
October 4, 2025 • 51 mins

In this episode of 'Cybersecurity Today: Our Month in Review,' host Jim welcomes a panel including Tammy Harper from Flare, Laura Payne from White Tuque, and David Shipley, CEO of Beauceron Securities. The discussion kicks off with an overview of their plans for Cybersecurity Month, including reviving the MapleSEC show and the CIO of the Year awards. David shares his experiences at SECTOR, Canada's largest cybersecurity conference, discussing the importance of security awareness training and the risks of irresponsible tech journalism on public perception. The panel also delves into the resurgence of the Clop ransomware group, their shift to data extortion, and their exploitation of vulnerabilities in Oracle EBS applications. Laura highlights a concerning case of insider threats at RBC, emphasizing the importance of process-driven controls. The episode also touches on the human side of cybersecurity, particularly the impact of romance scams and the growing violence in cybercrime. The panelists underscore the need for improved security awareness and the role of AI in identifying scams. Tammy, Laura, and David conclude by discussing the role of insider threats and the ethical boundaries in cybercrime, sharing insights from recent real-world cases.

00:00 Introduction and Panelist Introductions
00:43 Cybersecurity Month Initiatives
02:46 Security Awareness and Phishing Training
04:03 Impact of Irresponsible Tech Journalism
08:27 AI and Cybersecurity: Hype vs. Reality
10:43 Conference Experiences and Networking
18:33 Clop Ransomware and Data Extortion
23:45 Tammy's Insights on Clop's Tactics
24:58 Scattered Lapsus$ and Cyber Warfare
26:32 Media Savvy Cybercriminals
31:36 Human Impact of Cyber Scams
37:17 Insider Threats and Security Awareness
43:21 Physical Security and Cyber Threats
48:33 Cybercrime Targeting Children
50:58 Conclusion and Upcoming Topics


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to Cybersecurity Today, our month in review, as we start cybersecurity month.
Our panel today is Tammy Harper from Flare.
Hi everyone.
Thanks for having me.
Laura Payne from White Tuque.
Laura, welcome.
Thanks, Jim.
Always a pleasure to be here and my co-host, on our, the
host of our Monday morning show.

(00:20):
And you do something else too, David, what is that?
Oh, yeah.
CEO of Beauceron Securities.
David Shipley.
Sorry, I it all about me, buddy.
This guy gives me Monday morning off.
I, I was, I was gonna say, I thought you were gonna say culture critic,
slash new travel influencer, but no.

(00:41):
Okay.
All kinds of different roles.
Okay.
So I wanna start talking about cybersecurity month.
One of, one of the things I do want to get to is what are you
folks up to in cybersecurity month?
Somebody said that we hadn't really talked about cybersecurity
month, and that's true.
One of the things I'm hoping to do is, and I'm still gonna try and do it, is
we're gonna do a revival of MapleSEC.
And if anybody remembers that, it's something I started a,

(01:01):
the Canadian, security show.
We're gonna do an end of month show, probably a couple hours,
maybe, at, with some hosts.
And we're just gonna do a slow start of it.
And we'll be back bigger next year, but I want to do that sort
of thing, so I'll be planning that.
We'll have a couple of presenters, we'll have a live audience, and
we've been experimenting with live audiences and it's really cool to
have a live audience for the show.

(01:21):
So that's something we'll be doing.
And, I'm also at, and this is probably not as well known, but, we're gonna
do the CIO of the Year awards.
We're reviving those in honor of my friend and colleague Fawn Annan.
And I've turned that over to the CIO Association of Canada.
We ran it with Fawn for, I don't know, 10 or more years so that's being picked

(01:44):
up by the CIO Association of Canada.
CIOCAN, and you're gonna be wondering, why am I mentioning
that on a cybersecurity show?
'Cause there's a CSO of the Year award too.
Ooh.
And so that's something, and by the way, if you are a CSO and you're not a member
of CIOCAN, you're missing out buddy.
Or the, this is a place where it, this organization is run by CIOs and CSOs,

(02:09):
so it's not a sponsored thing where somebody's gonna try and sell you a
pile of stuff and things like that.
It's one of those private meetings you can have as a Canadian
executive where you can get.
You can get people who will mentor you.
You get people, you can liaise with you a peer group type of thing.
I'm a member, have been for years on the CIO side, they let me

(02:29):
occasionally over to the CSO side, but only with training wheels.
But but if you're not in that organization, you're missing
out on something big, just go to CIOCAN just Google it and join up.
It's, the dues are minor, but the benefits are big.
That's my month.
What are you guys doing?
I guess I'll kick off and then, but, so this is the busiest month of the

(02:50):
year for me, I was super excited and.
And really honored.
I got to give my first ever talk at SECTOR so that's Canada's
largest cybersecurity conference.
It's our Black Hat conference.
And, to the shock of absolutely, probably no listener that's heard me before,
I was talking about why we need to do security awareness and why phishing
training does work when you do it well.
And, use the data that we've had, things we've talked about in the show

(03:13):
before, and it was really well received.
I got some excellent questions.
And one of the things that was really heartbreaking though, was a couple
of professionals came and they said, listen, our senior executives, or
in, in one case, the CISO, they had seen these clickbait headlines that
said security awareness didn't work.
And they just we're not, we don't wanna do this anymore.
It, it doesn't work.

(03:34):
and they had to battle it.
And they asked me for some facts that they could actually use.
And it was, it was eye-opening.
And I think it speaks to the irresponsibility of some of the
tech journalism that I've seen, that took, the headlines and ran
amok with them far beyond what the research actually said, with respect
to the limitations of some methods.

