September 19, 2024 41 mins

You've seen it in the headlines—the ongoing crisis of cyberattacks threatening our hospitals, corporations and even law enforcement agencies. Sami Khoury from the Canadian Centre for Cyber Security (CCCS) joins us to discuss how the rapid digital transformation triggered by the pandemic has opened new doors for hackers. Later in the episode, we're joined by award-winning journalist Joseph Cox (404 Media) to discuss the broader implications of data privacy in the digital age. 

Host Takara Small also sheds light on the shadowy, high stakes world of ransomware negotiations and the unexpected targets of these attacks—like libraries and zoos—that fall victim due to overlooked vulnerabilities. 

We close out the episode by sharing ways to improve your personal cybersecurity and recognize the shared duty we all have in safeguarding our digital identities.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Takara Small (00:03):
Organized crime gangs. Typically, they prey on easy victims and stay clear of lawmakers, but something's been happening in Canada recently. In the last few years, some of the biggest public institutions in the country have been hit by hackers. Newfoundland's health care system, the LCBO in Ontario, the

(00:25):
Alberta Dental Services Corporation, the government's Global Affairs Department. In Toronto alone, the public library system, the transit commission and the zoo have all been held ransom. The RCMP says it is dealing with what it calls an alarming cyber attack targeting its network. Even the Royal Canadian Mounted Police themselves became

(00:49):
victims this year. The hunter became the hunted. So today, on What's Up With the Internet, we want to find out how and why this is happening and what are the implications for ordinary people who engage with these institutions. This show is created by CIRA, the Canadian Internet

(01:10):
Registration Authority, which is building a trusted internet for Canadians, and I'm your host, Takara Small. So Canadian institutions are facing unprecedented attacks from hackers and, as well as the financial implications, our personal data is also extremely vulnerable. Private corporations like London Drugs, Sobeys and many

(01:33):
others have also been hit in a huge way. We know how precious our data is, because it's estimated to be a trillion-dollar industry. Many experts now say data is the most valuable resource on Earth, even more so than oil, and criminals are trading it in massive quantities.

(01:54):
So public institutions and corporations are facing huge challenges in protecting themselves and us. But are they up to Sami Khoury is the head of the Canadian Centre for Cyber Security. He joined us to help shed some light on what's going on. Why are so many big organizations such as the

(02:17):
Toronto Public Library and the RCMP being targeted these days?

Sami Khoury (02:22):
You know, I think the pandemic has accelerated our digital transformation in society. So more and more we live in a connected world, which unfortunately has created the threat surface has increased. Whereas previously, you know, your IT was confined to your

(02:42):
work or your home, now IT is everywhere. We're all connected and as a result, you know there's a lot more vulnerabilities. Now why are they going after big companies? Because the sad part is there is money to be made by cyber criminals and the bigger the company, the more money can be made because they can hold more information kind of ransom.

(03:07):
So there is money to be made in this underground world of cybercriminality.

Takara Small (03:15):
Can you tell me how an attack like this actually
unfolds?

Sami Khoury (03:22):
Usually the perpetrator of these attacks tend to be cyber criminals. There are a lot of cybercriminal gangs out there that have developed over the years or have acquired some cyber capabilities to exploit the system. So essentially, whether it's a big company or a small company,

(03:45):
they have ways to hack into the system and exploit the systems and then deploy on that system code to lock it up. So imagine you show up at your desk and you cannot log into your computer. Somebody has either changed the password or has taken over your system and is now asking you for a ransom to unlock it.

(04:08):
They often do it through phishing email and phishing emails are becoming a lot more sophisticated. So we have to be extra vigilant these days on phishing email. But they can also do it through finding vulnerabilities in the IT that is on our system, on our network. So on a big corporation there's lots of IT, there's lots of

(04:33):
various software, lots of various hardware, and keeping that up to date is a big challenge and unfortunately, cybercriminals, hackers, have found ways to look for which system isn't up to date, which system isn't patched, and can I find a way to exploit it?

Takara Small (04:51):
So there are so many companies that are falling victim to cyber criminals, and I'm wondering, then you know, if that happens, who negotiates with these hackers and how do they do it? Is it over email? Is this a phone call?

Sami Khoury (05:07):
So you're absolutely right. I mean, we've, in our national cyber threat assessment that we issued in November of 2022, we've assessed that ransomware continues to be the number one threat that Canadian companies are going to face, and not a day goes by without us hearing a story of somebody falling victim to ransomware.

