Episode Transcript
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale.
You can find them at meter.com/cst.
Welcome to Cybersecurity Today, our month in review show, and we have, drum roll, Laura Payne from White Tuque, who famously gave me a white tuque this year, and David Shipley, who, not to be outdone, made sure I got a Beauceron hat, but also, and now we're upping the ante on this.
I dunno if you could read this, 'cause I couldn't take the, 'cause I drank the coffee already.
Ocean Air Coffee, a local New Brunswick company.
Yeah, so we've partnered with Salt Winds and they're a cool tech story as well.
Salt Winds discovered that the coffee that was made and shipped in the age of sail had a distinct flavor to it.
It was often less bitter than the coffee that we have now because over the course of the journey, the salt and the air would infuse into the coffee beans and create a different kind of flavor profile.
So they actually invented a technology to do this and, my wife and I have enjoyed their coffee for years.
We've now partnered with them to create Beauceron branded coffee.
It's called On Guard.
Ha, works in English and in French.
Ooh, nice.
And very much playing up on our proud Canadian roots, and both companies being Canadian, and we are bringing it to a Canadian conference near you, and any of our clients listening, you can easily request a taste of coffee in this age of inflation, and coffee apparently is leading the cost.
We're trying to do our part to help be patriotic.
Dear American listeners, we love you, but unfortunately, due to the tariff situation, cannot bring you coffee at this time.
We're working on it though.
Yeah, so just the old pitch: for the cost of a cup of coffee a day, you too can have friends.
But it was a great gift.
It was, and like I said, I went to look for the bag for the show and I realized we drank it all.
And it has a beautiful little Beauceron, Ron, character in his full-on barista outfit.
It is somewhat of a collector's item.
There you go.
So we wanna get to the news from this week.
I don't know where you guys wanna start.
I put together a couple of stories, one of them, and I think I will start with it.
And David, there's a couple ones I know you've got, and Laura, you'll have some as well, but the one that just got me was not one story.
And many of these things I'm gonna bring up today aren't just one story.
We've gone back to this living off the land thing, and for all of you out there, I know, I don't wanna talk down to anybody, but I hate using terms.
And then some people might not know what they mean, but living off the land means essentially you're using the tools that are natural for that environment and you stay hidden from most of the things that are used to detect malware and other threats.
And this is, it's been around for a long time.
But I was reading a story about the Ukraine war.
For anybody who thinks that wars are only fought with guns, you know, there's a lot of intelligence that goes on, there's a lot of cyber war that goes on.
And one of the ways that they'd stayed hidden was to use Microsoft utilities, and then.
I read that story and then, what happens when you see a story and then you see it everywhere?
That's what happened to me.
And then there was a story that came up, 'cause this has been around for about 12 years, I think.
My research says, well, from somebody that gave it to me, it wasn't, sorry, not my research.
The person who tuned me into this said that it was Christopher Campbell and Matt Graeber who used the term living off the land first.
And that was a dozen years ago.
So it's been around for a long time, but now I'm seeing it everywhere.
There was a Microsoft story this week we ran with it that said that attackers were using PowerShell, WMI, Task Scheduler, all legitimate Windows components, and PowerShell downloads a script.
Downloads a script.
That's what it does.
WMI executes commands remotely.
Yeah.
Could be a scheduled task, there's nothing that involves a really suspicious binary, and it doesn't look foreign to the system.
And I saw that.
Then all of a sudden there were fake Calendly attacks.
I don't know whether you guys use Calendly.
A lot of executives do.
Now, I need to book time, so I'll put time out there.
People can book in to Calendly.
Now people are sending Calendly, I guess they're phishing attacks.
And they're targeting them really well.
Now this was another one that came up.
They're using Calendly and an approach that really goes after people who are in the ad game.
Yeah, so a couple different things.
Like, I think you're seeing the evolution of the concept of living off the land as applied in social engineering.
Living off the land, number one, it's hella convenient, right?
You don't have to do the extra work.
You're not going to fly above the tree line and trigger all the EDR threat detection alerts because it looks perfectly normal.
So you use what you have, you're much more likely to maintain persistence, and it works.
It works really well.
So why go fancy now?
I am of course gonna, as our regular AI critic, point out that Microsoft has just put the plumbing in place for the evolution of living off the land with their new agentic AI framework in Windows 11.
