
In this episode of 'Cybersecurity Today: Our Month in Review,' host Jim welcomes a panel including Tammy Harper from Flare, Laura Payne from White Tuque, and David Shipley, CEO of Beauceron Security. The discussion kicks off with an overview of...
A
Welcome to Cybersecurity Today, our month in review as we start Cybersecurity Month. Our panel today is Tammy Harper from Flare.
B
Hi everyone.
C
Thanks for having me.
A
Laura Payne from White Tuque. Laura, welcome.
C
Thanks Jim. Always a pleasure to be here.
A
And my co-host, the host of our Monday morning show. And you do something else too, David, what is that? Oh yeah. CEO of Beauceron Security. David Shipley. Sorry. It's all about me, buddy. This thing gives me Monday morning off.
B
I was going to say, I thought you were going to say culture critic slash new travel influencer, but no. Okay.
A
All kinds of different roles. Okay. So I want to start talking about Cybersecurity Month. One of the things I do want to get to is what are you folks up to in Cybersecurity Month? Somebody said that we hadn't really talked about Cybersecurity Month, and that's true. One of the things I'm hoping to do, and I'm still going to try and do it, is we're going to do a revival of MapleSEC. And if anybody remembers that, it's something I started, the Canadian security show. We're going to do an end of month show, probably a couple hours, maybe with some hosts, and we're just going to do a slow start of it and we'll be back bigger next year. But I want to do that sort of thing. So I'll be planning that. We'll have a couple of presenters, we'll have a live audience. And we've been experimenting with live audiences and it's really cool to have a live audience for the show. So that's something we'll be doing. And I'm also at, and this is probably not as well known, but we're going to do the CIO of the Year awards. We're reviving those in honor of my friend and colleague Fawn Annan. And I've turned that over to the CIO Association of Canada. We ran it, Fawn, for I don't know, 10 or more years. So that's being picked up by the CIO Association of Canada, CIOCAN. And you're going to be wondering why am I mentioning that on a cybersecurity show? Because there's a CISO of the Year award. And so that's something. And by the way, if you're a CISO and you're not a member of CIOCAN, you're missing out, buddy. This is a place where, this organization is run by CIOs and CISOs. So it's not a sponsored thing where somebody is going to try and sell you a pile of stuff and things like that. It's one of those private meetings you can have as a Canadian executive where you can get people who will mentor you, you get people you can liaise with, a peer group type of thing. I'm a member, have been for years.
On the CIO side, they let me occasionally over to the CISO side, but only with training wheels. But if you're not in that organization, you're missing out on something big. Just go to CIOCAN, just Google it and join up. The dues are minor, but the benefits are big. That's my month. What are you guys doing?
B
I guess I'll kick off then. So this is the busiest month of the year for me. I was super excited and really honored. I got to give my first ever talk at SecTor. That's Canada's largest cybersecurity conference. It's our Black Hat conference. And to the shock of absolutely probably no listener that's heard me before, I was talking about why we need to do security awareness and why phishing training does work when you do it well and use the data. Things we've talked about in the show before, and it was really well received. I got some excellent questions. And one of the things that was really heartbreaking, though, was a couple of professionals came and they said, listen, our senior executives, or in one case a CISO, they had seen these clickbait headlines that said security awareness didn't work. And they just said, we don't want to do this anymore. It doesn't work. And they had to battle it. And they asked me for some facts that they could actually use. And it was eye opening. And I think it speaks to the irresponsibility of some of the tech journalism that I've seen that took the headlines and ran amok with them far beyond what the research actually said with respect to the limitations of some methods. So that was there. And then a huge amount of client presentations.
A
Just going to stop you for a second. Yeah, I caught everything. I heard every individual word you said. But you got to irresponsible tech journalism. What's the issue? I just want to make sure I'm clear on that.
B
Yeah. Since Black Hat in the States, when the University of California San Diego paper came out, some of the authors, not all of them, decided to play up their findings beyond what their research actually said. We have seen dozens of headlines that have gone beyond phishing training doesn't work, up to security awareness isn't worth it. And so they have literally caused tremendous harm and damage to this effort to educate people. And I get extraordinarily angry about this because some of these folks are medical doctors and they're trying to tell me that education doesn't work. And I'm like, that's fascinating, buddy. Clearly your education was worth something. So maybe we should be talking about what is the right education approach to this, which is, ironically, there were some really responsible researchers involved in some of these studies who had very specific points, and that's been lost now. And so it's been an ongoing thing to see the impact of that overhyped research in headlines. Even just last week, ZDNet ran it again. And the worst part is the journalists didn't even read the study. They just kept compounding this doesn't work and playing into this notion that we can only fix cyber with tech tools. And I'll be the first to admit it: if there was a tech solution that 100% shut down criminals, I would be the first from the top of the mountains to be shouting at everyone to use it. But there's not.
A
You and I would have formed a company and been out there making ourselves rich.
