• Garrett O’Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.


The Get Cyber Resilient Show Episode #13


Dan McDermott and Gar O’Hara are together again with the latest news in cyber security from Zoom Doom to the Australian Government's COVIDSafe app. The two also take a quick look back at some of the incredible guests they’ve had on the show from Craig Ford (A Hacker I Am) to Shamane Tan (Cyber Risk Meetups) and the insights that these guests have brought to the show.

#cybersecurity #cyberresilience #getcyberresilient


The Get Cyber Resilient Show Episode #13 Transcript

Dan McDermott: [00:00:00] Welcome, [Gar 00:00:08], to the latest edition of the Get Cyber Resilient Show. Uh, here we are at the, uh, in the beginning of May. Um, quite amazing. It's been quite a few weeks since, uh, we've caught up, uh, in this environment, Gar is recording from one of our, from one of the shows.

Um, it's great to see you and, uh, good to, good to, I think, have a chat and reflect back on, um, on what's been happening across the industry, but also an opportunity for us to, uh, to reflect back on, uh, podcast Tuesday as we've, uh, as we now have it, uh, releasing one of these every week, which has been fantastic and, um, some amazing guests that have been a, a part of it as well.

So how are you doing in sunny Sydney today?

Garrett O'Hara: [00:00:48] I'm doing well. Yeah. And it is. It's, we were just chatting before we started recording, beautiful weather here in Sydney. So definitely, uh, I feel like we've got one up on Melbourne for once. You know, you guys get better coffee. Today, we've got better weather. [laughs]

Dan McDermott: [00:01:01] Well, well, that's for sure. The sing- single figures, uh, cold, hailing, um, it's, uh, it's all happening down here at the moment. So it's, uh, it's adding to sort of the, the lockdown cabin fever, I think [laughs] as well across, uh, across our household, that's for sure. So, uh, so to co- [inaudible 00:01:18] to, uh, to cope with that as well on top of everything else.

Well, like I said, I think, uh, I think it would be nice to just have a, a quick look back on some of the, uh, the amazing guests that, um, you've had on the show over, over the last several weeks, um, you know, a range of, uh, authors, speakers, people who run their own podcasts and that type of thing as well. And, um, people who haven't had a chance to have a listen, uh, w- we'll do a quick recap and then, uh, give, uh, people an opportunity to maybe dig in and, uh, have a listen to some of those, uh, those previous episodes as well.

Uh, you kicked off with, uh, Craig Ford, uh, with, who got the book A Hacker I Am, which is an interesting title in its own right.

Garrett O'Hara: [00:01:57] Yeah. And he's actually just released, uh, volume two, so that's out, uh, about two weeks now. And, um, yeah. I think it's doing pretty well. The artwork has changed a little bit from last time, and he's actually now the character that's on the cover of it. Um, but, um, yeah.

And I kind of joked with him when he was on the show that it's a great toilet book, and I stick by that, because it's an absolute compliment and, and really just means that it's a, a book you can dip into and dip out of. Um, you know, you don't have to sit down and kind of invest two hours at a time. Um, and I, I love that style of book.

Um, it's a little bit like having a really long, high quality magazine. Um, so I, I really love that kind of approach. And the articles are, are fantastic and very broad as well, which is, is awesome.

Dan McDermott: [00:02:36] I haven't seen the new artwork. Is he, uh, is he in a hoodie, at least, on the cover [crosstalk 00:02:40] being a hacker?

Garrett O'Hara: [00:02:40] [laughs] Yeah. Yeah. He isn't. And, and I have to say, I, I think we're, we're escalating in the, uh, the hoodie memes in cybersecurity, so, and I think actually, I might have sent you a, an image that was in a, um, one of the, the sort of well known media, um, you know, publishing things for cyber. And the, the attacker was not only wearing a hoodie but also had a helmet on.

And, uh, I just, I really scratched my head thinking, like, "What, what exactly are hackers or attackers doing that they need to wear a helmet while they're at the keyboard?" That's, that's some pretty hardcore stuff.

Dan McDermott: [00:03:13] [laughs] Indeed. That's right. And, uh, and then you caught up with, uh, Damian from, um, Palo Alto Networks, um, and an interesting chat around even the use of sort of AI and machine learning and where, and its role in, in cybersecurity.

