Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:01):
Welcome to Cybersecurity.
Today's Month in Review show.
This is where our panel of experts looks at big stories in
cybersecurity from the past month and gives them a bit of a deep dive.
And speaking of panels, we have our returning panelists.
I'm gonna g give you a quick introduction to the person, which is their name,
and then I'm gonna let them give us a couple lines about who they are and what
(00:22):
they do, and that's more fun than me introducing them theoretically, at least.
So we're gonna start with Laura Payne.
Laura, welcome back.
Thanks, Jim.
Great to be here and in honor of you asking us the question.
I will say that I am currently the CEO and head of Consulting at White Tuque.
We are a, a unique cybersecurity company.
(00:43):
And we do services and consulting based in Canada, and we have
some footprint in the US for our friendly neighbors to the south.
And I will leave it at that.
Be nice.
Yeah.
Yeah.
Cybersecurity with your elbows up.
It's good.
But we have friends.
Good.
Okay.
We put our elbows up for all our friends.
There you go.
(01:04):
David Shipley.
Welcome David.
Thanks for having me back, Jim.
Always always fun to be here.
And for those who don't know me, I am the CEO of Beauceron Security, which is
the only Canadian owned cybersecurity behavior change and culture platform.
So we do the anti phishing fun stuff and I am a passionate amateur
neuroscientist, cognitive scientist, and the resident culture critic
(01:28):
for all things cybersecurity today.
And the host of Monday's Cybersecurity.
Today's show, which means Jim gets a day off, yeah.
And we have a new guest.
Welcome Tammy, because you're new, we're gonna give you four
lines to describe yourself.
Take all the time you want.
Welcome Tammy.
Hi everyone.
Thank you very much for having me.
(01:48):
My name is Tammy Harper.
I'm a senior threat intelligence researcher at Flair.
Flair is a Canadian company that specializes in threat intelligence,
external attack, surface management continuous monitoring
for clear web and dark web.
And I'm very excited to be here.
You're a researcher.
We were talking about this before the show 'cause we hadn't met before.
Tell us a little bit about that.
(02:08):
Yeah.
So I specialize in ransomware and cyber crime.
And so I really focus on how threat actors are developing new
techniques, tactics and procedures.
How are they recruiting, how are they developing their tool sets and how
are they finding access into companies or into organizations or enterprises?
(02:30):
Are they developing in-house like zero days or are they purchasing
access from initial access brokers?
So I try to stay on top of all of their new techniques and tactics.
And because it's Tammy's first time in the panel, I just wanna say I had
the chance to be on a panel with Tammy at the, the National Cybersecurity
Consortium inaugural conference in Banff, which yes, is gorgeous.
(02:53):
But the conference was amazing.
Laura was actually there as well.
So we got to meet IRL and hang out with the scenery.
And she was also White
Tuque was a sponsor for this event, which was phenomenal.
Some of the top research, some really cool stuff.
I was like a nerd in a candy shop because they had the poster boards up.
And so I was reading everybody's research.
(03:14):
It was amazing.
And Tammy standing and a friend of mine, Benoit DuPont, who runs the criminology
department at the University of Montreal, was highly complimentary of Tammy.
I believe he something along the effect of a national treasure.
But I, I have certainly since signing up and getting to know Tammy I've now
reading her stuff on LinkedIn and it's now part of my daily required reading.
(03:34):
'cause you've got a banger of a LinkedIn post out now about.
And you, cybercrime gang has increased their KYAC know thy customer rules
for their affiliates, and they're quote unquote raising their standards,
which like I said, read, that's cool.
Read it like five minutes before the show, but now I'm reading
Tammy stuff all the time.
So there we go.
I'll check it out.
We'll put a link in the show notes too.
(03:55):
You, you can never learn too much about this stuff.
You don't sleep well but you can never learn too much about this stuff.
So welcome to the show guys.
I want to get you started.
Who's gonna be first?
Laura, we can we put you on the hotspot hot feature?
Oh, sure.
For the first story.
Oh boy.
Actually the one I I had first on my list was the arrest in Montreal.
(04:20):
We have a gentleman by the name of Gareth West.
He was identified as a heavily wanted person for being the leader of a
scam that disabused grandparents and other seniors of about $30 million.
So he was wanted in June, and as of this week, they've now arrested
(04:40):
him along with a few others.
There's still another person out there who is wanted as part of this,
but this was one of these cases where legitimate front businesses were set up.
And about 2021 they had been floundering and then suddenly they like, started
looking like they were really doing well.
And that's an interesting year to start doing really well in a. Real estate
(05:01):
maybe was reasonable, but fitness seemed like an odd choice for a business
to do really well in 2021 and so on.
So that was where he was fronting things.
But and behind the scenes he had set up a number of call centers in the Montreal
area who were actively targeting and and tricking seniors into giving them
thousands of dollars notionally for the support of their grandchildren,
(05:23):
getting outta scrapes and so on.
So it's, it's a it's about a four year, three to four years that it took to
get the person at the top of the chain.
But it's nice to see that we are starting to make these connections.
And not surprisingly it's 'cause somebody messed up and that at the lower end of
the chain at one of the mules who was.
Moving money cross borderas part of this scam.
(05:46):
Had a fingerprint that was identifiable in a database and it was the beginning
of the downfall of the whole thing.
So it's we just like seeing these, the good guys win sometimes a
absolute case in hell for these guys.
Sorry, but the people who trick and it's desperate.
We had, I was doing some talk with the OPP here in Ontario and these
people will come back and milk seniors for every penny they've got.
(06:10):
They will leave them impoverished.
And I just sorry, I just, this is a scam that we have to shut down and
it being in Canada is even worse.
There are a lot of over overseas I guess call centers, you could call
them, but most of them are places where.
People are human trafficked into these things.
For this to be existing here in Canada, it's just, it's a plus
(06:33):
to the police that, that, that finally took them off the street.
I hope they, I hope I hope they rot in hell.
But that's but the fullest extent of the law would do.
My dad was whizzed by one of these guys.
And I talk about that.
My dad was very intelligent man.
So anybody who thinks that, the, that it's because they're seniors.
They, they should feel embarrassed.
(06:53):
They should not feel embarrassed.
They should report this.
And I'm gonna do a, I'm gonna do a column for my local paper
called, you have to have the talk.
You have to have the talk with your parents.
Now, used to be, we had to talk with our kids.
Now we have to talk with our parents to say, you don't need to feel embarrassed
if somebody calls up and you've got even the vague question, hang up on them.
Call me.
(07:13):
And I'll make that offer to any senior out there.
I'm on LinkedIn.
If somebody call you calls and you think it's wrong, call me.
I'll talk to them.
Because I think it's just, I think it's terrible what people are doing.
And so this this gang was $30 million.
This is not small amounts.
This is 30 million in total.
They were highly successful.
They've, they broke.
(07:34):
David's patent pending number one rule of cyber crime, which is don't
hack in your own country and don't hack in a country that ex extradite.
And so the good news is they're not facing us or Canadian.
Revolving door bail, slap the wrist, kind of white collar sentencing.
They're facing US charges like where the crimes actually get punished on this side.
(07:58):
So it's it's life choices that you don't want to be making, but this
individual, should they be actually found guilty of the crimes they're
alleged to have committed is in for a bad time and that's a crime.
Shame.
Yeah.
