Welcome to Cyber Security Today, our week in review panel. I'm your host, Jim Love. This week we have our regular panel. We have Terry Cutler, head of Cyology Labs in Montreal. Welcome, Terry. Good morning. How are you? I'm just fabulous.
We passed the million: 1,015,000 people phished. I haven't got my McDonald's sign yet. More than 1,100 customers, and I've done really well. Of course, all of the chaos that we're now seeing about this whole tariff thing is an interesting situation to be in as the only Canadian security awareness company at scale.
So he's just perfectly qualified to be here. He had a microphone; that gets you on the show. Yeah. Good stuff. Okay. The format. This is, by the way, our penultimate show. I like to use the word penultimate. That's second last, I think, but we're going to do a Christmas year in review show somewhere before we take our holiday, which is generally about the 20th of December. We go into reruns till the 4th of . But somewhere between there, we'll do a year end show. This is our penultimate show. And everybody by now should know the format.
'Cause I saw David, you actually put this one on LinkedIn as well. This got me going. There's a new hack that's gone out. Bleeping Computer did the story first. We did a story on it as well. It's a novel phishing campaign that uses corrupted Word documents to evade security. The reason I picked this up: I gave it an A-plus for creativity.
So just please give me your username and password. Is that a pretty fair assumption of it? David, you, as our phishing expert, the filial phish himself, are you seeing this? You put it on LinkedIn. Have you seen this campaign yet? I haven't personally seen one of these attachments, but I am absolutely 1,000 percent not shocked by this.
Word documents, WinRAR files will also do this kind of self-healing. And what the article pointed out is that there are elements inside the headers of these files that allow you to reconstitute and rebuild them, and when you reconstitute and rebuild them, away we go. You say corruption, I say hilarious new form of encryption.
Score something. So this is just people being clever. The meme that came to mind when we were preparing for the show is the classic Jurassic Park "clever girl" velociraptor that pops up, because, props, this was clever. I thought we were losing you as culture critic there, David.
To a financial institution near you. Yeah. Yeah, it's not a big deal, right? No, I'm kidding. That's right. It's not a big deal, John. You're the head of cybersecurity. It reiterates the fact that, no matter what you put in, David talked about it a minute ago, there is no silver bullet.
They will investigate it. They'll let you know if it's a problem or not. If you have a small office, you can have a conversation and have that same policy that says, hey, come on over and look at this. So just 'cause you've got a two- to three-person shop doesn't mean you still can't do that.
There's no fix for human stupidity. Have you seen that one? But okay. Shipley tries to be nice about it though. Okay, there's actually something: I'm working on a 3,000-word paper for the Canadian Cybersecurity Network. And I go after this one point, Terry, and I used to say the same things, but here's the truth of it.
And so that's the number that you need to get down. You need to tell people, email filters aren't perfect. Trust your gut. And I think tied in with that, the big fallacy to me in corporations is that Cybersecurity is a corporate thing. Everybody that walks through the door and claims to be an employee needs to be responsible for cyber security.
And I did a story on it for Cyber Security Today because it just amazed me. We're always talking about the technical parts of this, but offboarding, when someone leaves. And you think big companies must have that handled, right? Not exactly. Disney had an employee that left and they didn't remove him from the system for whatever reason, and left him with his access to the systems.
I was flabbergasted. Hey, I could understand it if this were a tiny business, but at a big business like Disney, nobody checks to see that a person we've fired, who left under bad circumstances, is taken off all the systems. I couldn't believe that could happen.
So this is one of the things that we discussed as part of an audit, and we have gone through dramatic changes to our offboarding procedure to make sure that it's easy for us from an IT perspective, that we can disable everybody's account that IT manages. But there's this little thing called shadow IT.
The moment you get hired, it creates you an account in Active Directory, in Novell Z directory. It finds an available extension in the phone system. Everything gets associated to you in one shot, in theory, right? But then eventually, once you leave the company, everything gets shut down once you deactivate the account. So we need to start looking at more technology like this that can help automate these processes, because things get forgotten, or they'll say my last day is next Thursday and then you guys forget about it, or maybe there was an extension, or maybe the guy was using somebody else's account. All these things need to be looked at.
