
In this episode of the 'Cybersecurity Today: The Month in Review' show, host Jim welcomes regular guests Laura Payne and David Shipley, along with newcomer Anton Levaja. The trio dives deep into various cybersecurity stories, analyzing trends,...
Jim
Welcome to Cybersecurity Today, the Month in Review show. We have two of our regulars back. Laura Payne. Welcome, Laura.
Laura Payne
Hey, Jim. Thanks.
Jim
Drumroll. And David Shipley. David Shipley back as contestant number one. He's been our reigning champion. No. Oh, that's Jeopardy. Sorry. David Shipley, welcome. And Anton Lavia. And Anton. Did I say your last name right again this time?
Anton Lavia
Yeah, yeah, that was great.
Jim
We went through all this and then I spelt it wrong in the interview. And people who watch the show will know Anton. We did an interview with him about two weeks ago and I went, this guy's gotta be on the panel. So there we go for the panelists and for Anton. Because you're new to this, this is how the show works. We have asked everybody to select one or two stories and we try and give a little depth to them, do a little bit of a deep dive. The person introduces the story, tells the story and sets the stage for everybody. And then we discuss it. And sometimes we can't get out of the first story. I never promised how many stories we're gonna get there. All I know is if Shipley gets to anything on legislation reach. Laura, you're close to him, you can see. Reach over and just tap them.
Laura Payne
Yeah, we might need a special episode just for that.
Jim
Well, yeah, listen, this. But this is because we have a large American audience. I never know how much they know or care about Canadian legislation. We do care about American legislation and normally we have such a lack of legislation we don't have to worry about talking about it too much. But we do have one bill that's come up and that is a bit of a pain. So we might drift into there. So welcome back, guys. I'm going to start with the first story that I want to cover and that is the mystery leaker. And this started, I first read about it in the Register and I did a story that covered it. And there's an anonymous individual, he has the alias GangExposed, who said he's on a personal mission to fight against an organized society of criminals. And he's been doxing people. He got Stern, the leader of Trickbot and Conti and revealed that Stern is actually Vitalii Nikolaevich Kovalev. And he's also gotten the Professor, I think, who is this 39 year old Russian named Vladimir Viktorovich Kvitko, I think. And at that one I had struggled with Kvitko allegedly living in Dubai. So this guy's been basically revealing all of this information. The curious part is he describes himself as a cosmopolitan who moves from city to city and just wants to stamp out this evil criminal gang. And he's turned down a $10 million reward by not coming forward. So he's richer than I am. But that's easy. And that's where I gave it away. I thought it was. First it was Shipley, but then the fact that he turned down the $10 million reward. I had to start looking for other people.
David Shipley
So to turn down the 10 million reward means he's smart enough to know that he doesn't want to get found and pushed out of an apartment building for this. And no grapes are quite as sweet as sour grapes. So can you say someone got screwed in an exit scam? And payback. These are my favorite stories. But whatever keeps you warm at night.
Jim
Yeah. So you think it might be Shipley, but. And you're just turning down the reward so you don't get pushed out of a window? Me? You're in Fredericton, man. Like, how far can you fall from a window in an office building in Frederick?
David Shipley
Russian gangs got long arms, my friend. So I imagine if someone's burning them left, right, and center and they're thinking that they are a cosmopolitan thinking about showing up at a bank to collect your 10 million and accidents happen. So I don't know. But I love it. I also love that this is law enforcement creating a persona to do it and then create fear and paranoia. That there's an additional untrustworthy element inside of the cybercrime community would be chef's kiss. I will note that law enforcement is doing hilarious things on the Operation Endgame website. And as your resident culture critic, I have to point out that whatever police officer thought of using AI to do.
Unknown
A Japanese anime style trailer for making.
David Shipley
Fun of one of the ransomware groups.
Unknown
That they hacked back on, complete with.
David Shipley
Theme music and characters, is a bold move that I am here for. It's been a. It's been a wild week. A wild month.
Jim
Okay. And now. And we have a brand new website where we're going to actually be able to properly display the podcasts and the links. So you'll send me that link at the end of the show and we'll.
David Shipley
Yeah, we should watch it because it's.
Unknown
Just so spectacularly beautiful.
David Shipley
But it's one time. Jim. AI Art.
Jim
You got Anton. You don't know. You don't know. David. Getting him to say anything nice about AI is it. It's a magnificent accomplishment letting you guys talk a little bit. How did you guys pick up this story this week. Laura, you anything on it?
Laura Payne
No, I'll admit I had, I had not picked up on this one but yeah, it's. It is. There's been a lot going on as I think we discussed at the end of the, at the end of April going into May there was so much and then looking at this month again it was like oh, it wasn't really any quieter or calmer so nothing surprising anymore.
Jim
And Anton, your job is to serve and protect people.
Anton Lavia
I don't, I think, I think it's too hard to keep actually fully anonymous identity online so I don't bother with that.
Jim
Yeah, this one, like I said, this was really something. He has money though and seriously or at least has access to things because he picked up an FSB list. He said he paid $250,000 for that and he's talked to the Register. By the way, if you're out there, you can talk to Cybersecurity Today. You can reach me at editorial@technewsday.ca before they push me off the building, I'd love to do an interview with them. That was an interesting story and I think David, you pointed it out correctly is anything you can do to stir up trouble on these gangs is a wonderful thing.