B
But, but, but we need layers of defenses, and that includes people. And yes, it's tricky, it's hard, it's not as easy as binary ones and zeros, but it is valuable. And to wholeheartedly dismiss it is irresponsible. So that was the Black Hat talk. And I've actually published some research on LinkedIn. We've expanded our Why People Click study. We're now up to 6,293 respondents. The data continues to get more interesting on that. I'd asked my data science team to run an experiment to see if survey responses changed on Monday mornings, which still is our highest click time. And I was convinced we were going to see a significant shift in the responses and we didn't. And we did a chi-square, which is for the stats nerds out there. Like, we really tested the math on this, and there was not a significant relationship between the time of the day people clicked and the reasons that they clicked, which means it's deeper than the work style. And there's something else driving the Monday morning click rate beyond what I thought was there. But what was interesting is that people that did our survey and answered it within 24 hours of being assigned it, they had statistically significant, chi-square validated, outcomes six months after they had. We don't know all the whys. I can't give you causation on this. It's just really interesting on that side. So anyway, sorry to prattle on about...
A
That, but it's a lot of word month this. And I want to go back to this because this drives me crazy about tech journalism in cybersecurity: wise up, folks. The journalists are listening in there. Or readers, go back and tell people, our listeners, they'd be... I would hear about it. But to be quite honest, we have a YouTube version. It drifts along. I get people pitching me all the time saying, your headlines aren't good enough. And I know what we're not doing. We're not doing clickbait. I'd rather have 100 or 200 or 300. And by the way, we're not dying for audience. Our audience keeps growing and growing. And I try to put stuff out that catches attention, but this is just fricking irresponsible. These guys, and David and I did a whole program on this, it's a couple weeks back, I'll put a link in to it, but check it out. We brought in a real researcher from the University of Montreal and we talked about these things, and it is really important. We need to improve not just the research we do, we need to improve how, journalistically, we report it. Anyway, that's off the soapbox. I'll let the other guys.
B
So the rest of the month is talks. But what's interesting is the amount of talks that I'm giving now about the impact of AI on destroying the shared concept of truth and reality, on the enablement of social engineering, is through the roof. And the last thing I'll end off with is the amount of folks who I spoke with at SecTor who are disillusioned with AI. Both the just deluge of the attacks that they're dealing with and just feeling it. Like really feeling it. But also there's a growing disillusionment with the overhyping of AI in the marketing on the defensive side. And it was palpable, and that was really interesting to see. I had folks come to my talk and they were like, I'm just glad you're just talking about humans right now. Or mostly talking about humans. I've had it up to here. Agentic AI has become the new zero trust in security marketing, and I think people are peaked out for a bit. So that was interesting. Anyway, Tammy and Laura probably have more interesting things to say.
C
I'm going to build a little bit on that. It's just the, we've preached for many years, right, security is not the same as compliance. And the way that study has been put out there is the classic example of that. What they really were finding is straight up compliance security awareness, I checked a box, I did a thing once a year, is not effective for teaching people how to spot phishing and to be effective gatekeepers. That seems pretty true. Which isn't to say we shouldn't do annual awareness training. It serves a different purpose. Training on the wrong thing will not yield results. Shocker. That's a headline right there.
A
Headline: Bad training doesn't work. Stop the presses.
C
Yeah, yeah. So anyway, that's my take on that. But I think that's often one of the themes during Cybersecurity Awareness Month: it's not enough to check the box. It's not enough for your insurer to check the box. It's not enough for your security program to check the box. It really is about doing the right things for the right reasons and then doing them consistently and doing them well. Similar to David, I was out at SecTor. I've got my SecTor shirt on today, and at various conferences we're trying to get out into other industry conferences, so it's not just the echo chamber of security people talking to security people, and just bringing the word out there that it's not impossible. It is necessary. In every industry, more and more people are getting it, but they need to figure out where to get started. And that's the big thing with Security Awareness Month.
A
What else are you looking forward to in Cybersecurity Month, Laura?
C
Just, you know what? Honestly, it felt like this year September was Cybersecurity Awareness Month. Everything's a little early. It's like German Oktoberfest. If you ever go to Germany for Oktoberfest, you have to go in September. That's when all the parties are. If you go at the end of October, you've missed it. And this year I think it just feels like everything's been pulled forward. But it doesn't mean there's nothing going on in October. But it feels like we've already been racing through a lot of opportunity to get out in front of people and share that awareness. So we'll keep doing that through October. But I'm looking forward to being maybe just a little quieter than September, in a good way.
A
And Tammy, you've got some stuff coming up.
D
Yeah, so I also was at SecTor, and I'm very much a researcher and I don't really have that desire for all the flashy corporate stuff. I think the only swag that I took from SecTor was the white toque from White Tuque. So for me, as a researcher going around, and as someone who's really deep into the industry going around SecTor, when I was at the booths and I would want to talk to people, most of them were just salespeople or account executives and they wouldn't know what I'm talking about. Right. And so I felt like that conference was not for me, at least that whole floor was not for me as a cybersecurity practitioner. It was basically, the talks were all agentic AI, most of them. So I was trying to figure out, what am I doing here. But this weekend I'm going to BSides Toronto and I'm very much looking forward to that. I'm seeing some really interesting talks there, and way more talking to other researchers. Right. More grassroots, more in the trenches of people. What are you seeing? What are you talking about? And not necessarily talking to salespeople.