(05:29):
It could be a big corporation, it could be a hospital, it could be a public sector, it could be a small-medium business. So, unfortunately, ransomware continues to be out there and I can talk a lot about how do we prevent these things from happening or what are our role, but essentially, when you fall victim to ransomware, you have to make a decision of whether or

(05:51):
not you want to pull the thread of paying the ransom. It's a choice. Some companies have good backups and maybe they feel that they don't have the need to pay a ransom because they have a backup. Some companies might feel the need to pay, to pay the ransom,

(06:11):
and there are, I would say, for those kind of incidents. There are professionals, I would say, out there. Some of them are breach coaches that will handhold the company into the whole negotiation process. We at the Cyber Centre don't get involved in those activities,

(06:33):
but there are people out there who know how to communicate with the cyber criminal. Often, those cyber criminals leave some indication on the system of how to get in touch with them.

Takara Small (06:45):
And so you know myself and many people. We are constantly sharing information online. It's made life a little bit easier since the pandemic to be able to, you know, rent items, to purchase items, to have it delivered straight to your house immediately. It makes me wonder what information do these hackers

(07:06):
want when they infiltrate and hack these types of companies, and what do they actually do with it?

Sami Khoury (07:13):
So when an actor hacks into a company, well, first of all there's a couple of types of actors. Some are purely in it for the money, so they hack into the company. Sometimes they would lock the IT and ask for the ransom. So this is very much a kind of a I will lock your system.

(07:36):
The only way to unlock it is for you to give me the money and if you have a backup, you can tell them to go away because you're not going to pay it, because you have a backup and you can recover from the backup and carry on your operations. More and more we're seeing them. They go in and they steal information from your network and then threaten you with releasing the information

(07:58):
publicly if you don't pay the ransom. Now, if you're a hospital and they steal patient records, that's very private information. So there is a huge risk when that information, when you're threatened to release that information publicly, if you're a big corporation, there might be some corporate intellectual property or corporate secrets or you know, I don't know your

(08:22):
sales information or your customer list that are on your network and again, putting that out there becomes challenging because those companies are entrusted to safeguard this information. So once you're on the inside. You know those cyber criminals will go and get that information

(08:45):
that can generate the biggest return on their investment and then threaten to leak that information if the ransom is not paid.

Takara Small (08:56):
So where are all these you know hackers coming from? Is this you know? Are they Canadian? Are these international actors? There just seems to be so many these days.

Sami Khoury (09:09):
You're absolutely right. There's many, many cybercriminal groups out there with names like LockBit and BlackCat and other similar Hive and other similar names. They form in the underground of the internet, the dark web as

(09:30):
it's often called, and they essentially operate from there. Physically, many of those people that are part of these groups hide in countries that are beyond the reach of law enforcement, so they would go and hide not hide, but they operate out of places like Russia or some of the Russian

(09:54):
republics or some of the Russian sort of countries affiliated with Russia, where it's very difficult for Western law enforcement agency to pursue an arrest or to exactly or to do even an extradition. There are cases of some of these actors being in Canada.

(10:16):
The RCMP is the lead in that case and there's been a case of in Gatineau where there's been even an arrest of somebody who was involved in ransomware, but that's the RCMP. But they tend to be maybe the exception and most of these that inflict a cost on Canadian economy, on Canadian business,

(10:38):
are these cyber criminal organizations that operate beyond the reach of law enforcement.

Takara Small (10:50):
Okay. So if oftentimes money is the main or one of the main motivations, I don't really understand why these hackers would target libraries and zoos. I mean, wouldn't banks and hedge funds be maybe a little bit more of a perfect target?

Sami Khoury (11:06):
In many cases these are targets of opportunity. So they scan your system and they find a vulnerability and then they exploit that vulnerability. So we don't usually talk about specific cases or specific incidents. We maintain that confidentiality or we respect the privacy of whomever fell victim to one of those cases but

(11:30):
one of those incidents. But essentially, a cybercriminal will scan the internet and they will find a vulnerability in a system somewhere and if they can use that vulnerability to get a foothold on the network, then that would be their first step. And then you know, different groups have different tactics.

