
In this episode of 'Cybersecurity: Today's Month in Review,' the panel of experts, including Laura Payne, David Shipley, and new guest Tammy Harper, delve into major cybersecurity stories from the past month. Discussions range from the recent arrest...
Jim Love
Welcome to Cybersecurity Today's Month in Review show. This is where our panel of experts looks at big stories in cybersecurity from the past month and gives them a bit of a deep dive. And speaking of panels, we have our returning panelists. I'm going to give you a quick introduction to the person, which is their name, and then I'm going to let them give us a couple lines about who they are and what they do. And that's more fun than me introducing them, theoretically, at least. So we're going to start with Laura Payne. Laura, welcome back.
Laura Payne
Thanks, Jim. Great to be here. In honor of you asking us the question, I will say that I am currently the CEO and head of consulting at White Tuque. We are a unique cybersecurity company and we do services and consulting based in Canada and we have some footprint in the US for our friendly neighbors to the south. And I will leave it at that.
Jim Love
Be nice. Yeah, yeah. Cybersecurity with your elbows up. It's good. But we have friends. Good. Okay.
Laura Payne
Put our elbows up for all our friends.
Jim Love
There you go. David Shipley. Welcome, David.
David Shipley
Thanks for having me back, Jim. Always, always fun to be here. And for those who don't know me, I'm the CEO of Beauceron Security, which is the only Canadian owned cybersecurity behavior.
Tammy Harper
Change and culture platform. So we do the anti-phishing fun stuff. And I am a passionate amateur neuroscientist, cognitive scientist and the resident culture critic for all things Cybersecurity Today.
Jim Love
And the host of Monday's Cybersecurity Today show. Which means Jim gets a day off. Yeah. And we have a new guest. Welcome, Tammy. Because you're new, we're going to give you four lines to describe yourself. Take all the time you want. Welcome, Tammy.
David Shipley
Hi, everyone.
Unknown
Thank you very much for having me. My name is Tammy Harper. I am a senior threat intelligence researcher at Flare. Flare is a Canadian company that specializes in threat intelligence, external attack surface management, continuous monitoring for clear web and dark web. And I'm very excited to be here.
Jim Love
You're a researcher. We were talking about this before the show because we hadn't met before. Tell us a little bit about that.
Unknown
Yeah, so I specialize in ransomware and cybercrime. And so I really focus on how threat actors are developing new techniques, tactics and procedures. How are they recruiting, how are they developing their tool sets and how are they finding access into companies or into organizations or enterprises. Are they developing in-house zero-days or are they purchasing access from initial access brokers? So I try to stay on top of all of their new techniques and.
Tammy Harper
Tactics because it's Tammy's first time on the panel. I just want to say I had the chance to be on a panel with Tammy at the National Cybersecurity Consortium inaugural conference in Banff, which, yes, is gorgeous, but the conference was amazing. Laura was actually there as well, so we got to meet IRL and hang out with the scenery. And White Tuque was also a sponsor for this event, which was phenomenal. Some of the top research and really cool, cool stuff. I was like a nerd in a candy shop because they had the poster boards up. And so I was reading everybody's research.
David Shipley
It was amazing and Tammy's outstanding. And it had a friend of mine.
Tammy Harper
Benoit Dupont, who runs the criminology department at the University of Montreal, was highly complimentary of Tammy. I believe he said something to the effect of a national treasure.
David Shipley
But I, I have certainly, since signing up and getting to know Tammy, I've.
Tammy Harper
Now reading her stuff on LinkedIn and it's now part of my daily required reading because you got a banger of a LinkedIn post out now about a.
David Shipley
New cybercrime gang has increased their KYC, know thy customer, rules for their affiliates. They're, quote unquote, raising their standards, which, like I say, I read it like five minutes before the show. But now I'm reading Tammy's stuff all the time.
Tammy Harper
So there we go.
Jim Love
I'll check it out. We'll put a link in the show notes too. You can never learn too much about this stuff. You don't sleep well, but you can never learn too much about this stuff. So welcome to the show, guys. I want to get you started. Who's going to be first? Laura, can we put you on the hot spot for the first story?
David Shipley
Oh, boy.
Laura Payne
Actually, the one I had first on my list was the arrest in Montreal. We have a gentleman by the name of Gareth West. He was identified as a heavily wanted person for being the leader of a scam that disabused grandparents and other seniors of about $30 million. So he was wanted in June and as of this week, they've now arrested him along with a few others. There's still another person out there who is wanted as part of this. But this was one of these cases where legitimate front businesses were set up. And about 2020, 2021 they had been floundering and then suddenly they started looking like they were really doing well. And that's an interesting year to start doing really well in. Real estate maybe was reasonable. But fitness seemed like an odd choice for a business to do really well in 2021 and so on. So that was where he was fronting things. But behind the scenes he had set up a number of call centers in the Montreal area who were actively targeting and tricking seniors into giving them thousands of dollars notionally for the support of their grandchildren, getting out of scrapes and so on. So it's about a four year, three to four years that it took to get the person at the top of the chain. But it's nice to see that we are starting to make these connections and not surprisingly it's because somebody messed up and that at the lower end of the chain one of the mules who was moving money cross border as part of this scam had a fingerprint that was identifiable in a database and that was the beginning of the downfall of the whole thing. So we just like seeing these, the good guys win sometimes.
Jim Love
Hey, hell for these guys. Sorry, but the people who trick and it's desperate. I was doing some talk with the OPP here in Ontario and these people will come back and milk seniors for every penny they've got. They will leave them impoverished. And I just, sorry, I just. This is a scam that we have to shut down and it being in Canada is even worse. There are a lot of overseas, I guess, call centers you could call them, but most of them are places where people are human trafficked into these things. For this to be existing here in Canada, it's a plus to the police that finally took them off the street. I hope they rot in hell. But the fullest extent of the law would do. My dad was whizzed by one of these guys and I talk about that. My dad was a very intelligent man. So anybody who thinks that it's because they're seniors, that they should feel embarrassed, they should not feel embarrassed. They should report this. And I'm going to do a column for my local paper called You Have to Have the Talk. You have to have the talk with your parents. Now, it used to be we had to talk with our kids, now we have to talk with our parents to say you don't need to feel embarrassed. If somebody calls up and you've got even the vaguest question, hang up on them, call me, and I'll make that offer to any senior out there. I'm on LinkedIn. If somebody calls you and you think it's wrong, call me, I'll talk to them. Because I think it's just terrible.
Tammy Harper
What people are doing into this gang was $30 million. This is not small amounts, this is $30 million in total. They were highly successful. They broke David's patent pending number one rule of cybercrime, which is don't hack in your own country and don't hack in a country that extradites. And so the good news is they're not facing a Canadian revolving door bail, slap on the wrist kind of white collar sentencing. They're facing US charges, where the crimes actually get punished on this side. So it's life choices that you don't want to be making. But this individual, should they be actually found guilty of the crimes they are alleged to have committed, is in for a bad time. And that's a crying shame.
Jim Love
Yeah. And one day we're going to have cybersecurity laws in this country. One day.
Tammy Harper
Maybe just prosecuting for fraud, really resourcing the police to actually do more in this. But it's interesting because Quebec has got this fascinating. I don't know if you want to.
Laura Payne
Be at the top of this list.
David Shipley
But the, some of the most successful.
