
Cybersecurity Today: Navigating AI Advancements and Future Trends In this episode of 'Cybersecurity Today,' host Jim Love and panelists Tammy Harper, Laura Payne, and David Shipley discuss recent developments in cybersecurity, shifting focus to AI's...
A
Welcome to Cybersecurity Today, the Month in Review show. We've got a little bit of a different thing planned. We will all do the month in review, but as we get back from summer, people are starting to think about the year ahead in Canada and I guess most of the northern United States. By the time we get to Labor Day, kids go back to school and we're starting to finalize our budgets and think about the next year. So we wanted to make a bit of a special twist to the show. So we're going to cover the month in review with our panel, but we're also going to try and get some look ahead to some of the issues that we might all be facing and some of the trends that are going to be coming up in the current year. I'm going to introduce the panel. Tammy Harper, welcome back. Tammy, can you tell us who you are, where you work and just a little bit about yourself, for those one or two people who haven't heard about you yet.
B
Hello, everyone. My name is Tammy Harper. I'm a senior threat intelligence researcher at Flare. I am part of a very talented team that researches emerging threats, ransomware, specifically cybercrime and the underground economy. We try to stay at the bleeding edge of what's out there and make sure that we can develop TTPs and IOCs for companies so that they can stay ahead of and defend against these new threats. Yeah, happy to be here.
A
And another fixture on the cybersecurity scene for many years now, Laura Payne, who works for I think one of the companies that has the most Canadian of names, White Tuque. Welcome, Laura.
C
Thanks, Jim. My name is Laura Payne. Happy to be here again. I spend my time at White Tuque mixed between running the company and supporting our clients with consulting services. And we are Canadian, but we operate outside of our borders as well. We are always glad to bring the toque to people who otherwise might feel a little bit unsheltered.
A
I love that we're bringing the toque, and for two guys with hair that's going, the toque is very important in the winter. David Shipley, my partner in crime, co-host of the show. Welcome. And also has a daytime job as well. Welcome, David.
D
Thank you so much, Jim. It's always fun to be back here. It's always fun to surround ourselves with brilliant people like Tammy and Laura and dive into this stuff. And yes, the day job is running around, or being led by the pack at Beauceron Security these days. Best part about being a CEO of a startup is eventually you get to fire yourself from all the things and watch a new generation take it all over.
A
Great.
B
Free.
A
We don't do commercials. But are you ready to announce your new service, or is that secret?
D
It is not secret. We just announced today something really cool that we're excited to get into. So we've been doing employee-based cybersecurity awareness training since 2017 and doing some pretty cool things. We've been watching what Aaron West has aptly called the scamdemic just explode across North America and globally with fraud losses, both direct cyber-enabled fraud or traditional fraud that's been accelerated with technology. And so today we just announced a brand new awareness platform for banks, credit unions and fintechs that embeds into mobile banking and desktop banking applications and gives people a cyber wellness score that actually helps them understand how much they know about cybersecurity, where they can improve, where their information might be showing up in the dark web through services like Have I Been Pwned? And really creates a feedback loop. And what it does is it changes the nature. Right now banks, credit unions, fintechs are doing their best just to blast out information, and it's a fire hose and it's passive and it's one way. And we know that doesn't work. It doesn't work at the same level of effectiveness that they need to have. And you know, to put this into context, the reason we're so pumped about this is last year the FBI's Internet Crime Reporting Center said there were $16.6 billion in reported cybercrime. 83% of that was cyber-enabled fraud. You know, as much as we get excited as professionals talking about ransomware as a problem, it's an $814 million problem, but it's not a $13.5 billion reported loss problem.
B
So we're pretty excited.
D
We've got our first partner bank in the United States financial institution working on it and using it. So we're going to be showing it off in San Diego at a major banking.
A
Nice stuff happening. Cool. Who wants to go up with the first story? And by the way, Shipley, I noticed when you said the brilliant people, you only mentioned Laura and Tammy. You know, the. Yeah, I, I'm not hurt. I, I have a big ego. I can take this. Who wants, who besides David wants to start doing the first story?
D
First of all, Jim, we know that the mutual acknowledgment that the two guests we bring on are smarter than either of us just, just so that we.
A
Level that was never the question. Which one of them wants to start?
C
I was going to say, for those who can't see us, both Tammy and I are just sitting here smiling but shaking our heads.
A
Okay, Laura, we're going to start with you. Go ahead.
C
All right, all right. Okay. I made the mistake of speaking. All good. No, you know what? I'm going to kick us off with something that I think is a positive direction from looking back at August. The OPC has released its biometric guidance. So the OPC, the Office of the Privacy Commissioner of Canada, has actually released guidance on biometrics. It's been a long time in the making, but now we actually have official privacy guidance around this. And I think it's so important just because we know biometrics are very strong authenticators. But because they're such strong authenticators, being tied specifically to you, and especially the more unique they are to you, the more important it is to make sure that they can't be stolen and replicated and tampered with, et cetera. They really do deserve appropriate attention. So there is now official guidance for companies that collect biometric information as far as what's considered the appropriate guardrails, what the principles of privacy around them are, and also some definitions and delineations around different types of biometric information, since it's not all created equal, and how, again, the more sensitive it is, the more important it is to protect. A finish line crossed for one of our national organizations. It's easy to be the armchair quarterback and complain about how long these processes take, but I know it is incredibly difficult for any large organization, let alone a national organization, to get all of the right players at the table to hear the various expressions of opinion and to get to a final product that is appropriate for release. So I do want to give them some kudos for getting it over the line.
D
Yeah, it is great to start on a pause on that side and Laura smiling. For those who are listening in the audience, just like, okay, where are you going next with this? Wouldn't it be amazing if our federal privacy commissioner actually had the ability to enforce said policy and guidelines?
C
That would be fantastic.
D
So for folks in government listening, and we do have a non small audience of government policymakers listening to this show, fall is upon us. And it would be a good time to reintroduce, just like you did, the critical infrastructure legislation saying federal private sector privacy legislation that can actually give our privacy measure the teeth to enforce really well thought out incoming and much needed biometric protections.
C
And just to kind of piggyback on that call out, which is absolutely, I agree, the right direction for us to go in. You know, the writing and the analysis around this that I've read does call out that Quebec is already ahead of the rest of the nation as far as how they've been approaching it. So there are examples we can draw from and follow within our own country for that type of how do we get further along the enforcement spectrum? So leave that thought with folks.
A
Tammy, any comments on that? That's the right.
B
I think it's going to be really interesting to see how things develop in the future. I really want to see how that, how that plays out. Yeah. So it's like what I want to know is if each province is going to be able to like, because you mentioned that it was going to be like Quebec's already ahead of the curve, but what are the other provinces have to do to like catch up to like how far ahead is Quebec and what do the other provinces have to do to like basically get to that level? Or is it like a leadership issue? Is it a regulatory issue? Like, what's the like, why is Quebec so ahead?
