A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at meter.com CST.
Welcome to Cybersecurity Today, our month in review show. And we have.
Drumroll. Laura Payne from White Tuque, who famously gave me a white tuque this year, and David Shipley who, not to be outdone, made sure I got a Beauceron hat. But also. And now we're upping the ante on this. I don't know if you can read this, because I couldn't take the. Because I drank the coffee already. This is Ocean Air Coffee, a local New Brunswick company.
B
Yeah.
C
So we've partnered with Saltwinds, and they're a cool tech story as well. Saltwinds discovered that the coffee that was made and shipped in the Age of Sail had a distinct flavor to it. It was often less bitter than the.
B
Coffee that we have now because over.
C
The course of the journey, the salt in the air would infuse into the coffee beans and create a different kind of flavor profile. So they actually invented a technology to do this. And my wife and I have enjoyed their coffee for years. We've now partnered with them to create Beauceron-branded coffee. It's called En Garde.
A
Huh.
C
Works in English and in French, and very much playing up on our proud Canadian roots, both companies being Canadian. And we're bringing it to a Canadian conference near you, and any of our clients listening, you can easily request a taste of coffee. In this age of inflation, and coffee apparently is leading the cost, we're trying to do our part to help. Be patriotic. Dear American listeners, we love you, but unfortunately, due to the tariff situation, cannot.
B
Bring you coffee at this time.
A
We're working on it though.
Yeah. So just I. And the old pitch, just for the cost of a cup of coffee a day, you two can have friends listen. But it was a great gift. It was the. And like I said, I went to look for the bag for the show and I realized we drank it all.
C
And it has a beautiful little Beauceron character in his full-on barista outfit. It is somewhat of a collector's item.
A
There you go. So we want to get to the news from this week. I don't know where you guys want to start. I put together a couple of stories. One of them, and I think I will start with it. And, David, there's a couple of ones I know you've got. And, Laura, you'll have some as well. But the one that just got me was not one story. And many of these things I'm going to bring up today aren't just one story. We've gone back to this living off the land thing. And for all of you out there, I know I don't want to talk down to anybody, but I hate using terms and then some people might not know what they mean. But living off the land means essentially you're using the tools that are natural for that environment, and you stay hidden from most of the things that are used to detect malware and other threats. And this is. It's been around for a long time, but I was reading a story about the Ukraine war, and for anybody who thinks that war is only fought with guns, no, there's a lot of intelligence that goes on. There's a lot of cyber war that goes on. And one of the ways that they stayed hidden was to use Microsoft utilities. And then I read that story, and then what happens when you see a story and then you see it everywhere? That happened to me. And then there was a story that came up. Because this has been around for about 12 years, I think my research says, from somebody that gave it to me. Sorry, not my research. The person who tuned me into this said that it was Christopher Campbell and Matt Graeber who used the term living off the land first. And that was a dozen years ago. So it's been around for a long time, but now I'm seeing it everywhere. There was a Microsoft story this week, we ran with it, that said that attackers were using PowerShell, WMI, Task Scheduler, all legitimate Windows components. And PowerShell downloads a script. That's what it does. WMI executes commands remotely. Yeah. Could be a scheduled task.
There's nothing that involves a really suspicious binary, and it doesn't look foreign to the system. I saw that. Then all of a sudden, there were fake Calendly attacks. I don't know whether you guys use Calendly. A lot of executives do. Now I need to book time, so I'll put time out there. People can book in to Calendly. Now the people are sending Calendly. I guess they're phishing attacks, and they're targeting them really well. Now, this was another one that came up.
They're using Calendly and an approach that really goes after people who are in the ad game.
B
Yeah.
C
So a couple of different things.
B
Like, I think you're seeing the evolution of the concept of living off the land as applied in social engineering.
C
Living off the land, what?
B
Number one, it's hella convenient, right? You don't have to do the extra work. You're not going to fly above the tree line and trigger all the EDR threat detection alerts, because it looks perfectly normal. So you use what you have, and you're much more likely to maintain persistence.
C
And, and it works. It works really well. So why go fancy now? I am of course going to be.
B
As our regular AI critic, point out.
C
That Microsoft has just put the plumbing in place for the evolution of living.
B
Off the land with their new Agentic AI framework in Windows 11. Amazing.
C
We used to call these rootkits, malware, all kinds of other things. But now through the magic of social engineering and agentic AI, I don't have to sweet talk you in a phishing email.
B
I have to sweet-talk your AI to then go and download a PowerShell script and go from there. So we keep making it harder. And the other thing that gets interesting in the age of AI is the more and more network traffic and noise, as we think about what agents are going to be doing and the level of network traffic that's going to generate.
C
And keep in mind most security tools.
B
That monitor for weird things that are happening on device and even over a network go back to a central log management component and they charge by how much data is being generated.
C
So we're going to see enormous pressures.
B
On how long logs are going to be able to be retained, what level of detail will be in logs, and a lot of noise. Living off the land is going to be even more successful in the age of AI. And then lastly, on the social engineering side, it's not just Calendly, it was iCal and Google Cal invites, it was DocuSign, and DocuSign is having a hell of a time.
C
And what's interesting is with DocuSign phishes.
B
They are coming from DocuSign. People have signed up for legitimate DocuSign accounts and they're loading malicious content into DocuSign.