(03:55):
so that was there.
And then a huge amount of client, whoa, whoa.
Presentations.
Whoa.
Hang on.
I'm just gonna stop you for a second.
'Cause I, yeah.
I caught everything.
I heard every individual word you said, but I When you got to irresponsible tech
journalism, what was, what's the issue?
Just, I just wanna make sure I'm, I'm clear on that.
Yeah, since Black Hat in the States, when the University of California San Diego

(04:16):
Paper, some of the authors, not all of them decided to play up their findings
beyond what the research actually said.
We have seen dozens of headlines that have gone beyond, phishing
training doesn't work to, up, to security awareness isn't worth it.
And so they, they have literally caused tremendous harm and damage

(04:41):
to, to this effort to educate people.
And I do, I get extraordinarily angry about this because, some of these folks
are medical doctors and they're trying to tell me that education doesn't work.
And I'm like, that's fascinating, buddy.
Clearly your education was worth something.
So maybe we should be talking about what is the right education approach

(05:02):
to this, which is ironically, there were some really responsible
researchers involved in some of these studies who had very specific points.
And that's been lost now.
And, yeah, so it's been an ongoing thing to see the impact of that
overhyped research in, headlines.

(05:22):
Even like just last week, ZDNet ran it again, and the worst part is the
journalists didn't even read this study.
They just.
It just kept compounding, this doesn't work, and playing into this notion that
we can only fix cyber with tech tools and I'll be the first to admit it.
If there was a tech solution that 100% shut down criminals.

(05:43):
I would be the first, from the top of the mountains to be
shouting at everyone using it.
But there's not, I, you and I would've formed a company and been
out there making ourselves rich.
But.
But we need layers of defenses and that includes people and yes, it's tricky.
It's hard.
It's, it's not as easy as binary ones and zeros, but it is valuable.

(06:06):
And to wholeheartedly dismiss it is irresponsible.
So that's, that was the Black Hat talk.
And I've actually published some research on LinkedIn.
We've expanded our Why People Click study.
We're now up to 6,293 respondents.
The data continues to get more interesting on that.
We thought I'd asked my data science team to run an experiment to see if survey

(06:28):
responses changed on Monday mornings, which still is our highest click time.
And I was convinced we were gonna see a significant shift in the responses.
And we didn't.
And so that, and we did a chi-square, which is for the stats nerds out there.
Like we really tested the math on this and there was not a significant relationship

(06:48):
between the time of the day people clicked and the reasons that they clicked.
Which means it's a deeper, and the work style and there's something
else driving the Monday morning click rate beyond what I thought was there.
But what was interesting is that people that did our survey and answered it within
24 hours of being assigned it, they had statistically significant chi-square

(07:10):
validated outcomes six months after.
they had the, we don't know all the why's.
I can't give you causation on this.
It's just, it's really interesting on that side.
So anyway, sorry to pro on about that, but, so it's a lot of this is important
this, and I want to go back to this because this drives me crazy about
tech journalism in cybersecurity is.

(07:32):
Wise up folks.
The journalists are listening in there, or readers go back
and tell people, our listeners.
Yeah.
They'd be, I would hear about it.
But, and to be quite honest, we have a YouTube version.
It drifts along.
I get people pitching me all the time saying, your headlines aren't good enough.
You get, and I know what we're not doing, we're not doing clickbait.
I'd rather have a hundred or 200 or 300.

(07:54):
And by the way, we're not dying for audience.
Our audience keeps growing and growing, but it, and I try to put
stuff out that, that catches attention.
But this is just fricking irresponsible, these guys.
Yeah.
And David and I did a whole program on this.
It's a couple weeks back.
I'll put a link into it, but check it out.
We brought in a real researcher from the University of Montreal,

(08:15):
and we talked about these things and it is really important.
We need to improve not just a research we.
We need to improve how journalistically, how we report it.
Anyway, that's so off of soapbox.
And I'll let the other guys.
So the, yeah.
And the rest of the month is talks.
But what's interesting in the amount of talks that I'm giving now about the impact
of AI on, destroying the shared concept of truth and reality, on the enablement

(08:39):
of social engineering is through the roof.
And even the last thing I'll end up with is the amount of folks who I spoke with
at SECTOR who are disillusioned with AI.
Both, the just deluge of the attacks that they're dealing with and just just.
Feeling it, like really feeling it.

(09:00):
But also there's a growing disillusionment with the over-hyping of AI in the
marketing on the defensive side.
And it was palpable.
And that was really interesting to see.
Like I had folks come to my talk and they were like, I'm just glad you're
just talking about humans right now.
Or basically talking about humans.
I've just, I've had it to hear agentic AI has become the new

(09:22):
zero trust in security marketing.
And I think people are, they're peaked out for a bit.
So that was interesting.
Anyway, Tammy and Laura probably have more interesting things to say.
Always pretty interesting.
I was gonna build a little bit on that.
It's just the, we've preached for many years, right?
Security is not the same as compliance.
And the, that, the way that study has been put out there
(09:46):
is the classic example of that.
What they really were, we're finding.
Is straight up compliant security awareness.
I checked a box, I did a thing once a year is not effective for
teaching people how to spot phishing and to be effective gatekeepers.
That seems pretty, pretty true.

(10:08):
Which isn't to say we shouldn't do annual awareness training,
it serves a different purpose.
Yes.
Training on the wrong thing will not yield results.
Shocker.
Ooh, that's a headline right there.
Bad headline, bad training doesn't work.
Stop the presses.
Yeah.
Yeah.
So anyway, just my take on that.
But I think, that's often one of the themes during,
Cybersecurity Awareness Month is.

(10:30):
it's not enough to check the box.
It's not enough for your insurer to check the box.
It's not enough for your security program to check the box.
It really is about doing the right things for the right reasons, and then doing
them consistently and doing them well.
Similar to David, I was out at Sector.
I've got my Sector shirt on today.
And, at various conferences we're trying to get out into
other industry conferences.

(10:51):
So it's not just the echo chamber of security people
talking to security people.
And just, bringing the word out there that, it's, it's not impossible.
It is necessary in every industry.
More and more people are getting it.
But they need to figure out where to get started.
And, that's the big thing with security awareness month.
What else are you looking forward to in, in cybersecurity month, Laura?