Tammy Harper
Cyber criminals in Canada have come out of Montreal and Gatineau. So we had the guy who is the affiliate for one of the big ransomware gangs who racked up $20, $27 million and got himself nailed because he left his tooling on a Polish server. Then you got this cat, and Ontario is only on the board for $17 million in crypto fraud thefts from a 17 year old kid. Come on Ontario, what are you doing?
Unknown
We had that LockBit affiliate in Bradford.
David Shipley
Okay. He was the one that was trying.
Tammy Harper
To take down Children's Hospital, wasn't he?
Unknown
I can't comment on that. But he was, he was, he was caught in Theory's garage and logged into the affiliate panel. It was a beautiful takedown.
David Shipley
Like literally red handed or red mouse click. That's awesome. Laura, great job on that story.
Jim Love
Yeah, yeah. And something that I think we really, I do take my hat off to the police that put these together though. I think people forget how big these investigations are and how much effort it takes. And we always talk about feet on the street. We need fingers on the keyboards, and desperately, for this, to protect our senior citizens and other people who are getting hit by these types of frauds. There's another one that came up that just drove me crazy. There was a restaurant fraud that's happening now. And what you do is when they pass the device to you that you normally just tap your card against, if people haven't changed the codes in these things, you can actually process a refund for yourself while the waiter's off. And for little businesses, small businesses, small restaurants, this can be tens of thousands of dollars. Fraud's big. It's a big deal.
Tammy Harper
$13, $13.5 billion of the $16.6 billion in US-reported cybercrime last year was all tied to fraud. We get excited in cybersecurity and don't get me wrong, there's lots of shenanigans that are happening, but the big dollar losses happen at much smaller scale over the long tail of the fraud side. And cops are absolutely overwhelmed.
Jim Love
Yeah, and shenanigans. You watch your language, Mr. Shipley. We don't use words like that on this. David, what's your big story?
David Shipley
Oh my God. Where do you get started?
Tammy Harper
June just did not stop rocking. But I think Scattered Spider and the chaos that they caused throughout the spring in the UK retail sector, to see that then land on the insurance industry, which reap sown paying. The whirlwind of ransomware may have finally come home to roost, et cetera. But then it's really been the airlines and they have just hammered. It's been WestJet, Hawaiian Airlines, Qantas before the end of the month and remarkably successful now.
Jim Love
They started with Co-op and with Marks and Spencer in the UK.
Tammy Harper
Yes, they had quite the list as well. There were a number of fashion brands that were hit by them. They were working a lot of retail and they were being incredibly successful. And they even hit food supply in a way that was really interesting. There was a German food distributor and in the US a company called Unfi Unifi, I think, that does a lot of the health food specialty product distribution had been hit. They were massively successful. And a lot of this comes back to the weakness of help desk processes. And what I mean by that is help desks are still, even for account resets, incented towards quickest problem resolution, as little friction as possible, making the customer happy, etc.
David Shipley
And I point my finger squarely at you, ITIL, and hey, you have to fix your standards for help desks because that's the role that you could play in actually fixing this.
Tammy Harper
I guess they were not expecting this in the podcast.
David Shipley
Someone is going to listen to this on the weekend and be like, ITIL got called out.
Tammy Harper
Yeah. But my point being if you have the wrong incentives, you're going to get bad outcomes. And the other part is the one thing I will give Scattered Spider credit for is that they have laid bare the myth of phishing-resistant MFA. They have shown that we will MFA bomb you. We will use Evilginx, we will do things. And if we could retire that language. That's not to say that MFA is not useful. MFA is incredibly useful for brute force attacks, for just credential stuffing, other things. But a determined attacker working social engineering will get by MFA if your people don't respond effectively to what they're seeing and say holy crap, I've got a hundred alerts, I should tell someone in IT, and then they can actually get engaged.
Jim Love
So just. And maybe Tammy, maybe you know more about these guys than I do. They really pursued. This is not a technical crew as I understand it. They were really pursuing social engineering. Did I get that right?
Unknown
Yeah. So Scattered Spider is not a single entity, it is not a single group. It is a name. Scattered Spider was a name given by CrowdStrike to a loosely affiliated group of individuals. And usually they're on the younger side and they're usually English speaking out of countries like the US, UK, Canada. And they are very sophisticated in new ways of social engineering. For example, they will use stealer logs, they will use credentials, but also they will look you up on LinkedIn. They will look you up on Google or ZoomInfo and things like that. They will do their research and then they will try to, for example, call your help desk through Teams or through different methods or on the phone and try to reset your password. Right. And they have enough information on you.
Tammy Harper
They have your email, they have your.
Unknown
Like LinkedIn profile, they know your position and if your company has a lot of information out in the public, they're smart enough to put pieces together and create a tactical offensive blueprint on how to gain access to your company. They're known to work with some really big gangs. So in terms of timeline, we know that they started working with ALPHV or BlackCat and this was around the time when they were looking at MGM and all of the casinos in 2023. So this was Scattered Spider and ALPHV. And then when ALPHV got shut down and exit scammed they moved to RansomHub, and when RansomHub also shuttered they've been moving towards now DragonForce, and this is the Marks and Spencer attack. This was under the DragonForce brand of ransomware. And now I'm waiting to see what brand of ransomware they're operating under for the airlines now because that information isn't completely public. So that would be really interesting to see how that develops.
Jim Love
So they've worked their way through verticals. Does that help them with the social engineering? I guess it does. To get a real knowledge, they seem to move vertical to vertical.
Unknown
Yeah. So they're very skilled. They know how companies work. Right. Because they are based in the countries where these companies operate. They potentially have worked for similar companies or know how corporate life and corporate structures are done. They know the corporate game, so they know how to speak the lingo. They speak English. And they can absolutely socially engineer their way into tricking someone who's not expecting to be tricked like that. And it's not your fault if you get socially engineered because the attackers that it is. Right. It was specifically designed to target you and to trick you. It's not your fault. There's a lot of victim blaming and victim shaming of, oh, I'm so stupid that I fell for this when, no, that's not the reality.
Jim Love
Yeah. And David was talking about the times that we put the time pressure, we put help desks under. I'm wondering if we're actually giving those people the right training to say, hey, wait a minute, this could be social engineering plus. And I don't know this for a fact. Maybe you guys know better than I do. You're on a help desk, and somebody who conceivably could really be a vice president of the company starts to put pressure on you, and he knows all the language and he knows your boss and all that sort of stuff. You can bend a lot of rules really quickly. I could just imagine what these guys would be doing.
Unknown
Yeah, exactly. And they're really good. Like I've seen, as in some certain chats from this, like, from people who are doing this type of stuff where they'll. They'll be like, hey, I need a female English speaker, or I need a male English speaker, or I need someone who's familiar with this specific type of company. And they'll hop on a call and they'll do a bunch of. They'll dial. They're called dialers, and they'll just bunch. Do a bunch of dials. It's. It's a. And they're all very young. Definitely a way to make money online because you get paid in crypto and a lot of it is facilitated on Telegram and other chat platforms, but a lot of it as well is facilitated on other types of social media platforms, like TikTok for example, where a lot of this type of stuff is promoted and the lifestyle that it can bring is promoted. And a lot of younger folks see that and be like, hey, I can potentially do that. There's enough pseudo anonymity between me and this crime and I can do it. Yeah. And then you get into extortion and you get a whole. Into a whole bunch of different extortions. Not just like ransomware crime, but all the other extortions. They're all these groups are all connected. Yeah.
Jim Love
So who runs the engine of it, the collection and somebody doing. I hear you, that it's a collective or a social group or whatever you want to call it, but who runs the organization, makes sure that they collect the money and all of that.