So there needs to be, as part of that offboarding, where do you pass on the files, old emails and those types of things, so that they're still accessible for somebody within the organization that still needs them. Getting the documents in is one thing, but you pointed out, if you've got shadow IT or SaaS programs that are out there.
We said, show up at the guy's house unannounced. We knew about it a day or two before; we knew that guy was going to have a bad day next Wednesday. Show up, take all his equipment, analyze it, and then take them to court, kind of thing. Would you like to have Cutler arrive at your doorstep with two other big guys behind him saying, "We're here for your equipment"?
Cases, and just double check all the work was done according to the checklist. And if they find a gap in the process or an error that's consistent, possibly consistent across all three: oh, we missed this. Then you improve your process. One of the things that I worry about in this field is that we forget that continuous improvement is a good thing.
I look forward to them coming in because they're either going to tell me I'm doing a good job or they're going to show me areas where we need to improve. And I'd much rather the audit team find that than cyber hackers. We had a situation; we do a lot of work in health care. We just did one a couple of months ago, doing one on an Active Directory.
And then, I'll share that I have a higher risk for colon cancer, so I have a five-year screening program, and I don't dread it. I don't say I'm excited by the colonoscopy, but I'm not running away in fear from that, because the doctor's not there to cause me harm; he's there to find and see if there's something that needs to be dealt with, that we can improve and that we can preventively catch early.
John, you had a couple of stories you wanted to bring to us. Both of my stories are a little closer to home. The stories themselves are interesting and informative.
And you also need to incorporate these vendors in your incident response plans, or your own cyber readiness. It's one thing to say, okay, if something happens to us, if we get hacked, here's what we're going to do. But as soon as you start having a reliance on third-party vendors to run your business, they need to come under the umbrella of your corporate cyber readiness.
And so was that because Delta got hit worse than anyone else, or was it because Delta wasn't prepared the same way that others were? And so, I guess, my message behind this story is that you can offload the work to somebody else, but you can't offload the responsibility and the ownership.
So that's a great point. So we do a lot of audits, right? So Office 365 is another example, another gate that is not 100 percent secure. There could be vulnerable plugins, 2FA is missing on certain accounts, whatever it is. And we'll sometimes get pushback: why do I want to audit somebody else's system?
It applies to vendors, John. I was looking at Blue Yonder: thousands of customers, huge names here. We're talking grocery stores that had their actual supply of food disrupted. And the days are over where it is a cute little thing that is on the side of the organization. I was at a global bank customer and I walked by a sign that said, in 1984 or '83, we had 25 personal computers. And at that kind of scale, not paying attention to these supply chain vulnerabilities.
It's not material today. It's very material, but I would argue that we need to take the same approach to structural, systemic risk in technology that we do in the global financial system. And I sure hope it doesn't take a 2008-style event in the tech ecosystem, but I feel like we're cruising for one of those, because you've got Blue Yonder, you've got CrowdStrike, you've got other things that have happened.
And you make a great point, David. You talked about Blue Yonder hitting over 3,000 customers, and there's no regulation. It doesn't say that you have to do this. And I don't know whether it's, once you get beyond, if you have more than a hundred customers, then you have to step up your game from an audit perspective or whatever.
So the SaaS piece is something that people need to pay attention to. For sure. I want to run to your next story, John, and that's the City of Hamilton. The hits just keep on coming, as they say in FM radio, for those guys. This was back in February, so it's not a recent story, but they're still suffering from it.
6 million into the battle. They are a long way from being finished. And to add insult to injury, in trying to bring their systems back up, they've been hit by over 800,000 worth of imposter vendors stealing money from them, and they don't know, because if somebody sends in an invoice saying you're past due with this invoice, they have no systems to go back to, to look to see whether that's right or not.
And when they finally did the IR on the city, they found out that the hackers had been in the system since April 2019, most likely. A lot of companies use technology that relies on logs. And logs get delayed, logs get modified, logs lie. When an attack occurs, a lot of times these SIEMs and whatever don't see this stuff.