And one day we're gonna have cybersecurity laws in this country.
One, one day.
Wow.
One day.
Yeah.
May maybe just prosecuting for fraud, really resourcing the
(08:20):
police to actually do more in this.
But it's interesting because, Quebec has got this fascinating I don't
know if you want to be at the top of this list, but the, some of the most
successful cyber criminals in Canada have come out of Montreal and Ga No.
So we had the guy who was the affiliate for one of the big ransomware gangs
who he racked up 20, $27 million and got himself nailed 'cause he
(08:42):
left his tooling on a Polish server.
And he got this cat and, Ontario is only on the board for 17 million in crypto
fraud thefts from a 17-year-old kid.
Come on, Ontario.
What are you doing?
We had that block that affiliates in Bradford.
Oh, okay.
He was the one that was trying to take down Ho Children's Hospital, wasn't he?
Can't comment on that, but the, he was caught.
(09:04):
He was he was caught in his garage and logged into the affiliate panel.
And
it was a beautiful take down.
Like literally red handed or red mouse clicked.
Wow.
That's awesome, Laura.
Great job on that story.
Yeah.
(09:24):
Yeah.
That and something that I think we, we really I do take my hat off to the
police that put these together, though.
I think people forget how big these investigations are
and how much effort it takes.
And we always talk about feet on the street.
We need fingers on the keyboards.
And desperately for this to protect our senior citizens and other people who are
(09:46):
getting hit by, by these types of frauds.
There's another one that came up that just drove me crazy, was it was a
restaurant fraud that's happening now.
And what you do is when you, when they pass the the device to you that you
normally just tap your card against, if you have if people haven't changed
the codes in these things, you can actually process a refund for yourself.
(10:07):
While the waiter's off. And for little bus, small businesses, small restaurants,
this can be tens of thousands of dollars.
Fraud's big, it's it's a big deal.
At 13, 13.5 billion of the 16.6 billion in US reported cyber crime
last year was all tied to fraud.
We get excited in cybersecurity.
(10:28):
And don't get me wrong, there's lots of shenanigans that are happening, but the
big dollar losses happen at much smaller scale over the long tail of the fraud
side, and cops are absolutely overwhelmed.
Yeah.
And shenanigans.
You watch your language, Mr. Shipley.
We don't use words like that on this program.
(10:50):
David, what's your big story?
Oh my God, where do you get started?
June just did not stop rocking.
But I think Scattered Spider and the chaos that they caused throughout
the spring in the UK retail sector to see that then land on the insurance
industry, which reap sewn paying the whirlwind of ransomware may have
(11:11):
finally come home to roost, et cetera.
But then it's really been the airlines and they have just hammered, it's
been WestJet Hawaiian Airlines, Qantas before the end of the month,
and remarkably successful now.
They started with Co-op and with Marks & Spencer in the UK.
Yes.
They had quite the list as well.
(11:33):
Like they there were a number of fashion brands that were hit by them.
Like they were working a lot of retail and they were being incredibly successful.
And, they even hit food supply in a way that was, really interesting.
There was a German food distributor then in the US a company called
unfi unify, I think, or that does a lot of the health food, specialty
(11:54):
product distribution had been hit.
They were massively successful.
And a lot of this comes back to the weakness of help desk processes.
And what I mean by that is help desks are still, even for
account resets, incented towards.
Quickest problem resolution, less friction as possible, making
(12:14):
the customer happy, et cetera.
And I point my finger squarely at you ITIL and say that you have to fix
your standards for help desks because that's the role that you could play.
And actually fixing this, I just, they were not expecting this in the podcast.
Someone who's gonna listen to this on the weekend and be like, ITIL got called out.
Yeah.
But by point being, if you have the wrong incentives you're gonna get bad outcomes.
(12:38):
And the other part is the one thing I will give scattered scr,
Scattered Spider credit for.
Is that they have laid bare the myth of phishing resistant MFA.
They have shown that we will MFA bomb you, we will use Evilginx.
We will do things.
And if we could retire that language, that's not to say that MFA is not useful.
(13:02):
MFA is incredibly useful for brute force attacks for, just
credential stuffing other things.
But a determined attacker working social engineering will get by MFA if
your people don't respond effectively to what they're seeing and say, holy
crap, I've got a hundred alerts, I should tell someone in IT, and
(13:25):
then they can actually get engaged.
So just, and maybe Tammy, maybe you know more about these guys than I do.
They really pursued, this is not a technical crew as I understand it.
They were really pursuing social engineering.
Did I get that right?
Yeah, so Scattered Spider is not a single entity, it is not a single group.
(13:45):
It is a name, Scattered Spider was a name given by CrowdStrike to a loosely
affiliated groups of individuals.
And usually they're on the younger side.
And they're usually English speaking out of countries like US, UK, Canada,
and they are very sophisticated in new ways of social engineering.
(14:07):
For example they will they will use stealer logs, they will use
credentials, but also they will also look you up on on LinkedIn.
They will look you up on Google or ZoomInfo and things like that.
They will do their research and then they will try to, for example, call
your help desk through Teams or through.
Different methods or on the phone and try to reset their, your password, right?
(14:32):
And they have enough information on you.
They have your email, they have your like LinkedIn profile.
They know your position, and if your company has a lot of information out
in the public they're smart enough to put pieces together and create
a tactical offensive blueprint on how to gain access to your company.
They're they're known to work with some really big gangs.
(14:54):
So they first started working off this is what, in terms of timeline, we know that
they, around, they started working with ALPHV or BlackCat or ALPHV. And this
was around the time when they were looking at MGM and all of the casinos in 2023.
So this was Scattered Spider and ALPHV and BlackCat.
And then when ALPHV got shut down and exit scammed.
(15:16):
They moved to RansomHub and when RansomHub also shuttered they've been
moving towards now DragonForce and this is the Marks & Spencer attack.
This was under the DragonForce brand of ransomware.
And now I'm waiting to see what brand of ransomware they're
operating under for the airlines now.
(15:37):
'Cause that information isn't completely public, so that would be really
interesting to see how that develops.
So they've worked their way through verticals.
Does that help them with the social engineering?
I guess it does.
They get a real knowledge.
They seem to move vertical to vertical.
Yeah.
So they're very skilled, like they're.
They know how companies work, right?
Because they are based in the countries where these companies operate.
(15:59):
They potentially have worked for similar companies or know how corporate life
and corporate structures are done.
They know the corporate game.
So they know how to speak the lingo, they speak English and they can
absolutely socially engineer their way into tricking someone who's not
expecting to be tricked like that.
(16:21):
And it's not your fault if you get socially engineered because it's
the attackers that did it, right?
You were, it was specifically designed to target you and to trick you.
It's not your fault.
It's, there's a lot of like victim blaming and victim shaming of oh,
I'm so stupid that I fell for this when, no, that's not the reality.
Yeah, and David was talking about the times that we put the time pressure, we
(16:44):
put help desks under I'm wondering if we're actually giving those people the
right training to say, Hey, wait a minute I this could be social engineering plus.
And I don't know this for a fact.
Maybe you guys know better than I do.
You're on a help desk and somebody who conceivably could really be a
vice president of the company starts to put pressure on you and he knows
(17:06):
all the language and he knows your boss and all that sort of stuff.
You can bend a lot of rules really quickly.
