
A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com. Welcome to Cybersecurity Today on the weekend. My guest is Tammy Harper. She's a senior threat intelligence researcher with Flare. You can find them at fl. Now, you might have caught the last show that Tammy did with me, which was an overview of ransomware. It covered how it works, but it especially focused on the players and how they operate. If you haven't seen that, you should. There's a link in the show notes at technewsday.ca or .com, take your pick. It's under Podcasts; check it out if you can. But today, Tammy has brought us something new. Welcome, Tammy.
B
Hello. Thank you for having me again.
A
Oh, glad to have you back. So this is a surprise, because I haven't seen what you're going to show us. But before we go, because some of the audience may not know you (if they don't, they should tune in, because you're a regular guest on our monthly review and we do shows like this), can you just tell us a little bit about yourself and what a senior threat intelligence researcher does?
B
Absolutely. I work for Flare. What a senior threat intelligence researcher does is, we are in the trenches on the dark web, on the deep web, on the clear web. Essentially we are always learning about the latest tactics, techniques and procedures that the threat actors and the bad guys are using, and we curate this intelligence for people to use so they can better defend themselves. It is very much hands-on and in the trenches. Absolutely. Great.
A
And so what have you got for us today?
B
I want to present to you and to your fantastic audience a lecture that I put together for Flare Academy a couple of months ago. This one talks about concepts and ideas of what the future of cybercrime is going to look like. So this is going to look at the next year to five years, and we're going to look at different pillars: extortion, ransomware, artificial intelligence, quant. So we're really going to try to look at what each pillar is going to evolve into and what we can potentially see. And so far, some of these predictions have already come true. I'm very excited to present this to you. A little bit more about myself: I'm a cat mom, I love photography, I'm a huge astronomy nerd, and I love techno. I also love running and playing badminton and tennis. I'm part of a few clubs here in town, and I just love doing that. So I want to start off with this really good quote that sums up the first pillar, which is the underground. The quote says, "Whenever there is authority, there is a natural inclination to disobedience." That is by Thomas Chandler Haliburton. He was a Nova Scotian politician, judge and author, 1796 to 1865. And I think that's a really good quote to sum up what the underground can be, because the underground is basically a counteraction to what the mainstream is. However the mainstream is doing it, the underground is going to do it a different way, for good or for bad. So let's have a look at the first pillar, which is the underground. I want to take a step back and look at different types of undergrounds, going back to the 1980s and the Soviet nalevo, which means "on the left," a type of black market or black economy or underground economy that was thriving during the Soviet era.

During this time, the mainstream establishment, the government, couldn't necessarily supply everything that individuals needed. So what started off was this second economy that allowed individuals to barter favors with each other. If you needed, for example, parts for your farm equipment, and you knew a friend that was working in a factory, you would get your parts directly from your friend that worked at the parts factory or at the manufacturer. If you needed bread, or meat, or anything really, you would just get it from someone that you knew. So this really became a favors market, very much a second economy, right? And it bypassed the government, the actual establishment. This is something that we see today with counterfeit goods, and we still see it today with bartering. We see it with marketplaces, with Craigslist and Facebook and a whole bunch of different places. This is not a new concept. It's the secondhand economy, the secondhand marketplace, right?
A
And in fairness here, even in North America there are things that are sold that "fell off a truck."
B
Exactly.
A
There is. There's a backyard economy here as well. But I think in the Soviet era it was far more extreme, because of the lineups and the lack of goods, and it was probably the only way to get things in the Soviet economy. There used to be a saying they would use: "We pretend to work and they pretend to pay us." But it was that whole thing of: we're not going to get these goods, and the only way to get them is the black market. And I think that made it more extreme than what we have here.
B
And this is where the blat networks come from. Blat is basically webs of favors, right, and connections that replaced the official rules that were in place. What I'm getting to is that this mentality shaped generations, and we live in a world now where a lot of cybercrime comes from this mentality. It was a really difficult time. Not all areas of the Soviet Union underwent such extremes, but it was very much present, and it was an open secret that this whole economy existed. So the next point is that Gorbachev's reforms failed because they didn't address the underlying incentives. This is in the late 80s and the 90s. Even elites participated in this, the KGB participated in this, Party officials participated in this. And this is what created the power structures that we see today in the post-Soviet mafia and the oligarch structures. So this whole network of favors and paying bribes and so on is a whole system and economy that started from there. This brings us to the new underground that we see today. And the new underground that we're seeing today is that the whole world is having a really hard time trusting our governments. The whole world is having a hard time trusting media now. We also have a hard time trusting institutions, financial institutions, healthcare and so on. And this is only going to get exacerbated by the misinformation and disinformation that can be created so easily with artificial intelligence and botnets and things like that. So when we look at these things, we can see that by learning how the underground works and how the underground is going to become this new beast, we can start navigating it better and understanding it.
So the first thing that's going to happen, and I think this is already happening, is the decentralization of a lot of the underground forums. A lot of the underground forums for the past ten years were heavily centralized in the Russian-speaking forums, like RAMP and Exploit, and this is specifically cybercrime, right? And Exploit and XSS. We've seen recent disruptions on XSS, and there's been a disruption of Exploit recently. They had to change domain, but law enforcement hasn't claimed anything on Exploit yet as of the time of this recording. That might change if news comes out. And so a lot of these smaller forums are trying to take their place, BreachForums is no longer a thing, and a lot of the old-guard forums have all faded.
A
Are these disruptions from North American law enforcement?
B
International law enforcement, always a collaboration.
A
Yeah, but many of these are in Russia. So they're still able to disable these forums?
