• Garrett O’Hara

    Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.


In our latest cyber news update our team of resident cyber experts talk through the latest cyber developments and hacks including the Colonial Gas Pipeline hack over in the US, analyse the shifting view of cyber insurance, and discuss stolen identities and where your details might be used.


The Get Cyber Resilient Show Episode #55 Transcript

Daniel McDermott: Hi, listeners, and welcome back to the Get Cyber Resilient Show Podcast. Today is episode 55, and we're going to take a look at the latest news that's happened in the cyber industry across the last couple of weeks. I chat with our resident cyber security experts, Brad and Gar, about a gas pipeline hack over in the US, an analysis of the shifting view on cyber insurance, and to find out about what your details might be being used for.

But before we get into this week's episode, I thought, Gar, we should just take a quick reflection on episode 54 and the first, I guess, cyber celebrity that we had on with [Dimitri 00:00:45]. And I was interested to, to see, how did you go? How did the nerves hold out in the interview process?

Garrett O'Hara: Yeah. Look, it was good. Uh, he's a, he's a, obviously, a very clever and you know, prominent figure in cyber security, so there's definitely that, that moment of imposter syndrome that kicks in. But I spent a lot of time on the, the research and put the questions together and got some help internally from Brad. So felt you know, pretty reasonable about what we were going to talk about.

But yeah. It was, once, it's like anything. I think that once you're into the conversation, like, it's all good. And he's quite a lovely man. So, yeah. It was good to get time with him.

Daniel McDermott: Yeah. Terrific. I thought you did a, a terrific job and held it together very well. And that was very insightful questioning. And think we a- all got a lot out of hearing directly from him.

So, hooking into the latest stories I think we have been faced in the last two weeks with what's been definitely the largest high profile ransomware attack of 2021 so far, and that is the Colonial Pipeline hack. It has made news headlines for all the wrong reasons in many aspects of this. I think there's a lot to unpack here.

Um, Brad, be really interested in getting your take on, on how you've seen this sort of story evolve and I guess it what we can learn from it as well.

Bradley Sing: Yes. Certainly. And, like, I remember when I first started seeing the headlines. The first thing I was thinking of was the, the Texas power outages and I guess the, you know, the terrible effects where they, they couldn't get electricity and I guess enough, enough, enough warmth for that state.

But yeah. I honestly didn't think it had anything to do with cyber initially when I saw the disruption. We saw warnings coming up at a, at a government level advising people not to fill their plastic bags with gasolines. And when I think about that, maybe that was fake news, but who knows? [laughs]

But, you know, a real-world impact, nearly everybody talking about it, but also then, you know, what is the dependency o- o- on, you know, natural gas? And then what is the dependency on that type of infrastructure to America? Like, I think even just starting there is, you know, there's a lot to unpack.

Daniel McDermott: Yeah. What d- what have you taken out of this? I mean, it's we've spoken a lot recently around national critical infrastructure and the legislation that's coming here. I think there's many layers to this one around, obviously, you know, the, the, the attack being on critical infrastructure but then also, the notion of reporting, of ransomware, paying of ransoms or not paying ransoms and what's actually happened with the group who perpetrated it and their sort of position since the social fallout as well.

Garrett O'Hara: Yeah. Look, it's a whopper, and timely as well. Right? Biden had just done his 100-day plan for critical energy infrastructure in the US, so, you know, of all the times to do this stuff huge. I mean, as Brad says first of all, like, a whopper in terms of impact, big ransom that's been paid, and big impact to the public.

And I think, you know, we were talking before we [laughs] we started recording about, talk about poking the bear, you know. This is uh, a huge thing to do for us- US citizens. And, you know, if everyone was around for, you know, previous times when people have gone after oil or interfered with oil in the US, like, it's certainly not a, maybe not, not the thing you would want to do.

Um, one of the f- uh, it's not even funny, but one of the things that I thought was interesting was how the, the group that provided the ransomware, and they do ransomware as a service, right, so they on sell this, this stuff that was used to attack Colonial, I think they've kind of realized the implications of what has just happened, and they've tried to not walk back but, you know, sort of back away a little bit from not the p- well, yeah, maybe some of the responsibility. There's a little bit of a PR exercise has gone on. I believe they've donated to charities.

