• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.


The big story for this week’s podcast is the recent news that the Federal Bureau of Investigation held the keys for the REvil ransomware attacks that have affected hundreds of businesses but held back from providing them to affected organisations. Was the FBI’s decision unethical or was it the right move?

We also discuss the announcement from the Victorian Government to commit over $50M to uplift their cyber security and resilience posture, the VMware vCenter instances that are under active attack, and the ongoing Pegasus spyware saga, with the spyware now found on the phones of five French cabinet ministers.


The Get Cyber Resilient Show Episode #74 Transcript

Dan McDermott: Welcome to episode 74 of the Get Cyber Resilient Show. I'm Dan McDermott and I'll be your host for today. This week is our in the news episode, and I'm joined by our resident cyber security experts, Bradley Sing and Garrett O'Hara, and we will start with the latest PSA, or public service announcement, advising organisations to urgently patch their VMware vCenter instances that are under active attack. Next, we will explore the recent announcement that the FBI, yes, the Federal Bureau of Investigation actually had the keys for the REvil ransomware, but held back in providing them to affected organisations. On a positive note, we'll unpack the announcement from the Victorian Government to commit over 50 million dollars to uplift their cyber security and resilience posture, and we will end with the latest from the ongoing Pegasus spyware saga that has now been found on the phone of five French cabinet ministers.

So, Brad, let's kick off this week by looking at the vulnerability identified in the VMware vCenter product.

Bradley Sing: Yeah, certainly, Dan, I think it's been a, another busy week or two in cyber security as usual, which is the new normal, or the current norm. But I think one thing we, we have noticed or have started to see in reoccurrence is vendors getting popped. Um, important to note, so this is for, it, it looks like it is patched, but it's for VMware vCenter. So, for those of you that don't know, it's effectively virtualisation software. Haven't used it for a very long time, but I remember my original kind of IT training, going through ESXi and all that kind of stuff and, and learning how to use the software.

It's very powerful in terms of being able to control large amounts of remote server farms, manage servers, it's incredibly powerful. But I think one of the most interesting things we've seen is that I saw a post on Twitter actually, it was a, it was a, somebody who set up a range of honey pots just all around the world and they're constantly getting hit by this, so it seems like there's somebody out there actively exploiting it. So, for anybody who's running a VMware vCenter, you know, definitely recommend looking at the- their [inaudible 00:02:02].

Garrett O'Hara: Yeah, I think I think organisations running this platform are probably well conditioned to purging, given the run VMware has had this year, February saw them have a, a CV of 9.8 which is fairly widely reported. In May they had two, a 9.8 and a 6.5 and this advisory is actually part of 19 new vulnerabilities that have come out this year, and I kind of went through th- went through their website and was looking at them and f- they have them ordered from sort of most critical down and there are relatively high numbers in there, you know, nine, 9.8, 8.8, there's, there's a lot of sort of critical and high, according to the CVSS ratings.

So definitely one to, to pay attention to. And it looks pretty, pretty sort of, pretty hectic too, I mean, it's, it's remote code exploitation, so, you know, pretty, pretty intense if you're using that as a platform.

Bradley Sing: Well, I think once you, once you're in one of those platforms as well, and this is what we've seen with [inaudible 00:03:02] and some of those others, they provide such great levels of access into a company and they help manage things because that's the whole idea of the technology. But same situation again where it's suddenly exposing huge amounts of risk.

Garrett O'Hara: And that's it, and, I mean, given it's managing like as you said, Bradley, like, virtual machines and then stuff like Kubernetes as well yeah, I mean, the, the use cases here, when you see this as a platform and play in an enterprise, yeah, it- it's certainly one that you're probably not gonna be too happy to see. Um, I think, you know, riffing on this though, I think we spoke about this last time as I was kind of looking back through the, the previous kind of vulnerabilities for VMware this year, there is definitely a, a little bit of a race for the kind of good guys or the researchers as they discover this stuff, tryna get the patches out before the, you know, the POCs or the proof of exploits proof of concepts of the exploits kind of get published.