C
And so if your business actually uses DocuSign, your email filter is going to.
B
Allow the DocuSign emails in. In fact, your IT may have even allow-listed the Calendly or DocuSign emails to come in and be delivered. And your last line of defense, educating.
C
Your people to question the context of.
B
Things coming in. Crazy. That still is actually an important part of it.
C
But for DocuSign and others that use.
B
A freemium model to recruit customers in, that also lets criminals in. This is a whole new level of pressure now, and they're having to expend a lot of money to try and battle this issue, and it's negatively impacting their brand.
A
Now, in fairness, David, I have to say Microsoft has warned people that Windows 11's agentic AI could install malware on your PC, and you should only enable this feature if you understand the security implications. So it's not like they're doing nothing about this.
C
So one of my favorite movies, culture critic hat on, is Catch-22. So if you're familiar with the movie at all, the pilot is trying to.
B
Get out of a very dangerous air duty during war.
C
And of course, he's a very sane individual, realizes that continuing to fly will get him killed. And so he pretends to be crazy.
B
So that he can be downlisted from being able to fly.
C
The crazier he pretends, the more the military says, no, you're fine. And they say, what do you mean? You'd have to be crazy not to.
B
Pretend to be crazy.
D
So you're fine.
C
It's Catch-22.
A
Yeah.
C
Microsoft saying this can be used to, will be used to, install malware. It's basically telling you, here is a security implication. If you understood the implication, you wouldn't enable it.
A
Now, to be fair, Catch-22 also explains the economics of AI, because there's a very famous scene in there where a guy buys eggs for 8 cents a dozen and sells them for 5 cents a dozen and makes a profit, and they actually do explain it.
D
So that's how the math is mathing now.
A
It solved two problems in there. Catch-22, it's like 1984; they've turned into manuals, not novels. And so anyway, we've been taking all the oxygen. This has got to be something that you see hitting clients very much.
D
Very much. And it was highlighted in the Threat Outlook that was released by the Canadian government earlier this year as one of those emerging trends that we're seeing. And it's the equivalent of somebody dressing up in a uniform of your cleaning crew and walking into the building. Like, for people who are still like, what's the analogy that I can wrap my fingers around here? It's somebody who appears to have the authority to be where they are, but they don't. And it's, as with so many things, where we created convenience models, and the calendar invites are the perfect example of that. Right. How convenient. Calendar invite comes in, gets automatically processed. No AI needed, right? No, it got automatically processed into your calendar, started being used by salespeople to try to just hijack their way into your time. Guess who's on there next? Right. As soon as somebody's starting to use it for sales, and social engineering, they're very related types of fields. It's just whether you're trying to sell a product or trying to get someone scammed.
A
Yeah. Laura will not be circulating this video to her sales team.
D
That's the point.
The principles apply. Right. It's, you know, how your customers will feel about you if you apply social engineering tactics is probably the way I feel about very pushy salespeople. A good salesperson doesn't need to employ these kinds of tactics. That's my take on it.
A
And I was making a joke, but I don't dis salespeople. I will tell you, as somebody who ran a consulting practice and then tried to run my own company and do the sales, I phoned every single salesperson who worked for me and said, I'm sorry, you have a hard job. Let's get that outta the way. But this whole thing of living off the land. Yeah, you're right about it. It's been around forever. In my book, I once took one scene where somebody got past a security guard by walking in coveralls. Why? Because I'd lived it. I walked in and saw people walking out of our building with PCs. I asked the security guard, these guys, should these guys be doing this? And they started to run. And I'm like, this is a real thing that happened. But they had coveralls and clipboards. And so no, in my book, I have to.
D
That's the fancy effort. I was going to say it's a fancy, effort-based version of just walking around like you belong. Right.
A
Yeah. And now you wear coveralls and you have an iPad and you get in anywhere and I guess DocuSign document.
D
No.
A
Yeah, DocuSign document. But this is what's our waste on this.
D
I think it really highlights the challenge for providers. And David hit on it with, especially when you have the freemium version. Right. How do you provide that service? And you want people to use it, and you want it to be available to organizations like small companies that are starting up. Right. You want them to have the opportunity to do things in a better way. Digital signature is definitely better than scanned copies of wet signatures. Right. So we want people to have access to these services. But wow, does it put an awful lot of onus on you as a provider to understand what content people are putting in your platform that's malicious. And I mean, we picked on DocuSign a little bit here just because they're a sweetheart at the moment in this space. I do appreciate that for them this is a more containable problem and challenge than what we see on social media, which is just the bigger version of that challenge. How do you manage, when you've opened your platform for people to put content in and publish to others, that what they are putting in there is not obviously for the purpose of damaging others? And social media's got a whole other gray area there. But yeah, many services have this.
B
Problem. And a not-so-gray area. This is probably stretching the boundaries on cybersecurity, but because it enables, it's about, digital fraud, I'm going to ask.
C
Jim for a hall pass on this one. But in November, Reuters dropped a.
B
Blockbuster story, and I'm still pondering the full implications of it. But what Reuters discovered is Facebook owner Meta's own documentation showed that they estimated that 10% of their global ad revenue was knowingly coming from fraudsters and scammers, and they still took the money. Why? They had bills to pay. What does that translate into? Roughly 15 billion scam ads per day on social media platforms.