(11:51):
Some of them will lock the information, will lock your system and then ask for the ransom. Others will steal the information and then try to monetize that information. So they're not necessarily going after your money information, but the fact that you have a username and a password, or you have a username and a home address and maybe a social

(12:13):
insurance number stored somewhere on that system that has value for them. Hack into an organization where there's tens of thousands of people records, whatever those records are, then they can sell that information to other cybercriminals and then other cyber criminals. So first they will threaten you by asking you for a ransom to

(12:37):
not release that information publicly, and then, if you choose not to, or even if you do pay the ransom you know whether or not they will end up holding their end of the bargain is a different story but they can then sell that information to other cyber criminals, who then can use it for phishing email, or can use it to scam, or they can use it to, if they have your

(13:01):
social insurance number or they have your home address, to create new identities, and so it's a second order and third order effect of them stealing that information.

Takara Small (13:14):
Is it likely that some of these attacks are maybe
sometimes politically motivated?

Sami Khoury (13:21):
There is definitely so in the category of who's out there hacking, you have the cyber criminals who hack for, to make money out of their hack, but also there are other people who hack for what I would call an information advantage, and many of those people who are in it for an information advantage

(13:45):
tend to be nation states, and we again, in our national cyber threat assessment, we talk about the four countries that we have named publicly basically Russia and China, North Korea and Iran as having cyber programs that have targeted Canada in the past and continue to target Canada to precisely do that the

(14:07):
information advantage, to find out what is the government up to, what are some of the government secrets. But also, in some cases, we know that they have gone after the private sector to steal information from the private sector, and sometimes we catch them and we call them out publicly, and sometimes we catch them and call them out or privately tell them

(14:29):
not to do that again.

Takara Small (14:31):
So how difficult then is it to catch these, you
know, criminals, these hackers?

Sami Khoury (14:38):
Catching the criminals. The sad part is that we know about it after the fact, except we have started to develop some capabilities to we call them pre-ransomware notification. When we start to see chatter or when we start to see indications that something is brewing and we notify.

(14:58):
We try to notify company as quickly as possible that hey, we have information that there is chatter or there's an IP of your company being directed at by a ransomware group. So this, we're getting there, and last year we've issued a little bit over 400 pre-ransomware notification to

(15:18):
Canadian companies. So essentially these are up to 400 maybe cases of ransomware that have been avoided. But we don't have absolute, 100% coverage. So we continue to refine our techniques. But that is one way that we are making a difference in the ransomware. For the nation states it's extremely sophisticated.

(15:42):
So these are countries with very advanced cyber programs, like Russia and China. There are. Some of their signatures are known publicly and some of them can be stopped by antivirus software or some other capability that the private sector has out there.

(16:03):
But some you know you need to call. You need to call us and we will come in and we will work with you and we will confirm who is behind that attack. So there are some knowledge that is still within the intelligence community and still classified, but by and large, I think we are trying to push as much of that information out

(16:25):
there because they have very sophisticated capabilities.

Takara Small (16:30):
I can just imagine there are listeners who are really worried right now just because we all have to engage with many of these big public institutions. I mean, it makes our lives easier, but sometimes it's just part of our job. So what can an individual do on a personal level if an institution that has our data gets hacked?

Sami Khoury (16:53):
So the important thing is that you know we all have to make, we all have to contribute to making Canada more resilient and whether it's a Security, seriously. So that's on them and, you know they have to invest in cyber security. They have to invest in ensuring that their security is up to

(17:15):
date, that their systems are patched and so on. But as individuals, we also have to do our part in ensuring that you know, starting with individually, that your passwords are not 12345. But sadly, to this day, there are still people that their password is the same password on all the systems and it's 11111

(17:39):
or 12345 or something like that. So we have to raise the bar on ensuring that we use complex password and I know it's difficult, but there are some good password keepers out there where you can store all your passwords, but make sure that you still use distinct passwords so if one of them gets hacked or if one of

(18:01):
them gets lost, you don't lose access to everything. You have to make sure that also that, for, as individual, we enable things like multi-factor authentication. You know it adds an extra layer of security that you know. It verifies that it is you that logged into your bank account and not somebody who managed to impersonate you or managed to

(18:24):
steal your password or guess what your password is. So MFA adds this second layer of protection. That your home system is up to date, that you've patched it, that you keep it up to date whether you have a Mac or a Windows machine. That when there is a little symbol that says that there is an update available, that you take advantage of the

(18:45):
opportunity and update it. Sometimes it's new functionality, but more often than not it's security, update, security features that make it a little bit more secure as a system. These are some things that we would recommend you do as a user. If you're traveling or if you're out of the house, know where

(19:06):
you're connecting using Wi-Fi. Not all Wi-Fi systems or not all Wi-Fi are of equal security, and you could be connecting to a Wi-Fi that has malicious intent and wants to steal your username and password as you try to log in somewhere. So all of these are little things that you could do as an

(19:28):
individual to protect yourself so that you don't fall victim to a cyber attack, but also to be extra on guard to be critical of emails that you receive, of SMS messages that you receive that say why am I getting an SMS message about a package that I never expected?