D
Well, you know, it's interesting because in the horse race that we had in Canada, initially it was British Columbia and Alberta that were kind of leading ahead in the charge on this. But really they were all kind of pre-GDPR, pre the big European change where, oh my God, these fines could actually mean something to me. And then Quebec's legislation really is taking the GDPR core principles, which ironically, privacy by design was invented by a Canadian, Ann Cavoukian, who's absolutely outstanding and an amazing person. And we didn't even typically use our own innovation first. Right. Europe beat us to it, but Quebec acted in absence of federal action. And the problem for Canadian businesses, and this is a similar problem for the United States, by the way, they're going through this as well, is that as each subnational jurisdiction, state or province, creates legislation, the legislation varies slightly, the reporting mechanisms vary ever so slightly, and you're adding a ton of complexities. Now, the winners here, well, consultants, law firms, privacy experts and others. Like every time you add another twist, well, we add a bunch of work. The losers here are businesses and folks who want to comply, want to do the right thing. So national level legislation in Canada, the United States is more cost efficient. It's better. And it's also, I would end on this point, more fair. The fact that some people in California have more rights than other people in the same country should upset folks. And the fact that Californians have more rights than Canadians when it comes to the behavior of California-based technology companies, well, easily bugs me.
A
Yeah. This gets down to two issues though, and one, and it happens in the States and it happens in Canada, is the conflict between the federal jurisdiction and the states, the provinces. This makes me crazy because I understand why various levels of government want to have their own approaches to how they build roads and whether they have hospitals and all that stuff. I get that totally. But cybersecurity, all this does is slow the process down. And I'm a big believer in biometrics, especially as a secondary identifier. I'm going through this big thing right now where I think I might have been hacked. I'm not sure. It's a common thing where you're always worried about it, but I'm absolutely confident that certain accounts are fine because they need two-factor and they need biometrics. And, you know, so this is something that I think really is something we need to really be pushing. Passwords, you just don't make it anymore. And I think we all know that. But disagree or agree with me on that. I'm happy to have a debate on that, but I think it's one of the things we need to talk about.
C
I think what it really highlights too is how much policy and direction is aligned with culture. And I think that's why it is so difficult to get federally organized on some of these things where a province like Quebec clearly prioritized the desire for people to have additional protections around privacy. Culturally, Quebec has always been a little bit more on that side of individual rights and just a little more forward thinking on getting to a legal set of rules around those kind of things than other provinces have been. So the danger, of course as well with kind of going top down is if you've got an area that is culturally very strong on a particular point, when it kind of moves up the chain, inevitably we see it get watered down. So unless there's a really strong desire at the top to take instead of lowest common denominator to move to the highest common denominator, that's a challenge. And we've seen that democratically. That is a challenge to address. When you need to kind of push a direction that really is for the better of everybody. But it takes a lot of work to convince everybody to get on board instead of just saying no, this is how we're going to do it. Now we just need to make smart choices. So there's a lot of complication in pushing in that direction, which doesn't negate how important it is. It just is kind of or challenge a recurrent system.
A
And it's the same in the US. Like I said, we whine about the federal system up here, but the same in the US. California is inevitably ahead of most other states, and I've seen them, mostly on AI legislation, come forward with some stuff that made real sense and then have to back down because of federal pressure. So maybe my idea of the federal thing isn't the best in the world either. Sometimes I have these half-baked ideas I need to just fully bake them.
D
Yeah, I'll segue into the story that sort of caught my attention and the lack of government leadership in this particular space. So earlier this week it was brought to my attention a really interesting proof of concept done by two cybersecurity researchers who built a series of AI processes and systems to go from a published critical vulnerability and exploit listing for a given product or service, read those things and iteratively develop exploit PoCs, proofs of concept, for them. And what was absolutely terrifying for me was they figured out how to do it, that the average time to generate an exploit was 15 minutes, that the cost to generate a workable exploit was a dollar. This comes in the backdrop of a really nasty Microsoft hybrid Exchange environment vulnerability that may have been responsible for the breach of the House of Commons here in Canada. Judging by the timing of the particular attack, the timing when that exploit was announced, fingers were pointed at poor old Microsoft for this one. Two leading suspects, and this one looked a lot like the leading candidate. But what was interesting about that is, you know, they were given a patch timeline of a couple of days. Particularly, this is the one CISA in the US said you've got to get this patched in 24 hours, and now we're talking about patch windows from exploit publication to you could get pwned in a couple hours. We are not prepared for that. The only real viable way forward is to improve the baseline quality of our software products and have greater accountability, and since the company provides a SaaS, this is greater accountability and more restrictions on limitations of liability to ensure that they are not moving fast and breaking things because YOLO, not our problem, we've got that sweet sweet indemnity clause in our licenses, changing fundamental behaviors of the start. 
But the Trump administration has absolutely gutted all of the Biden-era guidance on this, from we need to move to memory safe programming languages to security by design and holding companies accountable, because regulation bad. And now we're in an arms race, and to put this into a medical context, we've just discovered that superbugs are running around in our hospital really, really badly and there's such a non-zero chance that they're going to bring down a lot of patients, and we're like, meh, washing hands and hygiene standards, too much regulation.
A
I want to jump in and just make sure nobody missed that story that you're bringing up because I think it's important and we do have. I've got an invite out to the people who did the proof of concept on this, but this was published, I think over the weekend. A proof of concept that basically said using AI, this group had been able to take a zero day or a flaw and literally develop an attack in less than 15 minutes and a viable attack. And so. And they're still in proof of concept, but this was a viable attack and as David pointed out, cost about a buck. This is, this is just sort of. I don't know how to describe it. You know, we're getting to the point where the reality of where we can't, where we patch is a problem. And it wasn't just the House of Commons that exchange flaw went ripping through companies throughout North America in days, just literally in days. And now you've got flaws that can be put out in 15 minutes and started from literally from the zero day. There's. You might as nobody's going to be able to patch that fast. I think we have to keep in mind is we've had a lot of patches that have gone south, particularly from Microsoft, and I'm not dumping on them, but I understand the challenges. You've got to be able to patch right away, you've got to be able to patch correctly and you cannot fail.
D
It almost feels like there's a terminal velocity to patch speed, that like you approach this particular speed and the problems you're causing by moving at this speed are almost as bad and then will cross over into worse than the threat you're facing. It's almost like a maximum viable patch speed. I don't like where the math is heading on this one. So that's just where my head's at on this. Is that better quality in code? Like, I feel like there's two things. I just want to give a shout out as the resident culture critic to one of the best uses of a meme so far in a security researcher post. For those not familiar with the comic Invincible, which was a great comic series and now a popular Amazon Prime series, there's a meme where the father's talking to the son, which, you know, you should look up yourself, and the son says, so I need to learn Ruby first to build a Ruby exploit. And the father goes, but that's the neat thing, you don't, right? So the skills are lowering on exploit development here. This is going to do for exploits what scripts did for script kiddies. It is no BNO for everybody.