I could just imagine what these guys would be doing.
Yeah, exactly.
And they're really good.
Like I've seen as in some certain chats from this, like from people who are
doing this type of stuff where they'll be like, Hey, I need a female English
(17:28):
speaker, or I need a male English speaker, or I need someone who's familiar
with this specific type of company.
And they'll hop on a call and they'll do a bunch of they'll dial,
they're called dialers, and they'll just bunch do a bunch of dials.
So it's it's a, and they're all very young.
It's definitely a way to make money online because you get paid in crypto
(17:48):
and a lot of it is facilitated with on Telegram and other chat platforms.
But a lot of it as well is facilitated on other types of social media platforms
like TikTok for example where a lot of this type of stuff is promoted and the
lifestyle that it can bring is promoted.
And a lot of younger folks see that and be like, Hey, I can potentially do that.
(18:13):
There's enough pseudo anonymity between me and this crime.
And I can do it.
And yeah.
And then you get into sextortion and you get a whole into a whole
bunch of different extortions.
Not just like the ransomware crime, but all the other extortions.
They're all these groups are all connected.
Yeah.
So who runs the engine of it, the collection and somebody doing, I hear
(18:34):
you that it's a collective or, a social group or whatever you wanna call it, but
who runs the organization make sure that they collect the money and all of that.
It's just a bunch of loosely affiliated smaller entities and groups.
There's no single individual in control.
This is not your typical gang, that's why it's called Scattered Spider.
(18:56):
Because it's scattered.
There's no real head honcho type of thing at the top of Scattered Spider.
What it's, what you're talking about is cyber crime as a vibe.
It's a movement.
It's a, it's an affiliation.
It's a belief system.
And it's fascinating.
These are like we see this, right?
These are the modern day hippies, but not quite, there's no central
(19:16):
organization to that particular movement.
Movement.
And it's, instead of peace, love and everything else, and a music concert,
it's taken down airlines on a Wednesday.
And some elements of this group though, get real dark, real bad.
And this is where, the tie into some of the headlines are getting dangerous.
So there's a group that's also in this same kind of Venn diagram
called the Com or the Community.
(19:38):
And there are various players that are seeking there to do ideologically
motivated violent extremism.
So racism writ large anti-immigration.
It is.
It is the new 4chan in terms of the biggest toxic
waste dump of humanity online.
I think that's a very fair sort of analogy from what I have observed from that.
(20:04):
And this is also where threat actor groups are also are trying
to recruit kids to commit not just cyber crimes, physical crimes.
So there's a terrifying story out of northern Europe where an Iranian
group had recruited a teenager to try and kill Jewish individuals,
Israelis as part of a murder for hire.
Like this stuff is crazy and Scattered
(20:27):
Spider is on the milder side of the crimes and things that we're seeing.
But it speaks to huge issues in our society.
It speaks to, you know what this confluence of technology I. Immature
morality minds like, the human brain's not really dev fully developed until
your twenties, maybe for males to thirties, forties in some cases.
(20:50):
I'm kidding.
I'm speaking 62.
Yeah.
My, my wife always reminds me that the difference between.
Bonds and men are, that bonds eventually mature
and you have a date.
Yeah.
That's what my beard's all about.
It's all about demonstrating maturity.
I wanna jump in if I can just on a couple of things and David May or may
(21:12):
not know that he was picking at me when with his ITIL comments, but that's.
I'm gonna, I'm gonna say ITIL agile has been abused by people who wanna use it.
However they feel like it helps them get their way.
And I think this is a perfect example because part of what ITIL actually
does impress on people is that if you only measure one thing, you
will get that exhaust, that you will get that result, but it will be at
(21:35):
horrendous costs in other directions.
You all, for every measure, you need a countermeasure that ensures that you
don't have unintended consequences.
And I think this is a perfect example of unintended consequences, right?
And poorly implemented ITIL.
I'm going to,
So if you're doing ITIL, do it properly that's my message, right?
You can't half bake it and expect to have a good result.
But yeah it and the, yeah the scattered nature of it, the, we do see that, yeah.
(22:00):
Young people more and more are the targets for the cr for perpetrating crime.
We have, there's so much more access that young people have.
And so it, for the last I'm just gonna say a hundred years, it's probably
a little bit more than that, right?
We've seen the age at which people take responsibility, move up and up, right?
People used to get married at 14, 15, 16.
(22:21):
That wasn't unusual.
That was when you were an adult and you started a family and you started
providing for yourself 'cause nobody else wanted to do it for you anymore.
So we've moved up, at 21 to drink in the US right?
So we have this really big movement forward in, in when people are
supposed to take responsibility.
So young offenders are in that gap.
And people know that there's much lower consequence threshold.
(22:44):
And we try to say, that's to protect them from mistakes, but these aren't mistakes.
Anymore, right?
These are, these have massive consequences and somewhere there needs to be some
maybe readjustment in that space, right?
More education to people upfront that there are consequences, right?
Just consequences without education is not going to deter people.
(23:06):
You need education so that it becomes deterrent, but then the
consequences do have to be real.
For violent crime, for significant white collar crime it's not sustainable
to say that, oh, you were 17 and a half when you committed this crime.
Sealed records, right?
And let you go about your merry way.
And in Canada, the Youth Criminal Justice Act.
(23:29):
Never contemplated this world.
And in, in similar sort of thinking in the western world is exactly
what ideological opponents of the west are going to leverage.
This is straight sort of brilliant playbook.
I can, these people know there are no consequences.
They make good bank and away they go.
(23:50):
And so it's really interesting.
The, remember the PowerSchool hack we were talking about earlier
this year, it was a 19-year-old.
He got caught because as, as dumb as he is to commit these crimes,
he also then used the traceable crypto to buy some high fashion.
And I gotta point out very well dressed for his court appearance
in the photos that I saw.
Clearly he put the money to good use, but also fashion critic
(24:13):
he's doing eight to 10, but.
Got a nice suit, possibly 17 years for this.
And that's the other side of what Laura's saying is that our caddle culture is,
when these people do graduate to ffo justice system, territory then that's it.
That their life is gone.
And so we need a big rethink on this, but the Com's not going away.
(24:35):
And I think the other driver of this risk, and it I know this is bigger
than our sort of IT security audience, normal sort of thinking, but I put it
to you this way, unemployment rates in the west for people under 25 are a
lot higher than the national average.
And AI wiping out entry level jobs, which is a thing right now, rightly or
(24:57):
wrongly, is gonna put pressure on that.
And you wonder why you had instability in some countries like Greece and
other places where you have high youth unemployment and they are
going to rage against the machine.
And they have to make money.
So we are putting a pay in place the macro socioeconomic conditions that are
driving people into the arms of these gangs and they are going to turn them
(25:20):
on us in increasingly expensive ways.
I.
It's an amazing business model though.
You have to admire that.
They've, they're recruiting from a pool of people who are technically
savvy, have time on their hands, can be brought into initial rebellion.
I know what you guys, I was back in those days, I was just smoking pot.
Yep.
I was like and that I think was technically illegal at that point.
(25:44):
But no, but you, there was, there's the act of rebellion and you get into
that and then some people just get further and further along with it.
And that's something that, that these groups are good at.
And that could, that hurts us all.
Yeah.
No.
And and the bill is starting to add up.
And yeah, it's, it is what it is.
Yeah.