Uh, I mean, it seems like it's happened a couple of times where the companies have held off sort of trying to get people, and, you know, as you said, managed to go out and get the patches done, but actually they get gazumped and, you know, s- some third party or some- somebody in, in a region who maybe doesn't care so much goes and releases the the exploit and then you just see this scramble to try and get the, you know, the, these these platforms patched in time. And I think that was maybe part of where the honey pot stuff was coming when, when it sort of got put out there, the, the amount of traffic just spiked obviously as they were seeing people try and use the exploit. Scary stuff.

Dan McDermott: So, Garrett, did, did you mention there that people are actually publishing the exploits and putting them out so that then they can be, what, then used by others and then other cyber criminals around the world?

Garrett O'Hara: Yeah, that's ... Unfortunately, it is happening more and more and yeah, they, they call them proof of concepts, and sometimes they may redact part of it to, you know, air quotes, make it seem like it's a little bit safer but, you know, anyone who works in that sort of space and worth their souls can probably figure out, if not the ex- you know, exactly what to do, th- it's enough of a hint to kind of be able to figure the rest out themselves and you see that sort of time and again. And I think the one ... I, I may get this wrong, but it was either the one in May or February there was an organisation, whose name escapes me right now [laughs], had figured it out, held off and then it was actually, I think it was a Chinese security researcher then published a, you know, air quotes, proof of concept that was the, you know, le- you know, the cat out of the bag publication, 'cause once you saw that, then everyone kind of realised that the exploit existed and they could, they could sort of figure it out from there.

Bradley Sing: But that's the right thing to do, right, like, we should be disclosing ... And this is the same as Kali Linux, right, like, we should be disclosing public exploits which have vulnerabilities and patches, otherwise they don't get patched.

Garrett O'Hara: Yeah, I think there's a responsible disclosure, though I think-

Bradley Sing: Mm.

Garrett O'Hara: ... if you discover it, you go to the vendor, you get, you get time for them to create a, you know, an official patch and get that rolled out to as many people as you can. You probably won't get 100% coverage, but you would hope for something that's a 9.8, you know, the, the bat phone rings and people freak out and get it done but the bit where, you know, it pops up on a Twitter feed and then b- you don't have time, right, you've d- you, and you don't have a patch, that's the problem, you know, the exploit is out there before the ability to remediate or to protect against it.

Bradley Sing: Yeah, sorry, I thought the patch was out before the POC was announced for this one, but, yeah.

Garrett O'Hara: Oh, for this one, maybe. I think, you know, I think it was maybe the one, I, I'm gonna say the one in February, it was the other way around, yeah.

Dan McDermott: Well, it's it's definitely, it's pretty scary, right, that it's like, yeah, th- these things are getting out and then getting exploited even further. So, it's not even the first exploit that seems to be, you know, the only problem, right? It's the fact that it's then shared and then utilised by so many others that it it, it proliferates and just gets worse and worse and I'm not really understanding the the scale that you're using there, ga- 9.8, 8.8, just reminds me of the earthquake we recently had in, in Melbourne and just, sort of, w- dealing with the Richter scale and th- and after shocks of that. So, if that's an analogy that works, I certainly attest to that.

Garrett O'Hara: Well, e- t- if this is earthquake stuff, I mean, there, I have the CVS three, version three CVSS version three ratings, so, like, none is a zero, low is one, sorry .1 to 3.9, medium is a four to 6.9, high is a seven to an 8.9. And we're talking about a 9.8 and critical goes from nine to 10, so it's, you know, this is not a, the saucer fell off table type stuff, this is buildings collapsing, water pipes you know, it's, it's an end of the world catastrophe movie.

Dan McDermott: Mm. And yes, no, I know, we definitely had a, a couple of photo frames fall down and that was, uh-

Garrett O'Hara: [laughs]

Dan McDermott: ... that seemed to be the extent of it, thankfully.

Garrett O'Hara: Sydney's thoughts and prayers were with you, Dan.

Dan McDermott: Oh, thank you very much, Garrett.

Garrett O'Hara: [laughs]

Dan McDermott: [laughs]. Moving on to the next story, which is one that seems somewhat unbelievable and, and it is n- going back into the realms of, of cyber warfare and then what is happening in this new age with the FBI sort of coming out and actually admitting that they held keys for a ransomware attack, the REvil ransomware type but they weren't able to release it or they didn't release it and they chose not to at that point in time to actually help some of those affected organisations. Guys, like, how can we have an intelligence agency of this magnitude with the keys to the kingdom and then not using it for good?