B
One very interesting point about threat actors leveraging AI more and more is a story that came from two researchers this week. They said that they had found the first instance of a fully AI ransomware. Now that AI came in with its own models. The samples that I saw were around 10 megabytes as a binary. It basically connected to a server, and it could run that server locally or it could run that server remotely. Basically it was leveraging ChatGPT's OSS2 model to write a bunch of Lua scripts and then execute those Lua scripts. It used Speck encryption, and I think it was like 128 or 256 bit encryption. It was able to exfiltrate data, encrypt and worm itself through the network. It was fully automated. All the logic was built with AI. They warned that this looked very much like a proof of concept and that they were looking to see what happened. But you're seeing a lot of threat actors experimenting now with new concepts. As AI is racing towards more sophistication, we're going to have to start incorporating AI more and more into our defenses, unfortunately.
A
Yeah. And the question that comes up as we look at this is how early are we in the game? Because as you pointed out, people think that this was really a proof of concept. Because I think as I remember it, anytime somebody logged into the server, it would shut things down. And so that was a problem. So it looked like for all intents and purposes they were just trying this out because it gave it away pretty early in the game when they shut down the server if somebody else tried to log on. So if this is the start of it, where are we going?
C
I think there's a couple of opportunities here on the defender side and they're not new concepts. So there should be some stuff that's getting pretty close to being proper release. Right. But the concepts of virtual patching, which leverage AI machine learning services again to be more flexible on the proactive side and more quick to patch. So that's kind of on the like, the positive, like what can we do that's going to be really you know, potentially as whiffed on velocity as what the attackers are doing. But I think the other side of it is organizations should really be looking at their services that are exposed and being really prepared. What is the plan if the best thing for us to do is to just shut down that access and make it so that you have to come in through another route, or we're back to some sort of manual process, or what is that? What is your continuity plan if that's the better option? Because it's not unrealistic for some of these things to be like, yeah, it's way better given the nature of a particular exploit or a particular vulnerability, to not have the service but still have the data intact, to have the integrity intact, to know that an attacker did not get into it until we have time to patch versus allowing the potential for that breach to happen. All comes down to risk decisions. But at least have the thought right and think about, okay, well, what would it mean? How would I work around? How would it be minimal damage to the organization to operate without that service being accessible?
A
At least that's some good news in that. Yeah, let's take our forecast forward into the coming year. We've certainly seen some of the things that have been happening, if this was the month of AI and new proofs of concept and things like that, and hopefully, as you said, maybe some legislative moves forward, which is actually on the plus side, that's a good thing. What are the things we should be watching for in the coming year that we should really be taking stock of now? David, do you want to start?
C
Yeah.
D
So I'm going to go to everything old comes new again. So we're back in the hot debate about private sector companies being given the authorization to go on the attack, to actually be given government authorization. So we've got some great reporting at Risky Business that says there's legislation that's been reintroduced by US Congressman David Schweikert, Republican. Good news is hopefully it's not going to pass in its current form, but it is called the Scam Farm, the Scam Firms Marque and Reprisal Authorization Act. And it riffs off of the old-fashioned letters of marque and reprisal that authorized private organizations known as privateers to attack and capture sailing vessels, but now applied to a digital world. And anyone familiar with Canadian culture is going to immediately know the Maritimer was immediately attracted to the thing that sounds like Barrett's Privateers. So, yeah, it caught my attention. But let me just reiterate right off.
A
The bat, this is for everybody, you got to go back and give the cultural reference, because I don't think. I'm not sure that everybody knows of this particular thing, but in the wars in the 1800s, there were a lot of ships that were taken that were really for hire, and some of them were real losers, but essentially, you could go and join the war. And in this particular case, whether it was a war between us and Canada, because there actually was one, or in other places, you could actually go out and be a privateer. And you were. You had the authority of the government to be out there in it at a time of war. And you're saying the same concept is maybe being introduced into modern legislation.
D
Yeah, so it has been introduced. There's a lot of weird things happening in government right now in a lot of places, including the United States. Really bad idea. And in normal times, this concept has appeared in the past and been rightfully knocked down, and hopefully it will get knocked down again. But essentially it gives the authorization to hack back. And there are a million and a half ways this goes wrong. Right. Like, number one, most sophisticated criminal organizations attacking someone use a series of proxies along the way. Consider it the cyber version of island hopping. So the last person to hit you is usually not the actual person doing the attack. They're just a little puppet along the way. There's somebody's poor, compromised home router, or more likely a university near you who left their stuff wide open and, you know, was used to attack Homeland Security 100 million times over a weekend. I'm not saying I personally experienced that back in the day, but may have seen some things, may know some things, and had that private right of action applied in that case. Or the time that a university accidentally tried to attack and DDoS Google back in the day, and say Google had said letter of marque to hit back, we would have just blown up the university network, which would be emotionally satisfying to the Google team, I suppose, but super bad news for that really innocent university that didn't have enough cybersecurity funding. Again, all strictly hypotheticals, no names, no places. But, yeah, it's supervised. And then you get your national security concerns, so you do hack back and you actually do manage to hit the Chinese, the Russian team, and they're like, oh, this is an unprovoked escalation from the United States. Maybe we're going to shoot at one of their Navy vessels going through the South China Seas, and all of a sudden things get out of control. All right, thank you. This is stupid. Yeah, I couldn't put it other ways. 
And by the way, if you ever want to tell someone's from Atlantic Canada, all you have to do is just sing out. I'm a broken man on a Halifax pier. And if they start singing to you.
A
You know where they're from, you know they exist. And for those who don't know of this, Stan Rogers, wonderful, incredible musician, and you should Google it. Do I really get stung if I put it? I'll get a copyright violation on you.
D
There you go.
A
So yes, David, we will have the clip of Barrett's Privateers when editing this show for the audio podcast, if you're on YouTube listening to it.
C
I was gonna say you can always put a link in the description or the show notes to direct people to it for their extra credit.
A
Yeah. And so can we just go back in this? I understand the concept of maybe hitting an innocent victim, but is it really? I also wanna understand the frustration that people have of why they can't hit back. And we know that government's hitting back at these groups has been actually a great thing going after them. So why, why would, is it only the issue of you might hit the innocent or are there other drawbacks to this type of legislation?
C
Well, I mean, it's the same as.
D
People wanting to do the whole catch-a-predator thing, right? Emotionally satisfying, want to be protective, want to protect children and vulnerable people in your community. Completely understand a lot of the motivation. Some people just want to beat on other people and use this as an excuse. Just like some hackers just want to hack shit and are going to want to use this to break into somebody else's stuff. You can blow up years of police investigations, you can interfere with some of these nation state backed things, you can cause a lot of chaos along the way. And you could hack something that enables a proportional response cover from a hostile nation state, say, well, you guys started it and we were just responding proportionally. It's, you know, there's no such thing as mutual assured destruction in cyber. I mean, that's the wonderful awful thing about nuclear weapons in that form of conflict is you know who fired it. And everyone knows that if you fire it, you're going to get a response that's going to be awful, and you don't do it. Cyber has no equivalent concept of mutually assured destruction. It has this amazingly awful, warm, comforting blanket of plausible deniability.