They've basically said, "Hey, like, we, we were going after the money. We weren't trying to impact society." And from fr- yeah, f- from now on, they're going to moderate the, the people who are going to purchase the ransomware service from them. So, you know, there's, there's a, maybe a silver lining to this, as going forward, they're going to actually be a bit more responsible in terms of who they sell their products to.

Daniel McDermott: So the bad guys are going to be policing the bad guys to, to-

Garrett O'Hara: Yeah. [laughs]

Daniel McDermott: ... to make sure it's not done too, so it's not too bad. Right? Like-

Garrett O'Hara: It's a win for everybody. I think we-

Daniel McDermott: [laughs]

Garrett O'Hara: ... we should all feel good about this one.

Daniel McDermott: Honor among thieves, eh?

Garrett O'Hara: Yeah.

Bradley Sing: It, it is interesting, though, like, because of, like, the, you m- you made a good point there, Gar, in terms of, I guess, ransomware as a service. And whilst this was a huge, catastrophic attack, you know, like, one of the largest ones we've seen in terms of disruption, if we think about all the other attacks which hit organizations as well, it's the same. It's like phishing kits as a service. It's highly automated, highly scripted.

Um, an interesting thing in, in terms of the uncovering of this hack as well is it wa- wasn't only the five million I think Colonial paid, but in total, they found something along the lines of 19 million, I believe, in total payments across other companies, which had paid ransom via the same service.

Um, but also, the service has been taken down. No one knows who exactly did it, by an unknown [laughs] third actor, they're saying but they've taken down the service. And the rest of the Bitcoin that was sitting in that wallet has, has now disappeared as well.

Daniel McDermott: And I think that is an important point. We've spoken many times about, you know, to pay or not to pay the ransom and what happens from there. But I think there's a clear theme here that, you know, it is funding, you know, the criminal activity. And it's not just potentially the criminal activity of the ransom itself but what those funds might be used for beyond that as well.

Um, it's a, it's a huge industry now. Right? It's actually like an industry in its own right. And it has very much evolved from, you know, the, the couple of hundred-dollar iTunes on, you know, personal accounts, to this corporate, you know, attack vector. And it's because the money in it is so high.

So how do we really, you know, what's the role I think as well of, of government, of looking at, you know, r- legislation? What do we need to do to try to stop this, you know, this complete scourge of ransomware and, and really halt it at the source?

Garrett O'Hara: I think there's a few things in that, Dan. You know, if, if we had a magic wand, we would invent the technology that would stop this stuff in its track or, you know, get end users doing the right thing and all that stuff. Realistically, we know that's not going to happen, because we're seeing these stories every day now.

You know, there was a time when, you know, and, you know, even last year when we, we three were kind of prepping for this, it was like, there was probably one big, big story per week. Now it feels like there's one big story per day. And, you know, you're seeing that kind of exponential increase in the, the cadence and the impact of these ransomware attacks.

And so, you know, whatever. We, I don't think we've got a technical solution any time soon. So, then you start looking at, what are the levers you have? And, yeah, government is definitely one of them. And, yeah, you can put sanctions on. You can make the, you know, the payment of Bitcoin a, an illegal activity. And that, that's fine.

I think the, the issue there is that there's going to be short term impact, because realistically and we, we've talked about this. Hey, like, if you've got a hospital or if you've got critical infrastructure, and something's locked out, and you've got the option to potentially save lives or get energy back to a city, what do you do?

You know, it's, it, it's really easy to say, "Don't pay the ransom, and that's the law." But actually, you know, if a person, somebody's going to potentially suffer or die because of that, then that gets really, really tricky.

And also, potentially organizations shut down. You know, there's times where the doors shut on an organization because they can't get their data or services back online. And this could be one example. Uh, there's been plenty examples last year where the, the logos that were impacted came back. And, and not that we've forgotten, but everything's kind of okay again. But that's, so that's one thing.

I'm not going to steal the thunder for the next story, because that, I think, may be something that is actually going to impact this more than government regulations.