Bradley Sing: I don't think they admitted it just as well, by the way. That was reported by investigative journalism, so that's a, an interesting concept as well. But what was the name of that alliance we just launched? Was it ORCAS? ORCAS, right? So, this has come off ... Well, interesting timing, but it does seem a little unethical though, doesn't it, guys?

Garrett O'Hara: I don't think so. Actually it's-

Bradley Sing: No?

Garrett O'Hara: ... it's the right move. Um, yeah, like, I think th- the thing is, this is bigger picture stuff that the three letter organisations are dealing with and I was thinking about what's a good analogy, you know, before we started recording, and I don't know if I have one, but I was thinking about, you know, the, the movies where the, there's two cops and it's like a buddy movie, and then one of them gets shot and the cop has to either stay with their buddy, who's, you know, in a bad way or run after the criminal and, and you kind of go on either side, depending on what what way you're wired, you know, you kind of want them to stay and do the right thing, help their buddy or go and, and catch the criminal.

Or, you know The Wire, right, the TV show, like, you put in The Wire, you're watching the crims, and stuff is happening that you could jump in on early and prevent a crime, and sometimes they're awful and they're confronting and they're horrible things, and I think even in that show, there was some stuff where I suppose they deliberately wrote it to make the audience feel like, what, what, you know, it's, you know, you gotta go and, and help the person. But actually, they've put all this time and effort into building out a sort of surveillance plan to see who are the king pins and what's the bigger problem. And that's what ... I suspect that's all that this is. It's, it's, they've got a piece of evidence that if they pop and, and give the key away, they don't have a chance to go after the, the people behind the actually the REvil crew, like, you just don't because they know the decryption key is out there.

So, like that, I think it's big picture stuff. I don't, I don't think it's laziness, I don't think it's you know, anything other than going after the bigger fish.

Bradley Sing: I, I don't think it's that at all, no, no. So, I think th- the comment's more that if you've got allies who have, you know, allies of America like Australia who have encrypted data which is sitting there, which that tends to need access to, it's not the FBI's decision alone as an agency to kind of make that decision. So, it's kind of, where's the line start and who is actually responsible for this, and I think that's probably a good reflection of probably a- if you look at the intelligence agencies in America, how a lot of them are kind of dipping their toes into cyber security, but where does the responsibility actually lie and, yeah, I mean, if I was an Australian company which was, you know, suffered victim to that ransomware, I'd be asking questions. And it wasn't until I think the offender publicly released a, a, a tool months later till a lot of people you know, finally got their data back.

Garrett O'Hara: Yeah, but, but if you take out the crew that, you know, is the, the core part of this ... Actually, in, in the sort of stuff that we, we had for the kind of research in this piece- ... Uh, Dmitri Alperovitch actually commented, he wrote a piece in The New York Times about, about this thing and, and sort of supported the, the approach that they've taken because it is going after ... I can't remember the exact quotes, it's like, the personnel, the money, you know, the funds behind this is a problem, and I think that's the perspective of the, the agencies involved here. You know, in this case it was reported as the FBI, but that's what they're tryna do, it's, they're tryna get to the people who are causing the problem, rather than, you know, putting a bandage on everybody who gets shot, they're tryna find the shooter and, you know, if they move too quickly, then, you know, the shooter knows that that's, they, they, they have them located and they'll run away.

And I think it's that that's going on here. Um, and it must be a hard decision, right. I'm, I'm sure they didn't take it lightly to have companies that were ... And actually, not just companies, right, there was healthcare organisations, there was some serious stuff here where by not providing the key, there was, there was a reasonably big impact. But the, yeah, I mean, it's one of those decisions that I'm guessing is tough to make where if you're tryna get after the, the person holding the, the gun, that's, it's, it is a hard decision.

Bradley Sing: It, it may u- end up in court though 'cause it's the third party doctrine which we're talking about here specifically, which kind of, yeah, it's an interesting thing and I, I guess none of us are really versed in American law or [laughs] constitutional law or anything like that, but it does seem like there is an ethical line which potentially the FBI may have crossed by not letting people, certain people know, because it wasn't just the FBI not so much just America was being targeted yeah. Interesting [crosstalk 00:12:49].