C
And I'll play a little bit of devil's advocate, but can't you punk this one? To David's point, as with just about every idea and every policy, it's all about the implementation. Right. I've seen things that were directed and sounded like great ideas and in the implementation turned terrible. And I think this has the potential for something that, yeah, if it is implemented in a very loosey goosey fashion, that's the official term for it, by the way, loosey goosey, it could be very, you know, it could be very detrimental, but also implemented correctly, because it's not like it shouldn't be. Okay, I'm going to say it shouldn't be. Just anybody can put their hand up and say, hey, you know, this was an open letter. Now I'm approved to go do whatever I want. It's like, no, it's not like you just got to be a privateer because you got on a boat one day and said, hey, I'm a privateer now. You know, you were approved and effectively, in a sense, hired, though the pay was your own to make. There were certain rules of engagement around it and certainly in a modern concept, some sort of sense of, yeah, there are appropriate steps to go through before engaging. It's not a free for all, and if you break the rules, you're out like that. You know, it's not a carte blanche to do whatever the heck you feel like. So again, implementation. I'm not saying any of those things have been done or considered. I have no idea. I'm just saying it could be done in a way that balances the need to act quickly, because that also is a factor. You can't tie it up in so much red tape that it's not going to be effective, but also has a few checks and balances in it to make sure you avoid the problems, like you said, David, of compromising other investigations, causing a war. Small implications that could be. We want to avoid those.
A
I think also we have to realize who we're dealing with. And this is a caution I would give to anybody on this: don't mess with hackers. Like, you don't know who you're up against. You may think you're up against some kid sitting there, a script kiddie. And not surprisingly, being a show that has cybersecurity in it, I get taunted all the time by people. Big surprise. Laura, what's your image for the future or your projection into next year? What are we watching as we go forward?
C
Well, you know, one of the things that has sort of cropped up a little more frequently for me, and I don't know that many people are making noise about this, but we talked a little bit in the earlier part of the show about biometrics and MFA. And one of the things that I do see regularly is MFA that's implemented in a way that you can just kind of opt to bypass it if it fails for some operational reason. And I see it in sort of the common platform implementations where it's like, yeah, we want you to use this really good version of MFA, whether it's the app or a token or a biometric. But if you can't quite meet that, we'll let you downgrade to SMS, or we'll let you downgrade to a one-time password on email, or hey, you know what, if that's too hard, maybe we'll just let you not do the MFA at all in certain circumstances and kind of work around it. And I think that will quickly, and by quickly, I mean 12 to 18 months, I think we really need to get cracking on that and stop making it so flexible on the spectrum, because those are the cracks that the hackers play in, right? The people who are setting organizational direction, their IT teams tell them, yep, everybody's got MFA, or we've turned it on for everybody now. But on is not the same as actually enforced at the correct level. So there's different degrees of on.
D
And we've got a painful, painful municipal lesson on this now with the decision by the insurer for the city of Hamilton to say, yeah, no, you didn't deploy MFA, you were told. And what's worse is they had the receipts saying you knew years before your incident, and you had to get this done and they just didn't. To the city's credit, they acknowledged it, they were honest. Well, the end result is that, you know, they had $18 million plus cleanup cost. 5 million of that could have been covered by insurance. If not the larger argument of maybe they wouldn't have had any of the $18 million expense if they had done this. The INH defense, the city says in this particular attack, it was a different kind of vulnerability. MFA wouldn't have made a difference. Yeah, well, it would have made a $5 million difference in your coverage. And I guarantee you, there's one thing I'll say, they ain't the only ones that have been told and warned. Your insurance is predicated on X, Y and Z. And they either have it as vaporware, shelfware, check-the-boxware, leaky lightware. And I tell you, more and more, when the bill comes due, this stuff comes out and really sucks.
A
So this is one of the simple things as we go looking forward into next year, because I'm always amazed at this, the glacial progress we've made at MFA. And I point out the example. And I'm not, I'm never too much. And I don't brag about this. I don't claim that we're the security experts, we're not like, we get hacked like everybody else. But without that comfort of knowing that I have MFA on at least my key accounts and religiously so, and that we don't do, we don't follow links and we don't do those things, I'd be in a total panic with just a couple of the emails I've gotten over the past day. I sent one of them to David to say, this one looks perfect. This hacking email just looks absolutely perfect. And, you know, so if you don't have that MFA, you don't have the assurance. I think you've pointed out, David, that check your insurance policy, if you're sloppy about MFA, remember that insurance companies, God bless them, don't exist to pay out. They exist to pay out within the exact confines of the contract they have. And they're very sticky about this. And if this works for Hamilton, where an insurance company doesn't have to pay $5 million, you watch that a lot of claims people will be going, what? And doubling down on this. So don't be surprised if you had a claim that you thought was approved and you didn't. You don't have MFA if somebody comes after you on it.
C
I was just going to say, sadly, I mean, this is one that made it public. But the number of insurance claims that have been denied over the years. Right, and people don't understand, right. Paying your premium to get your insurance is worth zero if you don't do the things you said you did. And you're the one who answered yes or no. Right? You told the insurance company whether you put this in place, you told them whether you had anti-malware on all of your machines, you told them a number of things. And they're simple yes, no questions. Which means there is some. Where a question's answer is gray. Right. Can create maybe some challenge, but at the end of the day, it's a much more expensive fight if you lied to try to get anything back out of them, or if you were in the gray zone, maybe it wasn't a full lie, but it was you interpreted creatively and as a person who.
A
Spent a fair bit of time in IT in insurance companies, I will tell you it's not malice, it's not, there's not some evil person sitting there. When times get tough, when margins are challenged, instructions come down. Make sure you're being doubly careful. And those instructions no doubt have gone down on cyber insurance many times. And that is to say, be doubly careful to make sure everybody's dotted every I and crossed every T in that policy. And you can hate the people who do the reviews, the policies, enforcement, they're just doing a job that if they didn't do, they'd get fired.
D
I know some people in the insurance industry and they do care about their clients like the best in that industry. They view what they do as what it can be. It can be that lifesaver, it can be that help. It's that ability for people to pursue their dreams with a safety net. But there's a bargain, there's an understanding, there's a contract, there's a mutual obligation that, you know, it's not just a one way thing. You didn't buy the ticket to the movie and they now just owe you x.
A
But there are two components to insurance and this is what we have to realize. The people you're talking to and dealing with, whether it be brokers, whether they be salespeople, whether they be whatever customer facing people, are in a different side of the organization from the underwriting. And the underwriting are the people who make the rules and say these are the risks we're willing to take. And they are also in charge, that side of the house anyway, not necessarily underwriting, but that side of the house is in charge of enforcement. So all of the caring in the world from your insurance, all of the personal relationships you built up, they, God bless them, a lot of these people will go to bat for you. But the reality is if you don't have what you say you have on your insurance, Laura's advice is absolutely stellar. Do it now. Go and make sure you get it done. If you're a person in cybersecurity, go to your management, to your board, to whomever, and say, we got to do this. This is our exposure. Take the Hamilton example with you. And I've got a friend who's a CISO and he says every time he gets a story, he actually follows Cybersecurity Today, because every time he gets a story where there's something like that, he sends that on to people. And the Hamilton story is a great story to send to people. Our insurance could be voided and we could be out $5 million. That takes care of a lot of executive bonuses.