And all of a sudden you've got to rebuild the building, but you discover that the ground is also contaminated from a hundred years of history. And so you now have to do environmental reclamation while rebuilding your building, while still running your organization. That's a lot. That's a lot to expect of an organization.
We know who their suppliers are. We now know the right asks. We know the people to target. So as they're in bunker recovery mode, the actual money play here, this feels like Ocean's 15 cyber, is to actually go after the invoicing, and it's terrifyingly frigging brilliant. But I will also say, as the official, semi-official, self-appointed (probably the most accurate is self-appointed) maintainer of Canadian cyber Guinness World Records, that's now 9.
We get brought in to assess people's cyber insurance questionnaire. And a lot of times they say, yeah, we have this. Yeah, we have all this stuff. No problem. They submit it, and they get accepted. I'm like, yes, of course you're going to get accepted. But when something happens and you checked yes and you don't have it, like log monitoring: are you doing a penetration test once a year?
Between November 15th and April 15th, if you don't have snow tires on, they won't cover you. Yeah, it's like what I used to say: I was a non-smoker for my life insurance. You always forget when you fall off the wagon. I haven't smoked in 20 years. Terry, what would you bring us? One of them is the story about Andrew Tate. You may have heard this name before online. Long story short, who Andrew Tate is: a former athlete turned internet personality, and he's got a lot of controversial views about how men should act, how women should act, and it draws a lot of both positive and negative attention.
I don't need cyber security; who's going to want to hack me? I'm solo. I don't have a system. But when something like this happens, all of a sudden now you wish you would have had it. So my gut is that because all these usernames and passwords have been extracted, they're going to go after the user accounts that have registered with the platform.
And one of the things, if I had to lay a prediction for 2025: hacktivism is back, baby. It's going to be back in a big way for the next couple of years, and it's going to be hilariously awful for a lot of people. That's like having a disgruntled employee, in one way, right? You say something that no one agrees with and all of a sudden you get hacked because no one likes you.
And you can't take any joy in watching these guys come down. But it's like when the Chinese are hacking Donald Trump's phone (and tell me they're not), you look at it and say, oh God, I hope he's not telling people, his friends, what the nuclear codes are. We'll find out.
So what we know has been publicly disclosed is that numerous major, big-name US telecommunications operators were compromised by a Chinese state-sponsored group, allegedly leveraging the very tools inherently built into them for lawful intercept, for things like wiretaps, et cetera. Originally, when the story first broke in the fall, we thought that this was an opportunity for the Chinese to understand the American intelligence apparatus and who they were looking at on their side. Since then, we learned that the targeting was highly intentional, targeting the political campaigns of the U.
That is unprecedented, as far as I can tell, in terms of these big hacks. Like, you go back to big national security hacks before the Microsoft ones, notably SolarWinds: you didn't have people come out and say, and the Russians are still in SolarWinds. This is bad. And it's particularly bad given the instability that we're experiencing geopolitically.
There's a vulnerability that goes right across the nation, which allows you to have SS7 attacks, which allow you to intercept phone calls. You could be on the other side of the planet and still intercept it. But in order for that to be fixed, you need to change the entire infrastructure, like in North America.
I encourage your readers to go back to the ancient history of the first crypto war (crypto not being cryptocurrency, but encryption) and learn about the Clipper chip. The intelligence agencies have to have a back door to the encryption system, because how are they going to monitor for terrorist threats?
Do that. Do exactly that. Create malware that can intercept the actual device. And if you own one end of the telephone string, end-to-end encryption, you don't need the damn crypto keys. You could listen live. Amazing. Or do what the Europeans did: bust somebody, take their phone and pretend you're them.
So they have a 7.5 percent answer rate. So I've always been wondering why they kept saying that reported fraud was 570 million, but we suspect it could be 10 times higher. It's because the 570 million comes from the phone calls they were able to answer, and that was only 7.5 percent of the total number of calls.
Other than that, they're not doing the face-to-face things anymore. It's all the online, backdoor, hidden ways into systems. And when you've got an agency that you're being told, if you have an issue, you need to report it to them, and they're only reviewing or getting through 30,000 of 400-and-some-odd thousand reports.