Garrett O'Hara: I thought that was the point that was made though, because it was a collaborative decision, they didn't have the right to go, like, shout go, go, go and release the key, but actually they, they had to, you know, to collaborate with, not just American agencies, and I'm guessing there was other three letter a- agencies involved, but actually was in, it was international and, you know, that- that's the other thing, like, they ... Who knows, behind the scenes, those international, you know, the ORCA stuff, the international collaboration where if they were the ones who released it, it causes more friction at a bigger scale.

Dan McDermott: And as you said, Garrett, I mean, this has been a tactic in organised crime for, for a long, long time, right, in terms of, of, you know, infiltrating at a certain level, but not giving the bigger game away in order to work their way up to, to what you say, like, the money man right at the top of tree, to actually then create a, a way to stop, stop the proliferation overall, and actually stop it at the source, rather than, like you say, tryna keep patching all, all the time.

It is difficult though, right, when there is, you know, significant, you know, implications in the short term, and if you are on the end of one of those, like, you, you would feel aggrieved, I think there's no doubting that, that you would feel like, how come we didn't get the help that we needed? And I think, as you say, particularly if you're, you know, critical infrastructure or healthcare and some of these providers is certainly, you know, they would definitely be on, on on the angle of I think where Brad's coming from, which is, you know, help now, you've got an answer for now, solve for, for the problem that exists right here and now and allow that, allow people to, you know, get back to providing the services that they do, get back to their lives and actually get back to their, their livelihood.

So, it- it's a, definitely a balancing against and one that, you know, is, is difficult and, and, you know, that we've all seen play out in, in spy movies and and TV and that, but difficult to actually comprehend, like, probably the magnitude of what's going on here.

Garrett O'Hara: Definitely. I- Is there an analogy, you know, we three have talked about the pay or not pay when it comes to ransomware-

Bradley Sing: Mm.

Garrett O'Hara: ... and it feels a little bit like it's a bigger version of that, right-

Bradley Sing: Mm.

Garrett O'Hara: ... where you pay the ransomware, cool, like, you get to move on as an organisation, but actually, you're just con- you're contributing to the problem, and I think it's, it's sort of a version of that and spot on, you know, it's ... I think if I was one of the organisations, you'd be so annoyed. You would be absolutely-

Bradley Sing: Yeah.

Garrett O'Hara: ... devastated and, and many businesses from [inaudible 00:15:10] came close to closing their doors-

Bradley Sing: Huge.

Garrett O'Hara: ... [crosstalk 00:15:13], a huge deal, but it- it's one of those difficult, difficult decisions that I'm guessing we- we're probably gonna have to make more of. And that's the other thing, like, as we go forward in this stuff, like, there's gonna be a lot of these. This is not gonna be the only one where it looks like the wrong decision was made because so many people are hurt, but there's a longer play to solve the, you know, I mean, the ransomware problem, right?

Bradley Sing: I, I think you're 100% right, Gar, like, you, if we keep feeding the beast it, it just grows bigger, we- we've learnt that already. I would just say, like, I feel like there's a little bit of messy oversight in terms of this process, and I agree, we need to be fighting back and we need to be making the tough decision, which unfortunately I think impacts the now. But, yeah, I th- I think there is something there in terms of letting allies know as well and just making sure there's, there's proper communication, 'cause at the end of the day, like, you know, it's, it's real stuff, it's real businesses, like, hundreds of stores were affected and businesses all around. So, we wanna make sure we're doing the right thing as well.

Dan McDermott: I think both of you have touched on the issue that ... And what comes out in some of the articles and the research that we've done is is that it wasn't necessarily the FBI that found the keys and actually had it. So, in some ways, they felt constrained as to, like, was it their information how had they acquired that and were they able to share it? So, it probably has come from somewhere else as well and it's, like, and then we get into international disclosure, cross agency disclosures, all of those sort of things, and then who actually has the right of, of that, because the, the implications are that, you know, if you breach that once, you won't get the information again.