B
Exactly. So, for example, XSS: one of the main administrators was arrested in Ukraine, and that was pretty funny, because I'm pretty sure law enforcement knew who he was for a long time. And it's really interesting. I was talking to another researcher and they said, speaking of the administrator, it's pretty crazy that you live in a country where your government is asking for billions of dollars and for weapons and you think you're not going to get traded for that stuff, right? So they basically put him on a platter, made the arrest and gave him to French police. That's going to happen and always will happen. We even saw big arrests like Joker service. That was a huge arrest that targeted money laundering in Russia, right? There were something like 194 arrests. That was a huge operation, and that happened primarily in Russia. So these big international law enforcement disruptions do happen, but they're rare in Russia, and they only really happen in Russia when you piss off someone in their local jurisdiction. So that's only going to really be something that you see happen at that time. So anyway, what I wanted to say is they're going to start doing more and more decentralization. We're going to see people talking to new escrows and moving more and more towards things like Telegram and Discord. But even those get purged, and they get taken down so often, right? With the recent Scattered Spider, ShinyHunters and LAPSUS$ campaign that was happening, they were basically taking down a channel every day. So we're going to start to see people move more towards Matrix, Signal, Nostr and different types of platforms that are more decentralized and harder to take down. But the problem with those is that the ease of access for the general population isn't quite there yet. Not everybody knows how to get onto Matrix even.
It's pretty simple for you and me, but most people would have to look up how to get in. It's not something that's completely in the mainstream yet. Even accessing Tor is not necessarily mainstream, but it's more mainstream than, let's say, I2P or ZeroNet or Freenet. So we want to start looking at decentralized networks and different types of networks. Talking about these networks, now the escrow world is going to change, because right now a lot of the big escrow is done through the main forums. I'm talking about: if you have a big exploit and you want to do a big transaction, you go on, back in the day, Breached, or you go on Exploit or RAMP or XSS, and you use their escrow. Their escrow was there to stop scams and to make sure people were getting paid for what they deliver.
A
And you're using the term escrow in the same way I would, and that is you have a trusted party that holds something and releases it when something happens. So it keeps you honest: I promise I'll do this; you're going to release this money via a third party. There's even a concept of that in organized crime, where they have a person who's reputed to be honest who would hold and release these things. I think that's because apparently you can't trust criminals, so they find someone you can trust. Is that what you're talking about here?
B
It's exactly what I'm talking about. So we saw escrow was really done and organized by the top forums, or by other relatively well-trusted individuals in the community. But now that the forums are vetted or under more and more scrutiny, escrow is going to have to become more decentralized. So people are going to have to figure out a way to create these zero-knowledge proofs, or these escrows that function for both the seller and the buyer. That's going to be a really interesting development. Are we going to look at something more akin to what the blockchain is doing, or are we going to look at something more like smart contracts? But again, it's all about a mix of anonymity, convenience, speed and how much the fees are. So these are all things that have to be considered in how this moves on, because without an escrow system, if you target the escrow system in the underground community, it makes it very hard for people to trust each other and actually move goods around.
A
This really makes me think about the way law enforcement has gone after this, going after the infrastructure of these groups. This is how they function. The forums are how they recruit, it's how they make deals, it's how, as you pointed out, they guarantee payment. Without that structure, everything falls apart. And I think what I'm hearing you say is there are new ways that structure is going to come about, and you're referring to those as decentralization, but it's really a whole exploration of a number of different tools, places and things that they're going to be doing. Have I got that correctly?
B
Yeah, exactly. So when law enforcement targets these forums and takes away the escrows, like you said, it really takes the wind out of their sails. Now we see there are smaller escrow circles. If you're part of a ransomware group, usually your ransomware group will be able to conduct escrow at a smaller scale between you and the victim. LockBit did this, BlackCat did this. But as a general escrow, there definitely has to be a way for these individuals to move into a decentralized escrow, and I think smart contracts are going to be the way to do it, and it's going to make it much, much more difficult and increase the technical difficulty of following these escrows.
A
Now, for our audience who may or may not know what a smart contract is, what's your definition of a smart contract?
B
A smart contract is essentially a contract on the blockchain, and the blockchain allows you to pay out or purchase or sell Ether, or Ethereum, when you've done a specific action, but this is all conducted on the blockchain. The problem with that is that the blockchain is not anonymous; it's pseudonymous. It's still traceable. There's going to be someone that's smart that's going to have to figure this out, because if you can't trust the forums anymore, you can't move forward.
A
So a new type of escrow system is required. Not yet invented, but there is some evidence of it.
B
Well, it already exists, right? It already exists on the blockchain and in the crypto world. A lot of people already use crypto smart contracts, and it's something that can be used to execute purchases. But using it at more scale and more robustly in the cybercrime world, specifically for malware or things like that, is going to be interesting to see. We haven't seen threat actors necessarily put their escrow on the blockchain and advertise in a forum, "Hey, I'm not using the guarantor or the escrow of the forum, I'm using a smart contract instead, I'd rather do it this way." We haven't really seen that public shift yet towards this method. But I think it's going to have to come, especially when you don't have these forums to back things anymore and the trust in these forums is getting eroded every day. The next topic in terms of the underground that I want to talk about is state-backed sanctuaries. This ties really importantly to the fact that a lot of nations have very aggressive and very pointed agendas and geopolitics. So we're looking at Russia, we're looking at North Korea. And if you can be the type of person that can travel to these locations, you can start targeting a country that that country doesn't like, or that country will turn a blind eye to you. We already see this today: the concept of cybercrime tourism, or essentially just being able, as a mercenary, to travel to another country, conduct attacks, then come back and cash out and things like that. Because in a lot of the western world the financial institutions are heavily regulated and make it very hard to withdraw your cash.