And on the City of Toronto: two weeks ago, we found out from the Globe and Mail that one of the most innocuous music nonprofits in the country, called FACTOR (they get something like 15 million a year from the federal government), had 9.5 million taken from a Scotiabank bank account. They're now suing Scotiabank.
And that is the ability of companies to get past two-factor authentication by stealing session cookies. That was one of the stories you came up with, and I think this is a big one. In fact, do you want to just run by that? Yeah, in fact, it actually segues to the Andrew Tate story, because now everybody's accounts, you know, what they were using as passwords, have now been taken. And a lot of people say, I've got two-step verification, I don't care about this stuff. But they don't realize that if they get a phishing email, or they get a message on Facebook, and they click on a link that asks them to log into a service like Facebook.
And now the content on your website becomes Arabic, we've seen that, or there are fake ads going out and you're paying for all this because you can't access the account to change your credit card. So it's a trickle-down mess. One of the things that I got from reading this story, and just reading your notes on it, was: I may never click that checkbox again that says "keep me logged in."
All they need to do is hack into your computer and they've got it all. And the one thing I'll say is this ties back into how we sold multi-factor authentication to get corporations to deploy it, and the compromises that we made: how they can do things and save session cookies, or, if they're on premise, they're not MFA'd in, because these were just different compromises made on the path to getting social acceptance within an organization of these security tools. And gang, it's going to be really hard to do the easy technology thing of saying we need to do more MFA challenges.
very much. Target your inconvenience to the areas of greatest risk, because you are not going to get carte blanche to roll this block. What we did, David, when we deployed MFA a year and a half ago, is we went what I would consider one step further. We went Windows Hello for Business, and we're not passwordless yet.
But this is, Terry, like the exact same thing we saw with Genesis Marketplace. I think your points are valid. It's going to be an interesting year ahead of us. And one of the things that grabbed me about this was, even if you've got passwordless access, you've got tokens, you've got some sort of other, if you've got a passkey, you could still get beat if somebody could get ahold of your session cookies.
This one goes to GitLab, perhaps overly promoting the AI advantages of the stinky Copilot. Lies, damn lies and statistics. Dan Campano at The Register covered it really well, where there were some bold claims about how great Copilot was at improving developer accuracy and efficiency.
And what I'll say is this. In my time in technology, and in the team that I have, the developers we have are not code translators from business analysts with requirements. They are creative problem solvers crafting well-done solutions thoughtfully and carefully, and that requires a level of reasoning still not present in these automagic, statistically driven generative AI solutions.
So David, did you have another story? I think we actually covered the major stuff that I was looking for, which was the telephone hack, the fact that they're still not kicked out of the system; it's extraordinarily disquieting on that front. I'm going to actually send out a note to Rogers and Bell to see if anybody will give me any information on that. I'm not expecting that they're going to tell me. Two things give me comfort that are different.
It's probably not going to make it through, and we're on the whole going to be worse off for it. So I went there. I pointed out there were still flaws, said, get it done, but come back and fix it. And then I found out a typographic error in the actual wording of the bill, as it was passed on from the House of Commons to the Senate, has forced the Senate to send the bill back to the House of Commons through all three stages with the corrected ordering number, which has jeopardized the entire bill.
But I'm going to leave a warning on this piece, because it comes up, and as much as I don't want to be political with the show, I've got to say: I don't want some idiot running my government who comes in and says, I'm from private industry, slash, get rid of all that bureaucracy.
They want to play those games. They want to do all of these things they want to do, and they seem harmless. They are not. When political survival is at stake and we decide we're going to do a half-baked, vote-buying GST/HST rebate program, holy crap, you can get legislation written up and passed in the House of Commons. And man, six years, critical infrastructure. And when people in the Senate were challenging me on my rhetoric, my heart probably saying that the government does not care about cyber security, I point out: six years it takes to get this done, and one week when their necks are on the line, even when it's a really bad idea. Yeah. So to all of our American listeners looking at the insanity of their government: Canada joins you, but we're going to build a wall and the US is going to pay for it.
Thanks to our guest Terry Cutler.