Daniel McDermott: Yeah. It's a really interesting area. And I think the, the last part of this that really got brought home was regarding the notion of actually it coming to light in the first place and reporting that there had been a cyber incident. There is no, you know, mandatory reporting of a data breach in, in the US, or of a cyber incident.

Um, and so, you know, it feels as though many of these sort of attacks happen and there is impact, but they're not on such a large scale, and therefore they never actually get reported, and therefore we're actually underestimating, even, how often this is occurring and what, and h- the scale of the problem itself.

Um, obviously, in Australia, you know, we do try to have mandatory reporting to a certain degree. And the Critical Infrastructure Act and all of these things are trying to lay, you know, ground, I guess, for, for best practice to try to help overcome these things, but also to understand the size of the problem, of what we're actually trying to deal with.

Bradley Sing: I think that's where America wants to go as well. They're, like, you know, Biden's been pretty, pretty public in saying, "We want, you know, more government intervention and this, this type of thing." Been very public, even in his first 100 days about extra funding towards cyber.

But you're right. Like, I mean, a, a lot of people are looking at this company and saying, "You guys did the right thing." Right? You know, like, you publicly told everybody about it. You were honest about it. Paying the ransom, you know, potentially saved them X, you know, how much, I think over $100 million potentially, because they got up a lot quicker and running. So, did they actually do the wrong thing?

It's just a, it's, it's a very interesting situation. And, and I hope they do get similar regulation over there that we do have in here. But again, I, to your other point, I think, you know, potentially we're, we're talking about next, will kind of play a big part as well.

Garrett O'Hara: Yeah. I think, yeah, like the critical infrastructure plans in place you're seeing globally, we're at a point where [inaudible 00:10:40] that. You know, Australia's got one. The US has got one. Uh, I think the UK [crosstalk 00:10:45].

Bradley Sing: UK [crosstalk 00:10:45]. Yeah.

Garrett O'Hara: Yeah. Like, it's starting to, I think the, the light bulb has finally flicked on in [laughs] in governing you know, th- th- in the politics and the, the sort of national conversation of how important this stuff is, and, and more importantly, how unbelievably vulnerable we actually are.

And I think that's the thing that's starting to dawn on people is, you see Colonial Pipeline. Okay. That's, you know, that's bad. And every time one of these things happen, it feels like surely, you know, that's the bit where we get really serious about this.

But, you know at some point, I think that's what we need, you know. We need to kind of buckle down, get the anything that's considered critical infrastructure, get them, get them taken, get them funded, get, get security where it needs to be. And then hopefully, we can all start breathing a little bit more easily.

Bradley Sing: We, we just need to be careful as well, though. Like, we need to make sure there's not a, not too much of an overreaction as well. Like, you know, there's been some pretty controversial encryption laws and, yeah, I think we still n- still need to be mindful of that individual privacy as we, you know, get more involved in private organizations as well.

Garrett O'Hara: Yeah. I think that applies definitely for sort of healthcare and, and, you know, the, the step in legislation that you're starting to hear a little bit about. But for me, and, and w- I think we talked about this, you know, and it's the, the priority for keeping people alive or keeping energy flowing. You know, I know the, it's a well worn conversation, the issues with OT versus IT and, you know, those legacy systems that have now been exposed to the Internet.

I, you know, I'm at a point where I just feel like, yes, there's, there's a, a conversation that has to be had, but I feel like we need to go pretty hardcore if, to, to catch up. I think that's the problem. There's such a gap [crosstalk 00:12:25].

Bradley Sing: We're so far behind and, you know, there's almost-

Garrett O'Hara: Yeah.

Bradley Sing: ... no baseline so, like, you have to-

Garrett O'Hara: Exactly.

Bradley Sing: ... enforce it. Right?

Garrett O'Hara: Yeah. Because I, I mean, that's n- not to get into the weeds and the politics, but I think it's really easy for the, the sort of profits to be prioritized. And sometimes, actually, it costs a lot to do security or cyber security well, so it's easy to kind of kick that down to the next quarter because the, you know, the analysts are going to look at a company and say, "Well, oh, you know, what's going on here?" Whereas if it's forced from a regulatory perspective, it levels the playing field, and it pushes everybody to do the same thing, because you don't have a choice.

Bradley Sing: Bare minimum.