C
So the root of this is something.
B
Banking's had to do because of money laundering laws: Know Your Customer, KYC.
C
And the Americans have poked at the.
B
Edges of this with requiring hyperscaler cloud providers to start implementing some basic KYC, and that's going to be increasingly important.
C
Segues nicely, Jim, into the stupidest.
B
Move I've seen of 2025 going to.
A
Stop, hold that thought, because I want to comment on the social media thing, because I think they are related. Perfect. I think fraud is something that has victims, and it is part of the cyber threats that are out there. And we'll do our crappy person of the year award or something soon, or the crappy person of the month from this, but Meta's coming close on this one. My wife is on social media. I'm not a big Facebook guy. I've got a lot of things to do with my life beyond watching people crab at me, and I get enough of that on LinkedIn now. I don't need to go looking for more.
No, but I love comments. That's why I always say I like constructive criticism, because you suck. Or when I'm doing an interview with David and somebody who's a former CSIS person and somebody tells me that this person knows nothing about security, criticism is okay. But the rage baiting, the word of the year on social media, I can live without. But when I hear some of the stories, because my wife reads me some of these stories about people who've been taken time and time again by these ads, and unfortunately, many of the people who are taken by these things can't afford it. So I don't want to give Meta a pass on this. This is not a victimless crime. Fraud is something that inordinately affects people who can least afford it.
D
And this might color it too. We know in business money talks, right? So for the big advertisers who are spending real large amounts of money in single shots with these platforms, I think there's an opportunity there to really push for change, because your brand gets diluted by every crappy scam ad out there. So if you want the platform to be a place where your ad dollars actually return for you, make that noise, right? Or walk, right. Show the platform that it's not where you can be anymore, because they don't support an integrity environment.
B
As always, dear listeners, Laura always finds the brilliant, easier, better path.
C
My harder role of, we need government KYC regulation on these. So it's going to be a cold.
B
Day in hell to get government to help.
C
I'll tell you that's brilliant, Laura.
A
I did this thing a long time ago about who does purchasing online. Everybody's pitching me. I see the girls in tight sweaters and I'm human, but you're not selling me anything, guys. But my wife is a person who does a ton of online shopping and a lot of buying. So if Meta thinks that they can impress a guy like me and they can toss away, cut off people who actually talk to each other and share these stories and then stop buying on Facebook, they're going to be sorely. They will. There's a day of reckoning on that. And so I totally agree with you, Laura. The best thing people can do is push these companies, and these companies should be pushing Meta to say, when you pee in the pool, nobody goes swimming.
C
Yeah, no way.
A
I guess it's probably I should. Yeah. I love this colorful subdivision.
B
I. You know what? I think it makes the point about the poisoned environment.
C
And you know, it's interesting.
A
I was interviewed by that's my culture toy story.
B
Yeah, there we go.
A
Somebody poisoned the water hole.
B
Yeah, there we.
C
CBC did a big thing on Black.
B
Friday scams and the rise in scams. By the way, it increases 300% in the holiday season. It's nuts. And BMO and RBC in Canada did phenomenal jobs as banks, with press releases and consumer education around the rise of fraud. JPMorgan Chase did 22 targeted in-person sessions in cities across the United States.
C
As much as we're going to give.
B
Potentially Microsoft or Meta the stinky for this episode for their various shenanigans, I don't know what the champion award is going to be, but banks are stepping up and it's good to see.
C
One thing I was giving in my.
B
Advice to CBC was stop using ads, stop clicking on the ad, stop following them.
C
If you see something interesting from your.
B
Best Buy, your Walmart, your Costco, wherever, go to the website and go find it there. Purposely bypass it. One, it'll be safer for you.
C
Two.
B
It'll send a message about exactly the point that you've both made so well in various ways. It's time for the pool to get cleaned up.
A
I think it's a good general rule whenever it works. I think that should be one of the things that people adopt. If it's at all possible for me to not click on something and just go and do a search on the name myself or type in the URL myself, that's what I do. And as I figure, I'm a Prime customer; what deal is Amazon going to offer me on an ad that they're not going to offer me on the site? And by the way, the good part of AI is you can say, check the prices for me, and it will hallucinate. Oh, if a deal's too good to be true, it probably is.
C
Even if AI tells you. Which, speaking of deals that aren't the deal you think they are, so segueing back to living off the land a little bit. So Microsoft, in its infinite wisdom, that.
B
Is its intense competition with Slack, has.
C
Decided to roll out by default as of January to all tenants, a new.
B
Invitation to chat that can be delivered by email.
C
Now, what's interesting about this chat is it's different.
B
It's a new feature on top of the ability for your users to communicate with other external Teams tenants, which, by.
C
The way, I despise. Way to turn Teams into email again, great.
B
But don't worry, they're taking the logical conclusion of polluting the Teams environment even further with this guest invite. Now, what's really cool about this is Microsoft and others have taught people for years that in a properly licensed, i.e. spend more, Microsoft Teams environment, we have.
C
Features such as Safe Links, Microsoft Defender for Office 365 and other key features that will automatically protect you. Except if you're invited with one of these new guest chat invites and the tenant doesn't have these things turned on. I.e., it's Dave Cybercrime Inc.'s Microsoft 365 tenant inviting you to a chat. When you arrive in that environment, all.