A
BSides is a very interesting, very interesting thing. David turned me onto it from the US point of view. So we've got one going on here next. Is it this weekend?
B
Yeah, yeah, it's Saturday, Sunday.
A
Great, because we're going to go to air Saturday so we can give them a shout out. Whereabouts are they?
C
Luke's here.
D
They're hosting it at Toronto Metropolitan University.
B
Okay.
A
So TMU used to be Ryerson.
B
Yeah. I've got to see if they've already sold out. They usually sell out. So BSides Toronto, you might luck out this year.
C
I know David's checking right now, but they didn't open ticket sales until maybe 10 days ago. So you might. This might be the year where the procrastinators win.
B
Yeah. No, there were still tickets available as of Friday morning. We'll go from there. Yeah.
A
Personally, I liked the talks at SecTor last year. I wasn't there this year, but it was the meeting people and being able to discuss some of the stuff. I'm not as interested in the booths as I am the people that I meet. The hall.
C
The hallway.
A
What?
C
Yeah, the hallway track.
B
The hallway track. Yeah.
A
That's the thing about being at a place like this, is being able to meet people, catch up, chat with them. I didn't get a white toque. Go. I'm going to actually talk. Oh, Jim, we've got to have a talk with somebody about that.
B
And.
A
And there was a real white toque and I had to find it out on this show.
C
The White Tuque stickers for learning great things. Right?
B
So the White Tuque stickers are going on my very awesome luggage that's getting tagged. So it's like Pete Canada stammering so no, I agree with Tammy, the merch. And I will actually give a shout out to White Tuque as well, because Eldon Sprickerhoff, who is one of the founders of eSentire, one of the biggest Canadian cybersecurity tech stories that we have and also one of the nicest guys you'll ever meet. He is a board member, I believe, for White Tuque, or certainly an advisory board member, and he was signing copies of his book Committed, and his book plays on that idea in multiple ways because Committed has multiple meanings. I haven't read the book yet, I haven't had time, but I actually have a signed copy now thanks to White Tuque, so I'm excited. The other good thing I would say about SecTor is you get to see folks like, we have some amazing superstars in this country, and Tanya Janca and a host of others that you get a chance to meet and learn from. That is awesome. And I would say the last thing, I enjoy seeing the different booths, particularly the Canadian startup side and the little Startup Village, and I continue to root for, because they're New Brunswick, yes, I'm biased, I'm just going to own it, an amazing little company called TrojAI that's been working years ahead of time on this issue of AI data poisoning and protecting AI models, et cetera. So they were there, but there were a host of other really good ones. There's a Canadian alternative to Cloudflare now and that's based out of Quebec, and so I'll be ringing them up to learn more about what they're up to. There's a Quebec-based email filter as well. Quebec's doing some really cool things in cyber, and Flare and others, obviously, I'm going to give Tammy and the crew a shout out on that. But yeah, it was awesome to see. There was even a really sharp startup that's working on stopping bad Python packages from getting into your developer environment and into your stack.
So I may drop in that card. If you're listening, Ben, my CISO, yes, I'm sending you to go learn yet another technology. But there's really some really good things. And again, I've been at SecTor a few times, but to be able to actually have that on the resume was a pretty big moment. Pretty happy to start Security Awareness Month.
A
So love the folks from Quebec, but don't forget Cloudflare has a Canadian founder. We're all around the world. We're getting everywhere.
C
We're invasive in our own way, in a very polite kind of way.
A
Yeah, well, I can't wait till the toque starts spreading through the U.S. Like, right now everybody's traveling with Canadian flags. Next thing they'll be traveling with the toques.
C
My unofficial slogan is converting beanies to toques one customer at a time. But Tammy, to your point, it's very well received. And so I sit on the review board and the feedback is always welcome and taken. And all I can say is, where's your talk submission for next year? I want to see it.
A
Absolutely.
C
I want to see that. And the review board loves seeing that blend of content. We did not want it to be the AI show, but I've got to tell you, you can throw, I don't know, something at your screen and not hit an AI talk in the list this year. So we look forward to next year when maybe it'll be the we're over AI, because horses come along.
A
Or the new book, If Anyone Builds It, Everyone Dies. Spoiler alert. Everybody dies at the end. I love that book reference story. Let's go on to the stories for this month. What's getting at everybody? What are the stories that are most affecting you and that you most want to talk about? And, oh, God, Tammy, I hope you're going to talk about Clop because of them being back.
D
No, I'm actually not going to talk about Clop.
C
I'm going to crash. I'm joking.
