Cybersecurity Today: Month In Review Panel for August 2025
Podcast: Cybersecurity Today
Episode: Month In Review Panel for August 2025
Host: Jim Love
Panelists: Tammy Harper (Flare), Laura Payne (White Toque), David Shipley
Date: August 30, 2025
Overview
This episode of Cybersecurity Today's "Month in Review" takes a dual perspective: reflecting on key cybersecurity developments in August 2025 while also forecasting the pressing challenges and strategic priorities for the upcoming year. Jim Love and a panel of prominent cybersecurity thought leaders delve into legislative progress, the growing sophistication of threat actors (turbocharged by AI), regulatory gaps, and practical defensive measures every organization should consider.
Panel Introductions and Format
[00:01–02:23]
- Jim Love introduces guests, highlighting panelists' credentials and setting the theme: examining August's security news while anticipating issues for the coming year.
- Tammy Harper (Flare): Senior threat intelligence researcher focusing on cybercrime/ransomware trends.
- Laura Payne (White Toque): Runs consulting services; operates within and beyond Canada.
- David Shipley: CEO of a security startup, co-host.
Key Discussion Points & Insights
1. New Biometric Privacy Guidance in Canada
[04:58–07:51] Laura Payne, with David Shipley and others
- OPC Biometric Guidance: Canada’s Office of the Privacy Commissioner released long-awaited biometrics guidance, delineating company obligations, guardrails, and risk stratification for different biometric data types.
- Quote ([05:26], Laura):
  "We know biometrics are very strong authenticators. But...the more unique they are to you, the more important it is to make sure they can't be stolen and replicated."
- Enforcement is Still Lacking: Federal leadership on enforcement remains an unsolved problem.
- Quebec Leads the Way: Quebec’s advanced legislation is cited as a model, but the patchwork of provincial laws hampers nationwide progress.
- National vs. Provincial Regulation Dilemma: Panel agrees that fragmented laws increase organizational complexity and costs, but a lowest-common-denominator federal approach risks under-protecting privacy.
2. AI-Driven Threats and Accelerating Attack Timelines
[13:04–21:45] David Shipley, Jim Love, Tammy Harper, Laura Payne
- AI and Rapid Exploit Development: Security researchers demonstrated AI systems can generate working exploits for published vulnerabilities in 15 minutes, at a $1 cost.
- Quote ([14:23], David):
  "They figured out how to do it...the average time to generate an exploit was 15 minutes, the cost to generate a workable exploit was a dollar."
- Patch Windows Shrinking: Discussion of a recent Microsoft Exchange hybrid environment flaw exploited rapidly across North America.
- The Need for Better Code, Not Just Faster Responses: The panel warns that current patch/change management speeds risk outpacing the ability to patch safely.
- AI-Generated Ransomware ([18:18], Tammy):
  - First reports of fully AI-built ransomware using ChatGPT to write and execute Lua scripts.
  - Automated encryption, exfiltration, and lateral network movement observed.
  - Experimental but portends rapid escalation.
- Defensive AI & Virtual Patching: There’s promise in using AI/ML for proactive defense (e.g., virtual patching), but organizations must also plan for continuity in case urgent shutdowns are safer than exposure.
3. "Hack Back" Legislation: Risks & Ramifications
[22:16–29:48] David Shipley, Jim Love, Laura Payne
- Proposal in U.S. Congress: The 'Scam Farms Marque and Reprisal Authorization Act' would allow private companies to retaliate against cyberattackers.
- Major Issues:
  - Attribution is fraught: easy to hit intermediaries (e.g., universities/hijacked routers) and spark unintended escalation.
  - Interference with law enforcement or national intelligence operations.
  - Potential for international incidents.
- Quote ([25:54], David):
  "There's a million and a half ways this goes wrong...the last person to hit you is usually not the actual person doing the attack."
- Laura’s Caution ([29:00]):
  "If it is implemented in a very loosey goosey fashion...it could be very detrimental, but also implemented correctly...[with] checks and balances...maybe you avoid the problems."
4. MFA (Multi-Factor Authentication) and Insurance: Gaps & Lessons
[30:21–38:52] Laura Payne, David Shipley, Jim Love
- MFA Bypass Loopholes: Despite being “on,” MFA is frequently downgradeable or optional for user convenience, opening organizational gaps that hackers exploit.