Garrett O'Hara: [00:03:28] Yeah. Damien, he's a high energy guy. He's actually become a pretty good friend and, um, and, well, I actually met him at a, uh, he was talking at an event that I was at. And, um, he just, he was like a, he rocked the house kind of thing. Um, but he backed it up [laughs] with a-

Dan McDermott: [00:03:41] [laughs]

Garrett O'Hara: [00:03:42] ... A really kind of deep insight into cyber. And, um, yeah. That was a, that was a cracking conversation, um, and I think I even said it in the, the post on LinkedIn. The highlight for me was the bit where [laughs] he talked about using, uh, orchestration to order pizza. Uh, I think we've reached peak cyber when we're able to do that, and that's going to save a lot of-

Dan McDermott: [00:03:59] [laughs]

Garrett O'Hara: [00:03:59] ... SecOps people, um, uh, or [laughs] or security analysts a lot of time ordering pizza.

Dan McDermott: [00:04:06] Indeed. That's right. And, uh, and then a slightly more serious topic with, uh, with, uh, Blake, uh, Blake Deakin from, uh, Cyber Insurance Australia, but, um, I think one that, uh, I do find, you know, like, you can sort of argue that insurance is quite dry and, and stuff.

But it, it is really interesting in this space, I find, because do you need it? Will it cover you? Will it cover you? How do you protect against the unknowns and stuff as well? So it's, um, um, I think that's a, that's an interesting area to explore and for everybody to, to start to get a better handle on and understand what their, uh, their risk and their liability looks like.

Garrett O'Hara: [00:04:42] Yeah. I totally agree. Um, and, and Blake is a sharp guy. He, uh, he's, he's able to walk that fine line. As you say, insurance is not necessarily the most interesting topic, but, um, luckily, you've got somebody like him, and, and he can kind of light it up.

Um, and, and it's funny to me. It actually does become interesting, because you look at, uh, things like the Mondelez, uh, lawsuit and, and how important and kind of tricky, uh, cyber insurance can actually be. And as you say, Dan, like, the, the gotchas that are in some of the, the policies out there. Um, but I think Blake did an awesome job of just kind of saying, "Hey, look. This is why it's important, and this is what to look out for."

Dan McDermott: [00:05:17] Then you caught up with another, uh, rockstar of the, uh, [laughs] the cyber security industry, in Shamane Tan. Um, I think we sort of said it's, it's perhaps the busiest person in, in cyber. Uh, um, she certainly be found everywhere and, uh, from books to podcasts, meetups, um, has taken the meetups, uh, virtually in this environment as well and is, uh, doing a great job of running those, too.

Garrett O'Hara: [00:05:40] Yeah. Just a total powerhouse. Um, like, I genuinely wonder if she's got one of those magic stones or whatever from Harry Potter where you can be in, you know, multiple places and, you know, everything, because Hermione, Hermione? I don't know. I'm not a big [laughs] Harry Potter fan, but-

Dan McDermott: [00:05:53] [laughs]

Garrett O'Hara: [00:05:53] ... I know, I know he went off and did multiple classes and, you know, was able to be extra productive and, uh, it does feel like Shamane is like that sometimes. Uh, every time I sort of see something on LinkedIn, it's another conference. And, um, and they're all good.

And that's the, that's the interesting thing there is that it's, you know, there's a huge amount of output, but actually, it's all really good stuff. Um, it's a, an amazing thing she's, she's doing for the industry. And I think her meetups are, you know, a testament to that. Um, very popular.

Dan McDermott: [00:06:18] Hm.

Garrett O'Hara: [00:06:19] And, uh, and not, you know, not without good reason.

Dan McDermott: [00:06:22] Yeah. Definitely. And, and I think sort of rounding out sort of the notion of, of cyber being this community, I think, of coming together and, and that as well, you caught up with, uh, Karissa Breen from KB Industries, who obviously runs her own podcast around cyber as well. And, um, I think, you know, a really different take on, I guess, you know, I guess entry into the industry and her journey in that as well. Um, but definitely, uh, you know, a key member of, um, of the cyber security industry here, here in Australia.

Garrett O'Hara: [00:06:51] Yeah. Absolutely. And, and so sharp. Um, you know, I, I think her time back in the kind of banking world and, um, and as you say, that journey into sort of kind of running her own, uh, company at the moment, um, you know, it, it, it shows in the conversation. Um, loved what she had to say about the kind of messaging and, and how important that can be back into the business, um, and how to navigate that.