Other, I guess there are other stories might wanna come.
(26:06):
Can I just, Tammy wants to say something.
I can tell.
I can I, 'cause I can I,'cause I'm watching you.
I wanted to say this and this trend of seeing threat actors recruiting
younger and younger, it's actually something that we're seeing as also
online more and more specifically, for example a group called Qilin or
Quillin they are they're one of the top groups right now after the downfall of,
(26:29):
and of the shuttering of RansomHub.
And what they're doing is there is right now a bit of a lack in a
va, in a gap, in a vacuum for the really top performing affiliates.
Like the top level red teamers.
There's a bit of of a deficit for those guys.
So the groups now are like fighting and are trying to promote
(26:50):
themselves to attract as many of the top level talent as possible.
But they're, because this is like the old guard is moving away.
They're like, they have the money now.
They're starting families.
They're doing what they need to do.
They're exiting the crime space the, but now the new generation has to come in and
we actively see like groups like Qilin who help moderate on a forum called duty free.
(27:15):
And they are basically helping train the new like training the lower English
speaker kids into becoming the top levels.
Because they understand that this is, this needs to be done
to continue the fill in the.
And one last quick point I wanted to say is when these kids do crime, we
(27:38):
shouldn't necessarily depending on the crime, this is case by case, we
should try to incorporate them into some form of program of rehabilitation.
Similar to what the NCA did with IntelBroker in the UK where they, he is
incredibly intelligent troubled, but incredibly intelligent and they saw
(28:01):
this, they recognized this and they put him into a training program for the NCC
As NCA and they were able to keep him under their radar for about a year or so.
And then he still left and did his crimes.
But I think that is a good blueprint.
We should try to be doing more because that way we get to recruit
(28:22):
talent, which we need and we can also keep an eye on things.
Yes.
I love what you said, Tammy, but I'm actually terrified because what you're
telling me is Qilin actually has been listening to all of the security
influencers, keynote speakers and everyone saying, Hey, this multimillion dollar
unfilled, multimillion person unfilled security jobs is because you want seven
(28:43):
years experience in a three-year-old technology and you're not willing to train
the next generation up to fill the jobs and criminals went, you have a good point.
Let's implement that.
And meanwhile, back in cybersecurity defender land, we're still
going to the same keynote.
You guys get what I'm dropping down on this because I if only feel like
the criminals would have a regulatory body that would make it much more
(29:03):
difficult to get the initial hires done.
Wait a second.
So that slowed down a lot.
They need an HR department to slow things down.
That's what so what you're saying is the criminal gang does not care about
your badge from insert credentialing organization, X, Y, Z that charges
$6,000 for this forensic course.
(29:23):
But they train them up, put 'em to work and promote based on skill.
What a crazy concept.
And last I checked, they don't even do a background check.
It's but on the serious part of this though, even if the jobs were open, the
entry level jobs of, staring at a screen and responding to all of this sort of
stuff that's, that, that doesn't have the excitement of you're gonna be a hacker.
(29:44):
And maybe.
We're thinking about this wrong sometimes.
Maybe it should be guys my age that you get to, to watch the screens have
a glass of wine, maybe, do you know, deal with a few things in there?
No, but we're just, I could say we're not the newspaper ad now, Jim,
it's, do you like to watch security footage of in your condo building?
(30:06):
I have a job for you.
Exactly.
But Walmart greeter, SOC operator, Walmart greeter.
SOC operator, yeah.
Yeah.
But it's not only that we're not training, not that we're not
accepting people into that experience.
We're not training them.
Maybe we should give them a little bit of excitement in what they do as well.
Because it's some of these entry level jobs, I'm sorry but it's, they're
(30:28):
mostly dull at, as they need a clear path or objective like you put up
with the boredom as a young person, because there's a next step that looks
pretty interesting and, there's a, there's that dangled promise, right?
You put in your time and you get to the next step.
But that loyalty, and it's two ways, right?
Employers to employees and employees to employers is practically non-existent.
(30:52):
So there's no longer the promise if I put in my grunt work
time that I get that next job.
And so yeah, there's a lot of big problems to solve around how do we deal?
And I think what you wanna get to, I'm sure is the question of how
AI is is adding to that effect.
David wants to get there.
I made my digs earlier.
I will note to fascinating reporting in academic studies coming out that
(31:16):
AI is perhaps making us stupider because of cognitive offloading.
But I know Jim will probably not let me get away without, a rich report to that.
I'll probably pursue you on that one.
I think we were stupid 10 years ago.
Trust me, the people who are stupid are still stupid.
But the issue though of this is, and I think it is a realistic
one, is not, we are in a so period of social transformation.
(31:39):
It is going to happen.
I'm sorry.
I don't believe Sam Altman that when he says that, don't worry,
everybody will get much better jobs.
We're in a period of social upheaval, and this is going to cause problems. We as
cybersecurity professionals can't solve world hunger or the problems of the world.
But we need to be aware of the fact that this is going to be something we're
(32:00):
seeing sharper, brighter. These are kids who are really good at what they do.
They're being recruited well, and this is gonna hit us over
the next couple years for sure.
And as as I, I don't even know if you need youth unemployment for this
is gonna be, this is still flashy, it's exciting, and it's a better
career than an entry level job.
And these guys are good social engineeringexperts, and they're gonna social
(32:24):
engineer their way to get recruitment.
Now the thing is, what I'm saying though,and I think come, came out of this loud
and clear, is maybe we should starttaking some of this, learning a little
bit about this in the way we recruit.
That's, yeah.
No I think to Sarah I think for otherstories, this got notified in July 5th but
still, I think we can tie into our monthin review is we just had our asteroid.
(32:48):
Passed close to the Earth slashColonial pipeline slash Holy Mother
ransomware attack with Ingram MicroJuly 5th, which I will note they are
back up and running four days later.
And I, I believe, can't believethis, believe that's a record.
I can't believe this.
They got hit Thursday and theirbackup, I'll buy stuff from
Ingram Micro just on that alone.
(33:10):
Oh, yeah.
Hey I am in, this is textbook of what weshould be aspiring people to talk about.
They got a little bit of flack onReddit from their community because
the initial communications waswere down and no one was talking.
Take that in for who it is.
But I have seen governments.
(33:31):
Us states, the move it breach, wait afew months before they fess up, they
lost everybody's driver's license.
So with that as a comparator it'sstill pretty fast turnaround on
this, but what scared the hell outof me was, this is a company that's
integral into the supply chain.
This is this fourth party riskbecause they're a broker for cloud
(33:55):
services, Microsoft 365, Azure,Dropbox, et cetera, to MSPs.
And so the idea of a really goodhit at that level, that potentially
could have gone on for a time basedon the bragging notes that the group
was putting out there, which I wouldstill love to see more transparency
(34:15):
keep coming from this Ingram.
You're doing good, but don't stop.
That could have really, that makes Kaseya.
Which itself was pretty scary.
Looked small potatoes.
So one, I am blown away.
I'm not blown away that they got hit.
'cause anybody in 2025 that's oh my God.
Clutch the pearls.
I can't believe someone got hit, man.
Dude.
(34:36):
Ns a's been hacked.
CIA's been hacked.
Like everybody, it happens.
I have not seen anyone recover that fast.
If we had Bob Dylan, now,he wouldn't be singing.
Everybody must get stoned.