(19:48):
Why am I getting an SMS message from this company who says click here to update your delivery information, when I'm not expecting anything? Is it normal that this company sends me an SMS to update my delivery information? Is it normal that I mean that I would get an email out of the blue that says click here to receive a free iPhone? No, these are so to be a little bit more critical.

Takara Small (20:11):
Yeah, I mean just unrelated. I've received so many of those emails in the past and I'm always just like I look at them and I'm like, wow, they are stepping up their game, the grammar, the syntax, it's a little bit better. Every single time I can see how maybe someone would fall for something like that.

Sami Khoury (20:30):
It's so dangerous and it's so simplistic in their phishing methods that it's yeah, it's a little scary and it's becoming, you said I mean you even observed it that it's getting more sophisticated because many of them have turned to things like ChatGPT and other similar capability to

(20:52):
craft those emails. So it's no longer you know emails written by somebody whose English is not the mother tongue and you can pick up the grammar, said the sentence does not make any sense. Now they can go on these like ChatGPT and others, and

(21:12):
type three, four words and a theme and suddenly it creates an email. It creates a letter that is absolutely perfect from a grammar standpoint and maybe they can Google you and find out where you live, because you post things online and you have

(21:33):
a dog and you like to go hiking. And suddenly you go on some of these engines and type three, four words, put your name in it and generate an email to invite you to click on a link to partake in a hiking adventure over the weekend with your dog in the park, in Gatineau Park or wherever it is.

Takara Small (21:57):
And finally, what should institutions and companies do to better protect themselves and us? To be honest, I mean cybersecurity.

Sami Khoury (22:07):
We don't do cybersecurity for the sake of cybersecurity. We do cybersecurity because we want to protect our communities, protect our values, our way of life. Maybe down the road, maybe in 10, 20, 50 years, there won't be cybersecurity because all the systems will be secure, but we still live in a world where there is a lot of vulnerability

(22:29):
in IT and we are pushing companies to design systems, design capabilities that are secured by design but also secure by default. You know, but what can you do in the meantime, until these products come to market and are secure by design and secure by default is to recognize that a vulnerability to one is almost a

(22:51):
vulnerability to many and, because of that, the fact that we live in a connected world. So, take cybersecurity seriously. Play your role, whether you are an individual or whether you are a business. Recognize that you have assets, you have information of value to somebody and that somebody will not hesitate to go after

(23:15):
you if they think that they can make money off of it or if they can use it to their advantage. So, whether you are a startup working on the best, coolest idea, or whether you are a very established big company that has a lot of information, you are at risk, and the risk is that if you don't take cybersecurity seriously, that somebody will

(23:36):
find a way to get into your system and to steal your coolest idea or to disrupt your system, and that generates this disruption will have an impact on us, will have an impact on our communities, will have an impact of the services you provide, and so that's why I feel that we each have to do a

(23:58):
part. You know, we say cybersecurity is a team sport, and we each have to play our position to make sure that the team functions in a coherent way. Government, academia, private, public. Every one of us has something to do. None of us can solve it alone. So, I hope that's a bit of public service announcement on

(24:23):
how do we do cybersecurity in Canada.

Takara Small (24:26):
I love it. It's a good PSA. It should run on TV in between shows. Well, thank you so much. I have been fully educated and I'm sure our listeners have as well. Thank you for taking the time to chat with me today about this.

Sami Khoury (24:39):
Thank you, I very much appreciate the opportunity.