You know, we, we talk about it a lot, but, um, it felt like, yeah, Karissa was able to distill a lot of that kind of, you know, wisdom she's picked up o- over the years and, and kind of put it all into a, a fairly [laughs] brief conversation. You know, 25 minutes. It's amazing how much ground you can cover.

Dan McDermott: [00:07:27] Yeah. And I think that, um, you know, across all of those guests, just an amazing variety of sort of topics and interests and areas. And, and like you say, like, a number of them have their own, um, outputs in that as well.

So, uh, you know, I really encourage people to, to obviously have a listen to, to the Get Cyber Resilient Shows featuring these people, but also then to, to dig into their content and understand sort of where they're coming from and become part of that, that community, because it's something that I think is growing locally, um, has a real strength to it and has, you know, a wonderful array of voices that I think is, uh, is something that, uh, we can all connect to, which is, uh, which has been terrific.

So looking forward to, uh, continuing the next round of guests. Um, you f- you've set the bar very high, so we're going to have to, uh, work hard to continue to, uh, to get the same sort of caliber of people through, um, and having a conversation with.

Garrett O'Hara: [00:08:15] Yeah. We've, we've got some humdingers in the pipeline, um, so I'd say-

Dan McDermott: [00:08:19] [laughs]

Garrett O'Hara: [00:08:19] ... Definitely watch this space. And, um, yeah. We, we'll, you'll see some teasers from Dan and myself, I'm sure, over the next, uh, next couple of weeks. Yeah. Some good stuff coming up.

Dan McDermott: [00:08:28] Yeah. Definitely. I guess one of the things in this environment that we've all sort of been facing is the notion a bit of, uh, Zoom doom. Um, you know-

Garrett O'Hara: [00:08:37] Yeah. [laughs]

Dan McDermott: [00:08:37] ... I think, uh, I think looking at this little screen all day every day, um, [inaudible 00:08:42] probably noticed that I now wear glasses, um, almost permanently-

Garrett O'Hara: [00:08:46] [laughs]

Dan McDermott: [00:08:46] ... Uh, when I'm working. Um, you know, combining looking at the screen and old age, uh, it's all sort of coming together very quickly [laughs] um, over the last few weeks. And, uh, it certainly has changed that, that from my perspective.

But it's also, you know, raised a really interesting issue around, um, all of the video conferencing platforms and, and whether there's security vulnerabilities and, you know, Zoom bombing and all of these sort of things. And there's been this, you know, very, you know, large reaction around, uh, particularly around Zoom, um, and, and, you know, is it safe? And is it, you know, can you use it? And for what purposes? And, you know, there's a whole range of, you know, people that are starting to reject it quite almost violently [laughs] right? No. They'd say, you know, "Oh, no, no. Can't use Zoom."

Um, what's your take on, on sort of, I guess, the security side of, of these video conferencing platforms and, and where, you know, is it hysteria, or is it reality that we're dealing with?

Garrett O'Hara: [00:09:41] Uh, I think it's somewhere in the middle, if I'm honest. And, um, when I, when I think about Zoom, a lot of the things that people are complaining about, um, and, look, maybe rightly, but a lot of them are things that are actually configuration options rather than intrinsic platform issues.

Uh, like Zoom bombing, for example, a lot of the time, um, not all of the time, but a lot of the time what was happening there was people were using things like their personal links. Um, they were posting them potentially in public places, not using passwords for meetings, and then, you know, obviously, you know, we've got these people around the world who have nothing to [laughs] better to do than-

Dan McDermott: [00:10:14] [laughs]

Garrett O'Hara: [00:10:14] ... Show up unannounced and kind of, you know, crash the party. Um, I've been listening a lot to, uh, Alex Stam- Stamos, actually, um, on this one. So he's, he's kind of had the conversations with, uh, Eric Yuan, who's the CEO over at Zoom. And y- that, to me, is kind of interesting, because there's a choice for somebody to come in and, and work with you on, uh, security of your platform.

Like, he's an interesting character, right? He's a guy who left Yahoo! because he wasn't happy with, um, the government intelligence agencies in the US doing analysis of inbound emails to Yahoo! He left Facebook because he wasn't happy with the, the Russian meddling stuff. He's a very, he's kind of like a guy you don't want to hire [laughs] unless you've kind of are committed to doing the right thing by security, in my opinion. Like, he seems like he's got that kind of form.

And, and I, I started thinking about this. Is this, and you and I have talked about this, I think, a fair bit, that, you know, are we starting to see a pivot where it's now, like, trust has become an investment in profit and security actually becomes a, you know, a kind of thing that you can market?