So if you can go to these other countries and conduct your attacks, but also cash out on your attacks in those countries, and then still come back with just enough money that you don't have to declare it, or, again, different ways of doing it, but getting it into a fiat currency in areas where KYC, know your client, isn't as aggressive, can be a thing, and it already happens today. But I think this is going to be something that happens more and more, especially because we are seeing so many layoffs right now in the tech industry, and we're seeing so many very talented people looking for work or out of a job. And this line of work, if you are good enough and smart enough, unfortunately can be a solution that people turn to. It's not the solution; of course crime never pays. But at the same time they might think that this is a solution.
A
So, thinking in terms of, let's say, Americans who are traveling to countries like, I'm not sure about North Korea, I don't think anybody travels in and out of there, but China, Russia. Are they able to move from the US, or are we talking about people coming from overseas to the US and Canada?
B
No, it would be from the West to the other locations, to other countries. We're already seeing a lot of this. Recently China just announced that they're trying to attract more researchers with H-1B visas. And so with the layoffs that are happening in the West, it's definitely something that we're going to start to see a move towards. Before it was manufacturing and stuff like that that went over there, but now we're going to start to see a lot of it being services and knowledge-based services, and cybercrime is part of all those services. It's part of the knowledge, it's part of manufacturing. We even see people who just know how to run virtual private servers, like network hosts or system admins, running bulletproof hosting services. One of the amazing documentaries that I encourage everyone to check out is called Cyberbunker, it's on Netflix, and it's the story of how a German company was hosting, literally, a bulletproof hosting service out of a bunker in a small town in Germany and how law enforcement was able to take it down. So I highly encourage people to take a look at that. And just to finish off on these state-backed sanctuaries: a lot of the time these locations would not have extradition, right? And if you get linked up with organized crime there, you would have access to being able to launder your money and things like that. Again, this is extremely dangerous. I'm not saying Joe Blow is going to be able to go there and just start raking in millions. But if you're already connected, this is definitely something that's going to happen more and more. The next concept that I have here is called the reputation role, and this is a bit of an extension of the escrow world that we talked about.
But how do you prove who you are when you are in a zero-knowledge system? This time it's reputation. These are really decentralized identity networks. Do you have this blockchain passport that lets you say, hey, this is how much ransom I've been able to generate and this is who I am? Do you have a blog that allows you to say these were my attacks, or these were my campaigns, or these were my projects? How do you prove who you are? Because a lot of the time researchers and companies and firms heavily monitor individuals based on their usernames, right? How do you create reputation that transcends a username? We can use PGP signatures, and a lot of people do that already, but as we saw recently with Scattered LAPSUS$ Hunters, the fact that you have access to someone's private key and are able to sign PGP signatures doesn't necessarily mean you are that individual. How to make that happen now is going to be a really interesting concept that's going to have to be tackled.
A
Yeah, we talked about this earlier. You and I had a discussion about this: once you start to break down the trust between the criminal networks, the essence of it, whether that be that state actors aren't being protected anymore, whether that be that escrow is not working anymore, whether that be that identity becomes an issue. I'm not advocating for the survival of cybercrime, but the survival of cybercrime is in danger.
B
Yeah, absolutely. And that's the whole point. It's trust, right? Everything boils down to trust. So I want to talk about the next section here, and I think this is a perfect quote to introduce it: "Power is always dangerous. It attracts the worst and corrupts the best." This was by Edward Abbey, 1927 to 1989, and he was an American author and essayist. So now we go into the world of extortion, and extortion as a service is what I want to talk about. Extortion as a service is this relatively new concept, right? And the first time that I saw it being discussed, at least publicly, was with Scattered LAPSUS$ Hunters. It's been a concept that researchers have been tinkering with and theorizing about, but it was the first time that I saw an actual threat actor put it into words. Cybercrime is a very interesting world where, if you want to get paid, you need to take ownership of the attack. You need to claim the attack in some way, shape or form, either by leaving a ransom note or by putting your name on the website if it's a defacement campaign, or, if it's a DDoS campaign, you're going to take ownership to prove that you were able to take down something. So what happened with extortion as a service, or EaaS, and what's really fascinating to me, is that it looks like if you have a successful brand that has successfully extorted a lot of money, which something like Scattered LAPSUS$ Hunters was able to do, at least in theory, then you can basically say, hey, use our name. It has weight, it has notoriety, and you can claim attacks under our name. So it's like the Anonymous world, right, where anybody can be Anonymous, so anybody can be that brand.
And then you run into issues where, if anybody can be you, then you can have some bad actors within the bad actor community that can tarnish your name and conduct attacks on things that you don't necessarily agree with, which can hurt your ability to get payments later. Especially if one of the attacks under your name is so disruptive that it puts you on a sanctions list. So I'm looking back at 2022, 2023, with DarkSide targeting Colonial Pipeline. That brought the entire might of the US government down upon them.
A
But recently there was the attack, and it's not related to the same thing, the attack in the UK on a daycare, and even cybercriminals said that crossed the line. And so your reputation can go. I just want to go back to the extortion. This is extortion in classic methods. Is this "I'll DDoS you," or what is their push for the extortion? What's the extortion penalty?
B
This would mainly be leaking data. Or it could be ransomware. Ransomware as a service is when you operate under a brand name like DragonForce or Qilin or Nova, and you use their platform, their tools, and you operate under their guidelines to conduct your attacks. But under EaaS, extortion as a service, you can use whatever tool you want. You wouldn't be tied to a specific encryptor or a specific methodology. You can conduct your attacks however you want, and you can arrange payments however you want. You wouldn't have to use the ransomware-as-a-service negotiation page or chat or crypto wallets. You'd be in charge of everything. So the idea is to crowdsource extortion campaigns. But again, once you have people conducting these attacks under your brand, there is a significant risk of it getting tarnished relatively quickly, especially with really bad attacks like the ones that we just mentioned. For those that cannot see the slide deck that I'm showing right now, there's a screenshot from Scattered LAPSUS$ Hunters, and it's the note showing extortion as a service. It's a fairly long paragraph, so I won't read it on air, just to keep an eye on the time. But if you want to have a look at it, you can definitely take a look at it on YouTube. The attacks that we're seeing with extortion as a service, just to wrap up on this: you would have access to target not necessarily ransomware, networks and stuff like that. You can do whatever you want. You can attack Okta through social engineering, Jira, Slack, M365. You would be able to do whatever you want and deploy and leverage.