D
I'm joking. So, yeah, absolutely. So what's really interesting is we started to see rumblings around September 29th of a new Clop campaign. And so Clop is a RaaS, ransomware as a service, that is private. And so I'm just going to explain a little bit of how they work, because there's a lot of information about how LockBit works, where they have an open affiliate program. If you pay enough, if you're vetted in or vouched in, or you pay a deposit, you can start accessing the tools and start deploying campaigns and attacks on corporations and enterprises. But Clop functions a little differently. So they have ransomware, but it's not their bread and butter anymore. They are mainly a data extortion and a data broker at this point. And they partner and leverage their infrastructure and their tools and their development with private groups known as FIN7 and FIN11. And these are closed groups. These are not necessarily groups that are super public. You'll see a handful of members on forums talking, but it's not like they have a banner and they really rally on them. It's a really closed group. It's similar to Kira or the INC groups, or Shinobi and Lynx, or even Play. These are groups that are really closed. For a few years now we've seen Clop move towards data extortion, and how they're doing it is that they're targeting file sharing applications. So they targeted GoAnywhere, then they targeted MOVEit, and then they targeted Cleo, and now, as of September 29th, we've started hearing rumbles of them targeting the Oracle EBS application.
A
That's the story we did yesterday. And that blew me away, because I'd forgotten how big Oracle had become. People remember Oracle from buying PeopleSoft, and apparently PeopleSoft still exists out there. But this is your Oracle ERP, which surpassed SAP last month in sales. This is a lot of installations. And maybe you can help me out with this, because I think, and I don't want to falsely attribute this to Oracle, but they more or less said there's nothing wrong here. We don't see anything wrong. And the reality is I don't know how that can happen. I don't know how you can find so many different Oracle installations and be writing to them saying you've exfiltrated their data without it having some startup with the ERP itself. You're not hacking individual instances that quickly. Something in the main core system is allowing you access. So that's the story we did. I've nothing to prove it, but I just couldn't walk away from that story. And this is another supply chain piece that is going to be massive.
B
Hey, hey, I'm going to.
A
But Clop had gotten wiped out, I thought.
B
I mean, guess who's back?
C
Shady's back.
B
But these guys never go away, right? Unless they get pushed out of the window by the FSB because they upset the wrong person. They just rebrand, right? It's like Clop Plus now, with data extortion instead of ransomware. And also, good to go back, Clop is actually a reference to an insect, a bloodsucker parasite. I just always like to go back to their brand name because at least these guys are really into honesty in their advertising. But to your point, and because I'm the pop culture critic and I'm going to have a little bit of fun about this, number one, Oracle's PR response to the Oracle house breaches earlier this year was essentially that scene where the Springfield cops are putting the jeans on. They're like, nothing to see here, boys. And come on, yeah, there's a problem. And then they get sued. They're like, yeah, we got breached. And now what they're doing is Shaggy's "It Wasn't Me." Hey man, we had a patch out in July, so if you didn't patch, that's your problem. It wasn't me, and it's okay. But to your point about the speed of all this, Jim, this is where I'm going to say the words. I hate to say it. Probably AI is helping out the ability to do mass programmatic exploits, using and developing PoCs faster and pulling data. But the last point I'll make about this is it used to be that these gangs really needed to protect their brand and reputation. So they didn't lie that they had data, but they very well could be lying. And this could be Clop's going out of business sale in terms of cashing in all their brand rep and the fear of it, because the demands they're asking for are in the seven and eight figure ranges. And even if they only get a fraction of panicked execs to pay some of those seven figure amounts, this has been a good bad day on that side. So this is a new evolution, because we don't know if it's real and no one's taking responsibility to confirm if it's real.
The vague blog post from Oracle was like, hey man, if you didn't patch your stuff, maybe it could be real. But they're not saying, yeah, some people got hit because they didn't patch.
A
So Tammy, what's your take on this? What do you think?
D
Knowing Clop. Yeah, David, you hit the nail on the head. Clop doesn't really lie. They haven't lied so far, and they've made some reaches with some attributions and some claims in the past, but they're still one of the most serious about leaking data and keeping it online and making it really easy to download data. And so I'm looking at what Clop is doing now and it's just an extension of their MO, their recent MO. And to your point of this is going fast, because we've seen them go from MOVEit to Cleo and now to Oracle. It's just a refocus of the group, because now, instead of deploying ransomware, they're just deploying on PoCs and on exploits of these n-day vulnerabilities. And the group is very focused. They have made a lot of money and they are very well funded. And plus they have access to FIN7 and FIN11, which are also very well funded groups. So these are not some script kiddies, these are very well funded individuals and sophisticated groups. But what's interesting as well is, and this ties into another story a little bit that I wanted to cover because they're connected, is there was another group called Scattered LAPSUS$ Hunters, and this is basically the whole story of ShinyHunters, Scattered Spider and LAPSUS$ coming together and creating this coalition. And it's a bunch of real brain-rotten nonsense in terms of their chats, because their chats go up, there's 10 people in there, they get botted and then there's 11,000 subscribers in their Telegram chats, and then all of a sudden they get taken down. They're taunting law enforcement constantly, they're name-calling the FBI director. They're essentially making it really hard to focus, and there's so many keywords that they keep putting in that it's really difficult to make sense of the noise now.