And obviously, they're, they're starting from a little bit behind the eight ball in this case, because as you say, Dan, like, there was a huge amount of, um, coverage on the, you know, the problems with Zoom. And let's be honest. That, that's kind of what happens in, in these sort of day and age, and especially with cyber security. I- It, the story almost becomes bigger than the story really is.

And, and I'm not for a second saying, like, there isn't. Uh, you know, there, there is. Like, there's stuff intrinsic in the platform, um, that will require a b- bug fixes. There's, there's kind of probably code problems, and that is a work in progress, as it is for every single company out there.

Um, but then a lot of the stuff, when you look at this, it basically went from really what was an enterprise or commercial VC solution into, like, people are running yoga classes on it. Myself and my wife, three times a week, do our, our boot camp session via Zoom and an iPad in the local park. Uh, you know, that wasn't-

Dan McDermott: [00:12:06] [laughs]

Garrett O'Hara: [00:12:06] ... I'm sure when the developers were sitting down, they, they weren't kind of going, "How are we going to deal with, uh, you know, COVID and people kind of, you know, pushing weights around in a park?"

Um, so listening to, um, to Alex Stamos talk about it, like, th- they get it. And I think part of the work that they have ahead of them is how do they make it so that that stuff is easier to configure? And instead of, you know, being an IT sort of tool where you've got to kind of know how to go into settings, and what does this mean, you can actually just, like, click a button that says, "Go super conservative," um, because I use Zoom for hanging out with my friends or-

Dan McDermott: [00:12:46] Mm-hmm [affirmative].

Garrett O'Hara: [00:12:49] ... Running a yoga class or whatever. Um, and he, like, he, he's got his kind of tip that he's given out to kind of the world, and it's, it's the basic stuff. Like, Zoom have already said this. It was probably [laughs] a good s- security practice anyway. You know, put your settings on the most conservative settings for what you're using Zoom for. Use, for example, use webinars rather than meeting rooms for certain use cases. Don't use your personal link. Turn on waiting rooms. Um, when the meeting starts, lock the room.

And it all seems like a lot of it just is just common sense, and it's not necessarily that the platform is broken. It's just that it was used in a way that it probably wasn't initially designed for. So it's a little bit of a rant, but you know, I, I think to your, you know, is it reality or hype, I think it's somewhere in the middle. But probably, in my opinion-

Dan McDermott: [00:13:22] Mm.

Garrett O'Hara: [00:13:23] ... Maybe veers a little bit towards the hype.

Dan McDermott: [00:13:26] Yeah. Well, uh, I think in this household, we've, uh, we obviously use Zoom. Um, we also have one, one child on Webex, uh, one doing Zoom, using Zoom for guitar lessons, um, and another one using Microsoft Teams as a, as a video and collaboration tool with their class. So it's a [laughs] it is a lot going on, um, often sometimes all at the same time. Uh, and so, uh, competing, competing platforms and competing, uh, interests, uh, just locally in the McDermott household as well.

I think, uh, the notion of, of hype and security hype, I don't think... Zoom's obviously been one. Um, I don't think, though, there's been any bigger in, in the last sort of week or so [inaudible 00:14:09] around the COVIDSafe app, um, and-

Garrett O'Hara: [00:14:11] Yeah.

Dan McDermott: [00:14:11] ... You know, uh, the reaction to, to that, um, which I think overall has been fairly positive. Um, uh, and then [inaudible 00:14:19] we can get into that, but I think that, you know, the, the security reaction around, like, is, is it safe, is, is a big question. What's your take on, I guess, you know, the call for, you know, uh, sharing, sharing the code and, and sh- and being able to actually, you know, dig into it and have people actually look at whether this is something that is, uh, built from a, from a security best practice point of view?

Garrett O'Hara: [00:14:43] Yeah. It was such an interesting conversation on, uh, LinkedIn. And I have to say, like, I'm Irish. I love that stuff. I love, uh, you know, sitting down with a pint and, and kind of having a, a good old, you know, sort of disagreement or argument, you know, about, about stuff like this.

Um, and it was pretty divisive, you know, as I looked on the comments and the threads that were happening on Link, uh, yeah, LinkedIn, mostly for me, um, it, it was divisive. And I, I absolutely get the lack of trust. You know, if you look at the, the sort of history of [laughs] Australia recently, um, and, you know, we probably don't need to get into it, but there's been a lot of things where you do sort of question, um, the, uh, the notion of privacy and, and data protection for citizens.