Amazing.
We used to call these rootkits, malware, all kinds of other things.
But now, through the magic of social engineering and agentic AI, I don't have to sweet talk you in a phishing email.
I have to sweet talk your AI to then go and download a PowerShell script and go from there.
We keep making it harder.
And the other thing that gets interesting in the age of AI is the more and more network traffic and noise, as we think about what agents are gonna be doing and the level of network traffic that's going to generate, and keep in mind most security tools that monitor for weird things that are happening on device, and even over a network, go back to a central log management component.
And they charge by how much data is being generated.
So we're gonna see enormous pressures on how long logs are gonna be able to be retained, what level of detail is being logged, and with a lot of noise, living off the land is gonna be even more successful in the age of AI.
And then lastly, on the social engineering side, it's not just Calendly, it was iCal and Google Cal invites.
It was DocuSign, and DocuSign's having a hell of a time.
And what's interesting is with DocuSign phishes, they are coming from DocuSign.
People have signed up for legitimate DocuSign accounts and they're loading malicious content into DocuSign.
And so if your business actually uses DocuSign, your email filter is going to allow the DocuSign emails, and in fact your IT may have even allow-listed the Calendly or DocuSign emails to come in and be delivered, and your last line of defense, educating your people to question the context of things coming in, crazy, that still is actually an important part of it.
But for DocuSign and others that use a freemium model to recruit customers in, that also lets criminals in. This is a whole new level of pressure now, and they're having to expend a lot of money to try and battle this issue and it's negatively impacting their brand.
Now in fairness, David, I have to say Microsoft has warned people that Windows 11's agentic AI could install malware on your PC, and you should only enable this feature if you understand the security implications.
So it's not like they're doing nothing about this.
David.
So one of my favorite movies, culture critic hat on is Catch 22.
So if you're familiar with the movie at all, love the book.
The pilot is trying to get out of a very dangerous air duty during war.
And of course, he's a very sane individual, realizes that continuing to fly will get him killed.
And so he pretends to be crazy so that he can be down-listed from being able to fly. The crazier he pretends, the more the military says, no, you're fine.
And they say, what do you mean?
you'd have to be crazy not to pretend to be crazy, so you're fine.
It's Catch 22.
Yeah.
Microsoft saying this can be used to use malware, will be used to install malware, is basically telling you here is the security implication.
If you understood the implication, you wouldn't enable it.
Now, to be fair, Catch 22 also explains the economics of AI, because there's a very famous scene in there where a guy buys eggs for 8 cents a dozen and sells them for 5 cents a dozen and makes a profit.
And they actually do explain it.
So that's how the math is mathing now.
It's solved two problems in there.
Catch 22.
It's like 1984.
They've turned into manuals, not novels.
And so anyway.
Laura, we've been taking all the oxygen outta the room.
This has gotta be something that you see hitting clients as well.
Very much, very much, and it was highlighted in the threat outlook that was released by the Canadian government earlier this year.
As one of those emerging trends that we're seeing, and it's the equivalent of somebody dressing up in a uniform of your cleaning crew and walking into the building. Like for people who are still like, what's the analogy that I can wrap my fingers around here?
It's somebody who appears to have the authority to be where they are, but they don't.
And it's as with so many things where we created convenience models, and the calendar invites are the perfect example of that, right?
How convenient calendar invite comes in, gets automatically processed.
No AI needed, right?
No, it got automatically processed into your calendar, started being used by salespeople to try to just hijack their way into your time.
Guess who's on there next, right?
As soon as somebody's starting to use it for sales and social engineering, they're very related types of fields.
It's just whether you're trying to sell a product or trying to get a scam going.
Yeah, Laura will not be circulating this video to her sales team.
The principles apply, right?
Yeah, it is now.
Now, how your customers will feel about you if you apply social engineering tactics is probably the way I feel about very pushy salespeople.
A good salesperson doesn't need to employ these kinds of tactics.
That's my take on it.
And I was making a joke, but I don't dis salespeople. I will tell you, as somebody who ran a consulting practice and then tried to run my own company and do the sales, I phoned every single salesperson who worked for me and said, I'm sorry, you have a hard job.
It's tough.
It's tough, let's get that outta the way.
Yeah.
But this whole thing of living off the land.