C
But one other thought out there, talk to your broker and you can ask a broker to run different scenarios on your insurance policy and, you know, loop some of those things over. Ask them, you know, what if I say no on this? Not that I'm saying no, but if you want to find out what really causes the root cause of cyber incidents, find out how expensive your premium goes up for certain things or whether you can just not get insurance anymore. And if you can't get insured on it, that means it's no longer an if, it's just a when that will cause a breach. And yeah, anyway, I'm not saying, you know, waste your broker's time with a bunch of scenario running, but it's very valid to ask the question and sometimes it'll come back and it makes no difference at all. Well then at least you know, what if that's true for you, the answer is no. Stick with no.
D
Dear, dear insurance industry, Laura has just handed you, on a silver platter, a perfect marketing tool with a webpage where you can walk them through a cyber insurance policy and have them turn things on and off. And boy, wouldn't that save brokers some time. But it's a hell of an education tool. Not everything has to be a computer-based training module. The chance to actually click, click, oh, is a really good experience.
B
But.
D
But I want to toss over to Tammy because I'm hoping for good news, but I'm prepared for bad news. Tammy, you know we talked earlier this summer about Scattered Spider. There have now been some arrests. As we look through to the fall, are the spiders scattering?
B
So the latest news I have on basically that group and more is that they have actually started trolling researchers a lot more. For example, they recently put out a fake Europol $50,000 bounty on the admin of Qilin, the ransomware group. No. And the admin is called Haise, H-A-I-S-E. And it was on Telegram and it was basically like a poster, like a wanted poster from Europol. The same design and everything. And it was basically saying, if you had information about Haise, come forward, and, yeah, here's where you could contact us. And it was a $50,000 reward. Now there were a lot of issues with that because Europol has never actually done something like that. I know the FBI has done some stuff similar in that aspect when they were targeting BreachForums. And so this is where the inspiration came from, because when they took over BreachForums, they essentially created, like, FBI BreachForums, and it was like a tip line for people to come forward. So this was like Europol CTI and it was meant to be a tip line on Telegram, but it was completely fake. This was created by the Scattered Spider/Lapsus$ gang. And one of the interesting things was that it was 50,000, and the way it was formatted was USD. Europol would always put out a bounty in euros. So that was one giveaway. And there were a lot of other different giveaways because it was never formally circulated by Europol's LinkedIn or Telegram or Twitter account. So there were a lot of different things like that. And they've actually just started a new forum called Reach Stars, and so we're seeing them posting on that as well now.
A
What's the point? Why would they do this to this person?
B
So it's a lot of the counterintelligence work they understand, and because some of the individuals that are part of this group are part of the cybersecurity community as well, to some degree, and they understand that a lot of our tools work on keywords, so they know that by including certain keywords in their claims, they'll trigger a lot of flags and a lot of notifications. And this is a way of creating counterintelligence and making it harder to sift through the noise. And it's really just. A lot of it is for his trolling. Absolutely.
A
Yeah. And so they put up a wanted poster for this admin. And like I said, I'm still lost as to what they gained from doing that.
B
So there's an idea that. So one of the theories is, again, this is just purely speculation, but there was another user on one of the other forums that was asking for a similar amount, 48,000. And they had a grudge and beef and grievances with the group because they were claiming that Qilin dropped $50,000 worth of a ransom. So if you're following the dots, this could be the same affiliate or an affiliate that is connected to this, and this was their way of trying to make a name for themselves. But a lot of this is just counterintelligence.
D
So I just want to add a cultural reference in here for folks wondering what Scattered Spider and the web on the criminal side is starting to really look and feel like. If you have not seen the great 1970s cult classic The Warriors, that is essentially what Gen Z and Alpha and the crimes are now living through. And it sounds a lot like someone just put a hit out on Qilin and he's going to bop his way through the New York boroughs and not get busted up. So again, I highly encourage you, if you're on your weekend, watch The Warriors, and you know it's gang culture, right, like you're taking out your opposition. You got a beef with somebody, like, you know, we just keep doing the same things as humans. We just find new ways to do it. So the short answer to my question, Tammy, on Scattered Spider: are they done? Are they finished? We got the four key leaders identified. No, no, the party's still on and that's bad news. And where this fits in, Jim, is we saw some stories this summer, and sort of forward projecting, youth unemployment continues to rise. Disruption in the technology space continues to push really well educated, trained folks into desperation. And if Godman666 from DEFCON is the warning on any of this, people with these kind of skills could end up on the wrong side of the law not because they want to, but because they feel like they have to. And you know, this is not a great combination. Getting trapped into this cycle, getting drawn into this, recruited into the Comm through things or into Scattered Spider through the Comm and other things, like, the kids are increasingly not all right and we better get a handle on it.
A
The data is absolutely clear and this is something for anybody who's thinking about, you know, jobs lost to AI and unemployment. We record this on Thursday. So I actually can tell you what story I'm going to have tomorrow and it's on youth unemployment, and there is a huge report that really looks at the data and there's been at least a 13% decline in youth employment at a time when many other places are experiencing increases. It is their theory that these youth are the most hit by AI. When you start to see the number of jobs that are for entry level programmers and tech people. Yes, there are a lot of people with technical skills or technical interest who are not getting jobs. That's a huge social implication. But also, Tammy, I just want to go back to Scattered Spider because I read a thing today, and I'll probably be doing a story on it as well, is they are just famous for social engineering, and if everybody's followed, a number of CRM systems have been compromised through OAuth and through other things, and what they're getting is an incredible amount of data and information on people that allows you to do social engineering. There was a huge piece that was just published on this. Are we going to see more social engineering from this group as they're reforming?
B
Yeah. So one of the ways that they do, they were able to leverage basically Salesforce to send legitimate emails that passed DKIM inspections and they were able to say, hey, hey, this is a legit email. It was a legit email and they were basically socially engineering through that vector. So they are very motivated, they are very technically skilled and they are very cunning is the way to put it, and really tricky when it comes to trying to deal with them. They're not to be taken lightly even though they're young. They absolutely need to be respected and not to be taken lightly and not underestimated.
D
And just something I want to go back to, Jim, is that when I hear techno-utopians tell me that security controls are going to solve all of our risk and we don't need to educate people and improve awareness programs and do phishing tests, I love reminding them of stories of, hey, you know that cool DKIM, SPF, DMARC protocol that you still haven't fully properly implemented everywhere? Even when it's there, it can still be abused, because actually it can inflate trust in other ways. And what a great example. Like, yeah, these kids are not, like, they're not dummies, they know how to do this stuff well, and it's kids. You know, we're seeing other attacks on Salesforce right now that, you know, this may be a good segue into what does the future hold. So we had attacks leveraging authorization theft, essentially, you know, identity access theft, that target AI access. And so through Drift AI into customer Salesforce instances to extract large corpuses of customer information. So, you know, I was talking to a reporter and I was just shaking my head about agentic AI and other things. I was like, wow, just when you think, you know, it's safe to go back in the water, some brilliant technology comes along and takes the most effective attack method for human beings, social engineering, and says, let's bake it into the AI now. Awesome. So now we can social engineer computers too. Sweet.