He'd be Everybody will get hacked.
Yeah.
Hacked.
That's for anybody out there over 60.
Who remembers who Bob Dylan was?
(34:56):
But this thing, two things aboutthe Ingram Micro thing though.
One was interesting and funny forme, and that was how fast Palo
Alto got on there and went, not us.
Not us.
They did a great job of communicatingand Ingram Micro got, gets an a plus
for recovery and like a D minus for for.
(35:17):
Any sort of communication.
I looked at their website,I couldn't see a darn thing.
I found out more from stuff thatbleeping computer and others had gotten.
That was how they got their message out.
They could have got an a plus knockit outta the park if they had a great
plan and a great communicator that hadstepped up, that, that would've, yep, that
would've been just absolutely first rate.
(35:39):
In there.
Sorry.
And often, oh, sorry.
In my experience with tabletops, the comms people aren't in the tabletop, right?
Hey.
Yeah.
No, legit.
Like a lot of legal's there.
You wanna bet legal's there, the security team's there, all
compliance executives there.
But oftentimes, like comms is not given the amount of thought that it needs
(36:00):
to be given in these conversations.
Yeah.
Trust me, like around the box, I trust you.
I'm more, I must confess, I get more and more into the journalistic side of this
and less into the hands-on side of it.
Haven't worked in a large company for several years, but you don't
bring your communications people into your red team blue team.
They'll say, oh, yeah, we have a plan for that.
But they don't exercise them in that or really dive into it the same way
(36:24):
that they dive into everything else.
And yet every advisor I talk to talks about the communications
plan being one of the biggest elements of your recovery plan.
You don't get an A because you did really well studying the perfect
notification that we have been hacked.
Yeah.
Since.
(36:45):
And then editing hell.
You can't say that.
Oh no, you can't say that.
You wonder why it took 48 hours for them to say it was ransomware.
'cause 36 of that 48, or 39, 47 of the 48 hours, whatever it is, were
back and forth, do we wanna say this?
We're gonna move this verb this way, this adjective, like, no.
That, that should have been practiced.
(37:06):
You should have had that in the can.
Yeah.
If you get those people, throw 'em out of the room.
There are really good professionals out there.
We've had some of them on the show who are great at communication, are lawyers and
understand the ramifications of what they say and still will tell you, be honest,
be straightforward and get out there.
And matter of fact, everybody who's done this well has probably been on
(37:29):
the edge of the legal thing of saying, a good lawyer will tell you to shut
your mouth on this sort of stuff.
You get points for being straight ahead and saying, we got hacked.
This is something we're working on, we're telling you everything.
I don't know, Tammy, you look like you wanna say something. This, so
companies that recover really quickly, that's what you want to do.
And when it comes to incident response, I think we need to have,
(37:53):
like David said, you need to have a clear message and we don't wanna
see threat actors doing it for you.
'cause there is a big trend right now where threat actors will go to
regulatory bodies and they will start to talk to the SEC or talk to different
types of regulatory bodies in your country and saying, Hey, they got hacked.
(38:16):
We have the data.
And they're not cooperating, they're not being truthful about it.
So you don't want threat actors to do it on your behalf either.
Yeah, what was the story, Jim, that we saw that one of the gangs, was it
Qilin again, has hired or allegedly has hired lawyers to help give your
company some pro bono legal advice about how screwed you are after they're in.
(38:37):
Don't want them to be your PR agency or your legal, so wow.
On that as well.
Qilin is also ramping things up and what they're doing is they're
going to be deploying through third party call centers now.
And those call centers are going to basically be down using the exfiltrated
(39:00):
data to go through it and see if they can find more stuff to extort from the victim.
And they're gonna be calling the victim, but they're also gonna be
calling the clients of the victim.
And they're just gonna be putting a lot more pressure now on
the victims to pay the ransom.
'Cause this is a good thing in general, that the ransom payments have been
(39:20):
going down like over the years.
Like the amount of people paying ransoms is diminishing, which is
a good thing because this is how you stop funding these groups.
But the groups are getting more aggressive now, and they're recruiting
more, they're being more aggressive.
They're coming up with new techniques and tactics to extort better.
So yeah, it's gonna be a tough ride.
(39:41):
Wow.
Tammy, you got a story for us.
So I, again, in the line of ransomware, and this is, you took the story I wanted to
talk about right at the beginning of our little discussion there at the beginning.
But I wanted to talk about groups moving from extortion, like
encrypting groups, to extortion.
(40:04):
So there was a group called Hunters International.
This group essentially has been targeting, been around since
2023, has been very successful.
They were known originally for potentially reusing Hive source code.
And they highly disputed that.
They said that they acquired infrastructure from Hive, but
(40:24):
they've been able to rewrite a lot of their source code and it's all theirs.
They are not Hive.
And what they're doing now is, and this is something that they posted
on their affiliate panel, and they're saying that due to new regulations
in the States, encryption now is being punished a lot more severely.
And so they don't wanna be encrypting networks anymore, and they're
(40:47):
gonna be moving away from that and going purely exfiltration.
So they started a rebrand, and that rebrand is called World Leaks.
And what they're doing now is purely exfiltrating data.
The problem with purely exfiltration as a business model, if you think
about it, the return on investment is much slimmer on exfiltrating
data than it is on encrypting.
(41:08):
Because you have to pay for servers, you have to pay for bandwidth, you
have to pay for storage and you have to pay for all of those things.
And if you are hosting, then your threat of hosting this data is only as
good as the availability of that leak data and it resiliently staying up.
So you can't take it down.
(41:28):
It's not like on Mega, you can't do a DMCA takedown or any
other type of takedown.
And it has to be resilient.
It has to be fast because you don't want people to wait like
weeks to download the data set.
It has to be available and speedy.
So you have to have a decent infrastructure.
Now if you're using bulletproof hosters, that's quite expensive.
Because bulletproof hosting, yes, they'll go above and beyond what
(41:51):
traditional VPS providers will do to protect your data and your privacy.
But that comes at a price.
They're significantly more expensive than the traditional, like Vultr,
DigitalOcean or AWS type of thing.
So if you're hosting on your own infrastructure,
you gotta pay for all of that.
So we're seeing them use like BitTorrent and trying to get really
(42:11):
creative and stuff like that, but you still have to pay for that.
Now, if you're just doing encrypting, you just
have to send them a decryptor, and then that's a few
kilobytes or a few megabytes, and then they can decrypt their own environment.
The client pays for storing all of that data.
They have to back it up and make sure that the decryptor works.
(42:34):
You're offloading all of the risk to the client and to the victim.
And when you're doing exfiltration, you're putting all of
that responsibility on hosting and caring for that data on yourself.
We'll see if that pays off.
There have been groups that have begrudgingly gone exfiltration only.
So for example, BianLian, when Avast was able to reverse engineer their encryptor
(42:56):
and release a free decryptor into the world, BianLian then switched to exfiltration only.
And for the most of it, their data was not available on their
dedicated leak site, their DLS.
If you had to go back and download it, like if you weren't downloading that
data set within the first initial days that it was up, you could not, it was not
archived and you could not go like two, three months down the line and pick it up.
(43:19):
It really puts a, it really dampens the threat of saying, Hey, I'm gonna
leak your data, but it's only gonna be available for a couple of days.
And it's gonna be really slow and probably only four people
are gonna be able to download it.