Yeah, you're right about it, it's been around forever.
In my book, I once took one scene where somebody got past the security guard by walking in in coveralls.
Why?
Because I'd lived it.
Yeah.
I walked in and saw people walking out of our building with PCs.
I asked the security guard, should these guys be doing this?
And they started to run.
And I'm not, this is a real thing that happened.
Yep.
But they had coveralls.
Yep.
And clipboards.
Yeah.
And so now in my book I updated it, and it's the fancy effort.
I was gonna say it's the fancy, effort-based version of just walking around like you belong, right?
Yeah.
Yeah.
And now you wear coveralls and you have an iPad.
Yeah.
And you get it anywhere.
And I guess the same thing or DocuSign document.
No, yeah.
Or a DocuSign document.
Yeah.
But this is, what's our wisdom on this?
Is there any?
Yeah, I think it really highlights the challenge for providers, and David hit on it, especially when you have the freemium version, right?
How do you provide that service, and you want people to use it, and you want it to be available to organizations like small companies that are starting up, right?
You want them to have the opportunity to do things in a better way.
Digital signature is definitely better than scanned copies of wet signatures, right?
So we want people to have access to these services, but wow, does it put an awful lot of onus on you as a provider to understand what content people are putting in your platform that's malicious.
And I mean, we picked on DocuSign a little bit here just 'cause they're a sweetheart at the moment in this space.
How much I do appreciate for them.
This is a more containable problem and challenge than what we see on social media, which is just the bigger version of that challenge.
How do you manage, when you've opened your platform for people to put content in and publish to others, that what they are putting in there is not obviously damaging, is not obviously for the purpose of damaging others?
And social media's got a whole other gray area, though, around what is obviously for the purpose of damaging others.
But, yeah.
And oh, and many services have this problem.
And a not so gray area, like, this is probably stretching the boundaries on cybersecurity, but because it enables, it's about digital fraud.
I'm gonna ask Jim for a hall pass on this one.
But in November, Reuters dropped a blockbuster story, and I am still pondering the full implications of it.
But what Reuters discovered is that Facebook's own, Meta's own, documentation showed that they estimated that 10% of their global ad revenue was knowingly coming from fraudsters and scammers, and they still took the money. Why? They had bills to pay.
What does that translate into?
Roughly 15 billion scam ads per day in social media platforms.
So the root of this is something banking's had to do because of money laundering laws.
Know Your Customer, KYC, and the Americans have poked at the edges of this with requiring hyperscaler cloud providers to start implementing some basic KYC.
And that's gonna be increasingly important.
Segues nicely, Jim, into the stupidest move I've seen of 2025, going to Microsoft.
Stop, hold that thought.
'Cause I want to comment on the social media thing, because I think they are related.
Perfect.
I think fraud is something that has victims, and it is part of the cyber threats that are out there.
And we'll do our crappy person of the year award or something soon, or the crappy person of the month from this, but.
Meta's coming close on this one.
My wife is on social media.
I'm not a big Facebook guy.
I got a lot of things to do with my life beyond watching people crab at me.
And I get enough of that on LinkedIn now.
I don't need to go looking for more.
No, but I love comments.
That's why I always say I like constructive criticism.
'Cause you suck.
Or when I'm doing an interview with David and somebody who's a former CSIS person, and somebody tells me that this person knows nothing about security. Criticism is okay.
But the rage baiting, the word of the year.
Yes.
On social media.
I can live without it, but when I hear some of the stories, 'cause my wife reads me some of these stories about people who have been taken time and time again by these ads.
And unfortunately many of the people who are taken by these things can't afford it.
So it's, I don't wanna give Meta a pass on this.
This is not a victimless crime.
Fraud is something that inordinately affects people who can least afford it.
And this money, and I would call out too, we know in business money talks, right?
So for the big advertisers who are spending real large amounts of money in single shots with these platforms.
I think there's an opportunity there to really push for change because your brand gets diluted by every crappy scam ad out there.
So if you want the platform to be a place where your ad dollars actually return for you, make that noise, right?
Or walk, right.
Show the platform that it's not where you can be anymore because they don't support an integrity environment.
As always, dear listeners, Laura always finds the brilliant, easier, better path.
My harder role of, we need government to employ KYC regulation on these.
And it's gonna be a cold day in hell to get government to act.