Unknown
It's just a bunch of loosely affiliated smaller entities and groups. There's no single individual in control. This is not your typical gang. That's why it's called Scattered Spider, because it's scattered. There's no real head honcho type of thing at the top of Scattered Spider.
Tammy Harper
What you're talking about is cybercrime is a vibe, it's a movement, it's an affiliation, it's a belief system. And it's fascinating. We see this, right? These are the modern day hippies, but not quite. There's no central organization to that particular movement. And instead of peace, love and everything else and a music concert, it's taking down airlines on a Wednesday. Some elements of this group though, get real dark, real bad. And this is where the tie into some of the headlines is getting dangerous. So there's a group that's also in the same kind of Venn diagram called the Com or the Community. And there are various players there that are seeking to do ideologically motivated violent extremism. So racism writ large, anti-immigration. It is the new 4chan in terms of the biggest toxic waste dump of humanity online. I think that's a very fair analogy from what I have observed from that.
David Shipley
And this is also where threat actor.
Tammy Harper
Groups are also trying to recruit kids to commit not just cyber crimes, physical crimes. So there's a terrifying story out of Northern Europe where an Iranian group had recruited a teenager to try and kill Jewish individuals, Israelis, as part of a murder for hire. Like this stuff is crazy. And Scattered Spider is on the milder side of the crimes and things that we're seeing, but it speaks to huge issues in our society. It speaks to, you know what, this confluence of technology, immature morality, minds. Like the human brain's not really fully developed until your 20s, maybe for males, the 30s, 40s in some cases. I'm kidding.
David Shipley
I speak.
Jim Love
My wife always reminds me that the difference between bonds and men are that bonds eventually mature and you have a date.
David Shipley
Yeah, that's what my beard's all about. It's all about demonstrating maturity.
Laura Payne
If I can just, on a couple of things. And David may or may not know that he was picking at me with his ITIL comments, but that's for us. I'm going to say ITIL, Agile, has been abused by people who want to use it however they feel like it helps them get their way. And I think this is a perfect example, because part of what ITIL actually does impress on people is that if you only measure one thing, you will get that result, but it will be at horrendous costs in other directions. For every measure, you need a countermeasure that ensures that you don't have unintended consequences. And I think this is a perfect example of unintended consequences.
Unknown
Right.
Laura Payne
And poorly implemented ITIL, I'm going to. So if you're doing ITIL, do it properly. That's my message. Right. You can't half bake it and expect to have a good result. But yeah, the scattered nature of it, we do see that, yeah, young people more and more are the targets for the crime, for perpetrating crime. There's so much more access that young people have. And so for the last, I'm just gonna say a hundred years, it's probably a little bit more than that, right, we've seen the age at which people take responsibility move up and up. Right. People used to get married at 14, 15, 16. That wasn't unusual. That was when you were an adult and you started a family and you started providing for yourself because nobody else wanted to do it for you anymore. So we've moved up, like 21 to drink in the U.S., right. So we have this really big movement forward in when people are supposed to take responsibility. So young offenders are in that gap and people know that there's a much lower consequence threshold. And we try to say that's to protect them from mistakes. But these aren't mistakes anymore. Right.
Unknown
These are.
Laura Payne
These have massive consequences and somewhere there needs to be some maybe readjustment in that space, right? More education to people up front that there are consequences, right? Just consequences without education is not going to deter people. You need education so that it becomes a deterrent. But then the consequences do have to be real for violent crime, for significant white collar crime. It's not sustainable to say that oh, you were 17 and a half when you committed this crime. Sealed records, right? Let you go about your merry way.
David Shipley
And in Canada the Youth Criminal Justice.
Tammy Harper
Act never contemplated this world, and similar sort of thinking in the Western world is exactly what ideological opponents of the West are going to leverage. This is a straight sort of brilliant playbook. These people know there are no consequences, they make good bank and away they go.
David Shipley
And so it's really interesting.
Tammy Harper
Remember the PowerSchool hack we were talking about earlier this year? It was a 19 year old. He got caught because, as dumb as he is to commit these crimes, he also then used the traceable crypto to buy some high fashion. And I got to point out, very well dressed for his court appearance in the photos that I saw.
David Shipley
Clearly he put the money to good use. But also, fashion critic, 8 to 10, but got a nice suit, possibly 17 years for this. And that's the other side of what.
Tammy Harper
Laura is saying is that our caudal culture is when these people do graduate to FAFO justice system territory then that's it, their life is gone. And so we need a big rethink on this. But the Com's not going away. And I think the other driver of.
David Shipley
This risk, and I know this is.
Tammy Harper
Bigger than our sort of IT security audience's normal sort of thinking. But I put it to you this way. Unemployment rates in the West for people under 25 are a lot higher than the national average. And AI wiping out entry level jobs, which is a thing right now, rightly or wrongly, is going to put pressure on that. And you wonder why you had instability in some countries like Greece and other places where you have high youth unemployment, and they are going to rage against the machine and they have to make money. So we are putting in place the macro socioeconomic conditions that are driving people into the arms of these gangs and they are going to turn them on us in increasingly expensive ways.
Jim Love
It's an amazing business model though. You have to admire that they're recruiting from a pool of people who are technically savvy, have time on their hands, can be brought into initial rebellion. I don't know what you guys. I was back in those days, I was just smoking pot. It was like, and that I think was technically illegal at that point. But. No, but you. There was. There's the act of rebellion and you get into that and then some people just get further and further along with it. And that's something that these groups are good at. And that could, that hurts us all.
Tammy Harper
Yeah, no, and, and the bill is starting to add up and. Yeah, it's.
Unknown
It is what it is.
Tammy Harper
Yeah. Other.
David Shipley
I guess there are other stories.
Jim Love
Can I just. Tammy wants to say something. I can tell because I can, because I'm watching you.
Unknown
I wanted to say this. And this trend of seeing bad actors recruiting younger and younger, it's actually something that we're seeing also online more and more, specifically, for example, a group called Qilin. They're one of the top groups right now after the downfall and the shuttering of RansomHub. And what they're doing is there is right now a bit of a lack, a gap, a vacuum for the really top performing affiliates, like the top level red teamers. There's a bit of a deficit for those guys. So the groups now are fighting and are trying to promote themselves to attract as many of the top level talent as possible. And because the old guard is moving away, they have the money now, they're starting families, they're exiting the crime space. But now the new generation has to come in and we actively see groups like Qilin, who help moderate on a forum called Duty Free, basically helping train the lower English speaker kids into becoming the top level because they understand that this needs to be done to continue the flow and the.
Laura Payne
Dead.
Unknown
Wanted to say is when these kids do crime, we shouldn't necessarily, depending on the crime, this is case by case, we should try to incorporate them into some form of program of rehabilitation similar to what the NCA did with IntelBroker in the UK, where he is incredibly intelligent, troubled but incredibly intelligent. And they saw this, they recognized this and they put him into a training program for the NCC as NCA. And they were able to keep him under their radar for about a year or so and then he still left and did his crimes. But I think that is a good blueprint. We should try to be doing more because that way we get to recruit talent which we need and we can also keep an eye on things.
David Shipley
Well, I love what you said, Tammy.
Tammy Harper
But I'm absolutely terrified because what you're telling me is Qilin actually has been.