Unknown
It's been a great month for trouble on top of the multi season YouTube videos will be in the Operation Endgame website that I will send in the link. You've got Lumma Stealer going down. So this is perfect. You're tackling the ecosystem right from the algae right up to the top level sharks and so getting rid of that info stealer and given that it was the number one market penetration, you're causing a massive disruption inside that space. Then you've got Operation Endgame on top which is taking out infrastructure and players and naming and shaming which is interesting, right? Because one of the leaders that's outed here of Conti is the group that was responsible allegedly for the Newfoundland health attack. Dear Newfoundlanders, which was at the time the largest healthcare cyber attack in Canadian history to be eclipsed later by the impact on five Ontario hospitals. Sylvie. But this is interesting. We actually have a face for the pain. Naming and shaming, man. I think it's incredibly powerful and restricting these folks' summer travel plans and worldwide freedom of motion that's imposing costs. So I am here for it. It's multi layered, it's pushing back.
David Shipley
I'm going to enjoy the season of.
Unknown
Joy that this will bring before the inevitable next cycle because until we stop paying ransoms they'll Be back.
Anton Lavia
Yeah. It's interesting to think about whether it's maybe just a really skilled white hat that kind of went undercover and infiltrated those circles and it's now exposing them from within. I love the idea of that.
Laura Payne
I feel like. Am I allowed to segue, Jim? Yeah, I feel like my story builds on this perfectly. I picked up a story on LockBit leaks revealing how they are downgrading their barriers to entry. And they're offering their Lite service now, which I think is just an interesting kind of follow on. So they were certainly seriously disrupted late last year through police activity. And this is their next step in their business evolution. They have to get out there and recruit more ransomwares to their ecosystem. So they're offering Lite now for the grand price of $777. You too can now be a ransomware distributor. But you need no tech experience. You don't need to know what you're doing. And so it just continues to degrade their whole. In the early days of ransomware, we like to think that they had better support than many IT departments because they were almost reliable. And that is just going to devolve even further with this dog's breakfast of newbie attackers going into the ecosystem. So it'll be interesting to see. It's always interesting. Every disruption results in a pivot. But I don't know that this will be. This is actually more just. I think they're just going to make more money off of people signing up than maybe from the ransoms themselves because the likelihood of paying a ransom on a poorly executed attack is going to go down significantly.
Jim
That'd be interesting if they're making money on the franchise. These guys really are capitalists.
Anton Lavia
Do they have a referral program too?
David Shipley
You gotta sell X amount of shampoo bottles and X amount of ransomware and Russian Amway has got your path to be million.
Anton Lavia
But wait for the first 10 subscribers. There's more. You'll get a shammach.
Jim
Yeah. And so if you're living in your mom's basement with a computer and trying to be a script kiddie and you actually get invited out to a party somewhere, it's LockBit.
David Shipley
I love that we just Amwayed LockBit.
Jim
Mom, I've got a friend. They invited me out to a party.
David Shipley
You wouldn't believe that's getting you the eyebrow if you tell your mom. Amway or Russian cybercrime gang.
Anton Lavia
Oh, yeah, yeah.
Jim
Who's up next?
Anton Lavia
I can throw in a story that kind of ties into this, which is from the crypto industry, which I'll probably tend to bring up more than others, because that's a lot of my background. But Coinbase, and because I do doofus.
Jim
Introductions, tell people a little bit about what you do so they can understand the crypto comment.
Anton Lavia
I'm a security researcher and I'm a part of a firm that specializes in helping kind of high risk companies keep their assets safe. And a lot of those companies happen to be financial institutions or digital asset companies. We have a lot of background in building vaulting and custodial solutions, so those take a lot of effort to protect adequately. And that's the gist of what we do. And we do some consulting and penetration tests, smart contract reviews, but lots of open source development as well, building the tools that we feel we need to implement security the way we'd like to.
Jim
And Anton's firm, actually, you guys haven't met him yet. Anton's firm actually makes these tools available to help other people, which is.
Anton Lavia
Yeah, we found that there was a lot of kind of gaps in the approach we wanted to take and tooling that makes it easy to do. So we even built their own Linux distribution, which is solving a bunch of problems that the others just weren't. But anyways, I don't want to derail.
Jim
The podcast until, you know, you're a Linux guy when you say, I had this problem. So I built a distribution. Yeah, sorry, back to your story.
Anton Lavia
So it was actually about Coinbase, which is, I think, maybe the biggest digital assets company in the world. And recently they got ransomed, they had some insiders that got bribed, and they were able to steal a bunch of information. It was like names, addresses, phone numbers, emails, Social Security numbers. Numbers was for a small subset of their clients. And the attackers asked for a $20 million ransom. But Coinbase pulled a total Uno reverse card and instead of paying them, offered $20 million to whoever gives them info about the attackers. And they fully covered any loss that resulted from the ransomware attack. So that cost them about $400 million. So I thought that was one of the better responses that I've seen to a ransomware attack. Of course, not every company has that kind of money to do that. No, you're not getting paid. And we're going to pay whoever gives us intel about you the same amount you asked for. So I thought that was a cool way to deal with a ransomware group.
Jim
It's like when those guys take on the mob. They say, blackmail you. Guy goes, you're going to blackmail me, I'm going to blackmail you. I love it. So 20 million? Yeah. We're not going to pay you the $20 million grants, but since we were going to lose it anyway. $20 million to anybody who finds you. Yeah.
David Shipley
And Anton, one thing I was unclear of.
Unknown
So did they lose 400 million and.
David Shipley
They're reimbursing their customers.
Unknown
Is that 400 million in the wind.
Anton Lavia
Or that's what it cost them? Yeah, because of the resulting loss from the clients getting hacked because of this information leaking. So they had a. As a part of that, you had to go through a process of confirming that your loss did actually result from this leak. And then if it did, they would cover you. So, yeah, it cost them 400.
David Shipley
Okay. So these criminals theoretically got away with $400 million, but there's a $20 million bounty on them depending on how many criminals you're talking about. Four way split before taxes, 100 million each. Okay. Crime's still paying when it looks at things.