They called out Clop in one of their latest posts, because now these are basically the two big groups in the headlines right now, and they're basically calling the other group out again. Part of this distraction, part of this noise, this cyber warfare mentality of let's attack them. And they're basically leaking. They allegedly leaked the exploit that Clop is using. And so that's a really fascinating twist where we can see two groups basically trying to compete now in the headlines, very well aware of the media now and how they're being perceived, and how journalists basically will be an extension of their extortion now. And so we have to be very careful of that. And BleepingComputer was one of the first to report on Clop, and they had an interview with Clop and it was done over email. But basically Clop said we're not ready to disclose anything at this point, but we are going to definitely be reaching out to you when we have more information. But the groups now are very media savvy and we have to be careful.
B
Wow.
A
Amazing. Does anybody else have any more comments on that? I'm just trying to absorb it all, these two.
B
Yeah, I'd love to get Laura's take, because it's just interesting. Right. I'm curious if these are now the two big groups, which one is the Yankees, which one is the Blue Jays. But it's just making a small little proud Canadian moment that maybe we can win the MLB this year.
C
Yeah, yeah. You know what, if you want to jinx baseball, you have me comment on it. So I'm just going to keep my opinion to myself over here. Yeah, no, you know, it just shows the continuing evolution of these groups and how they are responding and adapting. Right. Like they figured out people are listening, they're going to throw a whole bunch of garbage and obfuscation within their chats. It will be really interesting to see over the course of time if we can figure out, and I'm sure we will, right, how they are using that obfuscation, and to be able to crack into it. In some ways it's that all the old things are new again. Right. The same techniques were used in World War I, World War II, trying to mask how the communications were happening, and encoding and mass communication. And so we'll see where it goes. But I do find it really interesting.
A
Tammy, I'll let you have the last word, but I think my last piece on this, what I take away, is if they're getting media savvy, they're in a position to manipulate any story they want, because we're all going, oh, give me clickbait. And we've proven that. So this is a smart group. And I don't know when we say, are they lying or are they manipulating us?
B
Well, one thing I want to just add is that the moment these guys figured out that they could talk in Gen Alpha slang with skibidi toilet rizz, they're going to just confound a whole bunch of middle-aged cops. That's just going to be the 21st century's answer to the Windtalkers in Navajo, right? What the hell are these people saying? I really need an AI to translate. I'm getting to that point now with anyone under 10 years old, I don't know what language they use. But yeah, it is interesting to see, because they're responding, and it's interesting ecologically. Right. So you've got smart folks like Tammy and Flare and other dark web firms. Their job is to be private sector intelligence agencies, counterintelligence agencies gathering these things. And now to your point, Jim, the criminal ecosystem has to evolve and trying to develop all these different things. The moment we see numbers stations pop back up, for those not familiar with Cold War era shenanigans, this one's there. It's just interesting. But the other thing that was interesting is you mentioned, we thought for a brief moment that ShinyHunters, LAPSUS$ and some of the Scattered Spider folks had posted early in the month and said, we're out, we're retiring. And absolutely zero people believed that. But they were having a lot of fun doing it. Honestly, it feels like Slim Shady's "Without Me." These gangs really have an inflated sense of their impact on the scene.
A
For those who can't watch or aren't watching this on YouTube, I saw Tammy's head just shaking. No, they're not retiring. Tammy, I'll let you do the wrap up of this. What should we take away from this?
D
I just wanted to get a little bit more of the detail on this one and wrap it up. They're very savvy, and to your point, David, again, exactly what you said, they are very aware of what the private intelligence firms are doing and they are very well aware of what law enforcement is doing. To a point where in one of their Telegram channels they were basically talking about stylometric analysis, which is what we use to detect and to put patterns to how people are talking and how people are writing so that we can potentially identify authorship. And so they were talking about how there may be one or more authors in this with admin privileges basically writing, and we are just not looking at one person but multiple people now. And so it was really fascinating to see their adaptation. And also they named their new leak site, which leaked today. They named it a DLS, which is an industry term for darknet or dark web data leak site. And I haven't seen a blog, a ransomware blog or a data extortion blog, brand itself as a DLS before. So they are very well aware of the lingo and what is going on in the industry. And it is very much a counter operation. And they're very savvy.
B
What's interesting, it's like it's getting into the we know that, but you only get to know what we want you to know. And it's just, oh man, this onion's gonna get really complicated. So I'm glad smarter people like yourself and others are into that space. But on the just different story track, this was just broke today, so I'm gonna count in the month of review. But little Gander International Airport on their Facebook nose not familiar. Gander was one of Those places in 911 that a lot of American planes landed on. And it's famous in the come from away. I think someone to go for like most cultural references in a podcast episode today they posted on Facebook something that really hit me right in the heart in Security Awareness Month. And they were talking about they have seen a significant increase in people showing up at the airport waiting for someone they love who's apparently coming from overseas to arrive and the plane lands and no one's there. And they've been dealing with a lot of the emotional fallout of that. And they describe it as catfishing. But we often talk about romance baiting or what Aaron west earlier this year talked about in terms of pig butchering and other things. But it's the point now where airports are starting to talk about it because they're seeing it so much. And to me, that just put a real human feel on this. And as much as we talk about the importance of educating people about scams and ideas and doing it the right ways, we also have to have a big conversation about the loneliness epidemic in our society and how we're reaching out and caring for people and making sure they've got genuine human connections that we biologically are wired to need. And we're seeing it show up. And it's not just about the money being lost. Imagine someone's entire world coming to a crash, what they thought was about to happen, and walking up with these fraudulent flight itineraries. 