David Shipley
Listening to all of the security influencers, keynote speakers and everyone saying hey, this multi million dollar unfilled, multimillion person unfilled security jobs is because you want 7 years experience in a 3 year old technology and you're not willing to train the next generation up to fill the jobs, and criminals went, you have a good point. Let's implement that. And meanwhile back in cybersecurity defender land, we're still going to the same keynote. Remember, you guys getting what I'm dropping down on us, because I feel like.
Laura Payne
Criminals would have a regulatory body that would make it much more difficult to get the initial hires done.
David Shipley
Wait, yeah.
Jim Love
They need an HR department to slow things down. That's.
David Shipley
So what you're saying is the criminal gang does not care about your badge from insert credentialing organization XYZ that charges $6,000 for this forensic course but they train them up, put them to work and promote based on skill. What a crazy concept.
Laura Payne
Last I checked they don't even do a background check.
Jim Love
But on the serious part of this though, even if the jobs were open, the entry level jobs of staring at a screen and responding to all of this sort of stuff, that's that that doesn't have the excitement of you're going to be a hacker and maybe we're thinking about this wrong sometimes. Maybe it should be guys my age that you get to watch the screens, have a glass of wine maybe you know, deal with a few things in there. No, but we're just.
Laura Payne
I can see the newspaper ad now. Jim, it's. Do you like to watch security footage in your condo building? I have a job for you.
Unknown
Exactly.
David Shipley
Walmart reader, SOC operator. Walmart.
Jim Love
Yeah. But it's not only that we're not training. Not that we're not accepting people in. We're not training them. Maybe we should give them a little bit of excitement in what they do as well. Because some of these entry level jobs, I'm sorry, but they're mostly dull.
Laura Payne
They need a clear path or objective, like you put up with the boredom as a young person because there's a next step that looks pretty interesting and there's that dangled promise, right? You put in your time and you get to the next step. But that loyalty, and it's two ways, right, employers to employees and employees to employers, is practically non-existent. So there's no longer the promise that if I put in my grunt work time I get that next job. And so, yeah, there's a lot of big problems to go around. How do we deal? And I think what you want to get to, I'm sure, is the question of how AI is adding to that effect.
Jim Love
David wants to get there.
David Shipley
I made my digs earlier. I will note two fascinating reports and academic studies coming out that AI is.
Tammy Harper
Perhaps making us stupider because of cognitive offloading. But I know Jim will probably not let me get away with it.
Jim Love
I'll probably pursue you on that one. I think we were stupid 10 years ago. Trust me, the people who are stupid are still stupid. But the issue though of this is, and I think it is a realistic one, is we're in a period of social transformation. It is going to happen. I'm sorry, I don't believe Sam Altman when he says, don't worry, everybody will get much better jobs. We're in a period of social upheaval and this is going to cause problems. We as cybersecurity professionals can't solve world hunger or the problems of the world. But we need to be aware of the fact that this is going to be something we're seeing sharper, brighter. These are kids who are really good at what they do. They're being recruited well. And this is going to hit us over the next couple years for sure. And I don't even know if you need youth unemployment for this. This is still flashy, it's exciting and it's a better career than an entry level job. And these guys are good social engineering experts and they're going to social engineer their way to get recruitment. Now the thing is, what I'm saying though, and I think came out of this loud and clear, is maybe we should start taking some of this, learning a little bit about this in the way we recruit. That's.
David Shipley
Yeah, no, I think there, I think.
Tammy Harper
For other stories, this got notified on July 5, but still I think we can tie into our month in review is we just had our asteroid pass close to the Earth slash Colonial Pipeline, slash Holy mother ransomware attack with Ingram Micro July 5th, which I will note, they're back up and running four days later. And I, I believe that's a record.
Jim Love
Because they got hit Thursday and they're back up. I'll buy stuff from Ingram Micro just on that alone.
Tammy Harper
Hey, I'm in. This is textbook of what we should be aspiring people to talk about. They got a little bit of flack on Reddit from their community because the initial communications were down and no one was talking. Take that in for who is. But I have seen governments, US states, the MOVEit breach, wait a few months before they fess up. They lost everybody's driver's license. So with that as a comparator, still pretty fast turnaround on this. But what scared the hell out of me was this is a company that's integral into the supply chain. This is this fourth party risk because they're a broker for cloud services. Microsoft 365, Azure, Dropbox, et cetera to MSPs.
David Shipley
And so the idea of a really.
Tammy Harper
Good hit at that level that potentially could have gone on for a time based on the bragging notes that the group was putting out there, which I would still love to see more transparency keep coming from this Ingram. You're doing good, but don't stop. That could have really. That makes Kaseya, which itself was pretty scary, look like small potatoes. So one, I am blown away. I'm not blown away that they got hit because anybody in 2025, that's. Oh my God. Clutch the pearls.
Unknown
I can't believe someone got hit, man.
David Shipley
Dude, NSA has been hacked.
Tammy Harper
CIA has been hacked.
David Shipley
Like everybody.
Tammy Harper
It happens. I have not seen anyone recover that fast.
Jim Love
If we had Bob Dylan now, he wouldn't be singing Everybody Must Get Stoned. He'd be Everybody Will Get Hacked. That's pretty much out there. Anyone over 60 remembers who Bob Dylan was. But this thing. Two things about the Ingram Micro thing though. One was interesting and funny for me and that was how fast Palo Alto got on there and went, not us, not us. But they did a great job of communicating. And Ingram Micro gets an A plus for recovery and like a D minus for. For any sort of communication. I looked at their website, I couldn't see a darn thing. I found out more from stuff that Bleeping Computer and others had gotten. That was how they got their message out. They could have got an A plus, knock it out of the park. If they had a great plan and a great communicator that had stepped up that. That would have. That would have been just absolutely first rate in the sort of.
Tammy Harper
And often in my experience with tabletops, the comms people aren't in the tabletop, right.
David Shipley
Hey, hey.
Tammy Harper
Yeah, yeah.
David Shipley
No legit.
Tammy Harper
Like a lot of legal's there. You want to bet legal's there, security teams there, compliance executives there. But oftentimes like comms is not given the amount of thought that it needs to be given in these conversations. Yeah, trust me, like they're on the.
Jim Love
line, I trust you. I'm more, I must confess, I get more and more into the journalistic side of this and less into the hands on side of it. I haven't worked in a large company for several years. But you don't bring your communications people into your red team, blue team.
Tammy Harper
They'll say oh yeah, we have a plan for that. But they don't exercise them in that or really dive into it the same way that they dive into everything else.
Jim Love
And yet every advisor I talk to talks about the communications plan being one of the biggest elements of your recovery plan.
David Shipley
You don't get an A minus cuz you did really well in studying perfect.
Laura Payne
Notification that we have been.
Tammy Harper
Yeah.
David Shipley
And then editing hell. You can't say that. You can't say that. I wonder why it took 48 hours for them to say it was ransomware. Cuz 36 of that. 48 or 39, 47 of the 48.
Tammy Harper
Hours, whatever it is.
David Shipley
We're back and forth. Do we want to say this? We're going to move this verb this way, this adjective, like no, that should have been practiced.
Tammy Harper
You should have had that in the can.
Jim Love
If you get those people, throw them out of the room. There are really good professionals out there. We've had some of them on the show who are great at communication are lawyers and understand the ramifications of what they say and still will tell you, be honest, be straightforward and get out there. And matter of fact, everybody who's done this well has probably been on the edge of the legal thing of saying a good lawyer will tell you to shut your mouth on this sort of stuff. You get points for being straight ahead and saying we got hacked, this is up, we're working on it, we'll tell you everything. I don't know Tammy, you look like you want to say something this.