Daniel McDermott: Indeed. And as you both alluded to, I think one of the issues around the decision of whether to pay ransom or not to pay is whether you feel as though you have some cyber insurance, maybe, at the back end that might actually therefore, you know, help you know, in terms of that payout and actually help cover you as well. So and it's an area that obviously the insurance companies have been really, I guess, having to grapple with as well, as they're probably seeing a lot more clients come through and really trying to understand the policies and what they cover.

Um, and we've seen that there's been I guess a, a pullback from Axa probably one of the largest insurance companies in the world around what they will cover and then some consequences of when they when they've decided to actually change their coverage as well, Brad.

Bradley Sing: Yeah. It's uh, cyber insurance is something we've talked about for a while now, and I'm sure everyone's, you know, going through their annual reviews and agreeing to something new soon. It should come as no surprise to most that premiums have gone up.

Um, in some instances, like, across the board one, one report we're reading by insurance brokers Marsh, they're saying 30% just in the last year. We're seeing an over 30% increase of premiums in the United States as well and just under 30% in Britain with 29%. So definitely across the market.

And it s- comes as no surprise. Right? Like, I can imagine a couple of years ago, people would've loved to offer up cyber insurance with, with extended policies. But the amount of damage or cost caused by some of these cyber attacks as, as we know, is absolutely ridiculous. So it's of no surprise that some of these insurers now are, are not as, you know, willing to start paying out ransomware payments.

Garrett O'Hara: Yeah. It feels to me like we're basically all trying to get flood insurance, and we all live in a flood plain and, you know, at some point, the, the insurance companies are kind of thinking, "Yeah. This just, the math doesn't add up."

And let's be honest, you know. Of all the organizations that are out there, the insurance companies are really, really good at figuring out what you know, what are the odds, and how do we work the numbers so that we, you know, we make profits? And if they're backing away from this stuff, I mean, that points to the, the size of the problem.

And, you know, I said I didn't want to steal thunder from, you know, the, the, the previous section, but this is the thing. If they're pulling away from payment, where's that money going to come from? Because it's, so far, it's provided, I would say, maybe a little bit of a buffer.

You know, if you've got an insurance company that, and the clause happens to be something that includes you know, a payment of Bitcoin, or it turns out to be cheaper to do that than try and do remediation activities or whatever, you take that away uh, are ac- y- the organizations going to pay the, the cost themselves? Like, I, you know, is that the, the thing that pulls the rug from underneath ransomware?

Daniel McDermott: Mm. Well, do the organizations have to make a payment and then just have to, you know, write it off as a loss? Which I think points more to your, your previous point that, like, it's preparedness that all of this points to. Right? Is, is that we need to be more prepared for the fact that, and, and I think a lot of commentators have said this notion, that it's, you know, it's not, it's not if, it's when. Right?

Um, and, and what was Dimitri's line? I think it's, you know, there's two types of organizations, those that know that they have been hacked and those that haven't realized yet.

Um, so I think that there's, you know, this surge of understanding that, you know, like you say, and insurance premiums is a great indicator. Right? If it is going up, that probably means that it's going to, it's happening to everybody and it's, you know, far more likely than it, than it previously was.

So I just think it points to, to preparedness. And you say it may stop the ransomware, or it might just be that companies are writing that off, but I think they've got to maybe look at moving their money into, how do they be prepared in the first place?

Because once you're, you're under attack and you're in that environment, like you say, you're at that pointy end and needing to make that decision very quickly you know, for very, you know potentially very large consequences, not just financial. Right? And that's something that when put under pressure, people will make those decisions and choices.

Bradley Sing: I mean, something like this is good for the board, though, right? Like, I mean, if you're trying to s- explain that, you know, [laughs] our premiums are going to go up if we don't invest in cyber security, it's such a tangible example of, of, of why to invest in cyber er- earlier, you know, and why that should be a priority for your business.

Um, just on the back end of that as well, so obviously, the AXX, or Axa, sorry, in France, they're stopping their coverage around ransomware payments. But four days later, their, their Asian entity got hit by ransomware quite a common one which has been doing the rounds kind of in our, our regions e- Avaddon.