And someone, some poor staff member at an airport who is not trained to be a grief or trauma counselor is basically encountering that. And nothing seems more 2025 in terms of the human impact than that. Just that one story. And it just hit me like there's been lots of big scary cyber stuff in the last month. The sandworm Shai-Hulud, which honestly, like I was swallowing real hard for a few hours just wondering to see how bad that AI powered shenanigan could have been. And thank God it didn't. But it's, we're building to a big worm moment on that side. We've got a whole bunch of other things now with the shutdown with the US government. So CISA is gutted. This is, we're getting pounded left, right and center with vulnerabilities and the defenses, the shields, remember, shields up, shields are down, kids, and that's going to hurt on that side. But it's the human side that really landed.
A
For me, two things. One is we did a story just this morning, I think England did, on CIS, which is, we hear about CISA, but there's a whole organization that CISA supported for states and small places in the U.S., small municipalities, people that couldn't afford, or groups that couldn't afford their own cybersecurity protection. That's defunded now and that's, well, happy Cybersecurity Month. Talk about irony. But I want to go back to this other thing and I'm going to leave you with one because I know I'm the AI apologist in the group. But here's something you teach people to do with any AI program, Perplexity, Claude, ChatGPT: ask them to learn to type in "Is this a scam?", especially for older people. Get them familiar with that and just say when somebody calls you, just ask this. This is a big smart thing here. Just ask it if it's a scam because it will tell you. So there's a plus side to the education from AI and that is that people can look this stuff up and say is this a scam? And it will tell you and maybe that will help reduce some of this stuff because it's just, it seems to get worse every month. And now with the ability for us to be able to do audio voice fakes in real time, and I'm talking in real time. Substitute my voice for your son, your daughter, your whatever, your head of accounting. And I said I was doing a speech, I was in Parry Sound doing a speech for the Seguin Business Council. And I said to anybody, if you have instructions that you're giving anybody who can give instructions, be it the president, be it anybody for a transfer, get code words in place now, because this is going to run and I don't think it's going to take very long, Tammy, for one of these groups to grab a hold of this and just run the table with it, because who's the president calls you. This is his voice. I know it and I have to do this. And he's saying, look, I'm saying I got to talk to the security people. I'm the damn president. I want this done now. 
It's going to work more times than not. Anyway, I'm off that soapbox or those three soapboxes and I'll go back to you, Laura, what's your story for the month?
C
Oh yeah, that was a big soapbox to follow just because I. Sorry. No, it's one that, yeah, very passionate about as well. And for me it's process controls. Sorry, I'm going to take two seconds just to build on that. A safe word is one option, but whatever it is, process driven controls around things that are important so it never matters who they say they are and how important it is. That's not our procedure. I will follow the directive when I get it done through the right channel. And that saves companies over and over again so many things. You can avoid making a bad decision in isolation because there's good company procedures around how it should be done. And just living on that, I think I'm going to. I'm going to pick up on the Canadian ARC as I was going to pick on first. And I will caveat this that yes, this example is definitely sensationalized because of the profiles involved. But RBC has a former employee now who is being prosecuted by the RCMP as an insider threat. And that's one of the biggest areas that we have to talk about as far as security awareness and actually ties right into our procedures discussion just a moment ago. So in this particular case, they were caught for accessing the profiles of Mark Carney and a Justin Trudeau. As far as the reporting goes, it's believed it's not the Justin Trudeau that we all think of in Canada, but a Justin Trudeau. But that was the headline. That's the exciting part. It's another case where somebody met this group online and you can look this up and I'm not going to give him any more fame by bringing his name into this. But he met this group online and got sucked in and they were paying him for creating false accounts and fraudulently extending lines of credit because that was something within the scope of what his job could do. And over the course of a couple of years defrauded the bank and then was starting to go after sensitive, or trying to go after sensitive information. 
And that has not worked out for him in the long run. But it just shows how these groups are operating and they're looking for people who are in positions of trust. This person probably wouldn't have done it if it wasn't a payday. He wasn't particularly politically motivated. He was financially motivated. And what we can see as this story is still breaking and it's just going to court now, which is why it has started to be out in the public. But we put a lot of trust in the institutions. They do have very good programs. But for anybody listening and they're thinking about how much trust they put in their employees, having that program to be keeping track of what's going on inside your organization, it can be intentionally malicious, it can be coerced maliciousness. So in this case it was for financial gain. But you get somebody who has been phished into a situation where they are now being coerced under external pressure to do these things. They can be the unintentional ones, or phishing clickers are those ones as well who opened the door and let people in or let information out.
