Transcript
Jim Love (0:01)
One-third of Canadians fear identity theft but reuse passwords. Chinese hackers capture SOHO office tech. And yes, you heard it right. Cybersecurity premiums went down last year. And finally, throwing Jeff Bezos out of your bed. This is Cybersecurity Today. I'm your host, Jim Love. Okta released its 2025 Customer Identity Trends Report yesterday, revealing a dangerous contradiction in Canadian digital behavior. While 67% of Canadians worry about identity theft, 65% admit to reusing the same passwords across multiple accounts. The findings come at a critical moment. Just last week, billions of login credentials were leaked online, reinforcing the vulnerability of password-dependent security systems. Yet the report shows 62% of Canadians say remembering unique passwords for every account is simply too difficult. But here's where the business impact becomes critical. 76% of Canadians will stop doing business with a company after a data breach, with nearly half never returning. That's not just a security problem. It's an existential business threat for companies relying on weak authentication methods. Trust patterns show clear hierarchies. Banks earn confidence from 66% of Canadians, while only 27% trust small online retailers with personal data. This trust gap creates competitive advantages for established institutions and higher barriers for emerging businesses. This trust deficit extends beyond passwords, by the way. The report reveals 83% of Canadians prefer human interaction over AI agents, suggesting companies may be rushing to deploy AI-first customer experiences, but they may also be alienating their user base. But the security issue is the one that's front of mind. And for many, the solution isn't asking customers to remember more passwords, it's eliminating them entirely. Yet only 27% of Canadians currently rely on stronger security measures like two-factor authentication.
It's both a challenge, but also a massive opportunity for those who can implement passwordless technologies successfully. And for Canadian businesses, the message is: customer trust is fragile, and password-based security creates commercial risk. Companies that fail to implement stronger authentication methods risk losing customers permanently in an increasingly breach-prone digital landscape where consumers fear the very threats that their own habits enable. Security researchers have uncovered a sophisticated Chinese hacking operation that's quietly turning home and small office equipment and routers into a global spy network they're calling LapDogs. The campaign uses a custom backdoor named ShortLeash to take complete control of everyday devices like routers and IP cameras, then disguises itself as legitimate web traffic. The hackers mock law enforcement by creating fake security certificates that impersonate the Los Angeles Police Department. SecurityScorecard's research team found over 1,000 infected devices worldwide, with the heaviest targeting in the United States, Japan, South Korea, Taiwan and Hong Kong. The operation specifically hunts for older, unpatched devices running outdated software, some dating back to the early 2000s, the researchers found. About 55% of compromised hardware came from Ruckus Wireless, now part of CommScope, with Buffalo AirStation routers also heavily targeted, especially in Japan. These devices typically run lightweight web servers with default settings that make them easy targets. Unlike noisy botnet attacks that flood networks with obvious malicious traffic, LapDogs operates as what experts call an operational relay box network. Think of it as a digital shell game. Hackers bounce their real attacks through these compromised home devices, making it nearly impossible to trace back to the source. The campaign shows sophisticated planning.
Researchers discovered the hackers launch attacks in coordinated batches, sometimes targeting just one country per day, other times hitting multiple regions simultaneously. All infected devices in each batch use the same network port, creating a digital fingerprint that helps investigators track the operation. What's particularly troubling is how these devices fly under the radar, Ryan Sherstobitoff from SecurityScorecard says. These are often overlooked in audits and patching cycles. Many are managed by third-party providers who may not even know they're compromised. The security implications extend far beyond individual users. When hackers control your router, they can monitor all Internet traffic, steal sensitive data, or use your device as a launching pad for attacks on bigger targets, like critical infrastructure. For businesses, the recommendation is clear. Replace older routers, require vendors to provide regular security updates, and separate these devices from core business systems through network segmentation. How we deal with the massive amount of unpatched devices in small and home offices is another story entirely, but one we may ultimately have to deal with. And here's some good news. Apparently, for the first time since tracking began in 2015, cyber insurance premiums actually dropped in 2024, falling 2.3% to a total of $7.1 billion in premiums. But the seemingly good news comes with a significant twist that reveals how the market is really evolving. According to AM Best's new report, the decline was driven more by pricing changes than any changes in risk exposure. The credit rating agency didn't elaborate on what specific pricing changes caused the decline, but it would be logical to assume that some of the pricing is diverting clients away from the higher-risk and lower-profit areas of cyber insurance. Another part of the story lies in what's not being counted.