(11:13):
Just in terms of, you know what, honestly, it felt like this year, September
was Cybersecurity Awareness Month.
Everything's a little early.
It's German Oktoberfest.
If you ever go to Germany for Oktoberfest, you have to go in September.
That's when all the parties are.
If you go at the end of October, you've missed it.
It's, and this year I think it, it just feels like
everything's been pulled forward.
But, it, it doesn't mean there's nothing going on in October, but it feels like

(11:33):
we've already been racing through a lot of opportunity to get out in front
of people and share that awareness.
So we'll keep doing that through October, but I'm looking forward to
being maybe just a little quieter than September in a good way.
And Tammy, you've got some stuff coming up.
Yeah.
So I, I also was at Sector and, I am, I'm very much like a researcher

(11:55):
and I don't really have that desire for all the flashy corporate stuff.
I think the only, swag that I took from SECTOR was, the white tuque, from
White Tuque, so the, for me, like as a researcher going around and, as someone
who's really deep into, into the industry going around like Sector, when I was at
(12:18):
the, at the booths and I would want to talk to people, most of them were just
salespeople, and or account executives.
And they wouldn't know what I'm talking about, right?
And so it, it was very like.
I felt like that conference was not, for me, at least, like the,
that whole floor was not for me, as a cybersecurity practitioner.

(12:40):
It was basically like the talks were all agentic AI, most of them
like, so I was trying to figure out like, what am I doing here?
But this weekend I'm going to, BSides Toronto and I am very
much looking forward to that.
Seeing some really interesting talks there and, seeing some way more, like
(13:00):
talking to other researchers, right?
More grassroots, more, more like in the trenches of people.
What are you seeing?
What are you talking about?
And not necessarily talking to salespeople.
If BSides is a very interesting, very interesting thing.
David turned me onto it from the US point of view.
So we've got one going on here next.

(13:22):
Is it this weekend?
Yeah.
Yeah, it's Saturday, Sunday.
Okay.
Because we're gonna go to air Saturday, so we can give them a shout out.
Whereabouts are they?
This year they're, hosting it at, Toronto Metropolitan University.
And, okay, so TMU used to be Ryerson, is that Yeah, I gotta see if they've
already, they usually sold out, sell out.
So BSides, besides it's Toronto, might luck out this year.

(13:44):
I know David's checking right now, but they, didn't open ticket
sales until maybe 10 days ago.
So Okay.
You might, it, this might be the year where the procrastinators win.
Yeah, no, there, there were still tickets available as of Friday morning.
You know what, we'll go from there I personally liked the
talk at Sector last year.
I wasn't there this year, but it was the meeting people and being
(14:06):
able to discuss some of the stuff.
I'm not as interested in the booths as I am.
The people that meet the hall, the hallway track what?
Yeah, the hall track.
The hall track.
Yeah.
Yeah.
That's the thing about being at a place like this is being able to meet
people, catch up, chat with them.
I didn't get a white tuque though.
I'm gonna actually talk, I to have Jim, we gotta get some, I'm
(14:27):
gonna have, yeah, I'm gonna have a talk with somebody about that.
I didn't, there was a real white tuque, and I had to find it out on this.
That's what the show is for the stickers for learning great things, right?
So the White Tuque stickers are going on my very awesome,
luggage, that are getting tagged.
So it's like Peak Canada stamp.

(14:48):
so no, I agree with Tammy.
The, the merch and I will actually give a shout to White Tuque as well
because, Eldon Sprickerhoff, who's one of the founders of eSentire, one of the
biggest Canadian cybersecurity, tech stories, that we have, and also one of
the nicest guys you'll ever meet, he is a board member, I believe, for, White
Tuque or certainly a fan advisory board.
Fan advisory board, yeah.
Advisory board member.
(15:08):
And he was signing copies of his book, Committed and, in his book.
Plays on that idea in multiple ways.
Has committed, have, has multiple meetings.
I haven't read the book yet, I haven't had time, but I actually have a
signed copy now thanks to White Tuque.
So I'm excited.
The other thing, good thing I would say about SECTOR is, you get
to see folks like some of our, we have some amazing superstars
(15:29):
in this country, and Tanya Janca.
And there's a host of others, that are, you get a chance to meet and learn from.
That, that is awesome.
And I would say the last thing.
I enjoy seeing the different booths, particularly the Canadian startup
side, and the little startup village.
And, I continue to root for, 'cause they're New Brunswick.
Yes, I'm biased.
I'm just gonna own it.
(15:50):
But it's a, an amazing little company called TrojAI that's been
working years ahead of time on this issue of AI data poisoning and
protecting AI models, et cetera.
So they were there, but there were a host of other really good, there's a
Canadian alternative to Cloudflare now.
And that's a, that's based outta Quebec.
And so I'll be ringing them up to learn more about what they're up to.

(16:12):
There's a Quebec basedemail filter as well.
Quebec's doing some really cool things in the cyber, Flare and
others, obvs, I'm gonna give Tammy and the crew a shout out on that.
But, yeah, it was awesome to see.
There was even a really sharp startup that's working on, stopping bad Python
packages from getting into your developer environment and into your stack.

(16:36):
So I, I may drop in that card if you're listening, Ben, my CISO. Yes.
I'm sending you to go learn yet another technology and, that, but there were
really some really good things and again, I've been at Sector a few times,
but to be able to actually have that on the resume was a pretty big moment.
Pretty happy to start Security Awareness Month.
Yep.
If I can throw one, sorry.

(16:58):
Love the folks from Quebec, but don't forget, Cloudflare has a Canadian founder.
We're all around the world.
We're getting everywhere.
We're invasive in our own way, in our very polite, kind.
Yeah.
Yeah.
I can't wait.
Underrated way.
Wait until the tuque starts spreading through the US. Like right now,
everybody's traveling with Canadian flags.