Um, there was also, the, the FBI and the Australia Cyber Security Centre put a, an alert about Avaddon last week as well. So very, very topical. I wonder who does their insurance for ransomware payments.

Garrett O'Hara: It's turtles all the way down.

Bradley Sing: [laughs]

Daniel McDermott: [laughs] Uh, do you think it was coincidence, Brad? Or are we are we reading too much into it?

Bradley Sing: I think we're reading too much into it, but you never know these days.

Daniel McDermott: Everything's connected. Right? It, it wouldn't surprise me at all as a warning shot across the bow. [laughs] One of the topics that we have covered previously is, is what happens to your details? So if, you know, if your details as a citizen have been breached in some way and they've been taken and, and the notion of identity theft and that, what then is, what's the consequence? What actually can happen to them?

And we've recently seen in the US, an example of, of, I guess, the outcome of how that, these details can be used in a very, I guess, practical sense for, from people, but then what that means in terms of how identity theft can be used, and then the flow on impact to the individuals as well.

Um, Brad, this is under the heading or notion of sort of stealing people's personal details in order to get gig work in the US.

Bradley Sing: Yeah. No. That's an interesting article over at Vice Motherboard and I think just kind of backing up some recent news that we j- I just got made aware of. Domain, the, the popular website in Australia has, has suffered a data breach as a result to a phishing email.

Um, so f- you know, talking about, you know, people's details being, you know, potentially compromised, the amount of information that you might have to apply for a house or, or get a loan, as an example, even preapproval in terms of what the story looks at, it's kind of looking at the idea that people are taking people's passports their social s- Social Security numbers in America, other sensitive information like that, selling it online or, in some instances, renting it on a monthly basis to then allow or to try and help people who are illegal immigrants in America get work and, and get gig work, really, so deliver food and Ubers and, and drive, you know, Ubers [laughs] I guess.

Um, but it is phenomenal in, in the instance that, you know, we talk a lot about the you know, how details get breached, but the real world impact of it, you know, has some quite lasting and long term effects as well and does affect a lot of people, by the looks of it.

Daniel McDermott: Definitely. And it's one that has come to light because they've actually tracked down the people that did it. And so I guess the law enforcement has stepped in to try to play that role of, of, you know, shutting that down. But you wonder, like, you know, the next, you know, as a service pops up for this as well.

Bradley Sing: Yeah. I had a f- I had a friend who got popped by this years ago, and it was actually kind of in reverse. And I remember she was complaining that she was just trying to save money for something, and she kept never being able to get to that right amount she needed.

Um, and it turned out that for the past three months, somebody had been using her credit card for their Uber account in Los Angeles, just, you know, nonstop. And because it was just such small payments, you know, it comes up as Uber on your phone. Everyone uses [laughs] Uber on their phone. Right?

But it's just interesting, I guess, to think about, yeah, what people would go to, but also then the potential impact on the future. Right? So let's say I lost my job, as an example, and, you know, I needed government support. What happens if somebody had already claimed that in my name, as an example, you know, and I was destitute? Like, you know, that, that could have real world, lasting impacts and potentially affect my health and, and many other things as well.

Daniel McDermott: Yeah. Thanks, Brad. I think it's really highlighting the, the way that data can be used in so many different ways we, we don't, we wouldn't necessarily think of and, you know, that your details have been stolen, and then all of a sudden, it's being used for somebody else to get a job in order to, you know, to do a ride share [laughs] service and stuff. You wouldn't think of that.

Bradley Sing: That affects your tax as well, doesn't it? Right? Because then at tax time, it'll pop up. Yeah. It has heaps of implications.

Daniel McDermott: All these implications and flow on effects of it. So, yeah. Definitely it's an interesting area. And as you said as we've sort of gone to air recording this Domain in Australia their attack, and it's an interesting one, because the, they've been sending emails to those people asking for a prepayment deposit on, for renters. So it just seems like so far, nobody has fallen for it, which is great.

Um, but certainly it's you know, a word of warning if you're in the rental market and w- and on the Domain site. Beware if you get an email asking for a prepayment because it's a, it's certainly not a real thing that they're, they're, they're p- pursuing.