Anton Lavia
Yeah, yeah, they definitely got away with a lot. And yeah, it makes me wonder like how they could have done better in preventing that. This is like a thing I see everywhere where it's. A lot of regulators require that you collect KYC, but I feel like the regulation around protective methods aren't as stringent. So one idea that I've had for a while and I've implemented in some of the companies I've worked with is this idea of you need multiple people to access certain sensitivity or level of confidentiality on data. So if it's something that's not super sensitive, maybe you can access it individually. But if you need, let's say, someone's passport or a more sensitive piece of data, you can build a system where you need to have multiple people, maybe even across different teams work together. And not every company could do that, but a company like Coinbase, I feel should be able to afford to do that and should be doing that with their size. But just something that seems like a pattern that would work well, yet nobody's really using as far as I've seen. Or even just simple things like the rate at which you can access data. If you're a support person, you shouldn't be able to access more than one record a minute or something. I don't know what the rate is, but that would prevent like kind of that exfiltration en masse.
Jim
The amazing thing about this is how low tech this leak was. They basically bribed a bunch of people. This good old. We're not going to hack anything like that, we're just going to bribe people One of the people, there was a story out just today. One of the people just took a picture with their cell phone camera. First of all, what are they doing with a cell phone camera in a highly restricted area? But they actually did catch the person. But it was just dumb stuff like that that gave this away. And of course they offshored it to a company. And not that offshoring itself is a bad thing, but it's just they've taken your records, these sensitive records, and sent them out to a company who. They've no idea what controls they have in place. And now the company's saying, we're going to put some controls in place. One of the things to be like a Don't hire North Korean hackers to do this. That'd be good. And. But second, if you're going to have. It's like another story that happened was not a security story where There people had 600 people pretending to be an AI in India in a company.
Anton Lavia
Oh, I saw that.
Jim
So people would go on, code this for me in AI and the AI would come back and say, I guess, wait a week. I have no idea. It's kind of a slow AI.
Anton Lavia
How about Mechanical Turk?
Jim
Yeah. Oh, yeah. This is the mechanical Turk thing again. For people who don't know that was somebody had a chess player, I think in the 1800s, I can't remember. Basically there was a guy hiding under the table. So they did this whole thing again. But the amazing thing is Microsoft had them as a service. All of these supposedly knowledgeable companies dealing with this company. Nobody did anything like a real inspection, don't verify.
Anton Lavia
Just blind trust.
Jim
So if you're offshoring or you're contracting stuff out, you may want to actually find out what types of controls people have about who they hire.
David Shipley
So gather around the campfire, kids, because I'm about to tell you this is not the only AI ghost story you're going to see when you've got a feeding frenzy and overhyped to the extent.
Unknown
That's going on and literally people pouring.
David Shipley
Buckets of money to light on fire for any possibility that we're going to.
Unknown
Have artificial generative AI. This is what a hype cycle looks like.
David Shipley
And when you start to see the blatant frauds like this pop and companies.
Unknown
You would think would know better, like Microsoft falling for it, that we're in the insane portion of the hype cycle. And it's hilarious, like 700 Jim. Then I heard about this earlier today.
David Shipley
And the first person I thought, so Jim's gonna Have fun with this.
Jim
I believe in AI, I just don't. I think that there's still one born every minute.
Laura Payne
On the upside, I got so many fewer calls from the CRA this week. So maybe that's why. Directing their attention.
Jim
No, I think that's. I think that's because the CRA is sitting there, like, nursing their wounds after. After getting killed in court this week. They went after Shopify. Is that. Was that a story you were going to cover or.
Laura Payne
No, no, I wasn't talking about the real CRA calling me.
Jim
Oh, the phony CRA. There's a fake.
Laura Payne
That was trouble. I wouldn't put that in.
Jim
I didn't mean to give it out on the program.
Laura Payne
Yeah, right up there with the IRS. The calls pretending to be the IRS or the Canadian police. I've gotten those calls too.
Jim
Wow.
Laura Payne
Please send gift cards to your. Your contact. I will provide you. Yes. To keep them from showing up on your. No, thank you.
Unknown
At the moment that they actually have gift cards that we think cops would actually want, like Tim Hortons. They might actually have a higher yield rate.
David Shipley
May or may not have just given.
Unknown
Ideas, but I'm just saying.
Jim
Yeah, okay. There goes the guest for my next law enforcement show. Thanks, Shipley.
David Shipley
I said Tim Hortons.
Unknown
I did not imply what in Tim Hortons.
David Shipley
I just implied Canadian brand loyalty.
Jim
There you go. Yeah. Anybody got another story?
David Shipley
So I want to stay on the crypto beat because.
Unknown
And I. I'm about to make a.
David Shipley
Very unfortunate segue, the cryptocurrency theme.
Unknown
Because remember we were talking earlier in May about this horrific case of the New York City where an Italian man was lured to New York, held, kidnapped, beaten, tortured, threatened with death and escaped. And the story just keeps getting wilder. Now there are New York police detectives under investigation for potentially being involved with this. And this is one of a spate of physical real world crimes targeting cryptocurrency owners, CEOs, et cetera. And this has been a trend that's been emerging the last couple years. Their CEOs have been kidnapped, some individuals have been mutilated. Organized crime is getting organized and realizing that if you've got the super secure.
David Shipley
Cold wallet going to defeat the hackers.
Unknown
We'll just cut your fingers off. So this is a dangerous asset class.
Anton Lavia
To hold the good old wrench attack. They realized it's very effective for this particular kind of profile.
Jim
So, Anton, you're dealing with companies in that area. Do you hear people talking about this?