(17:20):
Next thing they'll be traveling with the tuques.
My unofficial slogan is converting beanies to tuques one customer at a time.
Awesome.
But Tammy, to your point, it's very well received.
I, and, so I sit on the review board and the res the feedback
is always welcome and, taken.
And all I can say is, where's your talk submission for next year?
I wanna see it.

(17:41):
Absolutely.
I wanna see that.
And the view review board loves seeing that blend of content.
We did not want it to be the AI show, but I gotta tell you, you couldn't,
you can throw, I don't know, as something at your screen and not hit
an AI talk in the list this year.
So we look forward to next year when maybe it'll be the, we're over
AI because, worse has come along

(18:04):
or the new book, if somebody builds it, everybody dies.
Spoiler alert, everybody dies at the end.
That was my, I love that book reference.
Sorry.
Let's go on to the stories for this month.
What's getting at everybody?
What are the stories that are most affecting you and that
you most want to talk about?
And, oh God.
Tammy, I hope you're gonna talk about Clop 'cause of being back.

(18:27):
No, I'm actually not gonna talk about Clop.
I'm joking.
I'm joking.
So yeah, absolutely.
So what's really interesting is, so we started to see, rumblings around
September 29th of, a new Clop campaign.
And so Clop, is a, is a RaaS, ransomware as a service, that is private.

(18:47):
And so I, I'm just gonna explain a little bit of how they work because there's like
a lot of like information about how, like LockBit works, where they have an open
affiliate program if you pay enough, if you're vetted in or vouched in or you pay
a deposit, you can start accessing the tools and start deploying, campaigns and
attacks, on corporations and enterprises.

(19:08):
But Clop functions a little differently.
So they have ransomware.
But it's not their bread and butter anymore.
They're, they are mainly a data extortion and a data broker at this point.
And they partner and, leverage their infrastructure and their tools,
and their development, to private groups known as FIN7, FIN11.

(19:29):
So FIN7 and FIN11.
And these are closed groups.
These are not necessarily groups that are super public.
You'll see a few handful of members on forums talking, but it's
not like they have a banner and they, they really rally on them.
It's a really closed group.
It's like similar to Akira or the Ink groups where, shobby and, LYX,
(19:50):
these are, or even Play, like these are groups that are really closed.
We've seen since a few years now, we've seen Clop move
towards like data extortion.
And how they're doing it is that they're targeting file sharing applications.
So they targeted GoAnywhere.
They, then they targeted MOVEit, and then they targeted Cleo.
And now they're targeting, as of September 29th, we've started hearing rumbles of
(20:14):
them targeting, Oracle EBS, applications.
That's the story we did yesterday.
And that blew me away because, and I'd forgotten how big Oracle had become.
People had, people remember Oracle from buying PeopleSoft and apparently
PeopleSoft is still exists out there, but this is your Oracle ERP, which
surpassed SAP last month in sales.
(20:37):
This is a lot of installations and maybe you can help me out with this because.
I think, and I don't want to falsely attribute this to Oracle,
but they more or less said, we're not, there's nothing wrong here.
We don't see anything wrong.
And the reality is, I don't know how that can happen.
I don't know how you can be, how you can find so many, different Oracle
(20:59):
installations and be writing to them saying you've exfiltrated their data
without it having some startup with the ERP itself, I just can't, like
you're not, so you're not hacking individual instances that quickly.
Something in the main core system is allowing you access.
And that was, so that's the story we did.
(21:20):
I've, I nothing to prove it, but I just couldn't walk away from that story.
And this is huge.
This is this, this is another supply chain piece that is going to be massive.
I, but Clop had gotten wiped out.
I. And then came back.
Guess who's back?
Shady's back.

(21:41):
these guys never go away, right?
Unless they get pushed outta the window by the FSB 'cause
they upset the wrong person.
They're, they just rebrand, right?
It's like Clop plus now with data extortion instead of ransomware.
And it also good to go back, Clop is actually a reference to like
an insect blood sucker parasite.
I just always like to go back to their branding because at least these guys are
(22:04):
really into honesty in their advertising.
But to your point, and because I'm the pop culture critic, and I'm
gonna have a little bit of fun over this is, number one, Oracle's PR
response to the Oracle Health breaches earlier this year was essentially
that scene where the Springfield cops were putting the jeans on.
They're like nothing to see here, boys.
And I'm like, come on, like there's a problem.
(22:25):
And then they get sued and they're like, yeah, we got breached.
And now what they're doing is Shaggy.
It wasn't me.
It's Hey man, we had a patch out in July, so if you didn't
patch, that's your problem.
It wasn't me.
And it's okay.
But to your point about the speed of all this, Jim, this is where I'm
gonna say the words, I hate to say it probably AI is helping out the
ability to do mass programmatic, exploits using and developing
(22:49):
POCs faster and pulling data out.
But.
The last point I'll make about this is, it used to be that these gangs really needed
to protect their brand and reputation.
So they didn't lie that they had data, but they very well could be lying.
And this could be Clops going at a business sale, in terms of cashing in
all their brand wrap and the fear of it.
(23:11):
'Cause the demands they're asking for are in like the seven and eight figure ranges.
And even if they only get a fraction of panic execs to pay some of those
seven figure amounts, this has been a good, bad day, on that side.
So this is a. This is a new evolution.
'Cause we don't know if it's real.

(23:31):
And no one's taking responsibility to confirm if it's real.
The vague blog post from Oracle was like, Hey man, if you didn't patch
your stuff, maybe could be real.
But they're not saying Yeah.
Yeah.
Some people got hit because they didn't patch.
Okay.
So Tammy, what's your take on this what do you think?
Knowing Clop, yeah, David, you, you hit the nail on the head.
It's Clop doesn't really lie.