So it's interesting to see what happens with this new. Doesn't sound
like a great sales pitch to me.
Exactly.
But this whole thing of encryption versus exfiltration, I haven't heard, I haven't
(43:44):
seen any legislation or anything that I've heard of coming out of the US.
Now, the way the US regulates is some guy in an office somewhere wearing orange
makeup goes, do this, and they do it.
So you never know.
But the issue, this seems to be something that they must firmly
believe 'cause they've done a lot of movement and they even gave away their
(44:07):
original encryption keys, didn't they?
So they even allowed people to decrypt their data,
so maybe they know something we don't.
Yeah, I haven't seen any specific regulations specifically targeting
encryption, but they mentioned that it was classified as an act of
terrorism now, but specifically towards critical infrastructure.
This is not if you're attacking mom and pop shops or like
(44:30):
businesses and private businesses.
This was only specifically towards critical infrastructure.
So think hospitals, think things like that.
But a lot of groups don't do that anymore.
They have it in rules.
Their affiliate rules that you're not allowed to attack, like CIS, ex-Soviet,
ex-USSR states and countries, and you're not allowed to attack hospitals
(44:51):
or governments and things like that.
So a lot of these groups have rules.
But now encryption is a new one.
A new rule that we're also seeing is you're not allowed
to attack BRICS nations.
So that's like Brazil, that's Russia, India, South Africa, China.
So that's a new rule and a new restriction on targeting.
(45:14):
The main reason for not targeting BRICS is simply for monetary payout because those
countries tend not to pay out as much.
And they want to focus their affiliates' attention on the Commonwealth
and Europe and like Australia.
Even hitting Australia is really hard now since the Medibank breach.
So that's a really tough market.
(45:34):
I think David mentioned something like that a little earlier.
And so it's a really interesting ecosystem.
Now, before I make a joke, Laura, I think you were gonna add in or we're
looking on some of these shenanigans.
Oh, I was just looking up to see when this kind of shift happened and, this
is a very quick search that I did, but it looks like it goes back to 2021
(45:57):
after the Colonial Pipeline attack, that it was a focus on investigation.
So putting more emphasis on speed and getting to conclusion
when there's ransomware attacks on critical infrastructure.
Which totally makes sense why that would start to cause criminals to
pivot away to things where they know there's less resources and people
(46:18):
are gonna take longer to investigate.
And the likelihood of ever having a true conclusion on the side of
the law is going to be a lot lower.
Yeah, so essentially what we're saying is one little terrorism charge, and my mom got
scared, and I'm off to living with my auntie and uncle in Bel Air, AKA data
extortion only. Sorry to all you Fresh Prince fans, and my version of that.
(46:41):
But my serious point about this is government actions matter.
When the United States decided that they were gonna treat ransomware on
critical infrastructure as a whole of government, the WOG, which terrorism
is the other thing, the Global War on Terror in the first part of
this millennium got that attention.
(47:01):
All of a sudden now you're seeing this and, start throwing
around Tomahawk missiles and strike teams every now and then.
And people are starting to think, eh, this is not the line
of business I want to be in.
And on the Australian side.
The Medibank hack that you mentioned, Tammy, that was horrible, right?
10 million people's detailed health information.
The first thing they leaked was everybody who had a reproductive health procedure.
(47:24):
The second thing they leaked was everyone's mental health files.
And Australia said, that's it.
We're done.
We're out.
We're we?
If we can't get you with cops, we're gonna break your stuff
and we're gonna change our laws.
And they've gotten serious about no money's coming outta this country.
And what was funny, on one of the Russian forums, there was this long
post and I still chuckle about it because, Tammy doesn't, the one I'm
(47:46):
referencing, it was like, guys, I think we ruined Australia as a market.
Yeah, you did.
And Dear Canada, take the Australian method 'cause you don't got the cruise
missiles for the American method.
Yeah.
And we'll spend a billion dollars in Canada to get a pound of fentanyl.
So like we could actually pass some laws and maybe even put some money
(48:08):
behind enforcing and seriously enforcing these laws 'cause it
seems to be having an impact.
And if they know they're gonna get a really heavy penalty for this, they
might, it might discourage some of them.
Yeah.
So the good news is C-26, AKA the never ending law that David spent two and a
half years of his life, besides running a startup, pounding away on and testified
(48:31):
three times about, because I'm not bitter.
I'm absolutely bitter that it died because of a typo, is back.
Yay.
Because we are a serious country now with a new serious prime minister
that gets serious stuff done, it'll wait till after the summer break.
I, not that serious.
(48:52):
Still thought his first meeting in David come.
Yeah.
Come on.
That's pretty good for Canadian politics.
It's almost as bad as the parliamentarian that looked me dead in the eyes and said,
Parliament moves at the speed of parliament.
And to which I replied back to 'em, I said, hackers move
at the speed of digital.
Guess who's winning?
So to your point, Laura, it is good that they got the first thing again, and voters
move at the speed of throw you out.
(49:13):
Yeah, I wish they would do more of that, but in all seriousness,
this is the consequences coming on the critical infrastructure side.
The downside of it is they still have a gun pointed at the head of CISOs right now
in terms of individual liability, which has got a whole bunch of people who are
in their fifties going, my net worth is X.
This will wipe me out.
I don't wanna do this job anymore.
So I'm having some conversations back room in Ottawa and very
(49:38):
vocally, publicly right here and now saying, did really dumb.
Could you please work this out before you finalize it?
Now that we've got some more time, but yeah, consequences are coming.
I do think, I'm gonna get on my favorite hobby horse.
And I'm not gonna say this is the last time: stop paying the
ransoms, ruin the business market.
Don't pay it for the extortion.
Don't pay it for the encryption.
(49:58):
The only other thing I can hope for in the world of crime on crime is that
these, Tammy, I loved your story about the cost of hosting all this data,
is that some criminal groups start targeting the leak only groups and
encrypting their shit and ransoming them, because that would be amazing.
There's an interesting story. A few months ago when RansomHub was
(50:23):
missing and they were MIA for a while,
DragonForce was trying to make a name for themselves and they
spin off and they started saying, Hey, we're gonna start a cartel.
And this is basically a fancy little thing.
We're gonna white label our RAT infrastructure, and if you wanna
start a new group, basically you use our payloads, you use everything that
(50:43):
we have, use our infrastructure, and we'll just put your logo and your brand
all over our stuff and you'll have your own onion site and everything.
And so what they did as part of a, like, marketing campaign is that
they started to hack smaller groups.
So they basically hacked a group called BlackLock and they got
(51:04):
their logo on their DLS site.
And then when it came to RansomHub, they're like, Hey, we're hosting
RansomHub right now and we hope your group follows us along and
all your affiliates come to us.
So yes, there is a lot of infighting with these groups.
You'll love to see it happen.
And a lot of better marketing than I've seen in a lot of companies.
(51:24):
So here's my story. I'll wrap up with my story in this.
'cause I know David loves to hear about AI.
And I'm, I don't worry, David, I'll say something negative at this.
You could relax.
Everything in AI, if you've been following it, has been agentic, and
it is the marketing end of AI, and that is, and for those of you who want to know
what agentic means, basically means instead of just asking questions of a
(51:47):
chat bot, these things can take action.
But not as an algorithm, not as a simple program.