Unknown
So companies that recover really quickly what you want to do and when it comes to incident response, I think you need to have, like David said, you need to have a clear message. And we don't want to see threat actors doing it for you because there is a big trend right now where threat actors will go to regulatory bodies and they will start to talk to the SEC or talk to different types of regulatory bodies in your country and saying hey, they got hacked, we have the data and they're not cooperating, they're not being truthful about it. So don't want threat actors to do it on your behalf either.
Tammy Harper
Yeah.
David Shipley
What was the story, Jim, that we saw that one of the gangs, was it Qilin again? Has hired or allegedly has hired lawyers to help give your company some pro bono legal advice about how screwed you are after they're in. Don't want them to be your PR agency or your legal.
Unknown
On. On that as well. Qilin is also ramping things up. And what they're doing is they're going to be deploying through third party call centers now, and those call centers are going to basically be down using the exfiltrated data to go through it and see if they can find more stuff to extort from the victim. And they're going to be calling the victim, but they're also going to be calling the clients of the victim. And they're just going to be putting a lot more pressure now on the victims to pay the ransom. Because this is a good thing in general that the ransom payments have been going down, like, over the years. Like the amount of people paying ransoms is diminishing, which is a good thing, because this is how you stop funding these groups. But the groups are getting more aggressive now, and they're recruiting more, they're being more aggressive. They're coming up with new techniques and tactics to extort better. So, yeah, it's going to be. It's going to be a tough ride.
Jim Love
Wow. Tammy, you got a story for us.
Unknown
So I. In the line of ransomware, I. And this is. You took the story I wanted to talk about right at the beginning of our little discussion there at the beginning, but I wanted to talk about groups moving from extortion, like encrypting groups, to extortion. So there was a group called Hunters International, and this group essentially has been targeted, been around since 2023. Very successful. They were known originally for potentially reusing Hive source code, and they highly disputed that. They said that they acquired infrastructure from Hive, and. But they've been able to rewrite a lot of their source code, and it's all theirs. They are not Hive. And what they're doing now is. And this is something that they posted on their affiliate panel, and they're saying that due to new regulations in the States, encryption now is being punished a lot more severely. And so they don't want to be encrypting networks anymore. And they're going to be moving away from that and going purely exfiltration. So they started a rebrand, and that rebrand is called World Leaks. And what they're doing now is purely exfiltrating data. The problem with purely as a business model, if you think about it, the return on investment is much slimmer on exfiltrating data than it is on encrypting. Because you have to pay for servers, you have to pay for bandwidth, you have to pay for storage, have to pay for all of those things. If your host and then your threat of hosting this data is only as good as the availability of that leak data and it resiliently staying up so you can't take it down. It's not like on Mega, you can't do a DMCA takedown or any other like type of takedown. It has to become, it has to be resilient, it has to be fast because you don't want people to wait like weeks to download the data set. It has to be available and speedy. So you have to have a decent infrastructure. 
Now if you're using bulletproof hosters, that's quite expensive because bulletproof hosting, yes, they'll go above and beyond what traditional VPS providers will do to protect your data and your privacy. But that comes at a price. They're significantly more expensive than the traditional like Vultr, DigitalOcean or AWS type. But so if you're hosting like in on your own infrastructure, you gotta pay for all that. We're seeing them use like BitTorrent and trying to get really creative and you still have to pay for that. If you're, if you're just doing encrypting, you will have, you just have to send them a decryption, like just a decryptor and then that's a few kilobytes or a few megabytes and then they can decrypt their environment. The client pays for storing all of that data. They have to back it up and make sure that the works, you're offloading all of the risk to the client and to the victim. And when you're doing exfiltration, you're putting all of that responsibility on hosting and caring for that data on yourself. We'll see if that pays off. There have been groups that have begrudgingly gone exfiltration only. So for example, BianLian, when Avast was able to reverse engineer their encryptor and released a free decryptor in the world, BianLian then switched to exfiltration only. And for the most of it, the data was not available on their dedicated leak site, their DLS. If you had to go back and download it like if you weren't downloading that data set within the first initial days that it was up, you could not, it was not archived and you could not go like two, three months down the line and pick it up. It really puts a. It really dampens the threat of saying, hey, I'm going to leak your data. But it's only going to be available for a couple of days and it's going to be really slow and probably only four people are going to be able to download it. So it's interesting to see what happens with this new.
Jim Love
Doesn't sound like a great sales pitch to me but this whole thing of encryption versus exfiltration I haven't heard, I haven't seen any legislation or any, or anything that I've heard of coming out of the U.S. Now the way the U.S. regulates is some guy in an office somewhere wearing orange makeup goes do this and they do it. So you never know. But the issue, this seems to be something that they must firmly believe because they've done a lot of movement and they even gave away their original encryption keys, didn't they? So they even allowed people to, to decrypt their data. So maybe they know something we don't.
Unknown
Yeah, I haven't seen any specific regulations specifically targeting encryption but they mentioned that it was classified as an act of terrorism now and, but specifically towards critical infrastructure. This is not if you're attacking mom and pop shops or like businesses and private businesses. This was only specifically towards critical infrastructure. So think hospitals, think things like that. So it's. But a lot of groups don't do that anymore. They have it in rules. There are affiliate rules that you're not allowed to attack like CIS, ex-Soviet, ex-USSR states and countries and you're not allowed to attack hospitals or governments and things like that. So they, a lot of these groups have rules and. But now encryption is a new one. A new rule that we're also seeing is you're not allowed to attack BRICS nations. So that's like Brazil, that's Russia, India, South Africa, China. So that's a new rule and a new restriction on targeting. The main reason for not targeting BRICS is simply for monetary payout because those countries tend not to pay out as much and they want to focus their affiliates' attention on the Commonwealth and Europe. And like Australia, even hitting Australia is really hard now since the Medibank breach. So that's a really tough market. I think David mentioned something like that a little earlier and so it's, it's a really interesting ecosystem. See before I make a joke, I.
David Shipley
Think you were going to add in or we're looking at on some of these shenanigans.
Laura Payne
Oh, I was just looking up to see when this kind of shift happened. And this is a very quick search that I did, but it looks like it goes back to 2021, after the Colonial Pipeline attack, that it was a focus on investigation. So putting more emphasis on speed and getting to conclusion. When there's ransomware attacks on critical infrastructure, which totally makes sense why that would start to cause criminals to pivot away to things where they know there's less resources and people are going to take longer to investigate and the likelihood of ever having a true conclusion on the side of the law is going to be a lot lower advantage.
Unknown
Yeah.
David Shipley
So essentially we're saying is one little terrorism charge and my mom got scared and I'm off to living with my auntie and uncle in Bel Air, AKA data extortion only. Sorry to all you Fresh Prince fans and my version of that.
Tammy Harper
But my, my, my serious point about this is government actions matter. When the United States decided that they were going to treat Russia ransomware on critical infrastructure as a whole of government, the WoG, which terrorism is the other thing, the global war on terror in the first part of this millennium got that attention all of a sudden. Now you're seeing this and start throwing around Tomahawk missiles and strike teams every now and then, and people are starting to think, this is not the line of business I want to be in. And on the Australian side, the Medibank hack that you mentioned, Tammy, that was horrible, right? 10 million people's detailed health information. The first thing they leaked was everybody who had a reproductive health procedure. The second thing they leaked was everyone's mental health files. And Australia said, that's it, we're done. We're out. We're we. If we can't get you with cops, we're going to break your stuff and we're going to change our laws. And they've gotten serious about no money's coming out of this country.