Garrett O'Hara: That, that as an industry, you know, that, that's where such big sums of money get sort of transferred around. And we had we had the talk last week at [inaudible 00:22:16] and, and one of the, the people we had on was one of Amy's friends, talked about the, it was BEC in that case, but you know, it was a $65,000 transfer to criminals that you can't get back.

And I think, yeah, looking at industries that are ripe for these kind of attacks y- you know, real estate, it must be very close to the top of the list, just given the, the sums of money that get transferred around. And not just, you know, f- purely from the, the property buying perspective. But if they know that you've just bought a property, then are you somebody who's going to be doing renovations? And, you know, y- do you use that as a way to figure out what's going on there? And, you know, jump in and, and essentially do B, C, or, or whatever it may be?

So and it's not the first time. Right? We've seen real estate hit multiple times over the years, just given the amounts of money that get transferred.

Daniel McDermott: Yeah. Exactly. And it's I think it's going to continue to, to occur, right, unfortunately, because you say, because it is a, a profitable area for people to be really focused on and, and trying to get. And it's also that time of you know, high stress. Right?

So it's one of those things where we always know when people are under pressure, like we saw at the start of the pandemic, looking for information, or during the vaccine rollout or bush fires or all of these things where you're under pressure.

And we know that, you know, moving house is one of those times. It's a life event that people are under significant pressure, time poor, trying to make decisions, move quickly. You know, you can get caught out quite easily, unfortunately. And, and, you know, through no fault of their own. That's for sure. So it's certainly something to continue to be wary of and, and keep an eye on as, as this one evolves as well.

Garrett O'Hara: Is there, you know, th- looking at that gig worker, going back to that, is there what's the solution to stuff like that in terms of, you know, validating identities? Because, like, to Bradley's point, I mean, and, and you, Dan, too, like, the, the roll on impact of this stuff is, it's not small. Actually, it's quite significant, and it's not just that somebody's bringing or del- you know, delivering food or driving people around in your name. It's the on flow to tax, to all the other things that, you know, kind of are related to employment.

Like, w- what do you think in terms of a solution to this? Is it some kind of two factor auth for Uber? Or, like, would that even work?

Bradley Sing: I mean, we're kind of, we're kind of luckier, lucky here, though, right, like, because in America, they have, like, credit reporting and that whole thing's a mess. Right? You basically have to pay to then-

Garrett O'Hara: Mm-hmm [affirmative].

Bradley Sing: ... You know, then, it's an absolute mess. Right? Like, in Australia, at least, I think we have a lot of good protections built in the law in place already, which I mean, that's, that being said, I haven't had my identity stolen. [laughs] And from what I hear, it is a absolute pain when it happens.

Garrett O'Hara: Mm-hmm [affirmative].

Bradley Sing: So I-

Garrett O'Hara: [crosstalk 00:24:51].

Bradley Sing: ... I was going to say biometrics, and I think we talked about this the other week. But I think there has to be some type of physical indication to prove that I am a, this, this is me, and this is me accessing or, or making a payment.

Garrett O'Hara: Is it, yeah, I mean, is it almost like the, you know, the, the high level authentication stuff that you've got to go to a third party with a passport s- you know, prove who you are? You know, rather than details based it's, you know, to your point, it's here I am as a human being, and here's the, you know, the government's identification that supports that, rather than they just happen to know your, your dog's name and the, the-

Bradley Sing: [laughs]

Garrett O'Hara: ... the name of the street that you grew up on and your date of birth, you know, that you, you need more to do s- stuff like this, especially when it's employment related. I, and actually, I have no idea what it takes to be an Uber driver.

Daniel McDermott: Yeah. So a couple of things on that. So w- the actual property market in Australia has done this really well as part of the digitization to, to transferring of property. So buying and selling has gone completely digital in this country and the part of that process of that is called the VOI or verification of identity process. So er- anybody who is a buyer or seller actually needs to go through that verification process in order to then be part of actually the transfer of the property itself.

Um, and so, and there's a whole range of businesses have started up around offering VOI as a service and being able to do that on behalf of, you know, law firms and conveyancers around the country and provide that, that service so that it can be done reasonably, you know, more effectively, easily, because this was seen as a barrier potentially to property sales, right, if it wasn't done well and, you know, creating too much of a barrier.