(23:55):
they haven't lied so far.
And, they've made some, like reaches with some attributions and some claims
in the past, but they're still one of the, the most serious about leaking
data and keeping it online and making it really easy to download data.
And so I'm looking at what Clop is doing now, and it's just an extension
(24:16):
of their MO, their recent MO, and they're, and to your point of this
is going fast because we've seen them go from MOVEit, Cleo and now to Oracle.
The, it's just a refocus of the group because now they're putting, instead
of deploying ransomware, they're just deploying, on POCs and on exploits
of these n-day vulnerabilities.

(24:36):
And the group is very focused.
They're very much, they have made a lot of money and they are very well funded.
And plus they have access to FIN7 and FIN11, which is
also very well funded groups.
So these are not like some script kiddies.
These are very well, funded individuals and sophisticated groups.
(24:58):
But what's interesting as well is, and this ties into another story a little
bit that I wanted to cover because they're connected, is there was another
group called, Scattered Lapsus$ Hunters.
And this is basically the whole, story of, ShinyHunters, Scattered
Spider and Lapsus$, coming together and creating this coalition.
(25:18):
And it's a bunch of like real brainrotten nonsense in terms of their chats.
'Cause they, their chats go up, there's 10 people in there.
They get botted and then there's 11,000 subscribers in their Telegram chats.
And then all of a sudden, they get taken down.
They're taunting law enforcement constantly.
They're name calling like the FBI director.
They're, essentially, making it really hard to focus.
(25:40):
And there's, so many key words that they keep putting in that, they're, it's really
difficult to make sense of the noise.
Now, they called out Clop in one of their latest posts saying that because
now they're basically, these are the two big groups in the headlines right now.
And they're, basically calling the other group out again, part of this distraction,
(26:00):
part of this noise, like cyber, like warfare mentality of let's attack them.
And, they're basically, leaking.
They allegedly leaked the exploit that Clop is using.
And so that's a really fascinating twist where you can see two groups basically
trying to compete now in the headlines and very well aware of the, of the, the
(26:21):
media now and how they're being perceived and how journalists basically will like,
be an extension of their extortion now.
And so we have to be very careful of that.
And like BleepingComputer was one of the first to report on Clop
and they had an interview with Clop and it was done over email.
But basically Clop said we're not ready to disclose anything at this point,
(26:44):
and, but we are going to definitely be collab, like reaching out to
you, when we have more information.
But the groups now are very media savvy now, and we have to be careful.
Wow.
Amazing.
Dave, did anybody else have any more comments on that?
I'm just trying to absorb it.
All these two huge groups.

(27:04):
I, yeah, I'd love to get Laura's take 'cause it's just interesting, right?
I'm curious if these are now the two big, groups, like which ones is the
Yankees, which one is the Blue Jays?
But it's just making a, a small little proud Canadian moment that maybe
we can win, win the MLB this year.
Yeah.
Yeah.
You know what?
If you wanna jinx baseball, you have me comment on it.
So I'm just gonna keep my opinion to myself over here.

(27:26):
yeah, no, you know what?
It just shows the continuing evolution of these groups and how they are
responding and adapting, right?
Like they figured out people are listening, so they're gonna throw
a whole bunch of garbage and obfuscation within their chats.
It will be really interesting to see over the course of time, if we can
figure out, and I'm sure we will, right?
Like how they are using that obfuscation.
And to be able to crack into it.

(27:47):
It, in some ways it's, the, all the old things are new again, right?
The same techniques were used in World War I, World War II, trying to mask how
the communications were happening and in coding and in mass communication.
And, so we'll see.
We'll see where it goes.
But, I do find it really interesting.
Tammy, I'll let you have the last word, but I think my last piece on
this would be, that I've taken away is if they're getting media savvy.

(28:12):
They're in a position to manipulate any story they want.
Now 'cause we're all going, oh, gimme clickbait.
And we've proven that.
So this is a smart group.
And I don't know when we say, are they lying or are they manipulating us?
And one thing I wanna just add is that the moment that these guys figure
out that they can talk in Gen Alpha slang with Skibidi Toilet rizz, and they're

(28:34):
gonna just confound a whole bunch of middle aged cops, that's just gonna
be like the 21st century, a answer to the, Windtalkers and Navajo, right?
What the hell are these people we're gonna need an AI to translate from?
I'm getting to that point now with anyone under 10 years old.
I don't know what language they use, but, yeah, no, it's, it is interesting
to see because they're responding and it's interesting ecologically, right?

(28:56):
So you've got smart folks like Tammy and Flare and other dark web, firms.
Their job is to be private sector intelligence agencies, counterintelligence
agencies gathering these things.
And now to your point, Jim, like the criminal ecosystem has to evolve.
And trying to develop all these different things.
The moment we see numbers stations pop back up and those not familiar

(29:16):
with Cold War era shenanigans.
this one's there.
it's just interesting.
so yeah.
but the other thing that was interesting is, you mentioned, we thought for a brief
moment that, ShinyHunters, Lapsus$ and some of the scattered folks, Scattered
Spider folks had posted early in the month and said, we're out, we're retiring.
And absolutely zero.
People believe that.

(29:38):
but they were having a lot of fun doing it.
it's honestly, it's, it feels like Slim Shady, Without Me, these gangs really
have a, yeah, have a sense, an inflated sense of their impact on the scene.
For those who can't, who can't watch.
They aren't watching this on YouTube.
I saw Tammy's head just shaking.
No, they're not retiring.

(29:58):
Tammy, I'll let you do the wrap up on this.
What's what, yeah, what's, what should we take away from this?
I just wanted to like, just give a little bit more of a little bit of a
detail on this one, but, and wrap it up.
It's like they're very savvy and to your point, David, you, again, exactly
what you said was they are very aware of what the private intelligence firms
are doing and they're very aware, well aware of what law enforcement is doing.