A
Yep, it's going to be a challenge. One of the new open source models for AI that OpenAI released has been automatically integrated into the attacks. And these things will just get better and better as we go forward.
D
And one thing about what the fall is going to hold. It was really sad this week to read the story of a young teenager who died after months of encouragement to commit self harm, allegedly by OpenAI's products, and the parents have now launched what I suspect will be the first of many, many lawsuits. This, by the way, is not the first news story to allege that someone was led to self harm, but this is the one that's bringing some receipts to the table and has a very prominent American law firm driving this. And it's coming at a time where the lie of prompt security, or prompt-based security, is really unraveling so fast. And I think the analogy I used about some of these large language models is that imagine a massive urban landfill garbage disposal facility, and that eventually they just covered it all up with dirt and turned the mountain of garbage into a ski hill and they made it look pretty and they did everything else. But as you're skiing down that ski hill, occasionally you catch a whiff of something awful, because below the surface is a lot of garbage, and you can bury it. But if you didn't clean that garbage out, garbage in, garbage out. And there's a lot of harmful content hidden in these ones.
A
But there's not, it's not. And it's not just OpenAI, by the way. Meta has a similar lawsuit out. These things, the tools that are being used in AI, are dangerous in those aspects. We should be doing something about it. But the story of AI, if you regard AI as secure, and you can be a proponent of AI, and I very legitimately am, why? Because I believe it's going to happen. We better get used to it. When Geoffrey Hinton, who is really regarded as the godfather of AI, there's a big debate going on right now and that is will we ever get to superintelligence, will we not? And all that sort of stuff. Big who cares? Geoffrey Hinton, who we regard as the godfather of AI, said, I tried to warn you that we had little time to prepare for this. We have less. And that's basically what he's been saying. And in the security end of this, first of all, you have two elements. One is it isn't secure, it just isn't. You cannot deal with AI in a way that makes us secure. Why? Because I'll give you a dozen stories of how to beat prompts. They have not developed a secure application. They've developed an intelligent application. That's piece one. Piece two, the idea that you can somehow hope that OpenAI or Meta or somebody will protect you by keeping these things safe so that they don't attack you is gone. There are so many open source, open-weight models released. They are not going back. Pandora's box will not be closed. This is something we have to deal with in the coming year as cybersecurity professionals. And I don't sense that we've really prepared for it. I mean, I felt that we botched MFA like that. We just sort of la-de-da'd through that.
C
But we can't even use firewalls really well.
A
And we're good with firewalls. Yeah. After.
C
Not really, no.
A
So, okay, we're not good with. We're not good at firewalls.
C
We can't even manage firewalls.
A
I don't want to leave this with this because we've got about an hour. We do have to close the show down. But I just want to go back to this and say, what's the hope? I don't want to admire the problem. We've got some of the things that we should be doing in the next year. What should we be doing and how should we be attacking this? But I'm going to start with Laura because actually, I'm going to end with Laura because Laura is usually the most positive. I'll start with David because he's usually the most negative. Did I say that first?
D
To change, you have to know there's a problem. And from ChatGPT-5's underwhelming launch to the new MIT study that says 95% of AI projects are failing to drive actual value to the businesses that implement them, to the shocking stories of harm caused by this, the story is clear. The initial exuberance, this is magic tech that's ready to go, that bubble has been burst. And from that we can march towards a pragmatic, useful, safe approach to intelligent software and to reap some of the tangible benefits that we have seen, the tantalizing future potential. Like Jim, I will fully acknowledge that a future of humans and technology together working more intelligently to drive better outcomes is bright for us. If we listen to the Geoffrey Hinton warning in its truest sense of stop, pause, fix it, get it right, and don't trust Meta that break things, people, careless people, and apply critical thinking. There is hope. If we pull out of the nosedive dumpster fire position we're in now. Maybe I'll yield to Tammy. She's been patiently waiting to hopefully give us more on the hope train or derail us to take us back to dystopian nihilism.
B
So there's this really amazing research by Daniel Kokotajlo, Scott Alexander, Thomas Larsen, Eli Lifland and Romeo Dean. It's called AI 2027 and it is a fantastic research paper, you can download it for free. Essentially in that research paper they create this fictitious OpenBrain company which is modeled around Anthropic, OpenAI and Google DeepMind. And essentially they're saying that in the next couple of years, as these companies build out more powerful data centers that could throw more computing power and sign better energy sourcing agreements with governments, they're going to be able to throw more processing, because we're still using the same fundamental tactics and techniques that we did from 2017, 2019 to grow these models, which is just throw more compute power at these, which is highly inefficient. But at the same time, essentially they're saying that once the AIs can start training themselves and rewriting themselves, these companies are going to start creating AIs that are designed for AI research. So once they focus themselves on these things, they're going to be able to create these agents that are like Agent 1, Agent 2, Agent 3, Agent 4, Agent 5, each more powerful than its predecessor. And a lot of that, oftentimes the models that we see on the public side are not the best models that these companies have. Internally they have way more sophisticated models that are creating the public model. And so what's going to end up happening, according to this research paper, is that as more people start using the public models, and these are more efficient models, we're going to have to change regulatory stances, employment is going to really be affected, and then you're going to start to see geopolitics really getting affected. And because there's a whole concept of AI black boxes where you have, like, can you understand the AI anymore? Or essentially as well, it's like, can you trust the AI models?
Are they lying to you? Are they misaligned? So these are all things that we have to figure out. And the only way to really do so, and I'm going to basically wrap up here, is to say that we have to pressure our governments. It's really just pressuring our governments to implement regulatory policies to try to put guardrails on this. It's the only thing we can do, I think, at this point.
A
And the next 12 months will be. And I'll accept two of your three premises, David. That MIT study, do not read headlines. They said that 5% of AI was delivering a financial benefit. They didn't say that 95% of AI projects failed. That's been a popular misunderstanding. And as I pointed out with cloud, when I first started talking about cloud, I think probably 15 years ago, you could tie a pork chop around my neck and the dog wouldn't play with me. Then we got to the point where people would come to my sessions and they would say, I'm here to find out about cloud because I want to know how to argue against it. And then five years later, you'd meet the same person, they'd be coming to one of your sessions, they'd be saying, I need to know how to adapt to cloud. And through that whole period of time, there were objections. Everybody said that cloud would save you money in the first part. Everybody realized it wouldn't, and we moved on. It is now the dominant way that we offer IT. AI is going to do that, but under a whole compressed time. Whether we like it or not, it's happening. The immediacy is in the stuff that you're doing, Tammy, right now, the tools that are being put in the hands of groups like Scattered Spider and hackers, we need to cope with, you know, at the same time, we need to cope with the vulnerabilities that we have in our own AI implementations. Because I will guarantee you another thing just from the trend of history, is that if you try to regulate against AI in your corporation, people will sneak it in, executives will bring it in. How do I know? They did this before with SaaS and they'll do it again. So we have to get a strategy for dealing with this in the coming year.