A
But I think this is important there as well. In my career, one time somebody approached me and said that they had actually stolen some bonds from the vault and they were very young, it was the very start of their career. It's 30 years ago. So I guess nobody can prosecute me for my advice, which was, I said, what should you do? Tear them up, burn them and never mention it to anybody. But you've been given a chance in life. Just go and sin no more, more or less. And because I knew, I at that time was actually trained in this stuff and I knew you'd never get them back in the vault. You do more damage doing that. Sad to say so, and I'm just being honest about this, but if I had been dishonest about that, I could have blackmailed that person. Taking more and more. Remember, you may have a good person working for you who does one little thing wrong and can then be used by criminals for the rest of their career inside your organization. It's not that people are necessarily bad. There are bad people, protect against those. But you could have good people who get fished in by a romance scam, who are people are threatening them, threatening their children, or just blackmailing them. And they're smart people who are going after these folks. And so you need to protect them as well by having good controls.
B
And a couple of things here is that they caught it themselves. So that is a security control success story. They caught it, reported it to police and prosecuted it. So that's the way the system works. As long as you have human beings, as you both have pointed out, there'll be a variety of reasons for people to make poor choices. In this case, this individual, one of the reports I saw was like, maybe made $5,000. Now, the damage that they caused was much larger than 5,000. And that's part of the charging parade that they are now facing is significant jail time. And by the way, I'm a former crime reporter, I can tell you that stealing from your employer, judges drop the absolute hammer on that because the principles of justice that they look for is deterrence, but also denunciation of the crime and breaking that trust is seen as a huge moment. So this person is facing significant penalties, and the operators who made the most money will not likely face any real sanctions from this. Now the other point, your point about coercion, we are aware of in numerous sectors now much more use of threats, intimidation and violence. Cybercrime used to be, frankly, low effort, high return. As we are seeing investments in improving defenses and we've introduced friction and cost to the criminal equation, they are responding with their toolkit, which includes violence. And it's something that cybersecurity and IT teams are not currently trained, staffed or thought about. In most areas, banking has more depth and experience, but this goes far beyond banking. And we are going to need to form more relationships with criminologists, with policing agencies and others, because cyber is going to get more violent. We've already seen this in the last 12 months with cryptocurrency thefts, and we've talked about this a lot. But those cases that were infrequent, they are almost weekly now of kidnappings, assaults and other things to access cryptocurrency wallets. 
And that's an example of the rising use of physicality in the space. As we head into Security Awareness Month and actually Cyber Security Awareness Month, we're increasingly, it's becoming Security Awareness Month. Physical is a rising part of our dynamic.
A
Laura, I'm going to give you a last, unless time you want to jump in, but I'll give you the last word on this piece because this is an important piece and we don't talk about it enough.
C
Yeah. And if you've taken your CISSP or you're studying for it, you'll remember physical security is a piece of it. If I have access to an entry point, I'm already 75% of the way there. And we often think of that as far as protecting the servers, protecting the network access. But it's also, yeah, to the point here. Right. Helping protect people. And with everything that's going on around polarization of individuals, of really sucking people in ideologically into different ways of thinking that are unfortunately no longer aligned with reality. These are real threats to organizations. And that ideological problem isn't so much the physical threat, but it's all in the same vein. Right. It's things happening to people outside of their workspace sphere are creating risks inside the work sphere. So something for everybody to be aware of. And also dehumanizing of each other. Unfortunately, it makes it much easier for people on the attacking side to dissociate from the humanity of their victims and to see them as just a means to the end and not as another human being who has family, who has a life, who has people who depend on them and who they are about to ruin completely with what they're doing.
A
Yeah. And just going back to my example in there, if somebody tried that, tried to blackmail me, we had good controls in the vault. We always had two people. We never slipped up on those sorts of things. I would. You're protecting your employees by having good controls. So as much as we talk about, we love to talk about the tech talk of all that sort of stuff. Yes. Training works and process works.
C
Yeah. I guess is the bank manager example from back in the day. Too many banks were getting stolen from because the attacker would go after the manager at their home after hours, haul them over to the bank and the gun to their head and make them open the vault. Then they put in a control. The vault just will not open after a bank is closed. It just doesn't work. And then it was great because people stopped attacking bank managers because it didn't matter anymore. You couldn't get what you wanted.
B
Yeah. And to your point, Laura, about process, but also all this has happened before, like cyber. We love to think that we're. We've invented new things and you're just like, oh man, this is. These are crimes from time immemorial and it's just doing it with the computer. And so we're going to see this blend of old school physical crime, which is. It's been interesting, right. Like we went the first year where. I can't remember which European country it was, but they went an entire year without a bank robbery. And they're like, wow, this is amazing. And I'm like, no, this is really bad because they figured out I don't need to rob banks anymore. So that's been fun on that side. But yeah, no, process is probably the most underappreciated part of our security control stack. And I'm really glad that you mentioned that because the biggest cybercrime out there is business email compromise. And the best defense for it, not an AI, it is process.
C
And MFA.
A
Yeah, Tammy, did you. Do you want to add something about the BBC?
D
Yeah. Talking about insider threats, there was a quick story about Joe Tidy, or basically the BBC, who does a lot of, like, cyber quantum reporting, was offered by an unnamed group for access to his laptop so that they could basically pivot into BBC infrastructure. But absolutely, people are getting reached out to all the time and, like, the insider threat is not only, like, known employees that are getting approached, but there's the whole, like, North Korean tech worker story where, like, people are getting hired as insider threats. So, yeah, it's an absolute problem and we have to have protections to mitigate against that.