(30:19):
like to a point where, in one of their, Telegram channels, they were basically
talking about, stylometric analysis is, which is what we use to detect and to
put patterns to how people are talking and how people are writing so that we
can potentially identify authorship.
And so they were talking about like how there may be one or more authors in this,

(30:41):
with like admin privileges to basically be writing and we are just not looking
at one person, but multiple people now.
And so it was really fascinating to see like their adaption and also they named
their, new leak site, which leaked today.
like they named it a DLS, which is an industry term for, darknet
or dark web or data leak site.

(31:04):
And I haven't seen a, a blog, like a ransomware blog or an ex data extortion
blog like brand itself as a DLS before.
So they are very well aware of the lingo and what is going on in, in the industry.
and it is a very much like a counter operation and they're very savvy.
and what's interesting, it's like it's getting into the.

(31:25):
We know that, but you only get to know what we want you to know.
and it's just oh man, this onion's gonna get really complicated.
so I'm glad smarter people like yourself and others are into that space.
but on the, just different story track this one was, Just broke
today, so I, I'm gonna count it in a month to review, but Little Gander
International Airport on their Facebook.

(31:45):
No's not familiar.
Gander was one of those places in 9/11 that a lot of American planes landed on.
And, it's famous in the, Come From Away.
I think I'm gonna go for like most cultural references
in a podcast episode today.
they posted on Facebook something that really hit me right in the heart in
Security Awareness Month, and they were talking about they have seen a significant
increase in people showing up at the airport waiting for a someone they love,

(32:11):
who's apparently coming from overseas.
To arrive and the plane lands and no one's there.
And they've been dealing with a lot of the emotional fallout of that.
And they describe it as catfishing, but we often talk about romance
baiting or what Aaron West earlier this year talked about in terms of
pig butchering and other things.
but it's to the point now where airports are starting to talk about
(32:31):
it because they're seeing it so much.
and to me that just put a real human feel on this.
And as much as we talk about the importance of educating people about scams
and it is, and doing it the right ways.
We also have to have a big conversation about the loneliness epidemic in our
society and how we're reaching out and caring for people and making sure
they've got genuine human connections that we biologically are wired to need.

(32:55):
and we're seeing it show up.
and it's not just about the money being lost.
imagine someone's entire world coming to a crash, what they thought was about
to happen, and, walking up with these fraudulent flight itineraries and someone,
some poor staff member at an airport who is not trained to be a grief or trauma
counselor is basically encountering that.

(33:16):
and nothing seems more 2025 in terms of the human impact than that.
Just that one story.
and it just hit me like, there's been lots of big scary
cyber stuff in the last month.
the, the sandworm.
Shai-Hulud, which honestly like I was swallowing real hard for a few hours,
just wondering to see how bad that AI powered shenanigan could have.

(33:38):
And it, thank God it didn't, but it's, it, we're building to
a big worm moment on that side.
we've got a whole bunch of other things now with the
shutdown with the US government.
So CISA is gutted.
this is, we're getting pounded left, right, and center with vulnerabilities
and the defenses, the shields, remember shields up, shields are down kids and,
that's gonna hurt, on that side, but it's the human side that really landed for me.

(34:02):
Two, two things.
One is we did a story just this morning, I think on CIS, which is, we hear about
CISA, but there's a whole organization that CISA supported for states and small.
Places in the US small municipalities, people that couldn't afford, or
people, groups that couldn't afford, their own cybersecurity protection.
That's defunded now.

(34:23):
And that's, what happy cybersecurity month.
talk about irony, but I wanna go back to this other thing and I'm gonna
leave you with one, 'cause I know I'm the AI apologist in the group.
and I, but here's something you teach people to do.
Any AI program, Perplexity, Claude, ChatGPT, ask them to
learn to type in, is this a scam?

(34:47):
especially for older people.
Get them familiar with that.
And just say, when somebody calls you, just ask this.
This is a big, smart thing here.
Just ask it if it's a scam, because it will tell you.
And, that's, so there's a plus side to the education from AI and that
is that, that people can look this stuff up and say, is this a scam?
And it, it will tell you.

(35:09):
and maybe that will help reduce some of this stuff because it's just,
it seems to get worse every month.
and now with the ability for us to be able to do audio.
Voice fakes in real time.
And I'm talking in real time.
Substitute my voice for your son, your daughter, your whatever,

(35:31):
your head of accounting.
And I said I was doing a speech at, I was in Parry Sound doing a speech
for, at the Seg Business Council.
And I said to anybody, if you have instructions that you are giving, anybody
who can give instructions, be it the president, be anybody for a fire, for a
transfer, get code words in place now.

(35:52):
'cause this is gonna run.
And I don't think it's gonna take very long, Tammy, for one of these
groups to grab a hold of this and just run the table with it.
'cause who's, the president calls you.
This is his voice.
I know it.
And he, I have to do this.
And he's saying, look, I'm saying I gotta talk to my, the security people.
I'm the damn president.
I want this done now.

(36:12):
It's gonna work more times than not.
Anyway, I'm off that soapbox or those three soap boxes and I'll go back to you.
Laura, what's your story for the month?
Oh, yeah, that, that was a big soapbox to, to follow just 'cause I, sorry.
No, it's a, it's one that, yeah.
Very passionate about as well.
And for me it's process controls.
Sorry, I'm, I'm gonna take two seconds just to build on that.