B
Your protections are off. It's who's hosting the chat.
A
We want to walk through this really carefully, because when you first brought this story up to me, I read it the first time and I think, I don't know if they changed it, but I went, I can invite outside people. Big deal. What's the big deal? The big deal is you don't invite the outside people. You invite their rule structure.
C
Yes.
A
So when you follow that invite, you're not in your own Teams environment. You're in whatever rule structure they have, whatever malware they have, whatever they've got going, and you think you're being protected and you're not.
C
Exactly. Yes. And that's the end to the average user.
B
It's just Teams. I'm just having a Teams chat. I was told by my IT team we had certain protections and.
C
But they don't realize those rules don't apply. It's almost when you cross the border.
A
Right.
C
It's the rules of the land you.
B
Have now entered is the closest analogy I can come up with. You are no longer operating under your country's laws. You're in the new country's laws and.
C
That's where the risk applies.
B
I understand the business reasons for wanting to make Teams as easy and popular and well used as possible. Completely get this. But this is not complex. The rules of the participant should be governed by their organization, regardless of where they're having the conversation. If those rules are higher, so simple logic: whatever environment has the more stringent controls, those laws apply. Microsoft, please, in your infinite wisdom, if anyone is listening and is not assigned to some bizarre AI project right now, whatever scant humans are assigned to this particular rollout, please steal my idea and go with the law of the higher rules. If you do not, you have created the greatest, second greatest, living off the land gift after Windows 11 agentic AI. And we're not going to have a good year in '26. We're not going to have a good year for a lot of reasons. You're making it worse.
A
Please stop.
D
And I will say, without having had time in the last five seconds to fully deep dive into where the options are, I will say for anybody who's concerned about this and has the opportunity to look into the rules, because Microsoft does tend to give control, may not be super granular, but does tend to give control to the people who manage the tenant to allow certain activities, including being allowed to join external chats. So that's the kind of thing that, as a configuration holder, right, you should be looking into and making sure you have made the right choices. And I will say a lot of large organizations that I've either worked in or worked with have done that, right? They made Teams an insular kind of organization. Or they can invite people, but you can't go join random other places. So just, I think, to maybe just wrap that one up, it may not. I'm not saying it's not as bad as it is, but you may have choices and you may need to just.
A
Check and look. I think David's point, because when he called me about this, he went, I got to talk to somebody. What's happening here? This is enabled by default. And if there are ways to shut it down, the proper way to introduce this would have been to make it new, leave the defaults as most protective, and if you want to take this and take the risks, then know what they are. And I think that would have been a better introduction as well. I agree with you. But there are things you can do.
B
About it, and you should. And Laura is 100% correct. So you can put in place cross-tenant policies so that guest access is only allowed to vetted partner tenants. But my point is that this MC1182004 feature is being rolled out globally and on by default, and I study human behavior.
C
And the irony is, here's Microsoft saying.
B
After they get hacked royally by the Chinese and the Russians, we're going to.
C
Put a memo up from the CEO. Secure Future Initiative. Every executive is incented by security.
B
That was cute before we were incented by AI.
C
And then we're like, we're going to roll out on default the single greatest gift to phishing in 20 years. These things don't reconcile.
D
Kids.
C
Your competitive urge is overwhelming.
B
Secure Future Initiative on this one.
C
Somebody in Redmond call somebody, raise the red flag.
B
Because when a US government department, and it probably will be a US government department, forgets about this feature and leaves it on by default and they lose something important, you're going to hear the screams from a certain U.S. senator who really doesn't like you already, and you don't want that.
C
So this is my gift to you.
B
Microsoft, the gift of foresight.
A
And Laura's been able to talk him down a little bit. That's good. You're going to be the David whisperer, Laura, so that's good. So do you want to let us keep clobbering this stuff or you got something you want to bring up on this?
D
I will bring this one up because I feel like, for me, it flew a little bit under the radar until I was doing my review, but it just highlights the importance of understanding what's happening in the larger enterprise. So Oracle had a significant vulnerability earlier, and that led to multiple large organizations being breached through its E-Business Suite. And this is again Clop that's doing what they do, right? Finding juicy low-hanging fruit and bearing it, doing their homework, and then really executing. Congrats to them for doing a good job and being able to take advantage of that. But this is a case where the patches for the flaw actually came out in October. But Oracle, and this is. Sorry, I want to be clear, this isn't a commentary about Oracle. This is more about the hygiene around making sure you stay on top of these things.
C
Right.
D
It's easy to get caught up in the big Windows patches, and you have a really good cycle of patching for that, and it's easy for Windows workstations. Software on workstations has lots of auto updates and things like that. But these really big core systems, where people tend to be a little bit cautious, and not without good reason, around getting a patch applied because of how much it can impact from an availability perspective if the patch doesn't work well. But it doesn't mean you have weeks and weeks to patch a critical vulnerability; it needs to still be done. I wanted to highlight that one, and we're talking about universities, we're talking about major global suppliers that had their data extorted on them as a result of it being extracted from these core systems.
B
And a couple of interesting things about this. So first of all, Clop is back. Shady's back, man.