- Hamilton Ransomware Incident: The city’s insurance denied a claim for $5M due to incomplete MFA deployment, despite incident specifics.
- Quote ([32:56], David):
  "Your insurance is predicated on X, Y, Z...more and more when the bill comes due, this stuff comes out and it really sucks."
- Actionable Advice:
  - Audit and enforce MFA everywhere, not just surface compliance.
  - Regularly consult with insurance brokers about policy requirements and the impact of controls.
  - Use real breach stories to drive home urgency to executives and boards.
5. Threat Actor Update: Scattered Spider/Lapsus$ and Trolling Tactics
[39:06–47:33] Tammy Harper, David Shipley
- Ongoing Activity: Despite some arrests, Scattered Spider remains active and is engaging in counterintelligence trolling, e.g., posting fake Europol bounties on rival admins.
- Quote ([40:56], Tammy):
  "A lot of it is for trolling...they understand that a lot of our tools work on keywords, so they know including certain keywords in their claims will trigger a lot of flags and notifications."
- Social Engineering & Compromise Vectors:
  - Exploiting CRM/OAuth (e.g., Salesforce) to send legitimate-appearing phishing via DKIM-passing emails.
  - Leveraging massive data from breaches to fuel more convincing social engineering.
6. AI Risks: Security, Regulation, and Societal Harm
[47:46–57:51] Group
- AI Encoded Risks:
  - Increasing integration of open-source models into attack chains.
  - First lawsuit over AI-induced self-harm in youths.
  - Underlying training data (“landfill covered by dirt”) yields unpredictable harmful outputs.
- Quote ([47:46], David):
  "It was really sad this week to read the story of a young teenager who died after months of encouragement to commit self harm, allegedly by OpenAI's products..."
- Regulatory Imperative:
  - The panel emphasizes demanding regulatory guardrails and AI security requirements from government.
  - AI will shape employment, policy, and geopolitics; urgency to act is paramount.
7. Looking Ahead: Advice for Cybersecurity Professionals
[51:05–end] Panel closing thoughts
- Big Problems, Simple Starting Points:
  - Don’t get paralyzed: focus on MFA, secure identity, phishing awareness, and the fundamentals.
- Quote ([64:23], Jim Love):
  "Just because you can't do everything doesn't mean you can't do something."
Panelist Hopes & Guidance
- David Shipley ([51:31]):
  "The initial exuberance...this is magic tech that's ready to go...has been burst. And from that we can march towards a pragmatic, useful, safe approach."
- Tammy Harper ([52:51]):
  "We have to pressure our governments to implement regulatory policies to try to put guardrails on this. It's the only thing we can do, I think, at this point."
- Laura Payne ([58:30]):
  "Stay focused on your real priorities...do the things you need to do around those to protect those priorities. Stay focused, get those things done. Don't let the noise distract you."
- Jim Love ([64:23]):
  "If you're feeling...hopeless about this, go back to the fundamentals...You need technology, yes, but you need suspicious people."
Notable Quotes & Memorable Moments
- On AI-generated attacks ([14:23], David):
  "Average time to generate an exploit was 15 minutes, cost a dollar."
- On insurance ([32:56], David):
  "When the bill comes due, this stuff comes out and really sucks."
- On persistent threat actors ([40:56], Tammy):
  "...a lot of it is just counterintelligence and trolling."
- On AI imperatives ([55:17], Tammy):
  "We have to pressure our governments...to put guardrails on this."
- Optimism from adversity ([58:30], Laura):
  "...if you're focused on the right things, the other things will follow."
Timestamps for Key Segments
- Panel Introductions: [00:01–02:23]
- OPC Biometrics Guidance: [04:58–07:51]
- AI-Generated Exploits & Patch Speed Race: [13:04–21:45]
- "Hack Back" Legislation: [22:16–29:48]
- MFA and Insurance Risks: [30:21–38:52]
- Scattered Spider Update: [39:06–47:33]
- AI Security & Societal Challenges: [47:46–57:51]
- Panel Hopes/Advice: [58:30–end]
Final Thoughts
The panel underscores a cybersecurity landscape accelerating into new territory, destabilized by AI-driven attacks and regulatory lag but also bolstered by new tools and unyielding focus on the basics. Their collective wisdom: Put your fundamentals in order, pressure leaders for real regulation, and understand that while the threats evolve, staying focused and grounded is essential for survival in the coming year.
Keep your stick on the ice.