(36:35):
Safe word is one option, but all, whatever it is.
Process driven controls around things that are important.
So it never matters who they say they are and how important it is.
That's not our procedure.
I will follow the directive when I get it done through the right channel and, and
that saves companies over and over again.
I so many things you can avoid, making a bad decision in isolation because

(36:59):
there's good company procedures around how it should be done.
and just living on that.
I think I'm gonna, I'm gonna pick up on, the Canadian, news
I was gonna pick on first.
and I will caveat this, that, yes, this example is definitely sensationalized
because of, the profiles involved.
but, RBC, is, has a former employee now who is being prosecuted

(37:22):
by the RCMP, as insider threat.
And that's one of the biggest areas that we.
Have to talk about as far as security awareness and actually ties right into our
procedures, discussion just a moment ago.
so in this particular case, they were caught for, accessing the profiles
of Mark Carney and a Justin Trudeau.
It's, as far as the reporting goes, it's believed it's not the

(37:45):
Justin Trudeau that we all think of in Canada, but a Justin Trudeau.
But that was the headline that's the exciting part.
but it's another case where somebody met, this group online and you can look
this up, and I'm not gonna give him any more fame by bringing his name into
this, But, he, met this group online, and got sucked in and they were paying

(38:07):
him for creating false accounts, and fraudulently extending lines of credit.
'cause that was something within the scope of what his job could do.
and, over the course of, a couple of years, defrauded the bank and then was
starting to go after sense or trying to go after sensitive information.
And that, has not worked out for him, in the long run.
But it just shows how, these groups are operating and they're looking for

(38:30):
people who are in positions of trust.
this person probably wouldn't have done it if it wasn't a payday.
He wasn't particularly politically motivated.
He was financially motivated.
and what we can see as this story is still breaking and
it's, just going to court now.
which is why it has started to be.
out in the public.
but, we put a lot of trust in the institutions.
They do have very good programs.

(38:52):
but, for anybody listening and they're thinking about how much trust they
put in their employees, having that program to be keeping track of what's
going on inside your organization.
it can be intentionally malicious, it can be coerced, maliciousness.
So in this case it was for financial gain.
But you get somebody who has been phished into a situation, where

(39:15):
they are now being coerced under external pressure to do these things.
They can be the unintentional ones.
And our, our phishing clickers are those ones as well.
who open the door and let people in or let information out.
But I think this is important, Laura, in, in as well in the.
Okay.
In my career, one time I, somebody approached me and said that they had

(39:37):
actually stolen some bonds from a vault.
And they were very young.
It was the very start of their career.
It's 30 years, so I guess, nobody can prosecute me for my advice,
which was I said, what should you do?
Tear them up, burn them, and never mention it to anybody.
But you've been given a chance in life.

(39:58):
Just go and sin no more, more or less.
And because I knew, I, at that time, I was actually trained
in this stuff and I was, I knew
you'd never get them back in the vault.
You'd do more damage doing that.
Sad to say so, and I'm just being honest about this, but if I had
been dishonest about that, I could have blackmailed that person.

(40:19):
Taking more and more.
Remember it, you may have a good person working for you.
You who does one little thing wrong and can then be used by criminals for the rest
of their career inside your organization.
It's not that people are necessarily bad, there are bad people protect against
those, but you could have good people who get phished in by a romance scam who are

(40:45):
people are threatening them, threatening their children, or just blackmailing them.
And th they're smart people who are going after these folks.
And so you need to protect them as well from by having good controls.
Yeah.
And a couple of things here is that you.
they caught it themselves.
So that, that, that is a security control success story.

(41:07):
They caught it, reported it to police and prosecuted it.
So that's the way the system works, is as long as you have human beings, as you both
have pointed out, there'll be a variety of reasons for people to make poor choices.
In this case, this individual, one of the reports they saw
was like, maybe made $5,000.
Now the damage that they caused was much larger than 5,000, and that's part

(41:28):
of the charging parade that they're now facing is significant jail time.
And by the way, I'm a former crime reporter.
I can tell you that stealing from your.
Judges drop the absolute hammer on that because the principles of justice,
that they look for is deterrence, but also denunciation of the crime.

(41:51):
And breaking that trust is seen as a huge moment.
So this person is facing significant penalties and the operators who
made the most money will not likely face any real sanctions from this.
Now, the other point, your point of coercion we are aware of in

(42:12):
numerous sectors now much more use of threats, intimidation, and violence.
cyber crime used to be, frankly, low effort, high return.
As we are seeing investments in improving defenses, and we've
introduced friction and cost to the criminal equation, they are responding.
With their toolkit, which includes violence, and it's, it's something

(42:37):
that cybersecurity and IT teams are not currently trained, staffed,
or thought about in most areas.
Banking has more depth and experience, but this goes far beyond banking.
And we are going to need to form more relationships with criminologists, with
policing agencies and others because cyber is going to get more violent.

(43:02):
We've already seen this in the last 12 months with cryptocurrency thefts,
and we've talked about this a lot, but those cases that were infrequent.
They are almost weekly now of kidnappings, assaults and other things
to access cryptocurrency wallets.
And that's an example of the rising use of physicality in the space.
as we head into Security Awareness Month, it, and actually cybersecurity

(43:25):
Awareness Month, we're increasingly, it's becoming security awareness month.
physical is a rising part of our dynamic.
And Laura, I'm gonna give you a last, unless time you wanna jump in, but I'll
give you the last word on this piece.
'cause this is an important piece and I, we don't talk about it enough.
Yeah.
and if you've taken your CISSP or you're studying for it, you'll remember

(43:48):
physical security is a piece of it, If I have access to an entry point,
I'm already, 75% of the way there.
And we often think of that as far as protecting the servers, protecting the
network access, but it's also, yeah.
To, to the point here, right?
Helping protect people.
And, with everything that's going on around, polarization of individuals.

(44:11):
of really, sucking people in ideologically, into different, ways
of thinking, that are unfortunately no longer aligned with reality.
it, these are real threats to, to organizations.
and that, that ideological problem isn't so much the physical threat,
but it's all in the same vein, right?
The, it's things happening to people outside of their work sphere are

(44:33):
creating risks inside the work sphere.
So something for everybody to be aware of and, and also dehumanizing of each other.
Unfortunately, it makes it much easier for people to, on the attacking side,
to dissociate from the humanity of their victims, and to see them as just
a means to the end and not as another human being who has family, who, has

(44:54):
a life, who has people who depend on them, and who they are about to ruin,
completely with what they're doing.
Yeah.
And just going back to my example in there, if somebody tried
that, tried to blackmail me, we had good controls on the vault.
We always had two people.
We never slipped up on those sorts of things.
I would, you're protecting your employees by having good controls.