Anton Lavia
This is actually something we deal with a lot because a lot of our clients are crypto companies. And let's say you have your team going to a conference somewhere. This happened recently. They were going to an event in France and it just so happens that in France there have been like three is exactly like this since just the beginning of the year. And the most recent one was where they tried to kidnap in broad daylight in Paris. A van drove up to the, I believe, son and granddaughter of a CEO of a crypto exchange based in France and tried to grab them and shove them into a van. They didn't succeed, but they actually caught this on camera. You can watch the video. It's really crazy to watch. Before that there was also, I think it was the co-founder of Ledger, which is a hardware wallet manufacturing company based in France. They kidnapped his partner I believe and if I got this right, they cut off someone's finger. So it's serious business. And this is happening. It's been happening for a while. There's a guy, Jameson Lopp, he's actually kept a GitHub repository that's been keeping track of physical attacks in the crypto space and there's like hundreds now. So it's been definitely an emerging trend and more people have caught on lately. What I'm dealing with is every so often a client comes to me and we're going to this event. What should we do? So there's a number of recommendations we make around this, but some are like, don't wear swag with your company name on it. Wear a hat and a mask. It's normal to wear a mask now, so make yourself more incognito. Don't post where you are, don't post pictures of where you are. Maybe hire bodyguards. We've actually done a bunch of research on reliable bodyguard services in different regions of the world. But it's very serious, a serious concern because yeah, when you have the cryptographic material that allows you to move a lot of funds like you're an immediate target, it just makes sense for an attacker to come after you again.
Jim
It would seem that maybe some of the basic things that we use from the physical world could also be applied to this though. And that's. I have a. We have a, like in every small town, we have a big drug problem and all the pharmacies, there's nobody who can unlock this safe after 8 o'clock or it takes two combinations to get in here and you'll never get in. I think in some of these crypto companies having one person who's got the keys to get into everything's probably really not a great idea.
Anton Lavia
Yeah, and that's exactly right. Like a lot of companies in this space, and this is something we encourage them to do is set up multi party setups where you need multiple people, ideally across different separate geographical locations to actually move the funds. And so if you broadcast that and make it known that this is how your system is set up, the likelihood that you'll be attacked is lower because they'll need to coordinate working across multiple time zones, jurisdictions. And it's not as simple all of a sudden. Now of course you could go and hold someone hostage and still ask for a ransom, but it's not as easy as immediately hitting somebody with a wrench and getting the coin out.
Jim
Well.
Unknown
Yeah, but remember too like the threat model for this is quite sophisticated. If you're in North Korea and you've been relying on billions of dollars of this to fund various programs including probably a ship refloat and repair. If you're not following the awful things that happened in North Korea. They tried to launch one of their new ships, Navy ships, and it did not go well and tipped over on its side and has been structurally damaged. So they're going to need a lot more money to build more warships.
David Shipley
They're going to be on the market hard with more wrenches and more packs.
Anton Lavia
Because it accounts for a significant portion of their GDP and it's their nuclear program, their ship like Navy, it's really messed up. But yeah, it changes the way you need to think because when a nation state actor's attacking you and they're funding literally everything they're doing by whacking people with crypto, it's.
Jim
Yeah.
Anton Lavia
All of a sudden all attacks are.
David Shipley
On the table for pop culture references. That scene in Back to the Future where the Libyans come after Doc Brown for the stolen uranium that he was supposed to get for them, but he was using to help fuel the DeLorean classic time machine. What was once like the butt of.
Unknown
Jokes of these kind of hostile, very negative nation state regimes having a very tangible impact on regular people. Went from Hollywood to Wednesday.
Laura Payne
And I think it's very much like that cautionary tale is the older institutions. So my background's finance, right. So the older institutions, they dealt with these problems like a hundred years ago. Right. And they learned how to separate people who were very visible and very. It would have the appearance of power and they have quite a bit of organizational oversight from anybody who has actual control over the accounts and things like that and implemented yet the classic two person controls and all of these it's really boring and it's not exciting and it's not fun and it's not what fintech is all about. It what crypto is all about. But it's going to be because these are the consequences of not learning from what other people went through, past history. And there's a reason why you don't hear about bank CEOs getting kidnapped because there's a lot of other things that are in place that already protect them.
Jim
Yeah. And it's Edward, the guy who wears the bad suits, who can actually open the vault.
Laura Payne
Or probably not just Edward, right?
Jim
No. I say this because early in my career I was the guy who could actually open the vault. And it took two of us. And you had to get. And there was this other guy, old guy, I have no idea. It took the two of us to get in. I always wondered, why would they let us do this? And you go, oh, maybe now I know.
Unknown
Listen.
David Shipley
It's always uncomfortable when you realize you were somebody else's meat shield.
Jim
And I don't mean to go away from the jocularity here, but these guys are serious. This is serious muscle. We had Operation Shamrock on the program last week and we were talking about this. These are organized criminals who will do anything. They run human trafficking, they'll kill people, they'll beat people. We're getting into a newer world where it's really just tough organized crime that is also getting behind all of this.
Unknown
Also, I guess I have breaking news.
David Shipley
I was just quickly looking up to see where the state of that France.
Unknown
Kidnapping case because there's been a string of these. Apparently Moroccan police have detained an individual, Mohamed Ahmed Baju, a 24 year old dual French Moroccan citizen, who's thought to be the mastermind behind a string of brutal kidnappings of crypto entrepreneurs. And they had a international manhunt since 2023 with a full Interpol red notice. This is very much tied to this surge of kidnappings.
David Shipley
In fact, what they were saying is.
Unknown
On May 13, someone tried to kidnap the daughter and grandson of Pierre, the CEO of the cryptocurrency network Paymium.
Anton Lavia
That's it.
Unknown
Yeah. And then there was a failed. Rescued the father of a crypto entrepreneur who had been held captive for days for 7 million in Bitcoin. Yeah, this is crazy. So they may have actually.