Takara Small (24:42):
We live in a weird era. So much of our personal information lives online. That means tech corporations and our devices know more about us than we do ourselves. The novelist James Joyce once boasted that if the city of Dublin ever disappeared, it could be rebuilt from the

(25:04):
information in his books, and Google and Meta could do the same thing with most of our personalities. Cambridge Analytica famously used extensive online data analysis on voters to influence the American elections and the Brexit referendum in 2016. Eight years later, the data points being collected on us are

(25:27):
only growing, so our private data is vulnerable in ways other than being directly hacked. Joseph Cox is an award-winning investigative journalist who's worked extensively on this subject and set up a media company called 404 Media with some other like-minded reporters.

(25:48):
We caught up with Joseph to learn more.

Joseph Cox (25:50):
I mean, I think at this point it is near impossible for especially an ordinary member of the public who, you know, just wants to get on with their life. Really, they're going to have to interact with corporations because they provide the infrastructure, our communication tools, and that's, you know, messaging from one

(26:13):
person to another or your family or even broader. They will make the tools that allow you to then communicate with the public institutions, whichever they are, and then when you do interact with those as well, you're, of course, providing them data as well, and they are. They could fall victim to hacks, just like anybody else as well. I think that for an ordinary person, it's going to be

(26:33):
exceptionally difficult not only to not provide your data in the first place, because you need to do that to interact with these services, but also you essentially have no idea what happens to that data after the fact.

Takara Small (26:46):
So, Joseph, what are the threats to ordinary
people?

Joseph Cox (26:51):
I would put the threats into two main buckets, the first being low-level hackers, who will target everybody and anybody simply because they can, and that will be stuff like sending you a phishing email to get your password. It will be finding your password in another data breach and then using that on a website you're using elsewhere. And then secondly I would say the broad one are privacy

(27:14):
threats. Now, this could be you gave location data to an app, which then sold it to a data broker, which then sold it to somebody else. That is really really difficult for an ordinary person to keep tabs on, and it's much more about bearing in mind well, what apps am I going to install, what services am I actually

(27:36):
going to use. But those are the two main buckets of threats I think ordinary people should keep in mind when they're just going about their day-to-day lives.

Takara Small (27:45):
So I'm really curious to know whether you've seen or if you've written anything about how things have changed since COVID, because during lockdowns in Canada, there was a push to get people to stop using in-person services and to go online for everything.

Joseph Cox (28:02):
Yes, I mean, you're exactly right. During the pandemic, and certainly after it as well, there has been this mass migration by various companies and services to get us onto these apps to communicate, the communication platforms, service platforms, whatever they are. I'm actually working on a piece at the moment I'm still in the process of reporting it but somebody tipped me off that a

(28:24):
totally ordinary person was essentially banned from a medical practice because they refuse to use an Android or an Apple phone. You know they have a normal telecommunications device. It can, I presume, send text messages, receive phone calls, all that sort of stuff, but it's not a smartphone, it's for lack of a better term, a dumb phone, and this medical practice

(28:46):
simply refused to service them, even though they offered to actually go in person to their appointments. That is simply not an option offered by some organizations now, and I think we're going to see more and more of that, because there are people who still don't use smartphones and don't want to. And you know, as populations age and it is predominantly

(29:10):
older people who will use a normal phone, I think we're going to see more of that. There's going to be more of that divide.

Takara Small (29:18):
You worked on a story about the New York subway system where you were able to track a subway user and, you know, find out where they work, where they lived. It wasn't, you know, a traditional hacking story, but it did really showcase some of the weaknesses that exist in our public systems. And I'm curious, you know how common are weaknesses like that? How often do they occur?

Joseph Cox (29:41):
There are almost always tradeoffs when it comes to implementing some sort of feature, and I mean that in the broadest possible terms. The story you're referring to is that, yes, when people use the New York subway, they scan their card when they enter and then they go use a subway and they leave. What I found was that there's a feature on the New York

(30:04):
subway's website where you could go and check your own trip history, the idea being like oh, where did I go? How much have I spent on the subway? That sort of thing. But I found it was trivial for a third party, such as an abusive spouse, maybe a stalker, somebody like that, to use that system as well to track a target's whereabouts.

(30:27):
As you say, that's not really a hack, it's more of a privacy leak and it's hard to say. You know, I don't have data in front of me for how common it is across countries or entities or organizations, but with every single feature implementation, every single design of a feature, there are always going to be trade-offs,

(30:49):
and privacy is going to be one of them. I think another case is going to be that Apple somewhat recently released AirTags, those small GPS little tokens you can put in your bag, or you could maybe put on your bike so it doesn't get stolen. And what they found was that, very quickly, stalkers were using these. I think that we just have to be very careful of the unforeseen

(31:12):
consequences of the technology that we use or design or purchase.