C
This group, by the way, their name is a play on a Russian.
B
Play on a blood-sucking tick, which I guess they are, a parasite, and they continue to do their thing.
A
I like to see people who live up to their brand.
D
Yeah.
B
Who really have done the full ownership of this.
C
So what's interesting is so this gang.
B
Picks a software supply chain target, and they really think about it and they work it. And they work it and they work it. These big file transfer breaches, remember those, that basically caused a year's worth of nightmare for so many folks.
C
They MOVEit. We got to move it.
B
Sorry, I just can't resist making a pun on this. And I'll have to watch that animated movie again.
A
But it was the MOVEit file transfer. These guys took that on, which was an enormous one.
C
And so with Oracle E-Business Suite, they're back.
A
This is at least a hundred customers who are significant. There are 10,000 people in the Washington Post. These are not small installations.
C
Numerous Ivy League universities, which of course segues well into Penn, the University of Pennsylvania. Like, disclosing a data breach sucks.
B
Disclosing a data breach after a group of very angry hackers send some of the worst content you can imagine, using your email addresses, and downloading your entire donor database. That's a double suck. And I want to say that without humor and just with absolute empathy. This is their. The Queen used to say, the horrible years. Right. The annus horribilis. For Penn, this has not been a great year. Then of course it comes in this May. Multiple class action lawsuits. And the thing about the Penn stories that has been standing out is, of course, the standard questions now emerge faster than ever. Did you have multi-factor authentication? Not that it's a silver bullet, but it's like a necessary question of, were you wearing your seatbelt in the car crash?
C
And it turns out that some executives.
B
Were exempted from having to wear the seatbelt because it was too inconvenient. And that is going to be a massive problem for them. And a reminder that when we talk.
C
About security culture, it's not just assigning mandatory security awareness training once a year. It's people see your leaders. And if your leaders get treated differently, not only does that send a signal to your employees, but attackers really appreciate you.
A
Yeah. And maybe it's not you or I, the hotheads of the world, maybe it's the Lauras of the world who could sit people down and have a calm conversation with them and say, do you know what messages you're sending?
C
Yeah, yeah.
D
And you know what? Sometimes, I will also say, you just turn it back on for them. Yeah. They asked for that exemption five years ago and people are still tiptoeing around them. You know what? I bet they're probably a little bit more ready now. Right? It's probably fine. It's just not top of their agenda to think about, hey, how come I don't have MFA? Oh, I can't.
A
Yeah.
D
So revisit those decisions. But yeah, I think too, it's a red flag for any organization at this point if you have leadership who resists core controls that are now very much, there's public awareness and understanding. There are very few people, I think, in the workforce who do not know at least the letters MFA and understand that's appropriate to have on their accounts. So, yeah, I don't think there's any excuse anymore for that, as we've discussed multiple times. And there is something to be said as well for, yeah, the types of exploits that are really, really difficult usually are not preventable by MFA. Remote code execution has nothing to do with MFA. In fact, it may even be a vulnerability as part of the authentication process.
A
But keep a good thought.
D
But every time you have.
A
I'm always so cheered up after we have little talks.
C
I know.
A
Yeah, I'm thinking about that one now.
D
It's my gift to you. But. But the thing is. Yeah. At any time you have an incident, the first questions asked, to David's point, are always about the basics. Did you at least do the basic things that everybody says you should do? And if you're not even doing those, then the rest of what you're doing comes into question. So do yourself a favor. Everybody's going to have an incident. It's not a question of if. It's just when. The more things you have done that just take question off the table of your integrity and your intent, the easier it will be to have real discussions about what actually happened.
A
I think you can have a polite discussion right now if executives are bypassing security. And don't take career advice from me. I'm the guy who had a CFO of an insurance company throw something at him because I told them no on something. And it's not great career advice; you can be better. You can be a better communicator. But I think you can sit them down right now and say, when we're hacked, and we will be, and the insurance company comes looking or the press comes looking, if we have obvious holes in our security or exemptions we've got, it's not going to look good for us. I'll leave that with you, Mr. or Mrs. Executive or Ms. Executive. I'll leave that with you. But you really need to think this through, and I need you to tell me in writing that you want me to do this.
D
Yeah.
C
And I think this gets to an interesting segue between the battle about what.
B
Basic good advice looks like and it's become a heated topic for me because, to a degree of credit, a group of security leaders led by Bob Lord got fed up with some bad security advice, some mythology and folklore and other things around risks, and published an open letter and emphasized the importance of some basic things. Multi-factor authentication, patching and updating devices, strong passwords and password managers. These are all good, fundamentally sound pieces of advice. Some of the things they challenged are worth questioning. Juice jacking at the top of the list. For those not familiar with juice jacking, it became an incredibly popular sort of esoteric security concern after a research paper said it's theoretically possible to leave a malware infection via USB charging because you don't filter out the data components of USB and just get the power. It has never been seen or publicly disclosed in the wild as a valid attack method for a variety of reasons. So it's one of those things from a risk management perspective. Is it possible? Yes. Is it probable? Low. Okay, that's good, sound advice. Old advice. Rotate your passwords every 90 days. That's bad old advice. The person at NIST who came up with the NIST password guidelines apologized years ago, did not understand the unintentional consequences.