I'll tell you.
Yeah.
That's brilliant.
Laura.
I did this thing a long time ago about who does purchasing online.
Everybody's pitching me.
I see the girls in tight sweaters and I'm human, but you're not selling me anything, guys.
It's just, but my wife is a person who does just a ton of online shopping and a lot of buying.
So if Meta thinks that they can impress a guy like me and they can toss away, cut people who actually talk to each other and share these stories and then stop buying on Facebook, they're gonna be sorely off.
They will, there's a day of reckoning on that, and I totally agree with you, Laura. The best thing people can do is push these companies, and these companies should be pushing Meta to say, when you pee in the pool, nobody goes swimming.
Yeah.
No.
I guess it's probably, I should, yeah.
I love it.
Be this colorful someday.
I, you know what I think?
It makes the point about the poisoned environment.
And you know what's interesting?
I was interviewed by, that's my culture.
Toy story.
Yeah.
There we go.
Somebody poisoned the waterhole.
Yeah, there we go.
CBC did a big thing on Black Friday scams and the rise in scams. By the way, it increases 300% in the holiday season.
It's.
It's nuts.
And BMO and RBC in Canada did phenomenal jobs as banks with press releases and consumer education around the rise of fraud.
JPMorgan Chase did 22 targeted in-person sessions in cities across the United States.
As much as we're gonna give potentially Microsoft or Meta the Stinky for this episode for their various shenanigans, I don't know what the champion award is gonna be, but banks are stepping up.
And it's good to see.
One thing, I was giving my advice to CBC, which was: stop using ads.
Stop clicking on the ads, stop following them.
If you see something interesting from your Best Buy, your Walmart, your Costco, wherever, go to the website and go find it there.
Purposely bypass it.
One, it'll be safer for you. Two, it'll send a message about exactly the point that you've both made so well, in various ways.
It's time for the pool to get cleaned up.
I think it's a good general rule.
Whenever it works.
I think that should be one of the things that people adopt.
If it's at all possible for me to not click on something and just go and do a search on the name myself or type in the URL myself, that's what I do.
And as I figure, I don't know what deal that.
I'm a Prime customer.
What deal is Amazon gonna offer me on an ad that they're not gonna offer me on the site?
And by the way, a hundred percent, the good part of AI is you can say, check the prices for me, and it will hallucinate well.
If a deal's too good to be true, it probably is.
Even if AI tells you, even if AI tells you. Which, speaking of deals that aren't the deal you think they are, so segueing back to living off the land a little bit.
So Microsoft, in its infinite wisdom, i.e. its intense competition with Slack, has decided to roll out by default as of January to all tenants a new invitation to chat that can be delivered by email.
Now, what's interesting about this chat is it's different.
It's a new feature on top of the ability for your users to communicate with other external Teams tenants, which by the way, I despise as a way to turn Teams into email.
Again, great, but don't worry, they're taking the logical conclusion of polluting the Teams environment even further with this guest invite.
Now, what's really cool about this is Microsoft and others have taught people for years that in a properly licensed, i.e. spend more, Microsoft Teams environment, we have features such as Safe Links, Microsoft Defender for Office 365, and other key features that will automatically protect you, except if you're invited with one of these new guest chat invites and the tenant doesn't have these things turned on, i.e. it's Dave Cybercrime Inc's Microsoft 365 tenant inviting you to a chat.
When you arrive in that environment, all your protections are off.
It's whoever's hosting the chat.
And yeah, we wanna walk through this really carefully, because when you first brought this story up to me, I went.
Not, I read it the first time, and I think, I don't know if they changed it, but I went, oh, you can invite outside people.
Big deal.
What's the big deal?
The big deal is, you don't invite the outside people.
You invite their rule structure.
Yes.
So when you follow that invite, you're not in your own environment, you're in whatever rule structure they have, whatever malware they have, whatever they've got going.
And you think you're being protected.
Yes.
And you're not. Exactly that.
And.
Yes.
And to the average user, it's just Teams.
I'm just having a Teams chat.
I was told by my IT team we had certain protections.
But they don't realize those rules don't apply.
It's almost like when you cross the border, right?
It's the rules of the land you have now entered, is the closest analogy I can come up with.
You are no longer operating under your country's laws.
You're under the new country's laws.