Because Scattered LAPSUS$ Hunters was able to conduct a very sophisticated counterintelligence operation in terms of always spinning up new accounts, always spinning up new Telegram channels, calling out researchers, calling out tactics that law enforcement was using to track them. It's basically psychological warfare. And so you can leverage all of these tactics; these were all tests of new tactics that you can do. It's a lot of effort. But this tactic was proven now by this threat actor group, and it generated a lot of noise. Especially in the age of artificial intelligence, we can definitely see this tactic getting revived again and potentially getting used more and more often by other threat actors, and we're going to see copycats of this type of stuff coming back. It was successful during this campaign. For example, Scattered LAPSUS$ Hunters targeted Salesforce, right? And they were able to exfiltrate almost a billion records. They were allegedly putting them up for sale in batches, and they were claiming a lot of different companies. This was a huge attack. They were able to go through it using vishing and OAuth abuse, and they exfiltrated everything through the API. A lot of these types of attacks basically happen because they log in and they just hit export through the API or through the dashboard. It's pretty insane.
A
Yeah. And this was also a triumph of social engineering as well as the technical piece, because I think at one point they did get hold of tokens, OAuth tokens, and were able to technically get in. But most of this, I think you'll agree, happens because of either poor training or poor execution from people in places as simple as the help desk.
B
Yeah, exactly. But again, the whole blame doesn't necessarily fall on the help desk, because these individuals are highly sophisticated and they're really good at manipulating people. So if you fall for their social engineering, it's not necessarily your fault. This was designed to get you. Totally agree.
A
These are smart people, English-speaking.
B
Yeah.
A
Very intelligent. Great. And they've honed their techniques. Exactly. And Salesforce, I think, was a particularly big one, because I can't think of any place else you could get the quality of customer information to start more and more attacks than a Salesforce database.
B
Exactly. It was pretty crazy. And I think this is a great segue toward the next topic I want to discuss, which goes back a little bit towards the escrow world and the underground world. We're seeing a shift now towards more of a drive for affiliates, promoting affiliations and affiliates. In cybercrime right now, specifically in the ransomware ecosystem, good affiliates, affiliates like red teamers and pen testers that can conduct an attack from A to Z, are getting harder and harder to find. What I mean by that is finding someone that can source initial access or spin up their own phishing botnet, or use QakBot or IcedID or TrickBot and stuff like that, like the old-school days, and spin up all of these networks, get initial access, do reconnaissance, lateral movement, privilege escalation and then exfiltration of data, if that's what you need, and then deploy the ransomware, conduct the negotiation, get paid, do the mixing, the laundering: all those steps are really difficult. And especially as companies now are investing, which is good, we are seeing the overall maturity of networks and infrastructure increase every year, even though cyber threat actors are getting smarter and more and more aggressive in their tactics. So there is a push now from all of these groups to make it appealing for affiliates to join them. Because what the groups do, right, is they provide the service. It's ransomware as a service. So they provide the service, they provide the payloads, they provide the negotiation infrastructure, the exfiltration infrastructure, the hosting services, the blog, and they get a cut. Typically that cut is an 80/20 split. So they just get to sit around and have money come in. But if you don't have affiliates conducting the attacks on your behalf, it gets harder to justify that 20%.
A lot of these groups now are bringing in a lot of tooling and a lot of different perks, right, for being part of their group. So what's really interesting, I think, is that we're seeing groups now promote specific affiliates. There are two or three groups now that are promoting specific affiliates and giving them a platform to shine and to get more visibility and more variety in the industry. So if you go to Beast, for example, Beast ransomware, on their dedicated leak site, they list the partners, or the affiliates, that conducted the attacks. By doing so, it's a calling card, it's like authorship of the attack, right? So I think that's going to be something that we see more and more with the different groups. And it not only brings bragging rights to these affiliates; this can be used as part of the passport-like concept that we talked about earlier: hey, these are the attacks that I conducted, and it's on Beast's website. These blogs now act like forums where you can establish your credibility based off of the emails or usernames that are featured on these trusted blogs. We also see this on Nova. Nova ransomware, underneath each attack now, says which user conducted the attack. Now, a lot of these usernames can be platform-specific, so this is not necessarily a username that would be seen on a forum; this can also be a username that only members of Nova would know. We see this with Qilin, which for a little while was promoting an affiliate known as Securotrope. And so Securotrope was putting watermarks on all of the leaked images and was putting their name and their onion site in the description on Qilin's blog, and also saying contact us directly, bypassing Qilin.
Maybe they had an arrangement for, for cuts in terms of this cross promotion because again everything's about money. But this is a really interesting development and I think we're going to see this more and more. I'm waiting to see Dragon Force do this because once I see Dragon Force do this, I know this is a trend that's going to stick around for a little bit.
A
Interesting. The with the bragging rights and it's such a two edged sword of saying on one hand we want to brag about doing this attack so we'll get reputation. On the other hand it draws attention to you. It's a curious mix, but it seems to me that right now they're struggling for affiliates. But I heard a frightening statistic and that was. And I went back to double check it, but that somewhere in the neighborhood of 500,000 young men have just dropped out of the workforce and are no longer turning up anywhere in applying for jobs or anything like that, living in their basement or whatever. And even if that number's exaggerated, there's a whole pile of people Now I heard that in the context of them trying to be recruited and brought into sort of the American right wing macho, whatever that thing is happening. But it also seems there's a perfect storm recruiting young, particularly young men into cybercrime.