C
Of telling people to create passwords that.
B
Were hard to remember and rotating them would result in people creating patterns that could be guessed.
C
So.
B
So that's good advice. But here's where I get upset. Sometimes what we communicate requires context and nuance and clarity.
C
And by lumping the old advice is.
B
All QR never scan a QR code. And that was never quite the advice that was being given by most people. But it's been interpreted by some people as in QR codes are just URLs. They're fine. We're going to talk about that in a minute.
C
And also avoid public WI fi when.
B
The advice needed not to be scrapped, but to be evolved to be cautious about certain things on certain public networks. Yes. And the problem is that when you read through the DNA of the advice that's being given in hacklore is it's very rooted in a technological bias. You can see it in some of the writing where it says modern OSes and browsers protect you from this, my friends. Not all the time. Also technology controls fail and technology controls can be social-engineered and bypassed. MFA can still be bypassed if I put enough effort in. So I really hate that they've created confusion around QR codes, particularly lines, if Bob is listening, saying there's no evidence of widespread criminality with QR codes, which as Jim knows, I spent an entire episode in November dissecting multiple parking campaigns across the world using QR codes. They absolutely are using QR codes for criminality. And this morning out of Calgary we have reporting in the holiday season, a family lost $10,000 to an Interac e-mail fraud that relied on using QR codes because it obscures the actual proper sort of signals that you know you're on Interac, et cetera. It's real people losing real money. QR codes from people you don't know in public should be treated extraordinarily cautiously. That's not to say at a conference, dear security folks, where a trained professional, and I talked to a brilliant woman about this, is giving you a talk.
C
And she has been up there for an hour and she's a world renowned.
B
Expert and puts a QR code at the top. They should all grasp your T shirt.
C
Neckline and then we'll be like a QR code. No, you're adults.
B
We can use some context. A professional delivering a QR code in that context is likely safe. You can infer from context. But running around and telling average everyday users like QR codes, oh, it's fine. It's a stupid, bad idea.
D
I think that the key there is it's not black and white and at least red. It's at least red, yellow, green. Isn't that?
A
Yes.
D
Yes. But there's things that are definite don't-do's. Right. And there are things that are definite do-these-things. And then there's things where it's just a proceed with caution. And I think that's what the list really missed out on the opportunity for. Yeah. Interacting in the public with things that use your digital device, those are proceed-with-cautions. Wi-Fi is in that category. QR codes are in that category. Reading a URL off a sign. It doesn't have to be a QR. It's still in that category. Interacting with ads is in that, like all of these things. It's if you have questions about the trust or the provenance, and then giving people some idea where to look for how do I know how to trust a thing? The list isn't going to go into the details of look for stickers on QR codes; that's for further campaigns and research. But I do agree, I think the list was a little bit too straightforward on some of those topics. And we will see definitely problems. And we do see free Wi-Fi is another category. Doesn't mean don't use free Wi-Fi, but be thoughtful about it. Look for trusted, real ones. Understand what's usual about using a free Wi-Fi and make some choices about what you're going to do when you're on free Wi-Fi just in case it turns out it wasn't as trustworthy as you thought it was.
A
Absolutely. Let me stop for a second, David, because we're presuming everybody listens to the show every day. This story, I just want to give some background to this story because David covered this on Monday. And I'll let you, I'll let you magnify my description of it. But basically someone came out and did something that, you know, there are dorkish moves you can do and sometimes I as a writer might even do them. You go for something clever. And he said, this is all hack lore. All of these things are hacked lore.
C
Yes.
A
Some smart stuff in there. Anyway. Published this on LinkedIn. I forget who it was, but they published it there. And they're a security professional. And sometimes you gotta call people on the stuff that they do and say, did you really think that through?
C
It's been amplified by really smart, prominent.
B
People because some of the advice, and there is good advice around those four best practices, but the problem is in which they've framed it and communicated. And yes, you can be a CISO and a technical expert and I absolutely admire you for a lot of things, but you can also be a bad communicator.
A
And in this case, people did this big thing where they wanted to talk about how cybersecurity education was overrated and that we should be. We should be relying on technical tools. And you don't go off on this one. I will, David, because you're the education guy. I was doing this thing and I went, how many cybersecurity rescue stories do we have? Precious few of them. But you know what they all have in common, including this one guy at Microsoft who late at night looked at that. They say, should that be happening? Cybersecurity rescues happen because people are courageous enough to ask a question and say.
There's something strange about that. And that's where these don't educate people. Call it hacklore. I don't know if you're contributing to the community in a meaningful way. I have no problem taking on a big company, I have no problem with that. But I think we have to watch our language at times in terms of how we communicate as cybersecurity.
B
And to more point, I think that as always, she nails it on the nuance. Red, yellow, green, give. And for me, I mentioned this in.
C
The episode the GRU famously said, your.
B
Threat model is not my threat model. The assumption in hacklore is some of a universal consumer threat model. Let me tell you, if you're being stalked by a former partner who has any kind of IT sophistication, your threat model ain't the same as the regular person. So my job is to inform you of the general environment and the context and give you examples. Then your job as an individual is to give them the choice of your the information and your understanding of your risk appetite, your threat environment and other things to choose how to apply that. Because I treat humans as intelligent actors making choices in their lives, I am not techsplaining to them, I'm not talking down to them. I believe in the potential of people. And I think that's one of the big red flags in our industry is when we techsplain and you're like, oh, they do, average people, they're simple, they can only remember four things. So if there's only four things they can remember, these are the four things we need to remember.