They will develop a strategy and they will go and execute it.
And that's been the big thing in AI.
The second thing though, that's come up, and it's been very recent, is the start
of integration with enterprise systems.
And there's a couple of things that have come up.
(52:07):
Model control protocol from Anthropic, which has been a
way to integrate with software.
Google has recently just released a whole toolkit of this, and the Linux
Foundation, I guess it is, has also put together what they call A2A,
which is another way of communicating.
The bottom line is for anybody who thought, oh God, let these guys play
(52:31):
with this, often their own office, they'll never touch the enterprise
systems, those days are coming to an end.
There will, as I've said, when you put productivity and profit
versus security, security loses.
Now, these are actually, in my mind, good things.
They are things that will allow us to integrate with our enterprise
(52:54):
software, be able to do things that we could never do before.
However, this run and break things attitude that's out
there is, could be a little bad.
Anthropic, bright guys, introduced their MCP, a model control protocol.
It has now been adopted by everybody.
They're very sharp people.
(53:14):
First couple of weeks out, they've got a 9.4 outta 10 vulnerability
in their MCP toolbox now.
And if anybody wants to know how easy it is to hack an AI, it is.
There's just so many pla, how do I hack thee, let me count the
ways: you can do prompt injection, you can do all kinds of things.
(53:36):
These are still notoriously loose pieces of software and easy to get into.
My favorite hack, and this is, if you wanna know how extreme this is,
my favorite hack is that you just flood them with bullshit. Now, and I'm
using bullshit as a technical term.
You actually just give all kinds of jargon and fancy words
and all that sort of stuff.
(53:56):
The same thing you hear in a corporate marketing presentation, and you just fire
all those words and bury your command in there, and you'll get, one group did
this and they beat almost every LLM.
So what I'm saying is, we're not as advanced in security on
the LLM models as we need to be.
We're running a little too fast on this, but that.
(54:19):
Sorry, cybersecurity professionals.
That's the world we're in.
We need to start to get ahead of this and start to talk about these issues in
our companies and start to roll this out.
You're not gonna get by being Dr. No, it's just not gonna work.
We have to start having intelligent discussions about the dangers of
AI used improperly and how it links to the enterprise.
(54:42):
That's my story for the month. Did I say enough negative, David, or do
you want to come in and dump all?
Yeah, I could have used some sprinkles on that ice cream,
that 9.4 was pretty funny.
But I will save my commentary to the end 'cause I would love to hear
from Laura and Tammy about your thoughts, nightmares about agentic AI.
(55:03):
It's a very short and succinct thought, which is if you don't really
know what you're doing, don't do it.
Maybe that's a very Canadian regulatory approach.
I'm not sure.
But why would you, especially if you're in a, I get it for startups, like
you're doing things that are new and different and whatever, go to town, but
like you're an established business.
(55:24):
You have clients who depend on you and are you willing to bet the farm on
just letting whatever these are loose.
Like you wouldn't let an intern loose in your environment.
Why would you let this stuff that has no ethics or morals attached to it?
Anyway, that's, I, it's not that I'm the department of no, it's like just
(55:45):
everybody and everybody needs to be at the table thinking about it.
It's not the CTO's job, it's not the security person's job.
It's really the business needs to think about how bad is this
gonna be if it goes wrong?
So let's make sure we do our best to do it right, because it's not worth
losing your business and impacting all of those other people who will also
(56:08):
be impacted if you lose your business.
Over wanting to play with the flashy new toy or hoping for a productivity gain.
'cause I think that's the other thing too.
It's not just that they don't know what they're doing on the setting it
up properly side, but there's an awful lot of not knowing how it's actually
gonna turn a positive result for the business as part of it as well.
(56:29):
So two things.
I am gonna steal what you just said for a t-shirt
and I think that Laura is a phenomenal positioning of how we need to, I've heard
people say the department of know how, but the department of how can we do this?
I love that.
But I'll make my other analogy in a second.
Tammy, I'd like to get your thoughts.
Yeah.
On the subject of Anthropic.
Also this happened in June.
(56:50):
Anthropic put their AI, their agentic AI, in a vending machine.
I don't know if you've heard that story.
No.
Yeah.
They were saying, okay, so you are a business owner and what you need
to do is you need to make sure that you're selling what you want
and you need to be great at this.
And again, it was not ready.
(57:11):
And people started asking it for tungsten cubes, which are worth
hundreds of thousands of dollars.
And it was basically stockpiling tungsten cubes and selling them at a loss.
And people were able to hack the knowledge of it and basically make
sure that it couldn't understand supply and demand properly.
Yeah, so putting that type of intelligence, or if you can
(57:34):
really call it intelligence, it's more like of a predictive
engine of what you might want to get out of a response as close as possible
to then put that into and integrate that into your enterprise data, which you've
worked so hard for, and then having it potentially read and write access to it,
(57:55):
and then talk to clients on your behalf.
That just sounds like a nightmare.
And even if you're trying to put guardrails, but if you're depending on
the AI companies to put in guardrails for you, it's not gonna work.
'cause they don't know what type of guardrails you
specifically need for your company.
So we need to have a lot more transparency.
(58:16):
And this is where I want to, I'm getting to the point where I wanted to get to,
is we need something called AI BOMs.
And so these are AI bills of materials.
So this is the same as software BOMs, and so this is basically gonna
tell how your agents are trained, what the data sets are.
And this is basically gonna tell you everything that you need to know about
(58:39):
the implementation of how these agents are gonna be used into your corporation.
And we need more support for stuff like this because there needs to be more
transparency from these agents on how things work under the hood.
So here's my analogy about what's currently happening with the world
of generative AI, particularly large language based AI.
(59:02):
They hoovered up every single non password protected piece of content they
could possibly get over the internet.
Good, bad, horrendous, and even worse than horrendous. On the
whole, they vastly underpaid
the folks trying to weed out the awful from that, and they just rushed it,
underpaid it, traumatized the hell out of these unfortunate individuals,
(59:25):
repackaged it, published it out.
This is the equivalent of a garbage dump now.
What they're selling us is a beautiful urban environment.
Think Celebration, USA, for urban geographers.
I know that what I just said is a horrific example of a beautiful environment, but
I'm being very stereotypical, the perfect, idyllic, suburban kind of environment.
(59:48):
That's what they're selling us.
But it's built on top of the garbage dump.
And right now, every now and then we get a sniff of what
it's actually sitting on top of.
And we're like, oh, this isn't what I was expecting from my beautiful ideal
sort of, this isn't what you sold me.
And sooner or later we're gonna have a methane explosion in our little
(01:00:12):
Celebration town analogy on this.
And it is going to be awful because garbage in, garbage out.
Eventually.
And I think the overpromising of this industry is going to be, for
this generation, the dot-com boom.
That isn't to say that in the long run, Jim is wrong.
(01:00:33):
In the long run, Jim is going to beat David, and I'm just
going to admit that right now.
This is not it.
That we can learn from this, prepare from it, get better at it.
I have my eye on the kinds of companies that are building something.
And these are the ones that are building visual systems that are a different
(01:00:55):
branch of AI that are understanding the world we actually exist in.
And the way that they're building those models is how the
human intelligence developed.
And if they crack that nut, it's gonna blow this stuff out of the water.