A
We're just about all wrapping up on this one. We'll be back again with our panel next month. So thank you folks for dropping in. And Tammy, we were going to do a show this month.
D
Yeah, absolutely. So I'm working on a new talk. It's about the future of cybercrime. So it's not going to be a sci-fi story, but it's a look at what the current trends are of, like, where cybercrime can go and not go. So I'm going to be taking a look at emerging technologies like quantum, for example, artificial intelligence, malware, and basically trying to look at what's coming next. But this is not like wild predictions. This is really based on my research and based on as much of a conservative approach to these predictions as possible.
A
Fabulous. And Laura, what's happening in your month?
C
Oh, in my month coming up.
A
Yep.
C
You know what? It's just a little more of the same, a little bit quieter than September, but we'll be getting out and doing things and then focusing on actually doing the work. Right. Getting the security done with the folks we work with. So we're excited.
A
Plan your work. Work your plan.
C
Yeah, but I want to maybe one quick tag onto what Tammy was talking about there. From the September news, it is nice to see that people still are repulsed by attacks that target children or leverage children. With the Kido breach in the UK and the attacker group, they're feeling the pain enough to go, yeah, mea culpa. Now, they said they deleted it and nobody believes they deleted the data, but they seem to be feeling the pain. Somebody is putting a lot of pressure on them. The public clearly is repulsed, but I am sure somebody with fewer guardrails than the public is putting their pressure on them too.
D
Yeah, even other cyber criminals. I know you're talking about the Radiant group. Other cybercriminals vowed to dox them and to go after them because it's the same thing with like real life criminals, like kids are off limits. A lot of the other like well known and well established groups basically said we're going, don't do this, we don't want you in our forums, we don't want you here. But also it was really a dark thing to see what some other groups were saying: I respect what you're doing as an extortionist. So that was a really like dark take on things. And I was like, wow, that's dark.
B
Yeah.
A
Laura, can you just give us a quick rundown on the story, just to make sure.
C
Oh yeah. A daycare company in the UK was breached. The photos and other information about the children in the daycares was held ransom and basically they were trying to extort the company by dripping information into the online forums for sale. And yeah, people were pretty quick to respond and say that's not okay. And I don't believe the ransom was paid because of course that just encourages bad behavior and really makes no sense from the daycare's perspective. There's not a whole lot right now that I have seen and I have to admit I didn't spend a ton of time digging into it to see how much has been discussed about what would have maybe prevented the breach in the first place. But I'm not here to blame the victim. It's just not okay to use kids as leverage.
A
Never. And I'm glad of a great high opinion of the cyber criminal community. But I'm glad that at least that there is a line we won't cross.
C
At least some people will. We'll wait and see if it turns into a follow up attack, just like we saw with the school board's breach earlier, maybe it's almost a year now since that one, where they start going after individuals instead of trying to extort the organization where the data came from.
A
Yeah. So that's our show. Tammy Harper, thank you very much for joining us.
C
Thank you very much for having me.
A
Laura Payne, always a pleasure and I want that white toque.
C
Jim. I will be in touch. I will be in touch for sure. We have to get you some sweet swag and always a pleasure to be here and I know David's had to sign off but I know he always enjoys being here too.
A
And thank you to our audience. If you've been listening this long, you've stayed with us then we appreciate it.
C
Thank you.
A
Always want to hear your comments. We want to turn this monthly show into something that makes really good sense for you and is valuable to you. So send us your comments, your constructive criticism, and, of course, your swag. Talk to you soon. Thanks for listening.
Date: October 4, 2025
Host: Jim Love
Panelists:
This October "month in review" episode brings together leading cybersecurity experts to discuss the evolving threat landscape as Cybersecurity Awareness Month begins. Topics include the resurgence of ransomware groups (notably Clop), the growing sophistication in cyber extortion tactics, the complex role of AI (both as a tool and a threat), misreporting in industry press, the human aspect of security (scams and insider threats), and insights into recent and upcoming cybersecurity industry events.
On the value of layered defenses:
“We need layers of defenses, and that includes people. And yes, it’s tricky, it’s hard, it’s not as easy as binary ones and zeros, but it is valuable. And to wholeheartedly dismiss it is irresponsible.” — David Shipley [05:54]
On security training and box-checking:
“Bad training doesn’t work. Stop the presses.” — Laura Payne [10:17]
On AI-powered threats and the need for code words:
“Substitute my voice for your son, your daughter, your whatever... get code words in place now, because this is going to run and I don’t think it’s going to take very long.” — Jim Love [35:14]
On insider threats and coercion:
“You could have good people who get fished in by a romance scam, who are... just blackmailing them. And they’re smart people who are going after these folks.” — Jim Love [39:28]
On process over technology:
“The biggest cybercrime out there is business email compromise. And the best defense for it, not an AI, it is process.” — David Shipley [46:44]
This episode stands as a comprehensive, candid conversation about the changing face of cyber risk as observed in October 2025, with critical reflections for practitioners, leaders, and the wider security community.