D
Just a quick thing. I want to, I want, I want to own the mea culpa on that because I just spent Saturday's episode getting upset at people for missing the point of some research. But the thing about the MIT study, you're right, that what it said in terms of the financial value. But the other part is anybody who's been around the block about IT failure rates knows that new complex technology, enterprise resource planning, customer relationship management systems, they had staggeringly high failure rates initially and it had nothing to do with the tech. It had to do with: do you understand the business problems you're solving? Do your people feel bought into it? Do you have the right change management process? And that's. So I just wanted to own that for a second, say I should have delivered the nuance on that, which is that we have a chance to stop, pause and figure out how to do this technology in our businesses and organizations well. So I'm just going to own that moment. And Sensei, thank you for correcting me on that.
A
Yeah. But we have to understand these systems are fundamentally flawed. They are fundamentally security problems just by the way they're designed. This was the way that AI has come at it. And Tammy said it quite rightly. They've been experimenting, a whole pile of people playing with this stuff. There's no architecture for security. I think maybe Anthropic comes close, but nobody else is even looking at that sort of stuff. And we will pay for that flaw in the software, especially at the speed it's moving. We're moving at a speed that we can't keep up with culturally or process-wise. We just can't. Laura, what's your hope?
C
I think I must have been channeling my thoughts through David's mouth when he jumped in there, because that was one of the directions I was going to go, is from the positive direction. It's like focus on what problems you need to solve. And a phrase that I like using a lot is AI is a solution looking for a problem. Half the time people are like, oh, I got to get on this AI train and we're falling behind because we're not getting on board. And if you're falling behind, it's not because you're running, it's not because you're not using AI. Understand what is causing it. You know, if your business is falling behind, the solution is not why you're falling behind, it's some other fundamental problem. And then maybe AI and those types of machine learning tools or new technology is the solution that will help you solve the problem. But you know, to that point, understanding what the core of the business problem is, what the change needs to be, and then correctly executing against understanding your requirements or having iterative methodology to try and fail quickly to get to the things that actually work is so important. So, yeah, the solution doesn't preclude what the problem is. I don't think I have a whole lot of positive other than like, just keep your stick on the ice or.
A
I waited to the end of this, I set you up for this and what I get is stick on the ice.
C
That's what you get is my Canadian bit for the day. No, I think there is a lot going on. And another thing that I do very much tap into is focus and simplicity. Right? If you stay focused on what your real priorities are and then look at what do you need to do around those to protect those priorities. Stay focused, get those things done. Don't let the noise distract you. If you're focused on the right things, the other things will follow. And that's universal advice. But it's very true in tech as well. If you stay focused on the things you need to do to get your objectives met, you can whittle out a lot of time distractions because, to Jim's earlier point, there are so many different vectors that every new service brings to you that you have to make sure that you've thought about. You have to think about what data are you putting in there? What happens if it gives you a wrong answer? What happens if it's been poisoned and doesn't just give you wrong, but gives you malicious answers? Is it critical? Have you injected this in a critical service? Well, what happens if it fails or makes mistakes or all of these things kind of wrap around it, right? So there's a lot of energy and effort that needs to go into success. And it's very possible. We see, you know, there are those 5% that are true successes, and among the 95%, I'm sure there are some that will turn and become successes with more time. But if you're not staying focused and being able to put those safeguards around it and doing the right things, understanding how do you build checks and balances into it, you know, you're not setting yourself up for success. One other thought to share was a couple years back, I was honored by being a keynote at SecTor. And one of the things that I graphed, and it wasn't a real graph, it was just Laura's perspective, was the chart of adoption. Right. You see, it's a bell curve, right. And there's no like really fixed numbers around it.
But, you know, it starts off with your early adopters and then there's your kind of next phase. Right. The people who are your early, early adopters. And then usually before you get to the peak of the curve, there's a trough of disillusionment. And with AI, because it was so easy for people to experiment as individuals without having to do commercial investment, I really feel like we are now at the point where we did cross the curve. We're well over half adoption in companies. But this is where the trough of disillusionment is coming in now. And the question is, how much did you adopt before you felt the pain of disillusionment? And if you went too far, are you prepared to claw back? And that, that'll be a question I think people need to be looking at in the coming months, right. Did we have a plan to pull out of those services? And this is a really negative note to end on. Sorry, I'm not going to end on it, I guess. But the CLOUD Act bill south of the border, I think that's another one of those turning points where people are going, crap. You know, I thought we were ticked and tied, that we were safe. You know, the physical services are geographically located where we wanted them to be. There are separate corporate entities. But at the end of the day, the people with the fingers in the systems are in places that are no longer operating as a friendly. There's going to be a lot of work coming in the next few months to say where do we need to pivot and pull back faster than we were able to go and make the move in the first place.
A
Yeah.
D
And I'm going to go back on the positive note of that, Laura. I will tell you that this issue, the CLOUD Act, the issues of data sovereignty, digital sovereignty, I had a very quick conversation with some senior government folks this week and it's on the radar. So the good news is, I know the nine scariest words in Canadian politics is, I'm from Ottawa and I'm here to help, my riff on Reagan's famous line, but they're not unaware. I just want to end on this. That reintroduction of the trough of disillusionment to the choices that we have to make because of that. That actually was Bozdem. He really did a great job of framing up, hey, this has happened before with other technologies. We're here. Here's where we are in the journey.
A
Tammy, you look like you got something to say. I don't want to leave the show without you doing.
B
No, I was just. That was such a fantastic way to put it, Laura. I think, like, I'm just going to go back and say what I said before, which is we have to pressure our governments to put some regulatory pressures into this and not to cave in to the corporate profit seeking. We need to, we need to make sure that everyone is taken care of and that this is actually going to be right for us.
A
Yeah. And I'm going to leave us on one note and it will go back to what you said. Laura, you're getting the gold star for this edition, but the issue is in our jobs as cybersecurity professionals. We have already been swamped with just the regular keeping up with all the things that are happening. We now have to face the fact that the things that we might think of as outside of the technology range of our jobs, legislation, digital sovereignty, social issues, and the colossal speed of technology, all of these can seem a little overwhelming. But Laura's advice really was important. Keep your stick on the ice. It's better to do something than to do Nothing. So, you know, just. And my advice to cybersecurity professionals is when you feel overwhelmed, remember Jim's rule, which is, you know, just because you can't do everything doesn't mean you can't do something. And as we go back to this, if you're feeling sort of hopeless about this, go back to the fundamentals. You know, the fundamentals that we talked about mfp, making sure that you've taken care of your login, you take care of your identification, make sure that you're educating people about the world that's out there. And we're going to cover some shows on that. Tammy's going to come back and we're going to bring in people who are going to, over the next few weeks and months, talk about some of these issues in more depth. David's talked us about phishing. Don't forget about phishing and the fundamentals of that. I shared an email with David yesterday. I know it's gotta be a phishing email. I cannot find out why. And that's the type of sophistication we're gonna deal with. So building that and how do you deal with that? You need technology. Yes, but you need suspicious people. You need people to say, I don't have to click on that. I'm not going to. Maybe that idea of just zero trust as an attitude would be a great thing to build. Thank you, team. I appreciate this. 