David Shipley
Breaking news, literally live as we tape.
Unknown
May have caught one of the folks behind this, but this cat looks like a serious, well funded individual as well.
Jim
Another story that came up just in the normal world, not in the cyber world. We've been talking about quishing for about a year and a half, but this really got my attention and I ran this story. Some old girlfriend, you've been cheating on me. And they and all your friends should know about this. Puts it up on a telephone pole with a QR code. What are you gonna do? For sure? And bang, there you go. They got you this. These people are. We've gone from the criminal side of this to the clever side of this. But this is like, how do you deal with that sort of problem where people are. They take QR codes and I did some work on a law enforcement show, and there are people going and peeling these QR codes off parking meters. This is getting. Oh, yeah, deal.
Anton Lavia
Yeah, yeah, I saw that too. Yeah. It's very sneaky. It's actually ingenious.
Jim
Yeah. You click that QR code and I don't know the tech behind it. I was actually trying to dig into that. But you've now either downloaded software or done something without taking any other action.
Laura Payne
Yeah, it's not very sneaky. Right. It's just taking advantage of getting you to click a link. Except this time you're clicking camera on your phone to access the QR code. But, yeah, the attack is the same underneath. It's a poisoned website that it directs you to that's taking advantage of a vulnerability. And there's just spray and pray. They don't care who they get.
Anton Lavia
Yeah. Some of them are literally just. They send you to a payment portal and it's here. Pay here for your parking.
Laura Payne
Yeah. You replicate what you're supposed to get to.
Jim
If you're where I live, you know, and you go to Minden, population 6,000 at the best of times, we don't have parking meters. Actually, you can't do it on a parking meter. But if you go to New York City in the financial district and you put up some QR codes that people start clicking on, you're going to reach a fair amount of people with some significant access in terms of finance and other things. Amazing.
Laura Payne
Yeah. I think what'll be interesting in that is the middle layer there for the ones that are replicating, say, a payment portal or whatever. Right. They're having to sign up into the payment ecosystem. Right. So there are the credit card providers, MasterCard and Visa, of course, in the middle of this, whose fraud departments are really not thrilled about transferring money on your behalf into the hand of criminals. So there are certainly, like middle layers in that that are going to do what they can to recover the cost and As a consumer, you have some level of protection to say, look, I was defrauded. Right. It was an illegitimate site. It was sneaky on their part. Right. I did not think I was paying them. They posed as a legitimate site. And so usually as a consumer, if you file a request, you will be able to get your money back from. But watch, it requires your part.
Jim
You watch that. Because the Bank of Nova Scotia, I believe, and I'll edit this if I'm wrong, but I think it was the Bank of Nova Scotia tried to stiff somebody. They claimed that he'd been defrauded over about $20,000. And they just claimed you gave it away.
Anton Lavia
Oh, wow.
Laura Payne
Definitely depends on the circumstances. Yes. I don't know whether that was a credit card case or whether. Was that a credit card or was. Depending on the circumstances, it may be that they will try to not do it, but for a small charge, they're more likely to keep your good.
Jim
I don't trust. I just don't trust banks. Sorry. But I don't. Because for years they've been pushing fraud back to people whenever they get the chance. I'm not going to dump on BNS. Only because you keep hearing story after story of people who've been defrauded, and they. They inherit all the responsibility of having to track that back.
David Shipley
First of all, as a practitioner in the cybersecurity awareness industry, I want to apologize to everyone on the planet for our industry inflicting yet another portmanteau that never needed to exist. QR code phishing. But quishing is just. Oh, it's like nails on the chalkboard. It's triggering all kinds of visceral uncomfortableness.
Unknown
So it's interesting, right, you're mentioning. We've seen a lot of this parking meter fraud just covering up the QR codes.
David Shipley
QR codes, of course, are another side.
Unknown
Effect of the pandemic.
David Shipley
They were another thing. Tech invented that. Everyone was like, this is useless. And then all of a sudden, the pandemic, we couldn't touch anything. We wanted to scan things. Their phone, it became marginally useful. I would also make the same argument for cryptocurrency.
Jim
But Anton, he's gone all the way up to marginally useful.
Anton Lavia
Yeah, no, that's decent. I'll take it. I'll take away.
David Shipley
It's super useful for criminals to get paid. But anyway, this QR code, just a.
Unknown
Demonstration of cleverness, right? And constantly thinking about things.
David Shipley
The same people that are just spamming.
Unknown
To say, you didn't pay your toll are now going to do the parking thing.
David Shipley
And it's because the cost of doing.
Unknown
Crime is so low, chances of actually being prosecuted, near zero.
David Shipley
You make a few bucks here and.
Unknown
There and it's a dishonest day's living. Right.
David Shipley
I don't have any data, haven't run any experiments how this plays out generationally. My dad just barely uses the smartphone.
Unknown
Parts of his smartphone.
David Shipley
He's 75 years old. Like he may or may not take.
Unknown
Pictures with his phone at this juncture.
David Shipley
But he ain't scanning no QR code. That's not a thing.
Unknown
So is this Gen Alpha's new poison?
David Shipley
Is this. You know who, who is this really going to?
Jim
One of your friends is closer in age to your dad than you might think. I know I look but you're sending all the QR code using our phones and maybe all of the facilities of the ageist.
Laura Payne
And the question of what is this target? I think it's really millennials. Right. Be stressed and I just want convenience. Right. And I will admit to being at one edge of the millennial bracket. So this includes people of my contemporaries.
Anton Lavia
That are not fun. Fun fact for the viewers. For those who aren't aware, visiting a site can be enough to get you compromised. This is largely because the V8 JavaScript engine that powers most browsers is so complex and huge that it's impossible to fully patch. And so even though we tend to think of browsers as sandboxes, they're actually not due to this reason. And so every year there are even dozens of zero-day exploits for popular browsers that some of them allow you to break out of that sandbox and fully compromise your device.