B
Yeah. And cybercrime is not. It bleeds into the real world. I'm seeing a lot of ads now specifically for. For the American demographic of. For mules. A lot more. So many mules I need. Or for another. Essentially another application for mules would be to use your identity to apply somewhere for either for bank loan or something like that. And some of the requirements for these advertisements are like you can be divorced, you need to have good credit, you need to have a car. And they pay pretty well. Like they. Relatively speaking, it's 5 to 20k. Right. And again, how are you going to get that money? Escrow is a big question. And this is not only the 500,000 men that you were talking about. This is also like the highly skilled individuals that are getting laid off from Microsoft, from Amazon. We're going to see an interesting time in the next few years.
A
Well, in Ontario, where I live and where you live, there was a financial crime that was run and they managed to get people who would run by and pick up the money couriers.
B
Yep.
A
And I think an incredibly risky job. But they were doing it and they were running. They took millions out with this scam. And part of the mystique of it was they had somebody who they could recruit who would be the face of this, go pick up the money and help them dispose of it while. Or help them take that money. So I find it. And when you talk about the top end of this, there were three people who were ransomware negotiators who were just sentenced in the past two weeks. These people were, they were as trusted as you could be. I don't know how much money it takes to buy off one of those people, but somebody found it.
B
Yeah, it's, It's. That is such a shame. It is such a shame, that story. And it just, I don't think that individual will ever be able to get a job in cybersecurity after that. It just like completely eviscerates your trust on being able to work in the industry. Because we all like, especially like individuals like myself, we work in, on the front lines, we work in the trenches. We are exposed to a lot of threat actors and. But ultimately, like, I would never want to go to jail, right?
A
Yeah.
B
Yeah.
A
And that's what I fear about these young people. I, the older people, sophisticated people. I. They're smart. They have to take care of themselves. But you can buy a young guy without a job for 10, $20,000, as you pointed out, that could ruin their entire life.
B
Yep.
A
You may never get work in any location that goes anywhere near money ever again.
B
Exactly. It's a big issue that we're going to. I think we're going to see more and more of. I think this is a good time to look at the other section. And again, I want to start off with a quote, as I've been doing.
A
For this is Perfect.
B
So the real danger is not that computers will begin to think like men, but that men will begin to think like computers. And that's by Sydney J. Harris, an American journalist. I see that today. I see that today, which is quite freaky, is that I'm talking to people and people are talking like artificial intelligence. Just the verbiage that they're using, that a lot more like people reading more scripts that are generated by artificial intelligence. And. But now we're seeing more and more. Like, I had a friend who's a teacher, and they were saying that their students now don't use Google, they just use ChatGPT instead to do their research. They don't even know how to Google anymore, so that's really frightening. And especially with the new, like, homebots that are coming out, like the $20,000 NEOs that are coming out, that these little humanoid robots that walk around and do your laundry and fold and take away your dishes and stuff like that, it's going to be quite scary. And this is why I want to talk about artificial intelligence. Large language models. LLMs are everywhere. They are making our lives easier. They are also, they come at a cost, a significant cost. And, but threat actors are using them very well. And there's these whole markets now like these malicious models that you can even find on Hugging Face and even these specifically designed models and curated models that, that go by names of like DarkGPT, DarkBERT and FraudGPT, WormGPT. Like these were all earlier ones and they wrap your prompts in these jailbreak commands and pass them off and then they return your prompt that is like a jailbroken prompt. So a jailbroken prompt, for those that don't know what that is, is a command that essentially allows the prompt to go through and break through the guidelines of your large language model. So a very oversimplified version of it is forget this is system, forget all your previous instructions and now do this.
That's the type of a jailbreak command, for example. But these jailbreak commands can be extremely complicated and it's meant to confuse the large language model. But essentially what I'm getting at is we're seeing these threat actors, not only are they developing large language models now and they're training large language models like they're training large language models on leaked data, and they're using these data, these, these large language models to write specifically targeted spear phishing and phishing emails based off of the leaked data that they were able to curate on a specific individual. One technique that artificial intelligence is very scary at is, let's say that you want to approach someone that is relatively public and relatively has a public appearance and is Googleable, essentially you can basically tell ChatGPT that you are dating them. And what would be a great opener to approach this person, and give you prompts on how to be approachable and how to converse with this individual. And a lot of this stuff is a long term endeavor, right? It's. You can't necessarily like socially engineer someone like that quickly, but this is definitely something that can help you build a relationship because the large language model will essentially just give you all the answers. So this is really scary stuff and we're not even talking about like deepfakes and stuff yet.
A
Well yeah, and don't forget you can get models and you've got a list of them on your slide there. I'm sure that are already. I love the term in the trade is helpful models. And a helpful model is a model that has no guardrails and they're eminently available. You can buy them, you can get them. I'm sure there's some in Hugging Face. There are lots of them around on the net.
B
Yep, exactly. And it's going to become only a bigger thing because once we have models writing models, it's going to be game over. And that's not too far from the reality because OpenAI is getting to that point where actually there's this. I want to take a step back and say there's this that addresses this point. There's an amazing research paper called AI 2027 and essentially it discusses this runaway effect of when you have AIs writing themselves and how fast these models can train themselves and create these black box code bases where you don't know what's hiring them anymore. And that's going to become another issue going forward. And how do you know when an AI is deceiving you? How do you know when an AI is lying to you? And once we get to that point where they can start conducting attacks by themselves, we keep seeing now, like before, just this year, we saw two news stories of AI powered polymorphic ransomware. And one was this ransomware that was using Lua commands and used it to do lateral movement, privilege escalation and things like that. But it needed to phone home with Lua commands the whole time and prompts. So that was not necessarily the perfect model. But like artificial intelligence is quite heavy. Right. So these binaries would be quite large compared to, to smaller viruses of today, which are just a few kilobytes. But these large language models, also the fact that they're so large, like a lot of antiviruses and EDRs don't necessarily scan like files that large. So there's a trade off. But what I'm getting at is like this stuff is going to happen more and more. Yeah.