Large companies with strong cybersecurity track records are increasingly ditching traditional cyber insurance altogether, instead creating their own captive insurance companies to self-insure their cyber risks, AM Best explained. Organizations that have strong cyber hygiene and historically good loss experience are finding it more beneficial to pay their own captive, keeping the money under the same parent, thus keeping the benefit of their own good experience. These self-insurance arrangements don't show up in the premium data, potentially masking the true scale of cyber insurance demand. Meanwhile, insurers remain highly profitable with loss ratios below 50%. If that's correct, it means that they're paying out less than half of the premiums collected in claims. So why is this happening when just a few years ago the worry was that some providers might go under or stop issuing policies altogether? One potential factor that might be resulting in lower losses for insurance companies is that more and more companies may not be paying ransoms; there's some data from 2023 and current anecdotal data that indicates this. The most recent case was Coinbase, which not only refused to pay a $20 million ransom, but then turned around and offered that same $20 million to anyone who might give information leading to the apprehension of the ransom gang members. And while some of this reluctance might be driven by doing the right thing, as long as companies pay ransoms, there will be ransomware. But there's also maybe a more pragmatic aspect to their behavior. There have been so many reports of companies paying and then finding that their data was still for sale on the Internet, or where they were attacked or ransomed a second time, that paying seems to be a waste of money that could be better used in their recovery efforts. There are some other red flags in this otherwise positive report.
Insurers are heavily dependent on reinsurance, ceding over 50% of their premiums to reinsurers, more than any other insurance line. And artificial intelligence is also emerging as a major concern, although not in the way you might think. With the New York Times lawsuit against OpenAI for ChatGPT's use of the Times' content without permission, we're highlighting new risks that traditional policies weren't designed to cover. And it's possible that this premium decline may also be temporary. Munich Re projects the global cyber insurance market will reach $16.3 billion in 2025 and potentially $29 billion in 2027. Whether this is increased demand or increased premiums, we're not sure. But hey, let's take the good news when we can get it. It might be a good time also to try to lock in your rates for as long as possible. And finally, in an article titled "Getting Jeff Bezos Out of My Bed," a security researcher found what was under the covers in his new smart mattress. And that could give you some nightmares. The security expert discovered his $2,000 smart mattress was riddled with security vulnerabilities that let engineers spy on his bedroom. The Eight Sleep mattress, designed to regulate temperature, was doing more than just collecting sleep data. The researcher found that any company engineer could remotely access the customer's beds. This would allow them to monitor when people slept, detect how many were in the bed, and even know when houses were empty. But the bed's computer could also potentially access other smart devices on the home network, from laptops to smart fridges. And whoever designed the overall corporate security to manage these devices was apparently asleep at the switch. Most alarming was a backdoor allowing engineers to bypass all security controls and run commands on every customer's device. But the threats were not only for individuals who owned the mattress.
Reportedly, our researcher found live Amazon Web Services keys that could have cost Eight Sleep hundreds of thousands of dollars per month in cloud bills if they were exploited. That's the type of thing that should give finance some nightmares. But in the end, our expert decided he wasn't going to lose any more sleep over these risks. He ditched the $2,000 Internet-connected bed system entirely and replaced it with a $150 aquarium chiller with an appropriate, and presumably, we hope for the sake of irony, analog temperature control. By unplugging the bed's tubing and connecting it to the chiller, he got all of the functionality with none of the surveillance. And this might seem extreme, but there's another issue that might actually make this pay for itself. He'd lost the cost of the initial system. His new solution, however, lets him avoid the monthly maintenance fee that he would have had to pay. Yes, he'd have had to pay a maintenance fee of $24 a month. So his new system could, depending on how long he kept the mattress, pay for itself. A dream come true. And the real point is it works, he explained. Now you have all the temperature control with none of the apps, subscriptions, Internet connectivity, backdoors, and security liabilities. And it makes you wonder: if a $2,000 mattress can't protect user privacy, what about smart TVs, thermostats, door locks, all the other devices in your house? Sometimes, maybe the smartest solution is choosing the dumb device that just works without watching you sleep. So go ahead, kick Jeff Bezos out of your bed. And that's our show. We hope it's everything you dreamed it might be. Love to hear from you. You can reach us via our contact form on our newly renovated website at technewsday.ca or .com. Take your pick. I'm your host, Jim Love. Thanks for listening.