David Shipley
So Jim, I will point out a.
Unknown
2013 study said that seniors were only 13% likely to use QR codes. And of course QR codes were brand new by then. And Statista, what are they saying for usage by age?
David Shipley
Looks like our data that the youngest of the ones at risk in this.
Unknown
Thing may be pretty solid.
Jim
Yeah. And that's what I was getting at earlier about this thing and that if you just get to the website, you've got a problem. It used to be that you actually had to engage do something. We're getting technically more sophisticated about how quickly we can pass on any sort of corruption, infection or attack.
Laura Payne
I'm going to challenge you on the used to. There's been exploits forever that you just go to the site and you're done. I've been subjected to one like 15 years.
Anton Lavia
That's been a thing for a while.
Laura Payne
It was a poison. So in that case it was a poison ad. So it wasn't even the site itself had been hacked. It was just somebody gotten an ad potent that was circulating and the ad itself was the poisoned attack.
Jim
This is the thing that we're getting to a level here where we've talked about the physical attacks that are out there. We've talked about the fact that you don't. The things that we've warned people about, don't click, all of those sorts of things. They're not as relevant anymore.
Laura Payne
Oh, don't click is still very relevant.
Jim
No, but we. Yeah, no, sorry, I didn't mean that they don't. But that's just a cost of entry. Now you, we people have to get even much more sophisticated about how they, how we, they manage and how we educate them becomes more and more difficult.
Unknown
Yeah.
David Shipley
And I think this is where the.
Unknown
Message about patching your devices is so critical. Right. And by the time Apple or Android releases a patch, there's like X amount of negative day vulnerabilities that are being dealt with. So these are things that have been around and used for a while. Laura and Anton are saying that they finally got around to patching because browser engines are hard.
David Shipley
Traditionally zero click vulnerabilities were reserved for.
Unknown
The most part for higher end NSO group kind of shenanigans where they're using Pegasus to target people. This stuff gets expensive, right? Cybercrime still works on the old cheap, still works before you have to spend real money. This is the economics and that type of stuff. The other thing that's an interesting consequence is when we closed off, I remember the day everyone was waving their mission accomplished flags on the cyber aircraft carrier. For those kids not getting the reference to the George Bush war on terror moment that I'm shaping for the visual here.
David Shipley
When everyone was like, oh my God, Microsoft killed macros. Malware is dead. I'm like, no, you have just created the next wave of malware innovation.
Unknown
And there are lots of attack surfaces.
David Shipley
That have not had the scant amount.
Unknown
Of attention because it has been like malware creation. I'm not a coder, but I genuinely think of it like gold rushes. Right.
David Shipley
There's gold in California that used to be Microsoft Word. There's gold in the Yukon, that'll be browsers.
Anton Lavia
And the same thing happened when Macs became super popular. They started porting malware from Windows to Mac. And so I think it's 2017 or something. Mac for the first time had more new novel malware than Windows in The air. We saw that, too.
Unknown
This stuff is why I always advocate for people. Vigilance is your number one friend. Being skeptical is important. Keeping your stuff patched is vital.
David Shipley
But also anyone whispering into your ear, buy my beautiful cybersecurity AI blockchain technology and all your security worries go away.
Unknown
Is selling you snake oil.
Anton Lavia
You forgot to say Quantum.
Jim
I forgot nothing on the bingo card there. You're denied the prize.
David Shipley
Circle gets the square. I missed Quantum.
Laura Payne
I'm sorry. Though I don't think David is discounting, though, the value of. We think of our phone as, like, somehow not a computer, and it is a computer. So an extra layer of security protection is a good idea. From the trusted and reliable. Again, none of them are perfect. But having something else on there besides just hoping and praying the OS is going to do its job is a good plan.
Anton Lavia
My strategy is I don't trust the phone for anything that I care about. I just go and deal with that elsewhere. So my phone is just considered to be compromised. I actually consider most things to be compromised.
Jim
And that's probably a good starting point.
David Shipley
I would point people. I would point people at the latest reports coming out about Salt Typhoon and that assuming everything everywhere is compromised is less and less. Tinfoil hat.
Jim
Yeah, you went back to updates and things like that. And again, we get back to the general people who were in. In the general populace. And many times because we. Our equipment's all not sitting in some corporate place. Much of it is at home. We're working with phones and all that sort of stuff. And we say things like, you should update your browser. I got instructions on a Chrome update because I was doing a story and they decided to go through the instructions that they gave, and they're all wrong.
David Shipley
Was it written by AI?
Laura Payne
Was it trying to get you to download malware?
Jim
Nothing worked. I don't know if anybody ever notices this, but if you actually read instructions. I don't. I use AI to get my instructions to get it right. Most of the time it's perplexity, but if you actually go and follow the instructions for most things, they don't work. There's always something wrong or missing. Nobody spends a lot of time on this stuff to make sure they actually could do it.
David Shipley
Listen, on behalf of IKEA users everywhere, there is absolute truth to what you're saying. There's that moment where you realize that you have completed a step that cannot be undone, that the little cartoon character did not tell you not to do.
Anton Lavia
What a frowny, frowny face. Oh, no.
Jim
Yeah, that's okay. There's an AI now where you can actually take a picture and it will.
Anton Lavia
Tell you how to put. I assembled the Kallax 5 by 5 within 45 minutes. Yes. Yesterday.
Jim
Yeah. Yeah, that's great.
Laura Payne
See, from that. I know Anton likes Lego.
Jim
Yes.
David Shipley
I know he works in crypto and understands actually how the blockchain works because he can put ideas together.