And so, intelligence sharing would stop, right if we actually got to that sort of level. So, i- it's, it's so complicated and, and so many implications and moving parts around this. But I think it definitely shows the escalation of, of ransomware and as cyber attacks a- as an issue, getting to that issue of, you know, money laundering, you know, drug cartels, you know, these sort of, you know, in- international arms races, like, it is getting to that sort of level, and the same sort of agencies are now tryna, to use some of the same tactics that they have and you've gotta wonder ... And I think, Brad, you made a good point of, like, you know, when does disclosure need to happen? How can you contain it? Is there, is there new methods and new ways of actually dealing with this in a cyber world that might be different to the way that they've traditionally gone about some of those, I guess, you know, tangible, real world sort of criminal activities as well.

I was gonna say, I didn't know if the cartel wars or drug war's going too well, so [laughs], I hope we don't mimic that.

Garrett O'Hara: Did we win the war on drugs?

Dan McDermott: [laughs]

Bradley Sing: [laughs]

Garrett O'Hara: 'Cause you get them everywhere.

Bradley Sing: Is, is it still going, or?

Garrett O'Hara: [crosstalk 00:17:50]

Dan McDermott: [laughs]

Bradley Sing: [laughs]

Garrett O'Hara: Uh, one, maybe one last point on the you know, that disclosure, and one of the things I did read, and it was sort of, it, it was buried a little bit was the potential exposure of the people who helped with the ge- you know, getting the keys, and that was another thing which I think you sort of referred to, th- there just then, Dan, that potentially by going early with disclosing the fact that the FBI did have the keys, the people who maybe got them were exposed and, you know, there might be a consideration of th- the human side of this also, you know, the people who actually did the work to get the keys, who were potentially f- [inaudible 00:18:31] was in Russia, you know, and they were sitting on Russian servers, so there could've been exposure there at a human level.

Dan McDermott: Mm. Yeah. No, many implications and just the ... One thing that we'll add in to the show notes Brad, you, you mentioned Bitdefender has actually provided a, a universal decrypter, so we'll include a link to that as well and make sure that, you know, if anybody unfortunately has been affected and then haven't seen this so far that they are able to to, to get some relief as well from that public disclosure that has happened.

Bradley Sing: And to play devil's advocate, they Bitdefender said they were supported by one anonymous intelligence agency, so potentially was the FBI who helped, helped everyone in the end.

Dan McDermott: [laughs]. We will probably never know exactly, right, the area of spy warfare. Coming back a little bit more local and looking at what I said a- at the start, there's a bit of a good news story and, and the fact that we've spoken a lot about governments at all levels, federal, state and local, and what they need to do in terms of their cyber security, sort of, posture and, and what they can actually do to take control of this, because we know it's one of the most attacked sectors and industries that we have in the country. And the Vic government have, have deployed sort of a 50 million dollar plan around this really, I think, to get started, right, I think rather than actually being the end game. But, guys, what can you tell us about what the, what the Vic government's doing and, and hopefully how that will actually impact and make things better for for the people of, of Victoria?

Bradley Sing: Yeah. So, look, this is a fantastic announcement as a, as a Victorian, and it's always great to see more investment into the local region as well. What it appears to be is, is the start of a five year strategy. So it follows a, I think in the past, quite a lot of announcements, but really not for a, from the start of the year I think it was 50 million dollars announced, but since then, there hasn't been too much at a local level. Um, some of the things I find personally interesting from the plan is it includes things like training government board members, so arou- like, around cyber security. And so, they've done, I think, 60 this year, they plan to do another 55 next year. I had no idea there were that many board members [laughs] in the state government.

Um, but it really, I think, does start to show that they're, they're thinking about how do we change the culture and decision making, because cyber security's such an important thing, and in terms of actual tangibles, and we can get into the details about this, but they've called out things like Essential Eight a- and DMARC as well, which is absolutely fascinating in terms of things that agencies should be out working towards.

Garrett O'Hara: I think the big question I'd be asking is, like, in the grand scheme of things, 50.8 million investment, I, I mean, it's, it sounds like a big number, but it, it probably isn't when you spread it out over a bunch of agencies and different types of initiatives and, and functions. Um, I'd be very interested to, to sort of dig into that to see exactly where it is the money go and on, and on what.

Bradley Sing: No, sorry, this is another 300 million on top of the 50 million they announced earlier in the year.