Um, and then you also have some awesome stuff like the NDB legislation coming in specifically to help with, you know, the, the citizens when data is breached. So it's, it's kind of a weird, uh, position we find ourselves in.

I, I think for me, the, the COVIDSafe app, it suffers from, I think, a lack of understanding of what it is. And, you know, even, even yesterday, I was hearing comments from people saying, like, "It tracks location." And it doesn't. It doesn't actually track your location at all. It just tracks your proximity to other people who have the app. And that is a very, very, very different thing to, to think about.

Um, you know, if you look at, uh, Israel, for example, they, they went with a much more kind of, uh, heavy handed option, which was that they would actually track the cell phones. So, you know, no opt in. It was just basically where is this person? Where are they moving to? Um, and they had to kind of back away from that for privacy reasons.

Like, here, what you're, you're actually talking about is a, an application. Um, it uses Bluetooth LE, so that's the, you know, the low energy protocol-

Dan McDermott: [00:16:22] Mm-hmm [affirmative].

Garrett O'Hara: [00:16:22] ... For Bluetooth. It's the same thing that connects, like, your, um, like, your, your g- your smartwatch, um, your Apple Watch or whatever, uh, to your phone. And all it does is it broadcasts a, uh, Bluetooth LE or BLE, it's a COVIDSafe SSID, so very similar to your wifi at home where it's got a, you know, an, a wifi name.

So the Bluetooth app has a, has a name. Um, it, it broadcasts that, not your device name. So if you had named your, your phone, you know, Dan's iPhone, it doesn't even show that. It, it literally just shows the, the COVIDSafe, um, SSID.

Um, the data isn't uploaded unless you give it consent, and that's via PIN, so it actually sends a PIN code back to your device before it'll ever go to the cloud. Um, and when it is sent to the cloud, it goes via HTTPS to AWS.

Uh, um, you know, without kind of getting into the politics, like, if there is any controversy that I might agree with, it's not necessarily choice of AWS from a security perspective, but, um, James Riley over at InnovationAus, uh, wrote a piece about, you know, was there an option to use a local provider that was actually capable? And, you know, maybe there's a question mark on that.

But in terms of the security of this thing, you know, it doesn't track your location, and let me repeat that. It d- [laughs] it does not track your location.

Dan McDermott: [00:17:33] [laughs]

Garrett O'Hara: [00:17:33] It, all it does is report your proximity to other users of the COVIDSafe app. And you can uninstall it. You can, you know, turn off Bluetooth. Um.

Dan McDermott: [00:17:43] Hm.

Garrett O'Hara: [00:17:43] The amount of data and the stuff that's being collected in this thing, it asks for a name, which you can make up. So you could use a pseudonym. Um, it asks your date range and your post code, um, and I think your mobile number. And anybody who's on, you know, any of the big social media platforms on a daily basis, they're giving away more information than that.

Um, and, and honestly, if you go into many of the malls in Australia, and I don't know if people know this, but actually, some of them will have, on the door, uh, what equates to a terms and conditions. Um, basically it says, "As you walk in here, you agree to us collecting information on your location within the store, and, you know, we're using Bluetooth beacons."

And if you've got wifi Bluetooth turned on, as you walk around the, the various kind of stores within, you know, your local, um, mall, they know you're visiting the store. They can actually do a heat map of where you're walking within the, the mall. And, uh, you know, that, that's happening on a daily basis.

So, yeah, like, my take, the, you know, the, the, the safety of the citizenry in this case, um, like, to me, it just, it kind of wins out. I, I just don't see-

Dan McDermott: [00:18:47] Hm.

Garrett O'Hara: [00:18:48] ... In this case, um, that the data is being sort of put out there. And actually, to your point, around the, the sort of, uh, source code being produced, it actually doesn't matter.

It's been pulled apart. And, um, that, that hit the, the sort of Twittersphere pretty quickly where, um, you know, local, uh, coding guns were able to pull it apart and actually do the analysis on exactly what this thing was doing. And there was no code obfuscation. They hadn't gone to that length. It, it's, you know, it's basically a derivation of an open source platform that was used in Singapore, so we kind of know what it is.

And, um, to your point, like, it does feel, again, you know, the, the reaction is, is correct. And, you know, we h- you and I were talking about this just before we started recording. It's right to not trust in security. Like, that's the right mentality to come at all of this stuff.