Takara Small (31:17):
You know a lot of the trade offs that happen when it comes to technology. It's usually for convenience and it disproportionately affects women, low income, BIPOC. I'm wondering, though, you know is this due to incompetence? Is this due to sometimes, tech being very siloed?

(31:38):
Why does this happen? What is the cause behind it? Is that an easy thing to state? Is it knowledge gap? Is it money?

Joseph Cox (31:47):
Yeah, I generally want to give designers the benefit of the doubt. Of course there are going to be some who are just incompetent, but I want to give them the benefit of the doubt in that regard. But I would say that these mistakes are still being made. Features are still being implemented with privacy issues in them, and I think it's just that privacy or security sometimes as well, they're often treated as an afterthought.

(32:11):
You know, it's like oh, we're designing the product, we're launching this service and we want to focus on how usable it is, as you say, how frictionless it is, the ease of use. They're very much focused on that and then stuff with privacy or security is sort of auxiliary, it's an afterthought. When, really, when we're thinking about designing a feature, launching a product or rolling out some sort of I don't

(32:34):
know even healthcare computer system across the country, privacy and security needs to be at the start of that conversation and there needs to be conversations with various stakeholders and, as you say, that can touch on race, that can touch on class, it can touch on domestic violence as well. They need to be part of the conversation at the point of inception rather than well, now an issue has emerged and we have

(32:58):
to deal with it.

Takara Small (33:00):
The tricky thing about conversations like this is where do the responsibilities lie? Where do the obligations lie? You know, is it with? Is it companies? Is it governments? Particularly in Canada, there's an ongoing conversation about data privacy, specifically when it comes to social media, but

(33:22):
it's a very convoluted. It's a very noisy space to have this conversation because a lot of the time, each group is pointing the finger at the other. It's like that Spider-Man meme, you know.

Joseph Cox (33:34):
Yeah, I mean, you're absolutely right.
It is the Spider-Man meme andit's going to vary case by case,
but I would hope.
I would hope that a governmentsorry, I would hope that a
company designing some sort ofnew feature or platform would
take it upon themselves to thinkabout this, rather than just
waiting for some sort ofgovernment regulation or

(33:56):
intervention or whatever it maybe.
But at the same time, I wouldhope that governments would take
it seriously to police thecompanies as well.
I mean, the short answer is Ijust hope everybody would do
their job, but that is a mucheasier said than done, so I
think it really should be up tothe responsibility of everybody
involved.
The one sort of group who Idon't think the burden should

(34:19):
fall on to is basically the user.
You know the, the normal person at the end of that technology.
There's often a refrain in cybersecurity and sometimes privacy,
where it's like oh, the human is the weakest link.
You're the one that clicked on that suspicious email link, and
then you're, and then that's the reason you got hacked.
Well, maybe the system should be designed in such a way that

(34:40):
makes it very, very difficult for the ordinary person to click
that link, or the better highlights that it's very, very
suspicious and you shouldn't go anywhere near that phishing page.
I don't think the user really should be blamed or the burden
should be on them.
Of course there can be some exceptions, but you know why put
it on their shoulders when you could just design it better in
the first place?

Takara Small (35:02):
And what do you think might help, you know,
create a safer space for the average person to share their
information online?
Is it government regulation?
I feel like that's what most people go to.
The government needs to put stricter laws in place.
There has to be fines.
What do you see as a possible solution?

Joseph Cox (35:21):
Yeah, so in Europe they have the General Data
Protection Act, I think GDPR, and that's a massive sweeping
data protection and privacy law and there are really big fines
if companies mess around with your data.
The regulation is not perfect,but I absolutely think that, at

(35:42):
you know a bare minimum, more countries should be emulating,
replicating or getting closer to something like GDPR.
It allows users to request from companies hey, I want to know
exactly what you're doing with my data, what you have on me,
and can you please delete it.
Sometimes that can be an arduous process, but if the

(36:04):
companies implement it properly, it gives the control back to
the user and allows them to make an informed decision of you
know what.
I don't want this data to be held with you anymore and
legally, the companies have to follow that.

Takara Small (36:18):
You know, because you know hacks, data breaches,
are always in the news.
I sometimes feel that the average person could easily
believe that they are as much of a target as a Fortune 500
company.
Should the public be worried?
Do you think that they perhaps are likely to be the I don't

(36:39):
know a victim of hacking?