Jim
Yeah.
David Shipley
But it's. There's an interesting theme, like as we.
Unknown
Go back to this entire story, right. The speed at which things are happening online in real life, the scope of the things that we're seeing. The ransomware gangs are getting hammered, but physical gangs have picked up business because the story of the last decade of crime has been. It's all moving virtual. Don't have to swing the wrenches now. Okay. Police are reacting virtually and wrench swinging.
David Shipley
Has turned out to be back in the toolbox again.
Unknown
These are all things that are just happening in this iterative wheel. I think we're at one of those inflection points where physical crime. I don't think this one guy getting nailed in Morocco is going to stop this trend.
David Shipley
And it's going to be interesting how.
Unknown
This is going to play out if we continue to see ransomware and extortion, because we saw ransomware attacks were starting to threaten physical violence if you didn't pay. They were posting images of people's homes from Google Maps using that threat of violence. So it's interesting. What I hold hope for is that generally cops respond a lot more actively to the violent crime portion. And so this may trigger a more visceral police response. But I think we're in for challenging times.
Anton Lavia
So it's very counterintuitive that we're seeing more physical attacks with advancement in technology. But it definitely seems to be going up.
Laura Payne
It feels like the Internet of things is fueling into it too. When we look at crimes that are more easy to perpetrate if you can defeat the physical security by taking advantage of a digital security control. Looking at car theft, for example, how easy that became to be because the.
Anton Lavia
Therapist had his car stolen like twice within a few months, because they used the whole NFC repeater kind of thing where they got near his house and hijacked his car.
Unknown
We literally have a national security law in Canada that's landed with sweeping new powers in part because massive amounts of cars are being stolen, ironically, and I will point this out, that they're not fixing the root cause of these car thefts, which is absolute insecurity of the car as IoT to Laura's point, we're.
David Shipley
Going to do more.
Unknown
We can raid more places in ports and we're going to spy the crap out of Canadians now. But no, God forbid we make major auto manufacturers use encryption. I don't know, crazy thoughts, but again.
Jim
The things that happen to us. And I just, I want to pull this back just as we wrap up our hour here, because now, I used to say I didn't need an alarm clock because I just woke up in the middle of the night screaming. But that was about backups and ransomware. Now it's like everything is out there. How do we cope with that? How do we help companies and people cope with that? I know on the law enforcement end, they don't have enough budget. We're not spending enough money on law enforcement, but they're still making do with their budgets. And I've talked to a couple people this week and there's the idea that the old idea where if you. You thought you'd been blackmailed or you'd been. Or you'd been scammed or whatever, you can go to the police. And a lot of them are set up, particularly in Ontario right now. They have counselors now they're really starting to step up their game. Governments don't put enough money into law enforcement for cybercrime. They. Feet on the street sounds cool and you can get money for that, but fingers on a keyboard, not so much. But they're still doing great work. So one of the things I would say is that people think that there's any problem, violence, ransom, anything like that, or fraud, go to your police department. There's places like Operation Shamrock that will pick up if the police don't do anything. So we are getting some ways of dealing with this now, but on the rest of it, how do we educate people? How do we make them be safer?
Anton Lavia
Yeah, I just wanted to bring something up about. I don't know if you covered this before, but isn't there like a new cyber security military unit that was started like, last year at some point in Canada?
Jim
Not that I know of, no.
Anton Lavia
Yeah.
David Shipley
So Cyber Command in.
Unknown
In the CAF, but Cyber Command in the CAF is actually more about protecting the Canadian Forces.
Anton Lavia
And it's like, it doesn't have anything to do with chasing down, like.
Unknown
No, we do have CSE and CSIS both got updates in various pieces of legislation, allowed them to do what they call active cyber. And actually some researchers in Ontario just published a report. I just saw it the other day, and I apologize to them if they're listening. It is a super cool report where they actually list what we do know about the numbers of times active cyber are used as part of a disruption operation or other things. It's been used a handful of times. I think the importance of active cyber needs to be coupled with loudly talking about it. It's not speak quietly and have a stick to beat these gangs with a stick and have your prime minister going and if you come back for more, you're going to get three times the beatings, which is what Australia has done. And guess what? They're seeing less shenanigans than we are. So it's typically Canadian to be like, we don't talk about the things we do because we're polite. Like, no. Talk about how you burn their stuff, wreck their servers, expose their criminals. Be loud and proud. We are part of Operation Endgame. I, I would be very happy if we were responsible for the little animated video that we did. But it was probably the Europeans because they're very cheeky sense of humor. But we need to be louder about this stuff. And I think the one thing that I think is going to be interesting is we have this almost Patriot Act-like element to what's happening in Canada with the border security stuff. So you have this big national security emergency. In our case, it's oh my God, we can't sell to the United States is our economic crisis and our response is to pass a whole bunch of stuff that cops have been asking for in Canada since 1999 and our courts have consistently shut down. So it's interesting. Right. Like this is a time.
Jim
Yeah. And we're going to do a special show on that just even for the run of the Canadian audience probably over the next week or so. Because there is, and I think there's a relevance to our US listeners as well. We never assumed that governments would really. Or maybe some of us did. But many people don't assume that governments will abuse the authority. At least that's the argument that's made. If we get all your data, we're only going to go after crooks. I don't think that's always true. And in Canada, just over the past week, the judges have started to say, do you. Revenue Canada was going for just wild amount of information from Shopify and the judges shut it down, said, you just can't do fishing expeditions. You actually have to have a reason, due process and all of those sorts of things. That's the thing I get worried about is that in the rush to do things where we make the argument if you're, if you're for encryption, then you're supporting pedophiles. We make these arguments at that level instead of saying no, there's due process and it's there for a reason. To protect our privacy and to give us the freedom that we're supposed to have.