But as you read into it, and as you gather evidence, my opinion is that you should be able to get to the point where you go, "Yeah. Look, in this instance, this is okay." On balance, you know, the, the risk-

Dan McDermott: [00:19:43] Mm.

Garrett O'Hara: [00:19:43] ... Versus reward of us getting past the, or flattening the curve and getting back to normality.

Dan McDermott: [00:19:50] Look, I, I know. I don't disagree at all in terms of I think the, the people that have done the reverse engineering and the digging into this, from a security perspective, i- it seems solid. I guess-

Garrett O'Hara: [00:20:01] Mm-hmm [affirmative].

Dan McDermott: [00:20:01] ... As a citizen and certainly not, not talking as an employee at the moment, um, but, uh, uh, my concern is more, I guess, around what, what happens afterwards with the data? Um, and I'm no criminal mastermind, so I can't work out why people would want this data and what they could do with it, but I'm sure somebody will come up with some, some way of, you know, being able to try to exploit and get money or, um, you know, hold people to ransom for, for something around it.

Um, and more it is th- my concern, I guess, is a little bit around the fact that, yes, so it's, it's designed for COVID today, but then the data is stored. Governments change. Policies change. Um, we, we go back to being able to travel internationally. Um, you know, will the app, you know, be interoperable with the apps that are being developed in other countries, um, which then have different legislation, um, different ways of looking at data, um, and the way that they would look at, you know, I guess the privacy and, and the control that they have in certain countries over citizens?

It is, it's that side of things around the data privacy that, that just has this question mark in the back of my mind of, what could go wrong? Not that I think anything will today, um, but it's is, is there a way that this gets, you know, used for, for evil rather than good at some point down the track that nobody, you know, just like we couldn't have predicted a few months ago that we would be [inaudible 00:21:29] situation. Have people thought about what, what are the, the gotcha scenarios in, in three years' time of the, having this data?

Um, so that's the part that I think needs, I think, more thinking, uh, and more debate. And having, you know, and I think being open about that and, and sort of making sure that there is the provisions and the sort of things in place to ensure that the data privacy side of things is paramount, because it's, like I say, I don't think it's the problem with today and with the app. It is with the data long term, and what does that mean?

Garrett O'Hara: [00:22:02] Yeah. Definitely. And I totally agree with that. Um, like I say, I, I believe, yeah, being cynical and, uh, doubtful about this stuff, that's h- has to be the mindset to come at it. Um, from what I understand, the, the legislation for the use of the app and the data has inclusions around data deletion, and that is part of the kind of, it's got a life span. And, uh, I c- like, off the top of my head, I cannot remember what it is, but from memory, it's-

Dan McDermott: [00:22:27] Mm-hmm [affirmative].

Garrett O'Hara: [00:22:27] ... It felt like the right amount of time. Um, it wasn't ridiculously long, and it was short enough to, to kind of be useful. Um, but you're, like, you're so spot on with, um, like, the emergence of usefulness from, you know, individually not useful pieces of data. And, uh, I actually spoke to-

Dan McDermott: [00:22:45] Mm.

Garrett O'Hara: [00:22:45] ... It was Gregor on this, uh, it would have been last year, um, when we were chatting through this stuff. And, um, I think we, the, the story we were talking about was where, I think it was in Victoria, actually, they had published anonymized data around, uh, travel, you know, and the, the kind of train system in Victoria. There's lots of other cases of this, um, where you can very easily de-anonymize that data, and then it becomes useful. So you can find out, who are people traveling with? Um, when are they at home or not?

And, you know, the, the famous example of that is the one in, in the UK, where, um, they, you know, trying to provide useful data, gave the, the black cab GPS data out to the world. It's a huge data set, and, you know, it's, it's great for analysis, right? You can see where, where the hot spots for cabs are used. You could probably use it as a proxy for night life and, you know, lots, lots of kind of maybe interesting things that you could, uh, apply AI technology to.

Um, and then what somebody realized was, within that data, what they could do is cross correlate that with the paparazzi photos and what they were [laughs] what they were able to do then is, like, find a, a photo of, you know, Brad Pitt leaving club, some club somewhere in, in, um, Soho or whatever in London and, uh, correlate that with the GPS data and then literally find out where that person, you know, that, that celebrity lives.

So there you go. Like, individually, you know, a photo of a celeb doesn't matter.

Dan McDermott: [00:24:05] Mm.