So there is actually the notion in Australia around VOI services. And they're used f- specifically in that use case in that industry at the moment. But is it possible for that to expand and actually take on a broader role for verifying your identity for a range of different things, like you say? Is it, you know, do you use y- have your details as part of your VOI app? Do you use that for job applications rather than actually going through the process of trying to do it again?

Um, you know, so I think there is the opportunity to think about that authentication process, if you like, and how that might actually play out as potentially a digital service across many services in, across our economy, rather than just property at the moment.

And I think that's why the Domain one, you see they're attacking renters because they don't have the same VOI a- as part of that process and therefore, it's not as stringent and that as well. So it's, it's somewhat of an easier attack vector, if you like, rather than the buying and selling, which is probably the more lucrative part but the harder part to get into as well.

Garrett O'Hara: Yeah. Definitely. [inaudible 00:27:41] we, we [inaudible 00:27:42] to see that. I mean, when you s- when you talk about that thing of proven identity, an efficient way to do that, because I feel like, you know, so many times per year, you've got to, you know, send all these details and all th- you know, all the, the information about yourself, and you've got to have this, you know, 100 points of identity.

You know, that's sort of centralized. Do it once. Do it really, really well. And then have some way to link it back so that, you know, that's trustable. And that'll be phenomenal just in terms of, like, being efficient as a society, too.

Bradley Sing: I think this is where blockchain eventually potentially helps. Right? Like, the only way it works is it has to, it can't be too centralized. Like, it has to be decentralized. Otherwise, then it's just one entity controlling everything, which, which is part of the problem I think we're seeing with a lot of these different centralized platforms.

But then we also have too many of these platforms, so you have to sign up to [laughs] every single one. Right? Uh, we probably don't suffer from that as much in Australia, but again, if we think of credit reporting and stuff in America, it's like the wild west over there. Right?

But, no. I think, I, I mean, I agree with both of you. I think it's a good system to have for property ownership and verification in Australia, and it should be [inaudible 00:28:43] potential other applications in the real world. But it'd be good to see, you know, the government take a lead on this and, you know, potentially integrate it with smart phone technology or, or something, you know, QR c- whatever it is. Right? Like, I think we're doing a lot with technology right now, and it's probably a pretty easy link back in there somewhere.

Garrett O'Hara: I think we need to get chips implanted in our, in our heads or something [crosstalk 00:29:03] RFIDs.

Bradley Sing: Said that the other week, didn't I? Did you? Yeah.

Garrett O'Hara: Yeah. There you go. Maybe that's it. You know, at birth, you get a, a little RFID that's, you know, encrypted and linked to your biometrics and can't be changed, and that's the thing that is used to authenticate.

Bradley Sing: It's, like, a 4K camera in it, too, and it just records the whole time. [laughs]

Daniel McDermott: I'm sure there's another way but we'll leave that maybe for a-

Bradley Sing: [laughs]

Garrett O'Hara: [laughs]

Daniel McDermott: ... [laughs] for another time. Uh, thank you both for your time today. Uh, Gar, looking forward to, to episode 56 next week where you have Ben Jones, the founder and CEO of Jumpstart Security. So, looking forward to that conversation as well. What can you tell us about Ben?

Garrett O'Hara: Yeah. Known Ben for, for quite a while. He's a, he's a good guy. They, they've started a security company that's focusing on the sort of SMB space, which I think is quite interesting, and some of the particular challenges that happen there. Uh, my take on that is that b- b- helping SMBs helps everybody. You know, we've had that conversation multiple times, where it's all connected. So, you know, I think it's an important thing that those guys are doing.

Um, and then I'm also recording tonight with Jenny Radcliffe, who people may know as the social engineer. So she's uh, I've, we've chatted in prep for the recording, and she's a phenomenally interesting person. She was on Darknet Diaries recently, so I'm definitely looking forward to that one, too.

Daniel McDermott: Terrific. Couple of great episodes to look forward to as we, as we go forward towards the end of the financial year in Australia as well. So again, thank you both for your time. Thank you all for listening. Uh, this was the Get Cyber Resilient Show for this week, and we'll be back on the airwaves soon.