Garrett O'Hara: Oh, there you go.

Bradley Sing: But still, you- you're right, like, I mean, regardless of the number, like, I feel like we almost need to be in the billions here, right? Like, it, it-

Garrett O'Hara: Yep.

Bradley Sing: ... it is ... And then it starts to raise the question, the whole state versus, I guess, federal responsibilities around some of this stuff. But I think we know very well, like, it, you know, it's good to see the state governments, kind of improving their resilience.

Garrett O'Hara: Yeah, it'd be cool to ... Like, even 300 million in the grand scheme of things still doesn't feel like a huge amount of money, to your point, Brad, you probably need the B rather than an [laughs], an M in the number given, you know, where everything's at. But, I mean, if you can get efficiencies across all those different sort of agencies and, you know, councils etc, I mean, you, you start to see some pretty big returns and as a tax payer, not a Victorian tax payer, but tax payer in general, like, you wanna see your money spent well and I, I suppose I've always kind of questioned why it's so fragmented when it comes to, to governments and there's so many inconsistencies in terms of, like, where people are at with their cyber maturity you know, depending on what type of agency or organisation they are.

Um, and it'll be interesting to to see where they land with the Essential Eights 'cause I, like, it's, it's a funny one, I think we hold that up as a, if you do that, you're good, good to go, and so I know there's plenty people in the, the industry that kind of have question marks over how, sort of, valid that is as the bible for whether you're in a good position from a cyber security perspective. But, like, it's good, I think it's, it's definitely good news, right.

Dan McDermott: For sure, and I, I definitely like the tagline of making a cyber safe Victoria, so, that's a, that's something that I think is, you know, is at least aspirational as well, that it isn't necessarily an end game and that this, like you say, Brad, is just part of a, a, more of a journey and a five year plan and how do they actually, you know, collaborate with you know, some of the national agencies. Obviously they'll work with the Australian Cyber Security Centre and others as well that that, to get best practices and sort of start to uplift across all the agencies. Like you say, Gar, I think that one of the things that, that is a struggle in, in all aspects of, I think, the economy, but into, into government as well, is the haves and have nots, right? Like, the-

Garrett O'Hara: Mm.

Dan McDermott: ... the agencies that are very well funded and that are very well sophisticated in their approach versus those that, you know, maybe don't have the same level of funding and resourcing and capability to, to get to that same level. So, how do we, how do we get a rising tide to to rise all boats and then make sure that everybody's, you know, is improving along that journey I think is, is something that, you know, they're looking at and starting to make some of those sort of investments and, I guess, hopefully start to make some strides into that area.

Garrett O'Hara: You must be happy, Dan, are you to see ... 'Cause I know you've banged the drum for cyber crime messaging and education programs, I know you've been a huge advocate for that for, for quite a few years, you must you must feel good about that.

Dan McDermott: Yeah, I, I ... Look, it's ... I, I think that it's still got so much room to go, right?

Garrett O'Hara: Yep.

Dan McDermott: Like, I still believe fundamentally that we need, you know, bigger national level sort of campaigns around awareness and what's happening and they need to then be supported by, by actual implementation and delivery of services, you know, at a, at a cheaper rate for those that can't afford it. So, in particular, SMB or smaller organisations, to uplift their posture, so rather than cyber security being a burden for them or seen as a cost, right, doing business, it's actually seen as an enabler and allows them to be part of bigger supply chains and, and actually fuel their business.

But can we expect small businesses to be taking that burden on when we see the complexities that go on and, and what's happening? So, how do we get a bigger awareness level and I always think back to you know, slip, slop, slap from a-

Garrett O'Hara: Mm.

Dan McDermott: ... skin cancer point of view, or Life. Be in it. from a fitness point of view and these things sort of bo- born in the 80s and became massive, you know, institution and, and, and life changing sort of programs. I think cyber is getting to that point-

Garrett O'Hara: Mm.

Dan McDermott: ... and it needs something similar, and like I say, but awareness alone won't change it, right, just being aware won't actually stop all the things that are happening. So, there does need to be, I think, some sort of mechanism in place that helps uplift everybody and, and I think that's akin to, you know, a, a government type, Medicare type program.