D
And I think what the sad thing about that is that it's a self-fulfilling prophecy or actually a demoting prophecy, right? If you think people can only remember four things, by the time you've told them the four things you thought that they needed to know, they're not even going to remember those because you've presented it in such a way that it's not meaningful anymore. So David, I really believe in what you said as well. I think you need to put the information out there in a way that respects that people do have brains and the average human deserves a lot more credit. But while we get fed so much garbage online and our brain rot is real, right? Don't contribute to brain rot, don't send out garbage information and try to be part of treating people as people who can make choices. And in part that's the best you can do.
B
Yeah. And part of the hacklore thing on, oh, avoiding public Wi-Fi is old news. Awful case out of Australia. Guy got seven and a half years prison time. He was using evil twin. Pineapple's been around a long time, man. It's pretty easy to do. What he was doing was social engineering. And again the problem with the hacklore kids, as I see them, I will admit this is my perception, is they're still seeing this as well. These are missed because they're not attacks on devices.
C
My dudes, my ladies. It's not about the devices, the people.
Oh, social engineering. Stop downplaying it please because it's the number one way we still pwn people anyway.
B
He targeted among the people he hauled in, and predominantly in the treasure trove of awful information he harvested were women travelers, compromising their social media accounts to take intimate images and other sensitive information about them. And once again my threat model is not the same, right? My risk profile. But what we missed in this golden opportunity is that when you're using public Wi-Fi, red, yellow, green. If the Wi-Fi says you need to authenticate using your social media account. Nope, we're out, we're done. No, you might.
C
It might sound funny.
B
Who the hell would do that? I've been to airports that have asked you to authenticate an account legitimately asked you to do that. Airport, stop doing this like you are creating the premise that predators will use. Stop it.
A
And I'm more strict on this, I.
D
Think too big part of it, and there was a legitimate part of it, was the idea that if you're going to use the hacklore, I guess that really has developed is oh, just use a VPN and you're safe on public Wi-Fi. And that has become a challenge and certainly has some commercial incentive linked to it for certain organizations. Does that mean VPN is useless? No, there's lots of reasons you might use a VPN. Some of them are security related, some of them are not or they're anti-security related. That's neither here nor there. It's a tool and that's how it is. But that's I think the other part that's complicated about the hacklore-type things is the reason why somebody put something on a list of don't worry about this may have come from a really good place, but by the time it's been diluted down to a four-word byte on a list, it's lost that context. So anyway, have we beat this one?
B
I just want to be pointed. I do not believe that the intentions behind hacklore were bad. I do not believe they were bad. I believe people are trying to do their best in this side of things. I'm asking them to listen to that very clear point that you just made about signal to noise and about the degradation of messages. And just because you're a technical expert does not mean you're an expert in communication, and you should think about the unintended ways that multiple layers of your message play together by lumping everything in together as folklore or myth. You then take things that have never happened, like juice jacking, and QR codes, and in an average, reasonable person's mind, they are now equating these as the same when they're not. When you tell people you just need to focus on these four things, you're telling them the tech will always protect you, and it won't. And you need people to use their discernment, judgment and vigilance to know this. And oh, by the way, circling back to our point about MFA, if you don't give real examples of real threats in the application of technology, like how MFA helps in various scenarios, then they're not going to do it. So you have to remember explaining why is important when you communicate with adults.
A
Absolutely. And the thing in the lesson from this story is, and I took it away because I think I actually am a cybersecurity journalist. I never, I don't really think of, I think of myself as an old CIO who's retired, who's got a great hobby of doing a podcast. But the reality is people actually do listen to us. And I did a think about this and saying, are we exaggerating stories? Are we giving the right weight to stories? I think these guys had a valuable wake up call for all of us and I think we should all take that and think about that. But equally, I'd ask that they do the same and ask did they make, did they do this in a way that made the best contribution? As somebody once said, we're all in this together.
C
Yeah. And by the way, take Laura's idea. Here's here is this red, yellow, green.
D
It's really new. This is groundbreaking for 2020.
C
I've read we can call it the traffic light. Wait, no, I'm not going to get into that.
A
Never mind. Listen, we got a wrap in a minute, but I do what we. David invented this thing called the Stinkies and there were some awards that are going to go out and I'm not, I hate picking on people like this, but one of our listeners wrote about SonicWall and their issues they had with SonicWall. And I think, I'm not saying SonicWall is not a great product or they're not great people. They what? I'm not referring to any of that. But for heaven's sakes, guys, if it's true that SonicWall management devices must enable and use the default user admin, if that's true, and if you must disable all MFA on all devices you wish to manage with SonicWall's NSM appliance before it works.
What the heck were you thinking? And in fairness, I wrote to SonicWall before and I gave them three days before I published this story. And I have heard crickets. Now if they went to my spam folder. Sorry, but that's just. Guys, give your head a shake and thank you to the listener who wrote in and tuned us into that story. Because now customers will do what customers do. I'm not trying to get SonicWall to take away any of their business or anything like that. I'm just saying if you're a customer, ask that question and keep asking it till they go. It would be really important to fix.