Garrett O'Hara: [00:24:06] And GPS data, you can't use it. Put them together, and then you're kind of in trouble. So, yeah. Defin- Definitely take it. Um, but, yeah. A- Assuming that the legislation does do the, the deletion of data, which I'm, I'm pretty sure from memory it does, then, you know, I, I think that part of it is, uh, yeah, in my mind, anyway, partly, and I [laughs] I would, I will just say-

Dan McDermott: [00:24:28] [laughs]

Garrett O'Hara: [00:24:28] ... Partly allays my fears there. But I'm naturally, uh, a bit of a tin foil hat person. Like, my phone, I don't have any apps. Um, you know, I, the apps I have, I have to have, I've got one, one page in my phone. You don't scroll left or right. There is no, there is no more apps. I don't use Facebook. I don't use, uh, you know, and I, if I do use any of those platforms, it's on the website rather than the app, so...

Dan McDermott: [00:24:51] But, uh, uh, what we had to say is, it's, is s- almost immediately, right, uh, the scammers were at it. Um, you know, there was, uh, SMS, um, with spoofing, um, you know, down, you know, click this link, um, go to, you know, the myGov page. Um, you know, that's my.gov rather than myGov. Um, and we're seeing them sort of ex- trying to exploit sort of the ability to, you know, access your superannuation early, that type of thing.

So there's a whole range of scams around that. Um, plenty of information on Scamwatch and, um, on the Australian Cyber Security Centre, um, pages, um, around that. And really we, you know, encourage people to take a look at all those sort of things and just remember best practice and, and doing th- doing those things.

Uh, um, you know, w- even people are, you know, social engineering, calling up and saying, "Uh, we can, I can help, you know, acce- you know, work out whether you can access your super early. Let me, uh, just give me your details-"

Garrett O'Hara: [00:25:45] Mm.

Dan McDermott: [00:25:45] "... And I'll w- I'll do the analysis and provide advice for you." And [inaudible 00:25:49] like sounds helpful [laughs] um, except for, except of course, we know that it's not. So, um, [inaudible 00:25:56] just sort of always, I think, beware of these things. And it's just amazing how quickly they always come up, right? Like, as soon as something, you know, legitimate is available, the, uh, the nefarious version is, uh, is out there, um, you know, and widely spread as well.

Garrett O'Hara: [00:26:13] And spot on. Like, that's, that's something y- we probably haven't really talked about, is the, the fake apps that will inevitably appear. They'll be on the app store, and, um, and you're spot on. You know, as soon as you get the real thing, there will be versions of COVIDSafe, presumably, and, um, they will be dangerous, and they will steal your information. So that's probably a, a tip that, um, I hadn't really thought of. But, yeah. You want to make sure it's the right [laughs] the right COVIDSafe app.

Dan McDermott: [00:26:39] Y- Yeah. [laughs] Exactly. And as I was saying, it certainly would be not too safe very quickly. That's right. Uh, uh, Gar, I think that covered a lot of, uh, I, I think the ground of what's sort of happening in the market at the moment and, uh, and coverage. Um, I will put in one, uh, one, one plug. Um, if people do need another, uh, if you've finished, uh, A Hacker [inaudible 00:27:02] another good toilet book, um, and a, a read over this time as y- uh, we're stuck in lockdown, uh, do dig out the Cyber Resilience for Dummies Guide. Um.

Garrett O'Hara: [00:27:12] Yeah.

Dan McDermott: [00:27:12] Published, uh, in Australia, um, uh, for, uh, for our market. So, uh, I would encourage anybody to, to have a quick read. It doesn't take long, but it, uh, I think provides a good overview of all the things that, you know, the industry and as a whole that we're trying to discuss and get out. So, um, yeah. If anybody, uh, take a look at that, uh, you can get the, the free eBook, and there's a hard copy version if, uh, if you so desire as well.

Garrett O'Hara: [00:27:35] Awesome. Good stuff.

Dan McDermott: [00:27:38] Perfect. Well, uh, thank you. Continue to stay safe and, and COVID safe. And, um, and, uh, until next time, I'm looking forward to, uh, the next array of, uh, the guests that we have lined up for, uh, for the Get Cyber Resilient Show. So, uh, take care and, uh, thanks to everybody for listening and, um, we'll be, uh, back with, uh, podcast Tuesday next week as well. All the best.

Garrett O'Hara: [00:28:00] Cheers, Dan.