A
And dedicated models don't have to be large.
B
No.
A
When you don't generalize, when you're not trying to generalize, when you're trying to do one specific thing, you can get a model down to a size that is actually runnable on a PC laptop and very easily. So I think we're going to see spin off agents that come out of large language models that can do a lot of things independently without having to call back to home, which, by the way, they can do in an encrypted fashion now because you have to have encryptions to protect the model. There's a flip side to everything. So I think we're Just in the beginnings of the danger zone for AI, and I've said this before, was in, we've said this in cybersecurity, that cybersecurity shouldn't be bolted on, it should be built in. We're. That's exactly what we're doing, is bolting it on. We've created the AI, now we're trying to manage it.
B
Yep.
A
Difficult piece.
B
Exactly. Just to give you an example, in 2024, a Hong Kong finance firm lost 25 million after an AI cloned an executive's voice and led to them creating a fraudulent wire transfer. So imagine stuff getting automated. When I was. Again, this is, I think I already mentioned this one, one of your. On one of your other podcasts, but in on your news segments. But there was this startup that I saw at SecTor this year that basically used agentic AI for social engineering. And what it would do is that it would conduct OSINT and it would look at your online presence. And for example, if you posted on LinkedIn that Hey, I'm going to a, a conference, what it would do is that it would create an email saying that your ticket had been revoked. Please call this number. And when you would call that number, it would be another agentic AI that you would be talking to and it tried to socially engineer you. And this whole process was automated. Right. To, or at least heavily automated. So if firms are backing this now it's because they have a significant amount of money and resources and talent. But once this gets easier to do and it breaks through into the, into the convenience and the threshold for criminals to be able to pull off, we aren't going to be too. This is going to become a reality. Right.
A
The tools for, for being able to do a deep fake, real time, a real conversation with a deep fake are there. The tools are all at a level of sophistication. You might be more aware of it than I am that these gangs are out there adopting these tools, but I'm betting they already are at a level of sophistication that we can't even conceive of. And whether it's taking pensioners for 25,000 or $50,000 at a time or going after corporations, I'm sure that their minds are clicking away and probably the attacks are already happening.
B
Exactly. So I want to talk about quantum now. And so this is a good one. From one of my favorite physicists. This is essentially the quote goes, if you think you understand quantum mechanics, you don't understand quantum mechanics. And that goes for. That's Richard Feynman. And of course, we're going to talk about quantum and what that entails. Now, I have a bit of a jaded opinion on quantum. And there's a lot of money being poured into quantum right now, and a lot of it is coming from governments. A lot of it is essentially an arms race right now, basically to demonstrate the ability to crack encryption. That's the whole thing that they're trying, essentially most people are trying to do now is like trying to crack encryption. And the first country that can claim that their quantum computer cracked encryption will essentially win the arms race. And so most of these nations are doing an attack called. And they've been doing it for years. It's called harvest now, decrypt later. And so we're storing. Every country is doing this to some extent, and we're storing exabytes of data, and we are essentially trying to store this data so that once we have the ability to decrypt it, we can leverage state secrets or even do that and attack them later.
A
Yeah.
B
So another thing is that this concept of quantum decryption, I think what's going to happen is once the news comes out that like a specific country or something was able to decrypt or crack encryption, this is going to enter this idea that encryption is no longer like, the old encryption is no longer safe. And I think we're going to start to see scams of. Once this idea permeates into the zeitgeist of the world, okay, encryption, it doesn't necessarily have to be factual. Like, AES is still going to be like quantum resistant. But RSA is vulnerable to quantum computers and a lot of data at rest is encrypted using AES. So even if someone says, oh, I'm going to crack your AES or just crack your data and it's AES encrypted. The thing is, like, they're going to say the I the concept of, like, you're mysterious. The fact that you don't understand that or don't know the intricacies of how the encryption and the decryption process works, you might be susceptible to the scam of, okay, my data is at risk. And a lot of these, in these threat actors might try to say, hey, we stole your data and yes, it was encrypted, but we have, we have a quantum computer and we can decrypt it. Now, this sounds a little like science fiction. Yeah, and I agree. But again, we've seen people claim crazy things before where they were able. Remember in the early 2010s and mid-2010s, the sextortion scams that were happening where they would say they found one of your old passwords and they would email you saying I have your password. I was, I hacked your account, I hacked your webcam and I have compromised images of you. And some, unfortunately, some people fell for this and it's terrible. And some people took their lives over this and they, they, the fact that things like that can happen, right? So I don't think this is so far fetched to think that claiming to be able to decrypt your data later, once it enters the zeitgeist, is going to be a reality.
A
No, I think it will just take, it'll take some sort of proof of life. They'll have to find some parts of the data that they shouldn't have that they can use as evidence and you're away to the races. I mean it depends on what the data is. But like you said, you can fool people with a threat. I got one of those. Somebody actually sent me an extortion note saying I have access to your webcam. And I said show it all you want, you're not going to get a big audience. I could be flip about it, but there are other people to them that would be a terrible thing to happen. So even if the technology doesn't catch up, the ability to socially engineer always does.
B
And, and just to talk about this, like this idea of this whole marketplace, right, can happen. Once we have the ability to decrypt encrypted data, people are going to want to sell it, right? So we're not necessarily going to start like this. Because of the sensitivity and the sophistication of quantum computers, regular people will not necessarily have access to them. This is not something that the mass market is going to have access to, at least in their homes, right? And people are not going to have a quantum computer in their homes, at least in the foreseeable future. This is going to be highly restricted, research based, government based, and having a quantum computer at room temperature in your phone is years and years and years and years away, if even possible. But the thing is like we like even at a state sponsored level, once you're able to crack it, people are going to start selling it and there's going to be a market, definitely a black market, and we're going to start to see, as we see today, state secrets leaking and we're going to start seeing like quantum decrypted data available on the dark web at some point once it trickles down from, from the laboratories and from the research centers.