We'll bring you back again in the coming months and we'll see how the year goes by. I want to give my thanks to Laura Payne from White Tuque. Laura, thank you very much.
C
Thanks for having me again.
A
Jim, Tammy Harper, wonderful to have you back and we'll be talking to you more in the coming year.
B
Thank you very much.
A
And David, who will be back? I don't know. We haven't discussed this, but I don't know if you're doing a Monday morning show or a Tuesday morning show for the first morning of the week, but that's, that's something. You'll be back next week sometime with Cyber Security today.
D
I will also be recording the following week from the beautiful and sunny island of Barbados where I get to hang out with some clients. So, you know, super excited about that trip.
A
I was trying to like you, David. It's. It's rainy and cold here. And that's our month in review show. David will be back on Tuesday morning and I'll do a Thursday show next week. In the short week. Until then, have a great weekend. I'm your host, Jim Love. Thanks for listening.
Podcast: Cybersecurity Today
Episode: Month In Review Panel for August 2025
Host: Jim Love
Panelists: Tammy Harper (Flare), Laura Payne (White Toque), David Shipley
Date: August 30, 2025
This episode of Cybersecurity Today's "Month in Review" takes a dual perspective: reflecting on key cybersecurity developments in August 2025 while also forecasting the pressing challenges and strategic priorities for the upcoming year. Jim Love and a panel of prominent cybersecurity thought leaders delve into legislative progress, the growing sophistication of threat actors (turbocharged by AI), regulatory gaps, and practical defensive measures every organization should consider.
[00:01–02:23]
[04:58–07:51] Laura Payne, with David Shipley and others
OPC Biometric Guidance: Canada’s Office of the Privacy Commissioner released long-awaited biometrics guidance, delineating company obligations, guardrails, and risk stratification for different biometric data types.
Quote ([05:26], Laura):
"We know biometrics are very strong authenticators. But...the more unique they are to you, the more important it is to make sure they can't be stolen and replicated."
Enforcement is Still Lacking: Federal leadership on enforcement remains an unsolved problem.
Quebec Leads the Way: Quebec’s advanced legislation is cited as a model, but the patchwork of provincial laws hampers nationwide progress.
National vs. Provincial Regulation Dilemma: Panel agrees that fragmented laws increase organizational complexity and costs, but a lowest-common-denominator federal approach risks under-protecting privacy.
[13:04–21:45] David Shipley, Jim Love, Tammy Harper, Laura Payne
AI and Rapid Exploit Development: Security researchers demonstrated AI systems can generate working exploits for published vulnerabilities in 15 minutes, at a $1 cost.
Quote ([14:23], David):
"They figured out how to do it...the average time to generate an exploit was 15 minutes, the cost to generate a workable exploit was a dollar."
Patch Windows Shrinking: Discussion of a recent Microsoft Exchange hybrid environment flaw exploited rapidly across North America.
The Need for Better Code, Not Just Faster Responses: The panel warns current patch/change management speeds risk outpacing the ability to patch safely.
AI-Generated Ransomware ([18:18], Tammy):
Defensive AI & Virtual Patching: There’s promise in using AI/ML for proactive defense (e.g., virtual patching), but organizations must also plan for continuity in case urgent shutdowns are safer than exposure.
[22:16–29:48] David Shipley, Jim Love, Laura Payne
Proposal in U.S. Congress: 'Scam Farms Marque and Reprisal Authorization Act' would allow private companies to retaliate against cyberattackers.
Major Issues:
Quote ([25:54], David):
"There's a million and a half ways this goes wrong...the last person to hit you is usually not the actual person doing the attack."
Laura’s Caution ([29:00]):
"If it is implemented in a very loosey goosey fashion...it could be very detrimental, but also implemented correctly...[with] checks and balances...maybe you avoid the problems."
[30:21–38:52] Laura Payne, David Shipley, Jim Love
MFA Bypass Loopholes: Despite being “on,” MFA is frequently downgradeable or optional for user convenience, opening organizational gaps hackers exploit.
Hamilton Ransomware Incident: The city's insurer denied a $5M claim because MFA had not been fully deployed, regardless of the specifics of the incident.
Quote ([32:56], David):
"Your insurance is predicated on X, Y, Z...more and more when the bill comes due, this stuff comes out and it really sucks."
Actionable Advice:
[39:06–47:33] Tammy Harper, David Shipley
Ongoing Activity: Despite some arrests, Scattered Spider remains active and is engaging in counterintelligence trolling, e.g., posting fake Europol bounties on rival admins.
Quote ([40:56], Tammy):
"A lot of it is for trolling...they understand that a lot of our tools work on keywords, so they know including certain keywords in their claims will trigger a lot of flags and notifications."
Social Engineering & Compromise Vectors:
[47:46–57:51] Group
AI Encoded Risks:
Quote ([47:46], David):
"It was really sad this week to read the story of a young teenager who died after months of encouragement to commit self harm, allegedly by OpenAI's products..."
Regulatory Imperative:
[51:05–end] Panel closing thoughts
"Just because you can't do everything doesn't mean you can't do something."
David Shipley ([51:31]):
"The initial exuberance...this is magic tech that's ready to go...has been burst. And from that we can march towards a pragmatic, useful, safe approach."
Tammy Harper ([52:51]):
"We have to pressure our governments to implement regulatory policies to try to put guardrails on this. It's the only thing we can do, I think, at this point."
Laura Payne ([58:30]):
"Stay focused on your real priorities...do the things you need to do around those to protect those priorities. Stay focused, get those things done. Don't let the noise distract you."
Jim Love ([64:23]):
"If you're feeling...hopeless about this, go back to the fundamentals...You need technology, yes, but you need suspicious people."
On AI-generated attacks ([14:23], David):
"Average time to generate an exploit was 15 minutes, cost a dollar."
On insurance ([32:56], David):
"When the bill comes due, this stuff comes out and really sucks."
On persistent threat actors ([40:56], Tammy):
"...a lot of it is just counterintelligence and trolling."
On AI imperatives ([55:17], Tammy):
"We have to pressure our governments...to put guardrails on this."
Optimism from adversity ([58:30], Laura):
"...if you're focused on the right things, the other things will follow."
The panel underscores a cybersecurity landscape accelerating into new territory, destabilized by AI-driven attacks and regulatory lag but also bolstered by new tools and unyielding focus on the basics. Their collective wisdom: Put your fundamentals in order, pressure leaders for real regulation, and understand that while the threats evolve, staying focused and grounded is essential for survival in the coming year.
Keep your stick on the ice.