David Shipley
And what was funny, on one of the Russian forums, there was this long.
Tammy Harper
Post and I still chuckle about it because Damian is the one I'm referencing.
David Shipley
He was like, guys, I think we ruined Australia as a market. Yeah, you did. And dear Canada, take the Australian method because you don't got the cruise missiles for the American method.
Jim Love
Yeah. And we'll spend a billion dollars in Canada to get a pound of fentanyl. So, like, we could actually pass some laws and maybe even put some money behind enforcing and seriously enforcing these laws because it seems to be having an impact. And, oh, they're going to get a really heavy penalty for this. They might, it might discourage some of them.
Unknown
Yeah.
David Shipley
So the good news is C26, aka.
Tammy Harper
The never ending law that David spent two and a half years of his.
David Shipley
Life, besides running a startup, pounding away.
Tammy Harper
On and testified three times about because I'm not better. I'm absolutely better.
David Shipley
That it died because of a typo is back.
Laura Payne
Yay.
Tammy Harper
Because we are a serious country now with a new serious prime minister that gets serious stuff done. It'll wait till after the summer break. Not that serious.
Laura Payne
And still that's pretty good for Canadian politics.
David Shipley
That's almost as bad as the parliamentarian that looked me dead in the eyes.
Tammy Harper
And said parliament moves at the speed of Parliament. And to which I replied back to them, I said hackers move at the speed of digital.
David Shipley
Guess who's winning.
Unknown
So to your point, Laura, it is.
Tammy Harper
Good that they get the first voters.
Jim Love
Move at the speed of throw you out.
David Shipley
Yeah, I wish they would do more of that.
Tammy Harper
But in all seriousness, this is the consequences coming on the critical infrastructure side. The downside of it is they still have a gun pointed at the head of CISOs right now in terms of individual liability, which has got a whole bunch of people who are in their 50s going, my net worth is X. This will wipe me out. I don't want to do this job anymore. So I'm having some conversations backroom in, in Ottawa and very vocally publicly right here now saying this is really dumb. Could you please work this out before you finalize it now that we've got some more time. But. But yeah, consequences are coming. I do think I'm going to get on my favorite hobby horse and I'm not going to say this is the last time.
David Shipley
Stop paying the ransoms, ruin the business market.
Tammy Harper
Don't pay it for the extortion, don't pay it for the encryption. The only other thing I can hope for in the world of crime, on crime is that these Tammy, I loved your story of hosting all this data is that some criminal groups start targeting the leak only groups and encrypting their.
David Shipley
Shit and ransoming them. Because that would be amazing.
Unknown
There's an interesting story two months ago when RansomHub was missing and were MIA for a while. DragonForce was trying to make a name for itself in these spin offs and they started saying hey, we're going to start a cartel and this is basically a fancy little thing. We're going to white label our RaaS infrastructure and if you want to start a new group, basically you use our payloads, you use everything that we have, use our infrastructure and we'll just put your logo and your brand all over our stuff and you'll have your own onion site and everything. And so what they did as part of a like marketing campaign is that they started to hack smaller tweeps. So they basically hacked a group called BlackLock and they put their logo on their DLS site. And then when it came to RansomHub, they're like, hey, we're posting RansomHub right now and we hope your group follows us along and all your affiliates come to us. So yes, there is a lot of infighting with these groups.
Tammy Harper
You love to see it happen and.
Jim Love
A lot of better marketing than I've seen in a lot of companies. So here's my story. I'll wrap up with my story in this because I know David loves to hear about AI and I'm, I don't worry, David, I'll say something negative of this. You could relax. Everything in AI if you've been following it has been agentic and it is the marketing end of AI. And that is. And for those of you want to know what agentic means, basically means instead of just asking questions of a chatbot, these things can take action, but not as an algorithm, not as a simple program. They will develop a strategy and they will go and execute it. And that's been the big thing in AI. The second thing though that's come up and it's been very recent is the start of integration with enterprise systems. And there's a couple of things that have come up. Model Control Protocol from Anthropic, which has been a way to integrate with software. Google has recently just released a whole toolkit of this and the Linux, the Linux Foundation, I guess it is, has also put together what they call A2A, which is another way of communicating. The bottom line is for anybody who thought, oh God, let these guys play with this off in their own office, they'll never touch the enterprise systems. Those days are coming to an end. There will, as I've said, when you put productivity and profit versus security, security loses. Now these are actually in my mind, good things. They are things that will allow us to integrate with our enterprise software, be able to do things that we could never do before. However, this run and break things attitude that's out there is could be a little bad. Anthropic bright guys introduced their MCP, the Model Control Protocol. It has now been adopted by everybody. They're very sharp people. First couple of weeks out, they've got a 9.4 out of 10 vulnerability in their MCP toolbox now. And if anybody wants to know how easy it is to hack an AI. It is. There's just so many places. How do I hack the. 
Let me count the ways. You can do prompt injection. You can do all kinds of things. These are still notoriously loose pieces of software and easy to get into. My favorite hack, and this is if you want to know how extreme this is, my favorite hack is that you just flood them with bullshit. Now I'm using bullshit as a technical term. You actually just give all kinds of jargon and fancy words and all that sort of stuff the same thing you hear in a corporate marketing presentation. And you just fire all those words and bury your command in there and you'll get one group did this and they beat almost every LLM. So what I'm saying is there we're not as advanced in security on the LLM models as we need to be. We're not. We're running a little too fast on this. But that. Sorry, cybersecurity professionals, that's the world we're in. We need to start to get ahead of this and start to talk about these issues in our companies and start to roll this out. You're not going to get by being Dr. No. It's just not going to work. We have to start having intelligent discussions about the dangers of AI used improperly and how it links to the enterprise. That's my story for the month. Did I say enough negative David, or do you want to come in and dump all this?
David Shipley
I could have used some sprinkles on that ice cream.
Tammy Harper
The 9.4 was pretty funny. But I will save my commentary to the end because I would love to hear from Laura and Tammy about your thoughts nightmares about agentic AI.
Laura Payne
It's a very short and succinct thought which is if you don't really know what you're doing, don't do it. So maybe that's a very Canadian regulatory approach. But why would you. Especially if you're in a. I get it for startups like you're doing things that are new and different and whatever go to town. But like you're an established business. You have clients who depend on you. Are you willing to bet the farm on just letting whatever these are loose? Like you wouldn't let an intern loose in your environment. Why would you let this stuff that has no ethics or morals attached to it anyway?
Unknown
That's.
Laura Payne
It's not that I'm the department of. No, it's like just everybody and everybody needs to be at the table thinking about it. It's not the CTO's job, it's not the security person's job. It's really the business needs to think about how bad is this going to be if it goes wrong. So let's make sure we do our best to do it right because it's not worth losing your business and impacting all of those other people who will also be impacted if you lose your business over wanting to play with the flashy new toy or hoping for a productivity gain. Because I think that's the other thing too. It's not just that they don't know what they're doing on the setting it up properly side, but there's an awful lot of not knowing how it's actually going to turn a positive result for the business as part of it as well.
David Shipley
So two things.
Tammy Harper
I am going to steal what you just said for a T shirt and I think that, Laura, is a phenomenal positioning of how we need to. I've heard people say the department of know how, but the department of how can we do this? I love that. But I'll make my other analogy in a second. Tammy, I'd like to get your thoughts.