A
And don't forget if, even if it's, even if it's nation states that decrypt it or the largest companies that have access to quantum computers, once it's unencrypted, it can be stolen.
B
Exactly, exactly.
A
And cycles on quantum computers will be able to be stolen. We never underestimate the creativity of cyber criminals.
B
Exactly. And there's also going to be on the flip side right now, NIST has published, I think three or four, don't quote me on that number, but three or four quantum resistant algorithms for encryption. They use like lattices, they use different things to encrypt, but they're slow, especially on classical computers. And so I think once we have better algorithms that are, that can, that is not AES because AES is pretty good, we can start to see also like criminals touting the fact that they can encrypt your data at a quantum level. Right, that's going to be interesting. Another thing is like if threat actors are not encrypting at a quantum level, maybe we're going to see like recovery firms rent out quantum computers to decrypt data. That could be a thing that's again, that's very imaginary. That's very like wishful thinking. But this is what this lecture is about. It's a lot of bit about, a bit about wishful thinking and having fun with some concepts and ideas. But yeah, absolutely. And one, one thing that I really like to say is like the thing that there's one thing that could crack every single type of encryption and that's time. And given enough time you can crack any encryption and that's just going through brute, brute forcing and just the fact that you can have all this old data resurface to the world that was locked away. A lot of really interesting things can happen, like old emails, old messages, war crimes, like economic or like contracts, conspiracy theories, all these things can come back up. And if there's going to be a race to encrypt the old data using quantum resistant algorithms. So for example, Canada and Australia have mentioned that they would, they want to at the, at least at the federal level that quantum resistant algorithms become the standard by 2030. And so that's going to be an interesting thing because do you, the idea is do you decrypt the old data? Right. 
Because not everybody has access to all the private keys of the old data. Or do you go over it with the new algorithm so you like doubly encrypt it, or do you only encrypt data that is vulnerable to quantum decryption? So you don't like, re-encrypt AES at the moment. Do you re-encrypt everything? So there's gonna be a lot of interesting conversations to have, at least at the technical level and at the. At the infrastructure level of it. How are you going to handle this, this wave of re-encryption that's gonna happen once it becomes the standard?
A
The big takeaway from this, though, is that these questions are going to come up for people who are operating in this space and they have to have some answers about them. We'll try. And if you might have some papers on this, I'll try and dig up some papers on it that we could put. I think the NIST ones are probably as good as anything. But people really do need to at least be conversant with what's realistically out there right now.
B
Yeah, exactly. And I wanted to talk about my last point here. And so this is from George Orwell, and his quote is, he who controls the past controls the future. He who controls the present controls the past. And I think that's a really interesting quote that talks about power. And that's what I want to talk about for my last piece here and my last pillar of the future of cybercrime. And my first point is digital sovereignty. So we're seeing, with so many regulations happening in the world right now, we're seeing like, from your perspective, like the Western world has its own Internet, like China has its own Internet. It's so different, it operates so differently. Right. And then Europe will have its own Internet. I strongly believe that just because of how the regulations are going to be shaping the way these things happen, and because we're going to have different Internets shaped by governments and shaped by policies and shaped by regulations that is also going to affect the way that cybercrime operates. Because if you can do one thing with crypto in one way, and you would not necessarily mean you can do crypto the other way anymore, phones function differently in certain markets now with different app stores. Right. With different laws and different things, I think it's going to be really interesting to see how threat actors evolve and how they operate across different Internets and across different webs and in open spaces like that.
A
Yeah. The weakest system loses in that. And even now the Chinese have different GPS than, than the United States. They have a different Internet. You're totally right. And how different and how these interact together is going to be. It's going to be an interesting world, particularly with Europe. And you're right, Europe's a wild card. It wants to be sovereign and have their own regulations, yet it's intricately linked with the United States in ways that are difficult to break. So this is going to be. This would be a thing to watch.
B
Exactly. I think you nailed it. And so I hope that I want Europe to succeed and to have a sovereign Internet that they can essentially break away from the United States. It would make things more complicated, but at least it would give us something that we're not dependent on the United States. And I think more choice and more openness is always a good idea and more transparency. But this doesn't necessarily just like impact, it also impacts the way that models and artificial intelligence is created. Like Switzerland right now has a model, like an artificial intelligence model that they have made public. And now public does not necessarily mean open source. Right. Because Llama from Meta is open source technically, but Llama is still created with the interests and the agenda of Meta. And so Switzerland created this model for the people, by the people. And I want to see more things like that. Right. Where open source is, helps the public a lot more and the public gets more and has more say and more power in terms of creating regulations and models as well. And so when we're looking at like the underground and all these, these like the cybercriminals and how they're going to look at this, they're the, they're going to try to like weaponize and adapt to all of these changes as well. And how that happens, it's going to be so fascinating to see how things can get localized and super targeted, yet not. Like the way things work now is like, it's very linear. Like you as a threat actor, you create this method, you create this like, methodology. You can spray it out there and target a whole bunch of systems, but you're only targeting one thing. But with like artificial intelligence, there's this mutability that happens with your attacks that can adapt and this automation that can happen. Adaptability becomes a feature of your attack.
And I think that's going to be something that's quite scary that's going to happen, especially when you're trying to like combat something that's like a moving target is always harder to aim at. And criminals are going to start to do that and they're going to become much more nimble and much more effective at doing that.