(45:18):
So as much as we talk about, we love to talk about the tech
talk of all that sort of stuff.
Yes.
Training works and process works.
Yep.
I guess is the answer.
That bank manager example from back in the day, too many banks were getting,
stolen from, because the attacker would go after the manager at their
home, after hours, haul them over to the bank and hold a gun to their
head and make them open the vault.

(45:39):
then they put in a control.
The vault just will not open after the bank is closed.
it just doesn't work.
And then it was great 'cause people stopped attacking bank managers
'cause it didn't matter anymore.
you couldn't get what you wanted.
Yeah.
and to your point, Laura, about process, but also all this has happened
before, like cyber, we love to think that we're, we've invented new things

(46:00):
and it's no, man, this is, these are crimes from time immemorial and it's
just doing it with the computer.
And so we're gonna see this blend of old school physical crime, which
is, it's been interesting, right?
Like we, we went the first year where, I can't remember which European
country it was, but it, they went an entire year without a bank robbery.
And they're like, wow, this is amazing.
And I'm like, no, this is really bad, because they figured out I

(46:23):
don't need to rob banks anymore.
so that's been fun on that side.
But, but yeah, no, process is probably the most underappreciated
part of our security control stack.
And I'm really glad that you mentioned that because the biggest cyber
crime out there is business email compromise and the best defense
for it, not an AI, it is process.

(46:43):
And MFA.
Yeah.
Tammy, Did you, do you want to add something about the BBC? Yeah, talking
about insider threats, there was, a quick story about, Joe Tidy or, basically
from the BBC who does a lot of, like cyber crime reporting, was offered by
a, unmanned group, for access to his laptop so that they could basically

(47:03):
pivot into, BBC infrastructure.
but absolutely people are getting reached out all the time and.
Like the insider threat is not only like known employees that are getting
approached, but there's the whole like, North Korean tech worker,
story where everyone, like people are getting hired as insider threats.
so yeah, it's an absolute problem and we have to have protections

(47:26):
to, to mitigate against that.
we're just about all wrapping up on this one.
we'll be backing in with our panel next month, so thank you folks for dropping in.
and Tammy, I we were gonna do a show this month,
yeah, absolutely.
So I am working on a new talk.
it's about, the future of cyber crime.
So it's not gonna be a sci-fi story, but it's a look at what the

(47:47):
current trends are of like, where cyber crime can go and not go.
so I'm gonna be taking a look at emerging technologies like quantum,
for example, artificial intelligence, malware, and basically trying
to look at what's coming next.
but this is not like wild predictions.
This is really based on re my research and based on as much, of a conservative

(48:08):
approach to these predictions as possible.
Fabulous.
And Laura, what's happening in your month?
Oh, in my month coming up.
Yep.
you know what?
it's, just a little more of the same, a little bit quieter than
September, but we'll be getting out and doing things and then, focusing
on, actually doing the work, right?
getting the security done with the folks we work with.
So we're excited for that.
Plan your work, work your plan.

(48:28):
Yeah.
But I wanna maybe one quick tag onto what Tammy was talking about there.
and, from the September news, it is nice to see that people still are repulsed by
attacks that target children or leverage children, with the Kido breach in the
UK and the attacker group there, feeling the pain enough to go, yeah, mea culpa.
Now they said they deleted the, nobody believes they deleted the data, but,

(48:52):
they seem to, be feeling the pain.
Somebody is putting a lot of pressure on them.
I, the public clearly is repulsed, but I am sure somebody.
With fewer guardrails than the public is putting their pressure on them too.
Yeah.
Even other cyber, criminals, I know you're talking about the Radiant group.
they, other cyber criminals vowed to dox them and to go after them.

(49:13):
because it's the same thing with like real life criminals, like kids are off limits.
the, a lot of the other like well-known and well-established groups basically
said we're going, don't do this.
We don't want you in our forums, we don't want you here.
But also it was really dark, a dark thing to see was what some other
groups were saying, I respect what you're doing as an extortionist.

(49:35):
So that was a really like dark take on things and I was like, wow.
That's dark.
Yeah.
Laura, can you just give us a quick rundown on the story just to make, just.
Oh yeah.
a daycare, company in the UK was breached.
The, photos and other information about the children in the
daycares was, held ransom.

(49:55):
And, basically they were trying to extort the company, by drip dripping information
into the online forums, for sale.
and, yeah, people were pretty quick to respond and say, that's not okay.
and I don't believe the ransom was paid.
'cause of course that just encourages bad behavior and really makes no
sense, from the daycare's perspective.

(50:15):
there's not a whole lot right now that I have seen, and I have to admit, I
didn't spend a ton of time digging into it to see how much has been
discussed about what would've maybe prevented the breach in the first place.
But I'm not here to blame the victim.
It, it's just not okay to use kids as leverage.
Never.
And I'm glad, I don't have a great high opinion of the cyber criminal
community, but I'm glad that at least that there is a line we won't cross.

(50:40):
at least some people won't.
We'll wait and we'll see if it, turns into, a follow up attack, just like we saw
with the school boards, breach earlier.
maybe it's almost a year now since that one.
where they start going after individuals instead of trying to extort the
organization where the data came from.
Yeah.
So that's our show.
Tammy Harper, thank you very much for joining us.

(51:02):
Thank you very much for having me.
Laura Payne always a pleasure.
And I want that white too.
I. Yeah, Jim, I will be in touch.
I will be in touch for sure.
we have to get you so some sweet swag and, always a pleasure to be here.
And I know David's, had to sign off, but I know he always enjoys being here too.
And thank you to our audience.
If you've been listening this long, you've stayed with us, then we appreciate it.

(51:25):
Always want to hear your comments.
We wanna turn this monthly show into something that makes really good
sense for you and is valuable to you.
So send us your comments, your constructive criticism,
and of course your swag.
Talk to you soon.
Thanks for listening.