Joseph Cox (36:41):
Is our ordinary people, uh, should be worried
about these type of threats so the typical ordinary member of
the public is not going to have the same sort of threat model,
as we call it, as an executive of a Fortune 500 company or
whatever.
But that is not to say that people are immune from data
breaches.

(37:01):
There's a very common refrain which people say, which is well,
I'm not important enough to be hacked, and I think that's a
fundamental misunderstanding of how especially lower level
hackers operate.
I spend a sizable amount of my working day every day in hacker
chat rooms and in there they're not going.

(37:22):
Oh, let's find the next big juicy target, although some of
them do that as well.
It's more.
Here is 10,000 email address and password combinations.
Let's try them, them all, and we'll see if we get in.
And then we'll see what's of value.
And maybe they break in to a US email address and they find a
social security number.
Then they can do some identity theft or whatever.

(37:44):
You know it could be any number of different things, but
hackers hackers are opportunists.
They are just looking to break into anything and then they'll
see how they can monetize it later.
So in a way, everybody does need to take their security
seriously, even if they're not running a super profitable

(38:06):
billion dollar multinational corporation or something.
I know it sounds terrifying, but it's not like it's.
Not everybody now has to shut down their digital life.
It's more just.
I think that shift in thinking to oh, the hackers don't
actually care who I am, because they don't.
They just care what data I have.
And when you think about that, I think you can protect your own

(38:26):
data a little bit better.

Takara Small (38:28):
Are there any tools or services you think the
average individual should know about or should adopt?
I'm thinking VPNs, for example.
That's an easy, low-hanging fruit.

Joseph Cox (38:39):
I think the number one tool that people should use
is a password manager, and there's been a lot of I wouldn't
say misinformation, because that's probably a little bit too
harsh, but the common thinking is that, oh, you should never
write down your passwords because somebody could break
into your house and steal the notepad and get into all your
accounts.
But what is more likely, the hacker is going to take your

(39:03):
password from one data breach and use it on the website where
you use the same password very, very likely.
Or they're going to put on balaclavas and climb through
your window and take your little notepad of all your passwords.
That's super unlikely.
So what I would recommend is that people use a password
manager. Now,
maybe that's the default one that's built into Google Chrome,

(39:23):
maybe that's the default one in your iPhone or on your Mac and
I believe Windows has something equivalent and what this will do
is that it will often automatically generate strong
and, more importantly, unique passwords for every website you
use and then store them securely on your computer.
The biggest threat to your online security is that some

(39:46):
random website gets hacked whereyou had a password.
You use that password elsewhere, somewhere more valuable, such
as your gmail, and then thehackers get into that as well.

Takara Small (39:56):
So basically, everybody should be using a
password manager if they can and I'm just curious is it
challenging for you to just kind of go throughout your day, your
week, your life, etc.,
without a smartphone?
Is that hard for you?

Joseph Cox (40:15):
Yes, it's exceptionally difficult.
Um, I will use special apps that allow me to receive text
messages, for example, onto my iPad, but not every bank allows
that, so sometimes I can't have a bank account with a certain
institution.
Maybe some medical practices don't like it as well, and
that's just an extra layer of friction which, to be clear,
I've put on myself and it's very extreme and most people should

(40:37):
absolutely not do it.
But, yes, it's difficult.
And then there's also just the social aspect, which I'm okay
with but my friends hate, in that you know, I'm on a plane or
something and I have a conversation with somebody and
they say, oh, it's been great talking to you, can I get your
number?
And it's like, well, I only use this encrypted messaging app
and they don't.
And then you know, I don't get invited to the barbecue after

(40:58):
that, basically.
So it's tiring, it's exhausting, but it's just a personal
decision I've made.

Takara Small (41:04):
Yeah, and that was Joseph Cox of 404 Media, and,
of course, Joseph is welcome at our barbecue anytime.
Okay, next week we're going to be looking at the way
cybersecurity intersects with politics and national security.

Sami Khoury (41:21):
This will turbocharge everything bad that
we've already seen in a huge way.

Takara Small (41:27):
As ever, you can email the show That at .
T IRAca and you can visit CIRA.ca/cybersecurity for more information.
It would also be great if you could leave us a review on
Spotify and Apple podcasts.
Thanks for listening and we'llsee you again next time.