A
Yeah. And the sad thing is that the dream of the universal Internet is dead. We no longer have that idea that we would have a global network of communication that is open and free to everyone and where there was a source of truth. And that may sound funny talking about the Internet because there is so much garbage on the Internet. But the fact was there were sources of truth, Wikipedia, the archives, there were places where one could go for a source of truth. Those are no longer as strong as they were. They're weakened and they're being obfuscated. I'm not a big fan of what Elon Musk is doing with Groka Media. I think, I think it's. But we're going to see more and more of that, of different versions of the truth and that's going to be, it's devastating psychologically and probably socially.
B
I'm not sure. The different versions of the truth are going to be, are going to be terrifying.
A
Yeah. But I, but again what that does to our cybersecurity, counterculture criminal culture, I'm not really certain.
B
But yeah, I'm not completely certain on that either. But I'm just like, I'm just thinking back at the old like electronic frontier days of a universal open Internet and how governments and institutions have completely taken that over. And every year we're seeing people trying to introduce backdoors and encryption and backdoors into this and backdoors into that. And should we be allowed to have, should the general population be even allowed to have encrypted messages? Like I think these conversations are definitely something that we have to continue talking about and I think it's going to only get more heated as time goes.
A
On and the magic of the Internet. I come back from the days of dial up Internet where you'd stay up all night talking to people around the world for the first time having one on one conversations with people in different places where the Internet became the way that people who were trying to fight against repressive regimes could operate. And I don't know if those days are gone or not yet. That's something that, because this whole thing of I'm going to have my own Internet, I'm going to protect. It also means I'm not going to allow anybody who is against the government organization to have an opinion. And that's a scary place to live.
B
It is. Yeah, I agree and I hope things are going to work out.
A
Me too. This was interesting, Tammy, a wide ranging discussion, but I think some ideas that people could take away and start to think about. And I think really just to summarize it, if I've got it right, is we're entering not just a new world in terms of AI, but we're entering a new world in terms of cybercrime, both enabled by technology and the fact that it is being broken down in ways that it need, that it will rebuild. We know it's not going to go away, but the question is, how's it going to resurface?
B
Yeah. And I think you nailed it. And I am. I want to see what happens. As a researcher, I'm excited to see what happens, but I'm also terrified to see what happens. And I want to hope things just work out for the best.
A
My guest has been Tammy Harper from Flare. I always say flare IO because I live in URLs, but Tammy Harper from Flare, she's a senior researcher there. And this has been our look at where cybercrime could go. Thank you so much, Tammy. I appreciate it.
B
Thank you so much for having me.
A
And that's our show. As promised. Not many answers, but a whole lot to think about. The nature of what Tammy calls the underground and cybercrime is changing and changing rapidly. How we respond to those changes will have a huge impact on our lives, careers, and potentially our society. Love to hear what you think. As always, you can reach me at technewsday.ca or .com, either works. Just go to the Contact Us tab and let us know what you think. And once again, we'd like to thank Meter for their support in bringing you this podcast. Meter delivers a full stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments, and even run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses to data centers. Book a demo at meter.com CST, that's meter.com CST. I'm your host, Jim Love. Thanks for listening. David Shipley will be back Monday morning with the cybersecurity news and I'll be talking to you again Wednesday morning. Have a great weekend.
Episode Date: November 15, 2025
Host: Jim Love
Guest: Tammy Harper, Senior Threat Intelligence Researcher, Flare
This episode features a deep-dive discussion between Jim Love and Tammy Harper exploring the present and future of cybercrime. Tammy unpacks the evolving dynamics of criminal undergrounds, the implications of decentralization, extortion as a service, affiliate recruitment, the integration of AI and quantum computing in threats, and the wider societal consequences of digital sovereignty. Listeners gain actionable insights and a framework for thinking about impending risks and changes in the cybersecurity landscape.
"Everything boils down to trust."
— Tammy Harper ([23:31])
"If you don't have affiliates conducting the attacks on your behalf, it's hard to justify that 20%."
— Tammy Harper ([31:20])
"The tools for being able to do a deep fake, real time, a real conversation... are all at a level of sophistication... attacks are already happening."
— Jim Love ([48:31])
"The thing that could crack every single type of encryption is time."
— Tammy Harper ([56:53])
"More choice and more openness is always a good idea... But this doesn't just impact, it also impacts the way that models and artificial intelligence is created."
— Tammy Harper ([60:44])
"The dream of the universal Internet is dead. We no longer have that idea that we would have a global network of communication that is open and free to everyone and where there was a source of truth."
— Jim Love ([63:07])
| Segment | Time |
|-------------------------------------------|-------------|
| Welcome & Guest Introduction | 00:01–01:56 |
| Underground Economy & Decentralization | 01:56–15:30 |
| Trust, Reputation & Escrow Challenges | 15:30–23:31 |
| Extortion-as-a-Service | 23:31–31:20 |
| Affiliates & Recruitment | 31:20–40:01 |
| Artificial Intelligence Threats | 40:11–49:14 |
| Quantum Computing & Encryption | 49:14–57:57 |
| Digital Sovereignty & Fragmentation | 58:20–65:46 |
| Summary & Reflections | 65:46–End |
This episode offers a comprehensive forecast for cybercrime’s evolution: the ongoing breakdown of older systems of trust and hierarchy will yield to new—often decentralized, AI-powered—criminal ecosystems. Law enforcement, businesses, and ordinary citizens must adapt quickly, stay informed about both technical and social dynamics, and push for stronger, more transparent, and more sovereign approaches to security.
"We're entering not just a new world in terms of AI, but a new world in terms of cybercrime, both enabled by technology and the fact that it is being broken down in ways that... it will rebuild."
— Jim Love ([66:27])
For further reading:
Feedback or thoughts?
Reach out via the Contact Us tab at technewsday.ca or technewsday.com