Unknown
On the subject of anthropic also. This happened in June. Anthropic puts their AI, their agentic AI in a vending machine. I don't know if you've heard that story.
Jim Love
No.
Unknown
Okay. So you are a business owner and what you need to do is you need to make sure that this powering what people want and you need to be great at this. And again, it was not ready and people started asking it for tungsten cubes, which are worth hundreds of thousands of dollars. And it was basically stockpiling tungsten cubes and selling them at a loss. And people were able to hack the knowledge of it and basically make sure that it couldn't understand supply and demand properly. Yeah. So putting that type of intelligence, or if you can really call it intelligence, it's more like of a predictive engine of what you might want to get out of a response as close as possible to then put that into and integrate that into your enterprise data, which you've worked so hard for, and then having it potentially read and write access to it and then talk to clients on your behalf, that just sounds like a nightmare. And even if you're trying to put guardrails, but if you're depending on the AI companies to put in guardrails for you, it's not going to work because they don't know what they what type of guardrails. You, you specifically need for your company. So we need to have a lot more transparency. And this is where I want to, I'm getting to the point where I wanted to get to is we need something called AI BOMs. And so these are AI bills of materials. So this is, and so this is basically going to tell how your, your agents are trained, how, what the data sets are. And this is basically going to tell you everything that you need to know about the implementation of how these agents are going to be used into your corporation. And we need more support for stuff like this because there needs to be more transparency from the, from these agents on how things work under those.
Tammy Harper
So here's my analogy about what's currently happening with the world of generative AI, particularly large language based AI. They hoovered up every single non password protected piece of content they could possibly get over the Internet. Good, bad, horrendous and even worse than horrendous on the whole, they vastly underpaid the folks trying to weed out the awful from that and they just rushed it, underpaid it, traumatized the hell out of these unfortunate individuals, repackaged it, published it out. This is the equivalent of a garbage dump. Now what they're selling us is a beautiful urban environment. Think Celebration USA for urban geographers. I know that I just said it's a horrific example of a beautiful environment, but I mean very stereotypical, the perfect idyllic suburban kind of environment. That's what they're selling us. But it's built on top of the garbage dump.
David Shipley
And right now, every now and then.
Tammy Harper
We get a sniff of what it's actually sitting on top of and we're like, oh, this isn't what I was expecting from my beautiful ideal. Sort of, this isn't what you sold me. And sooner or later we're going to have a methane explosion in our little celebration town analogy on this. And it is going to be awful because garbage in, garbage out eventually. And I think the over promising of this industry is going to be for this generation, the dot com boom. That isn't to say that in the long run Jim is wrong. In the long run Jim is going to beat David. And I'm just going to admit that right now this is not it, that we can learn from this, prepare from it, get better at it. I have my eye on the kinds of companies that are building something and these are the ones that are building visual systems that are a different branch of AI that are understanding the world we actually exist in. And the way that they're building those models is how the human intelligence developed and if they crack that nut, it's going to blow this stuff out of the water. But this stuff as it's currently being rushed to be sold in the gold race is a dump with a celebration USA built on top of it. And it when it collapses, it's going to be worse than the little vending machine. From the ashes of that the next thing is coming. But in the short term, that's not to say that you can't live in the town, but you're going to get.
David Shipley
Some weird smells and be careful what you build on.
Laura Payne
I'm going to throw my fun sarcastic comment on which is don't worry David, we're filtering out the real content from entering the AI models. Cloudflare has announced that they are putting up the first AI blocking capabilities to keep owned content, i.e. intellectual property of certain people, from being scraped. So it's only going to get better for the garbage in the dump.
David Shipley
But to Tammy's point, the the and.
Tammy Harper
I love this, I hadn't heard of the AI bill of materials. The problem is the lack of ability of transparency about what got into the model in the first place. And in credit to Jim, as a handover back over, I actually heard of an ethical generative AI company. So they're actually building licensed content model based generative AI video solutions where they paid for the right to actually use the video material. And their hope is that this will be much friendlier to creative types by saying hey, we recognize this is how we could do this ethically, so maybe less garbage.
Jim Love
And in fairness, I'm more of a techno optimist and I say this in terms of where we're going with AI and technically I understand the foundations of it were predictive based on text and all of that sort of stuff. We've gone way beyond that and the models are much, much more sophisticated than simple predictors at this point. The fact is we don't know what happens in most of the models and that's a scary point as we get through it. My problem with this is not that this is going to follow the same curve that Gartner has been showing us. We'll get overhyped, we will come crashing down. We will work our way out of it. The problem with Gartner's model is you'd never know where you are on that curve. And so that. Let's take that off to the side. The point I'm making though is I've been doing this for 40 years. Every major technology that we brought into businesses we have screwed up royally, we have gotten ahead of it, we have not dealt with security or even with the fact that our data is so messed up and still is messed up. After 40 years of doing this, everybody's still saying our data's crap. So we haven't solved the foundation problems and we keep doing it over and over again. Minicomputers, microcomputers, the cloud, all of these things. We've had these big rush it in, oversell it and somehow we muddle through and somehow we do, we muddle through and we manage to get it together enough. And Laura, you've worked in a bank, you know what, or if you've worked in a government, you know what those legacy systems are like and we put stuff on top of that is just impossible. And we demand that it work and of course it falls apart and a bunch of people work late at night and keep it running. We've been doing that forever. We can't do that with AI. I honestly believe it. 
It's too dangerous because for the first time we're trusting the machines not to do algorithms, not to be where we can pull the plug, but to be out there executing things in ways that we don't understand, where ways that we can't audit and where we can never fully understand what's happening in the model. That's a really good opportunity for us to actually say, why don't this time we start to think about how we're going to implement it earlier? Just a thought. Maybe we start to get some red teams going now, maybe we start to get some data people going now and we start to put some time aside to plan ahead for the inevitable because it is inevitable. It's not going to stop. We're going to be in an AI driven world and that may be dysfunctional and dystopian or it may be the wonderful land of milk and honey, I don't know. And anybody thinks they know is lying to you.
Tammy Harper
I just want to go back to what Laura had said earlier when I made my from-the-corner-ice cheap shot on Itel and it was if you have the wrong North Star and no counter to balance it out, you get bad outcomes. And I think Jim, you nailed it on the head if we don't think better about this. And what I'm desperately afraid of is all people are talking about, all executives, let me vary, let me take my next cheap shot. All the C Suite wants to see is productivity, profit and they are not doing those things and I have zero confidence that we are not going to repeat the sins of 40 years.
Jim Love
Worse than that, they want bodies off the org chart.
Tammy Harper
Regardless of what he tells you.
David Shipley
The irony's not lost on me as.
Tammy Harper
A CEO that actually the most AI friendly job to target.
David Shipley
And that's what they don't realize. Right.
Jim Love
I'm doing a show. I do my AI show. I'm doing a show with a guy who has actually got a co-CEO that's an AI and she's doing a great job. So I'd watch out. Laura, you were going to say something.
Laura Payne
There may be some small hope or just more to ignore. I don't know. But if I look at the pace that it took from, I'll say, the early 2000s. Right. Was early security days of frameworks and structuring how we should think about it. A lot of those lessons seem to have been applied in the AI space. The rate at which we are producing relatively completely thought out frameworks. Relative is an important word in that. But that are built for AI, the materials and the thought leadership is available if people choose to apply it. So OWASP, this is relevant to a June update, right? OWASP launched its AI testing guide this month. So it's just one example of many where people are putting their attention and trying to share publicly good practices that could save your butt from a bad decision. But it all comes down to having that will and that desire to actually put the brakes on a little bit to do it right in the first place. So for the people who care, there's material and support and good thinking out there that you can find. It's not paywalled in a lot of cases because people realize the people who care enough to put these things together also realize that it's not proprietary. It is something that applies to everybody and it needs to be out there.