And that's where the risk applies.
I understand the business reasons for wanting to make Teams as easy and popular and well used as possible.
Completely get this.
But this is not complex.
The rules of the participant should be governed by their organization regardless of where they're having the conversation, if those rules are higher. So, simple logic, we could build in that whatever environment has the more stringent controls, those laws apply.
Microsoft.
Please, in your infinite wisdom, if anyone is listening and is not assigned to some bizarre AI project right now, whatever scant humans are assigned to this particular rollout, please steal my idea and go with the law of the higher rules.
If you do not, you have created the second greatest living off the land gift after Windows 11 agentic AI.
And we're not going to have a good year in '26.
We're not gonna have a good year for a lot of reasons.
You are making it worse.
Please stop.
And I will say, without having time in the last five seconds to fully deep dive into where the options are, I will say, for anybody who's concerned about this and has the opportunity, do look into the rules, because Microsoft does tend to give control, it may not be super granular, but does tend to give control to the people who manage the tenant to allow certain activities, including being allowed to join external chats.
So that's the kind of thing that, as a configuration holder, right, you should be looking into and making sure you have made the right choices.
And I will say a lot of large organizations that I've either worked in or worked with have done that, right?
They've made Teams an insular kind of organization, or they can invite people, but you can't go join random other places.
So just, I think, to maybe just wrap that one up, it may not, I'm not saying it's not as bad as it is, but you may have choices and you may need to just check and look into those.
I think David's point, 'cause when he called me about this, he went, I gotta talk to somebody.
What's happening here?
This is enabled by default.
And if there are ways to shut it down, the proper way to introduce this would've been to make it new.
Leave the defaults as protective as possible.
And if you want to take this and take the risks, then know what they are.
And I think that would've been a better introduction as well.
I agree with you.
So yes, there are things you can do about it, and you should, and Laura's a hundred percent correct.
So you can put in place cross-tenant policies so that guest access is only allowed to vetted partner tenants.
But my point is that this MC1182004 feature is being rolled out globally and on by default, because I study human behavior.
And the irony is, here's Microsoft saying, after they get hacked royally by the Chinese and the Russians, we're gonna put a memo up from the CEO, Secure Future Initiative.
Every executive is incented by security.
That was cute before we were incented by AI.
And then we're like, we're gonna roll out on default the single greatest gift to phishing in 20 years.
Oh, these things don't reconcile kids.
Your competitive urge is overwhelming the Secure Future Initiative on this one.
Somebody in Redmond, call somebody, raise the red flag, because when a US government department, and it probably will be a US government department, forgets about this feature and leaves it on by default and they lose something important.
You are going to hear the screams from a certain US senator who really doesn't like you already, and you don't want that.
So this is my gift to you, Microsoft, the gift of foresight.
There you go.
And Laura's been able to talk him down a little bit.
That's good.
You're gonna be the David Whisperer, Laura, so that's good.
So do you wanna let us keep clobbering this stuff?
Or you got something you want to bring up on this one?
I will bring this one up because, for me, it flew a little bit under the radar until I was doing my review.
But it just highlights the importance of understanding what's happening in the larger enterprise.
So Oracle had a significant vulnerability earlier, and that led to multiple large organizations being breached through, let's see, E-Business Suite.
And this is, again, Clop doing what they do, right?
Finding juicy, low-hanging fruit, doing their homework, and then really executing.
Congrats to them for doing a good job and being able to take advantage of that.
But this is a case where the patches for the flaw actually came out in October.
But Oracle, and this is, sorry.
I wanna be clear.
This isn't a commentary about Oracle.
This is more about the hygiene around making sure you stay on top of these things, right?
It's easy to get caught up in the big Windows patches, and you have a really good cycle of patching for that.
And it's easy for Windows workstations, software on workstations, to have lots of auto updates and things like that.
But these really big core systems, where people tend to be a little bit cautious, and not without good reason, around getting a patch applied, because of how much it can impact from an availability perspective if the patch doesn't work well, but it doesn't mean you have weeks and weeks to patch a critical vulnerability.
It needs to still be done.
I wanted to highlight that one.
And we're talking about universities, we're talking about major global suppliers that had their data extorted as a result of it being extracted from these core systems, and a couple of interesting things about this.
So first of all, ha, Clop is back, