I'm su- I'm sure that's the thing, I'm sure it does get used for some of that, but it also feels like... and this, this sounds horrible, but if you're a terrorist worth your salt, you're probably using a bespoke encrypted application or you're using, you know, something that is potentially open source and with strong keys, and you're, you know, maybe not going to use a, you know, third, third party application to expose yourself. Um, I don't know. I mean, I don't work in counter-terrorism so I haven't really got a clue, but it just seems like if I was a terrorist, and I'm not, the fact that I am not-

Bradley Sing: [laughs] [crosstalk 00:37:24] what you say.

Garrett O'Hara: Yeah.

Bradley Sing: Right. And operation [inaudible 00:37:28], that was a great example there where-

Garrett O'Hara: Yeah.

Bradley Sing: ... [crosstalk 00:37:31] criminals with a baby calculator.

Garrett O'Hara: That was unbelievable. Yeah.

Bradley Sing: But again, they couldn't do that in the UK or the U- US because of their privacy laws, so I wonder as well would be, based effectively what's happening now with that cybersecurity treaty as well, you know, we'll see even more interesting tools used to surveil citizens.

Garrett O'Hara: Yeah, no doubt, no doubt. Yeah, you, you got to assume that the phone calls have already started, and yeah, the- the- there's a bunch of people in Australia right now who are... you know that moment in the... is it The Matrix, where you take the blue pill and the red pill, and you know, the- there's a bunch of people I'm sure who are taking the whichever color pill and, and, you know, their eyes are all wide open with, you know, the, the stuff that's going on in the background.

Dan McDermott: Well, on that note of knowing again, that Garrett's secret obsession is to become a cyber spy and I think it isn't probably any more [crosstalk 00:38:21] [laughs]-

Garrett O'Hara: It's not a secret anymore [laughs].

Dan McDermott: Definitely not.

Bradley Sing: You just failed.

Dan McDermott: The first rule of being a spy, but anyway. Well thank you, gentlemen, both for your insights as always. Um, looking forward to next week. Garrett, who's our special guest for next week's episode?

Garrett O'Hara: So, we have Anthony Caruana from Media-Wize, and this is a, this is... so this conversation Amy Holden and myself met with Anthony when we were at All Sorts, so we're going to be on the All Sorts Pods I think in December. And while we were doing that, Anthony he just started... we, we got into a conversation about crisis comms, and, and you know, my ears perked up, I was like, "Oh, okay. That's kind of an interesting thing. I haven't really sort of had that conversation before."

So, yeah, we get to, we get to talk about the new ones, the detail in terms of when things are going wrong, not the technical side of the response, but actually, what does communication look like? Who do you involve? Like, at what time? All of those kind of things. So, a little bit of a different episode, but yeah, I mean, Anthony's a, he's a good talker, so yeah, it was a, a good conversation.

Dan McDermott: Terrific. Looking forward to it and I think, yeah, critical element of your response plan is, is that comms part of it for sure.

Garrett O'Hara: Yeah.

Dan McDermott: So, that brings this week's episode to a close. If you'd like to continue exploring key topics in cybersecurity, please jump onto the getcyberresilient.com website and check out some of the hottest articles, including how to build a threat intelligence program that actually works, from Garrett himself, a look at why manufacturers should fear ransomware, as penned by Brad, and even have a bit of a laugh at our You've Got Mail comics. So, thanks for listening, and until next time, stay safe.