Jim Love
Yeah, that's a good place. And my message is, if you're a CISO and you do have any sway, sit down and tell people this is coming. I'm not going to try and stop it, but I'd like it sandboxed and I'd like us to be playing with it and I'd like us to be experimenting with it and I'd like us to be educating ourselves before that development team that you don't even see has bought something with MCP and with all of this stuff and got it integrated. And keep yourself open so that you know what's happening out there. That's just my message on this. It's a new thing. Fixing it afterwards can be painful.
David Shipley
Be the department of doing AI right.
Tammy Harper
Trademark yeah.
David Shipley
Laura Payne.
Jim Love
I think we'll get again. No, but I think doing it we're going to, we're going to get this T shirt together and we'll start to do merch on this. That'll be, that'll be one way to make money on a podcast.
David Shipley
Tammy, what did I sign up for? Thank you.
Tammy Harper
Thank you for coming.
Jim Love
This has been mild. Thank. Yeah. Thank you, everybody. That's our show. We'll call it a wrap to the audience out there. Send us a note and let us know what you thought of this. You can write me at technewsday.ca or .com and you just use the contact us form on the website or if you're watching on YouTube, you can, you know what to do. Make comments under the video but be nice in them, or not, doesn't matter. Thanks to our panelists, David Shipley from Beauceron Security. Thank you, David.
Tammy Harper
Thank you, Laura.
Jim Love
Payne from Whitetuque. Thanks, Laura.
Unknown
Thanks, Jim, for having me.
Jim Love
And Tammy, what a pleasure it was to meet you. We got to have you back. We, we've got a wealth of knowledge there.
Unknown
Thank you so much for having me. It was a pleasure.
Jim Love
And I'm your host, Jim Love. Thanks for listening. You had other things you could have been doing with your weekend, especially in the summer, and you joined us for this little discussion and we appreciate it. Have a good time. And you'll be hearing this on the weekend most likely. So you look forward to seeing David Shipley with the news on Monday morning. Talk to you later.
Podcast Summary: Cybersecurity Today – Cybersecurity Month in Review: Key Insights and Emerging Threats
Episode Details:
Introduction of Panelists
Jim Love kicks off the episode by introducing the panel of experts who delve into the significant cybersecurity events of the past month. The returning panelists are Laura Payne, CEO of Whitetuque, and David Shipley, CEO of Beauceron Security. They are joined by a newcomer, Tammy Harper, a senior threat intelligence researcher at Flare, who is warmly welcomed to the discussion.
Major Cyber Crime Arrests: Montreal Scam Targeting Seniors
Laura Payne leads the discussion by detailing a significant law enforcement achievement in Montreal. Gareth West, identified as the leader of a scam targeting seniors and extracting approximately $30 million, was arrested along with other accomplices. The scheme involved setting up legitimate front businesses that concealed call centers actively deceiving elderly individuals into parting with their money under false pretenses.
Jim Love expresses personal outrage, sharing a poignant anecdote about his father falling victim to such scams, emphasizing the severe emotional and financial toll on victims.
Tammy Harper underscores the gravity of the arrest, noting the strategic mistakes made by the criminals, such as operating within Canada, which facilitated their downfall due to extradition protocols.
Rise of Fraud in Cybercrime
The panel shifts focus to the alarming trend of fraud within cybercrime, highlighting that fraud accounted for a staggering $13.5 billion out of the $16.6 billion in reported cybercrime in the U.S. last year. Tammy emphasizes the persistent and evolving nature of fraud schemes, particularly targeting small businesses through sophisticated techniques like manipulating payment devices to process unauthorized refunds.
David Shipley adds to the conversation by pointing out the systemic issues within help desk operations that inadvertently facilitate such fraud, advocating for improved standards and training.
The Scattered Spider Group and Social Engineering Tactics
A significant portion of the discussion centers around the Scattered Spider group, a loosely affiliated cybercriminal network known for its advanced social engineering tactics. The group meticulously researches targets using platforms like LinkedIn and ZoomInfo to craft convincing scams aimed at manipulating help desk personnel into granting unauthorized access.
Jim Love highlights the group's adaptability and deep understanding of corporate structures, which enhances their ability to deceive even seasoned professionals.
Youth Recruitment and Socioeconomic Drivers in Cybercrime
The panel delves into the troubling trend of cybercriminal organizations recruiting younger individuals, exacerbated by high youth unemployment rates and the allure of quick financial gains through crypto payments. Tammy Harper links this phenomenon to broader socioeconomic challenges, such as the displacement of entry-level jobs by AI and the resultant increase in youth disenfranchisement.
David Shipley echoes the sentiment, drawing connections between the lack of opportunities for the younger generation and their susceptibility to recruitment by sophisticated cybercriminal groups.
Recent Ransomware Attacks and Responses: Ingram Micro Case
Jim Love discusses the rapid recovery of Ingram Micro following a ransomware attack, praising their swift response and recovery efforts despite initial communication shortcomings. The incident underscores the evolving tactics of ransomware groups, which are becoming more aggressive and adaptable in their approaches.
Tammy Harper compares this to other high-profile breaches, noting the importance of transparent and effective communication during and after such incidents.
AI and Cybersecurity: Risks and Vulnerabilities
In the latter part of the episode, the conversation shifts to the intersection of Artificial Intelligence and cybersecurity. Jim Love raises concerns about the security vulnerabilities inherent in agentic AI systems and the rapid integration of AI into enterprise infrastructures without adequate safeguards.
Tammy Harper and Laura Payne further discuss the ethical implications and the necessity for transparency in AI implementations, advocating for frameworks like AI Boss to ensure responsible deployment.
Laura Payne highlights ongoing efforts by organizations like OWASP to develop AI-specific security guidelines, emphasizing the importance of applying these frameworks diligently.
Concluding Thoughts
Jim Love wraps up the discussion by urging cybersecurity professionals and organizations to proactively address the challenges posed by emerging threats and AI vulnerabilities. The panel underscores the critical need for education, robust frameworks, and ethical considerations to navigate the complex cybersecurity landscape effectively.
The episode concludes with reflections on the necessity of collaboration and forward-thinking strategies to combat the ever-evolving threats in the cybersecurity domain.
Notable Quotes:
[05:55] Jim Love: "Anybody who thinks that it's because they're seniors, they should feel embarrassed, they should not feel embarrassed. They should report this."
[13:38] Tammy Harper: "They will put our elbows up for all our friends."
[17:15] Tammy Harper: "We are putting in place the macro socioeconomic conditions that are driving people into the arms of these gangs."
[49:07] Jim Love: "We're running a little too fast on this. But that... we have to start having intelligent discussions about the dangers of AI used improperly."
[58:53] Tammy Harper: "This is the equivalent of a garbage dump... built on top of the garbage dump."
Conclusion
This episode of Cybersecurity Today provides an in-depth analysis of the latest cybersecurity threats, successful law enforcement actions, evolving cybercrime tactics, and the pressing challenges posed by AI integration. The panelists emphasize the need for proactive strategies, robust training, and ethical frameworks to safeguard against the dynamic landscape of cyber threats.