Garrett O'Hara: Mm.

Dan McDermott: Not exactly the same implementation if you like, but the notion of, of having an agency or a mechanism and a, a funding mechanism that supports the uplift and provides universal cyber health for everybody, you know, I think is something that is that needs to be explored and goes well beyond, you know, the investments that a, a state government level that can make and those type of things.

Garrett O'Hara: I just, I had a vision of myself going into, you know, a retail store with my cyber care cards and getting a discount on, um-

Dan McDermott: [laughs]

Garrett O'Hara: ... you know, anti virus software or whatever. So, it's so true, man, such, it seems like such a solid idea to me.

Dan McDermott: Well, we, we will see. We have submitted it into our government responses of late and some of these ideas to try to change some of the thinking and provoke new ways of, of doing things and hopefully we'll be able to talk about maybe some of the, the outcomes of that in upcoming episodes of maybe making some progress. But if not, we'll keep we'll keep the drum beat rolling anyway.

The final story for today is, is one that we've touched on a few times over recent episodes and it looks at spyware, in particular, using the, the spyware called Pegasus. And this time, it's been announced that it's been found onto the phones of five French cabinet ministers. Um, so obviously extremely serious, highest level of government that you can get in France. Um, Brad, this has been a topic of, of great concern and one that you've, you know, taught us a lot about over recent times, how is this still going on and what's happening in France at the moment?

Bradley Sing: Yeah. So, this is it's Pegasus again, but I th- we covered it in the, in the patch notes from Apple, right? So, it was the forced entry one, so technically has been publicly patched. But I guess what we've learned about patching is not everyone has their updates, right, especially end users. Um, the interesting thing with this one, and I'm not sure if anyone knows, but pretty sure France just went through an election, didn't they? Um, and so did Canada. So, it's obviously a very politically charged time around the world as ... But we're seeing, yeah, we- we- we've seen evidence that five senior cabinet ministers ha- ministers had their phones infected with Pegasus.

Um, there's no evidence yet to suggest whether or not they actually gained access to the phones. Interestingly enough, Macron himself, the, the president, he, he changed phones a few weeks ago just before the stuff was announced and in response to all this. Um, but I think there's also some interesting commentary there in terms of, I guess, just the, the raw dollar value and who's actually making these targets. We've now heard reports that drug cartels, back to cartels again, in Mexico have been using them to target journalists. Um, we're also seeing that, from an ethics perspective, hackers are having a hard time going to Apple's bug bounty program and taking ... I think the maximum payout's $200,000, when they can get a few million dollars for a zero-day iOS exploit on the, on the dark web.

So, from an economies and scale perspective, it doesn't seem like there's much to target. But I think it's kind of like the Panama Papers leak, I think you're gonna start to see more and more coming out from it. Um, Israel themselves have said that they take the they take the allegations very seriously, so hopefully we'll see something, I guess at least at a national level and potentially even some investigation into the group itself.

Garrett O'Hara: Yeah, it's astonishingly worrying stuff. And I wonder, you know, we know about Pegasus, but, you know, you know there's other stuff well, I say that so confidently, but, you know, you could be fairly sure that there's other stuff that we just don't know about not just you know, [inaudible 00:29:35], like, hacking group. And we've seen so many of those things that every time it feels like it couldn't be more like a Jason Bourne movie, it's more like a Jason Bourne movie and, you know, it, it just gets scarier and scarier with some of the um, the exploits.

And to your point, Brad, the ec- you know, the economics of it are astonishing. The amount of money that you will, that gets paid out, it's like, I mean, for some people, winning the lottery, especially depending on where you live. Um, and it almost points to the, what'd you call it, the hom- homogenisation's the wrong word, but the kind of level playing field that the, sort of, researchers are around the world. All you need is a computer and the sort of intellectual chops to figure this stuff out. And depending on where you live, you know, a million dollars is absolutely life changing huge, huge money.

So, the incentives to, to go figure this stuff out are just enormous. Um, and to your point, it's, you know, like a really important point that you've made I think about the the balance of incentives from the, you know, the vendors versus, you know, groups like NSO or hacking group or, or name your group and, you know, there's plenty of others out there that do this stuff, but unless you get that right I mean, we're gonna see more and more of this stuff also, I would say.