David Shipley
And my concerns are practical. Right. CIA, the NSA in the United States both had all their super cool hacking tools either hacked and stolen or leaked by their staff. And if they can't keep the keys safe, I don't know if we've looked.
Unknown
At the Government of Canada's track record, but Global Affairs, we aren't exactly paragons of security. No, you can't have global backdoor keys. And they say they're not asking for backdoors. This is the ongoing debate. This is crypto wars 3.0, not cryptocurrencies. Time back to the original crypto wars.
David Shipley
Which was can I have nice things.
Unknown
Like secure banking online or are we going to burn it all down?
Laura Payne
I want to end this with a feel good story. It's just a nice local story. It was highlighting that there's a young man in the Barrie area, his name's. I'm going to find it. Sorry. As part of his Chief Scout Award project, he was inspired to research on protecting against cyber fraud and cybercrime. His project got into the kind of things we've been talking about, QR phishing and deepfake scams. He put this all together and shared it with the Barrie police who picked it up and said, how can we help amplify this? They actually hosted an evening last night just putting that out there. Small seeds of interest can have big.
David Shipley
Ripple effects and I know we're going.
Jim
To end on that note. Laura, give me the contact. We'll do an interview with this young man.
Laura Payne
Awesome.
Unknown
That's phenomenal.
Jim
We need.
Anton Lavia
If you're listening, way to go.
Jim
And if you are listening, you've got an invitation to be on the show. That's our wrap up. This was an interesting conversation this week, but I think as we said, Laura, you talked about it when we started. Laura last month. We said there's a whole lot happening.
Laura Payne
It's never dull.
Jim
I want to thank my guests, David Shipley, Laura Payne, Anton Levia, Antonio, you got to come back and, and keep us honest at one point.
Anton Lavia
I'd love to. This has been very fun and we'll.
Jim
Yeah, this has been great. So thank you to everybody who's listening. That's our show. If you've enjoyed the show, please let a friend know. You can find past episodes of our podcast now on our new improved website at technewsday.com. By popular demand, people have asked me to make sure we have more information on these things. You'll be able to find them there, and you can refer your friends to that and all that good stuff. And just as a little bit of a personal appeal, we do take sponsors, but we're really picky. We don't want people who are hawking stuff or anything like that. So we're always in a revenue crunch on this show. So if you'd like to support us and help provide the content we provide to you, please go to buymeacoffee.com/techpodcast. That's buymeacoffee.com/techpodcast. And you can buy me a coffee. Thanks a lot. Thanks to our crew and we'll see you next week.
Cybersecurity Today: Episode Summary
Title: Cybersecurity Month in Review: Uncovering Digital and Physical Threats
Host: Jim Love
Release Date: June 7, 2025
In this episode of Cybersecurity Today, host Jim Love welcomes his regular panelists—Laura Payne, David Shipley, and newcomer Anton Lavia. Jim sets the stage for an in-depth discussion on the latest cybersecurity threats, both digital and physical, that have emerged over the past month.
Jim introduces the first major topic: an enigmatic individual known by the alias "Gang Exposed." This leaker has been actively dismantling organized cybercriminal networks by doxing key figures, including Vitaly Nikovalych Kovalev, the leader of Trickbot and Conti, and a Russian professor, Vladimir Viktorich Kvitko.
Key Points:
Discussion Highlights:
Laura Payne shifts the conversation to the evolving landscape of ransomware, focusing on LockBit's recent strategy to lower barriers to entry for aspiring cybercriminals.
Key Points:
Notable Quote: Laura observes, "They're offering their light service now, which I think is just an interesting kind of follow on... they'll just have a dog's breakfast of newbie attackers going into the ecosystem." [07:01]
Discussion Highlights:
Anton Lavia brings attention to a disturbing trend: the rise of physical attacks targeting individuals in the cryptocurrency sector.
Key Points:
Notable Quote: Anton remarks, "When you have the cryptographic material that allows you to move a lot of funds like you're an immediate target, it just makes sense for an attacker to come after you." [20:56]
Discussion Highlights:
The conversation transitions to the rise of QR code-based phishing attacks, colloquially termed "quishing."
Key Points:
Notable Quote: David comments, "Quishing is just... it's triggering all kinds of visceral uncomfortableness." [29:02]
Discussion Highlights:
James discusses the challenges faced by law enforcement in combating cybercrime, particularly the lack of adequate funding and resources.
Key Points:
Notable Quote: Jim states, "Governments don't put enough money into law enforcement for cybercrime... how do we educate people? How do we make them be safer?" [40:48]
Discussion Highlights:
To conclude on a positive note, Laura shares an inspiring story about a young man from Barrie whose Chief Scout Award project focused on combating cyber fraud and cybercrime.
Key Points:
Notable Quote: Jim encourages, "If you are listening, you've got an invitation to be on the show." [46:57]
Jim wraps up the episode by thanking his panelists—David Shipley, Laura Payne, and Anton Lavia—for their insightful contributions. He underscores the importance of staying informed, vigilant, and proactive in the face of evolving cyber threats. Additionally, Jim invites listeners to support the podcast through buymeacoffee.com/techpodcast and to engage with the new improved website for more resources and past episodes.
Final Takeaway: As cyber threats continue to blend the digital and physical realms, the collective efforts of cybersecurity professionals, law enforcement, and informed individuals are crucial in safeguarding against these multifaceted dangers.
Notable Quotes with Timestamps:
This episode of Cybersecurity Today offers a comprehensive overview of the intertwined digital and physical threats facing individuals and organizations alike. Through expert analysis and engaging discussions, Jim and his panel provide listeners with valuable insights into the current cybersecurity landscape and the measures needed to navigate it safely.