B
This because yeah, I'll just add to that.
C
We are always happy to be corrected. That's a cool thing about this. So if we missed something here, please get on the phone now and say, oh, it's toads.
D
Not like that.
C
There was a misinterpretation. You got some splated to do at this line. If, however, it was the case and.
B
You change, please be in touch. Say, oh, we've changed it.
C
Here's how we've learned there's lots of opportunity here.
B
We don't want to give you the stinky. You have a maybe a conditional one.
A
Yeah, we'll, we'll let, we'll plug our nose now and ask whether or not you fixed it. But the reality is we didn't. We don't do this stuff lightly. I got, I was sent copies of the emails that people had gone back and forth with. And I did, we did alert the company. We're not going to give you a stinky, but we are going to give you a nudge to say and if you're. And if you fixed it, send me a note. I'd love to tell people on the next episode that you guys stepped up and took and because we're just as good at that. We just want it to be better.
C
Well, however, reserve the stinky for Meta.
B
For taking $16 billion in fraud ads. Do better.
A
I think Meta gets. I think we're going to call it like the early election call. Meta wins out on this one in there.
D
Yeah.
A
Laura, David, thank you very much. I'm going to get everybody together for a year end show. So our next month in review will be a year end show. Bring your eggnog and I'll wear my white toque.
D
I feel like I have to check. That might be my my anniversary of guesting on the show. I think it's around this time we.
C
Went to look but oh we will definitely celebrate that.
B
Laura, thank you so much as always.
C
For being the voice not only of reason but really good nuance and clear. Always great advice.
B
Always appreciate it. I always enjoy learning from you.
D
I enjoy having lots to riff off of from you. David.
Yes, Jim just gets to herd the cats.
A
There's two seasons, there's T-shirts and plaid. So we'll continue the plaid season and we'll see you guys in a couple of weeks for our year end show. Thanks a lot. David Shipley from Beauceron Security. Great coffee, nice hats. Laura Payne from White Toque, and I actually have the authentic White Toque. Thanks again and to you out there listening to this, we meandered around by a lot of things but I think we made some good points. Love to hear from you. Send me a note, you can find. Just go to technewsday.com, you can leave a note on the Contact Us page there. If you're watching this on YouTube you can leave a comment. We check them all the time and some of you just hunt me down on LinkedIn and that's perfectly fine as well. Love to hear from you any way you can. Thanks a lot. David will be back on Monday with the cybersecurity news and Laura will be back in a couple of weeks for our year end show. Thanks again. And that's our show for today. We'd like to thank Meter for their support in bringing you the podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments and even run support. It's a single integrated solution that scales from branch offices, warehouses, all the way to large campuses and data centers. Book a demo at meter.com CST. That's M E T E R.com CST.
And you can reach me at technewsday.com with your tips, comments or even constructive criticism. If you're watching this on YouTube, you can just leave a note under the video or, as some of you do, track me down on LinkedIn.
Love to hear from you. I'm your host, Jim Love. Thanks for listening.
Podcast Host: Jim Love
Guests: Laura Payne (White Toque), David Shipley (Beauceron Security)
Release Date: December 6, 2025
Episode Focus: Key cybersecurity trends and threats from December 2025, major breaches and disclosures, software vulnerabilities, and practical security advice for organizations.
This episode tackles the ever-evolving landscape of cybersecurity attacks facing organizations, focusing on the increasing sophistication of "living off the land" threats using legitimate software tools for malicious purposes, the dangers posed by common productivity tools in phishing and social engineering, significant vulnerabilities in enterprise platforms, and the communication challenges in cybersecurity education and awareness. The team provides practical, nuance-rich advice for businesses and end-users, with lively, relatable anecdotes and frank opinions on current industry shortcomings.
On AI-enabled living off the land:
“I have to sweet talk your AI to then go and download a PowerShell script and go from there.”
—David Shipley (06:01)
Meta Ad Fraud:
“What does that translate into? Roughly 15 billion scam ads per day in social media platforms.”
—David Shipley (14:19)
Calling for Security Baselines:
“If executives are bypassing security ... when we’re hacked—and we will be ... if we have obvious holes in our security or exemptions ... it’s not going to look good for us.”
—Jim Love (32:50)
Philosophy of Education vs Tech Controls:
“People actually do listen to us ... Are we exaggerating stories? Are we giving the right weight to stories?”
—Jim Love (47:32)
Security Communication:
“...you have to remember explaining why is important when you communicate with adults.”
—David Shipley (47:23)
Red-Yellow-Green Risk/Advice:
“It’s not black and white ... It’s at least red, yellow, green.”
—Laura Payne (38:03)
This spirited, nuanced discussion spotlights cybersecurity’s rapidly shifting threat landscape, emphasizing the importance of practical vigilance—both by organizations and users—combined with clear, context-rich communication, and a commitment to keeping technical controls and human awareness aligned. Brands and tech giants were called out for their responsibilities, as were security leaders for the ongoing need to inform, not patronize, their audiences.
Next up: Annual year-in-review episode with the same expert panel.
For further feedback or real-world stories, listeners are encouraged to connect via technewsday.com or find Jim Love on LinkedIn.