Bradley Sing: It's so much co- more connected, right? And maybe 20, 30 years ago it was a little bit more gated before we all had internet and we all had computers or, yeah, they were more common use. But I think you touched on a really good point there where if you've got a computer, you've got time, you can learn how to do this stuff. Like, people are doing it actively and they're managing to beat the world's best vendors who have done this for years and years and years and it's, anybody in the world can literally, you know, start learning this capability.

So, I think it's a bit of a reality check for, I guess, probably for every vendor or an- anybody out there who produces software but also, we need to think better in terms of how we incentivize these incredibly smart people because, yes, they're reaching and hacking into iPhones, but anybody who could do that could probably come up with the next Facebook or Apple themselves. So, that is probably a missed, missed opportunity there too, as well.

Garrett O'Hara: Yeah, let's get them into the ASD or the NSA or the ACSC or a- like, any of those organisations, but, I mean, this is-

Bradley Sing: Th- They don't pay enough [laughs].

Garrett O'Hara: Oh, that's ... You stole the words out of my mouth. I, I took a breath in to say th- the horrible thing, which is, the good guys just don't pay as well as the bad guys.

Dan McDermott: Well, I think th- this is akin, again, we've said to sort of things that have been around for a long time and just are moving to a cyber world, you know, that we've known for a long time, control the information, control the media, you can, you can control the politics in many ways, right, and and, and this is the new ground for getting that information and getting that control. Um, so, it- it's definitely scary stuff, but it's at such a massive scale and huge implications around the world. So, lots to, lots to do and I'm sure, like you say, there'll be the next one, you know, the next Pegasus, unfortunately we'll probably be talking about shortly as well.

Garrett O'Hara: 100%. And this mi- might be a super early teaser for the conversation I had this morning but one of the things I spoke to Dr. Chase Cunningham about, who's an absolute gun in this stuff, but has written a book on cyber warfare but he'd talk about what you just mentioned there, Dan influence attacks so we kind of get into that a little bit in the conversation. So, that's a, a very, very early teaser for that one. I don't know when it- wh- what episode that will be or when it's getting released, but we recorded this morning and it was cracking conversation.

Dan McDermott: I think a couple of weeks away, I think it's episode 77 off the top of my head, Gars, in-

Garrett O'Hara: There you go.

Dan McDermott: ... a few weeks time.

Garrett O'Hara: [laughs]

Dan McDermott: But, uh [crosstalk 00:33:04]-

Garrett O'Hara: [crosstalk 00:33:04] right amount of episodes down.

Dan McDermott: [laughs]

Garrett O'Hara: [crosstalk 00:33:06] [laughs].

Dan McDermott: Well, we'll bring this episode to a close, and I'll thank you, Brad and Garry, again, appreciate all of your insights, as always, and looking forward to, to next week. Uh, Gar, we have s- a special edition with some global guests discussing ransomware. Can you tell us more?

Garrett O'Hara: Yeah. This is, this is quite an exciting one actually when, when you sort of sent it across. Um, it's actually The Economist and you know, I don't think they need any explanation who The Ec- [laughs] The Economist is.

Dan McDermott: [laughs]

Garrett O'Hara: Um, but it's a long form interview that we have via The Economist with Ciaran Martin, who people will probably know as the head of cyber for GCHQ or ex head but a very, very eloquent, talented, insightful man. I've seen him speak on a couple of events here in Australia and he is somebody who I, you know, fan is the wrong word, but I've v- taken a lot of insights and, and learned a lot from the conversations that I've, I've heard him have with other people. Um, so it's a little bit of a different one and yeah, I reckon it's gonna be a ripper of a conversation with the interviewer from The Economist.

Dan McDermott: Yeah, terrific. Looking forward to that. So as I said, that brings this week's episode to a close. As a quick note, our website that has sprouted the podcast and delivers ongoing articles on the hottest cyber security topics called getcyberresilient.com is celebrating its second birthday this week. So, thanks to you all who have listened, read and subscribed to our newsletter. The idea was to be a local voice of the industry, and it's been an honor to deliver these insights. Please jump online and subscribe to keep up with the latest and keep us going to be able to deliver this for you. Thanks for listening. Until next time, stay safe.