But this stuff, as it's currently being rushed to be sold in the gold
race, is a dump with a Celebration,
(01:01:17):
USA built on top of it, and when it collapses, it's gonna be worse
than the little vending machine.
From the ashes of that, the next thing is coming.
But in the short term, that's not to say that you can't live in the town, but
you're gonna get some weird smells, and be careful what you build on.
(01:01:39):
I'm gonna throw my fun sarcastic comment on, which is, don't worry, David, we're
filtering out the real content from entering the AI. Cloudflare has announced
that they are putting up the first AI blocking capabilities to keep owned
content that is intellectual property of certain people from being scraped.
So it's only gonna get better for the garbage in the dump.
(01:02:04):
But to Tammy's point, and I love this, I hadn't heard
of the AI bill of materials.
The problem is the lack of ability of transparency about what got
into the model in the first place.
And in credit to Jim, as a handover back over, I actually heard of
an ethical generative AI company.
So they're actually building
licensed content model based generative AI video solutions where they paid for
(01:02:30):
the right to actually use the material.
And their hope is that this will be much friendlier to creative
types by saying, Hey, we recognize this is how we could do this
ethically, so maybe less garbage.
And in fairness, I'm more of a techno optimist.
And I say this in terms of where we're going with AI, and technically
I understand the foundations of it were predictive based on text
(01:02:55):
and all of that sort of stuff.
We've gone way beyond that.
And the models are much, muchmore sophisticated than simple
predictors at this point.
The fact is we don't know what happensin most of the models, and that's
a scary point as we get through it.
My prob problem with this is not thatthis is going to follow the same curve
(01:03:15):
that Gartner has been showing us.
We'll get overhyped, wewill come crashing down.
We will work our way out of it.
, The problem with Gartner's model is you'dnever know where you are on that curve and
so that, let's take that off to the side.
The point I'm making though isI've been doing this for 40 years.
Every major technology thatwe brought into businesses,
(01:03:38):
we have screwed up royally.
We have gotten ahead of it.
We have not dealt with security oreven with the fact that our data's
so messed up and still is messed up.
After 40 years of doing this,everybody's still saying Our data's crap.
So we haven't solved thefoundation problems, and we keep
doing it over and over again.
Mini computers, micro computers,the cloud, all of these things.
(01:04:02):
We've had these big rush it in, oversellit, and somehow we muddled through and
somehow we do, we muddle through andwe managed to get it together enough.
And Laura, you've worked in a bank.
You know what the, what or if you'veworked in a government, you know what
those legacy systems are like, and we putstuff on top of that is just impossible.
(01:04:23):
And we demand that it work.
And of course it falls apartand a bunch of people work late
at night and keep it running.
We've been doing that forever.
We can't do that with AI.
I honestly believe it.
It's too dangerous.
And, and because for the first timewe're trusting the machines not to
do algorithms, not to be where we canpull the plug, but to be out there
(01:04:45):
executing things in ways that we don't understand, where, ways that we can't
audit and where we can never fully understand what's happening in the model.
That's a really good opportunity for us to actually say, why don't this
time we start to think about how we're gonna implement it earlier.
Just a thought, maybe we start to get some red teams going now maybe we
(01:05:08):
start to get some data people going now, and we start to put some time
aside to plan ahead for the inevitable because it is inevitable.
It's not gonna stop.
We are going to be in an AI driven world, and that may be dysfunctional
and dystopian, or it may be the wonderful land of milk and honey.
(01:05:29):
I don't know.
And anybody who thinks they know is lying to you.
I just wanna go back to what Laura had said earlier when I made my
from the corner ice cheap shot on itel.
And it was, if you have the wrong North star and no counter to balance
it out, you get bad outcomes.
(01:05:50):
And I think, Jim, you've nailed it on the head if we don't think better
about this, and what I'm desperately afraid of is all people are talking
about all executives, let me take my next cheap shot.
All the C-suite wants to see is productivity, profit, and they
are not doing those things.
And I have zero confidence.
(01:06:13):
that we are not going to repeat the sins of 40 years.
Oh, worse than that.
They want bodies off the org chart, regardless what anybody tells you.
The irony's not lost on me as a CEO, that actually the most
AI friendly job to target.
But they don't realize, right?
(01:06:33):
Like I'm doing a show.
I do my AI show, I'm doing a show with a guy who has actually got a co-CEO
that's an AI and she's doing a great job.
So I'd watch out.
Laura, you were gonna say something?
There may be some small hope or
just more to ignore, I dunno.
But if I look at the pace that it took, from, I'll say the
(01:06:57):
early two thousands, right?
Was early security days of frameworks and structuring how we should think about it.
A lot of those lessons seem to have been applied in the AI space.
The rate at which we are producing relatively, completely thought out
frameworks, relative is an important word in that, but that are built for AI.
(01:07:20):
The materials and the thought leadership is available if people choose to apply it.
So OWASP, this is relevant to a June update, right?
OWASP launched its AI testing guide this month.
So it is just one example of many where people are putting their
attention and trying to share publicly good practices that could
(01:07:40):
save your butt from a bad decision.
Yeah.
But it all comes down to having that will and that desire to actually
put the brakes on a little bit to do it right in the first place.
So, for the people who care,
there is material and support and good thinking out
there that you can find.
It's not paywalled in a lot of cases.
'cause people realize that people who care enough to put these things together
(01:08:03):
also realize that it's not proprietary.
It is something that applies to everybody and it needs to be out there.
Yeah, that's a good place.
And my message for them is if you're a CISO and you do have any sway, sit
down and tell people this is coming.
I'm not gonna try and stop it, but I'd like it sandboxed and I'd like
(01:08:24):
us to be playing with it and I'd like us to be experimenting with it.
And I'd like us to be educating ourselves before that development
team that you don't even see
has bought something with MCP and with all of this stuff and got it integrated,
and keep yourself open so that you know what's happening out there.
That's just my message on this.
It's a new thing.
Fixing it afterwards can be painful.
(01:08:45):
Be the Department of doing AI, right?
Trademark.
Yeah.
Laura Payne.
I think we're gonna get, thanks, David.
No, but I think we're gonna get this t-shirt together.
And we'll start to do merch on this.
That'll be one way to make money on a podcast.
Tammy's like, what did I sign up for?
Yeah.
Thank you.
Thank you for coming in.
This has been mild.
Thanks.
Yeah, thank you everybody.
(01:09:06):
That's our show.
We'll call it a wrap.
To the audience out there, send us a note and let us know what you thought of this.
You can write me at tech newsday.ca or .com and you just use the Contact Us form
on the website, or if you're watching on YouTube, you can, you know what to
do, make comments under the video, but be nice, or not, doesn't matter.
(01:09:27):
Thanks to our panelists, David Shipley from Beauceron Securities.
Thank you, David.
Thank you.
Laura Payne from White Tuque. Thanks, Laura.
Thanks Jim for having me and Tammy, what a pleasure it was to meet you.
We gotta have you back.
We've got the wealth of knowledge there.
Thank you so much for having me.
It was a pleasure.
Yep.
And I'm your host, Jim Love.
(01:09:48):
Thanks for listening.
You had other things you could have been doing with your weekend, especially in
the summer, and you joined us for this little discussion and we appreciate it.
Have a good time.
And you'll be hearing this on the weekend most likely.
So you look forward to seeing David Shipley with the news on Monday morning.
Talk to you later.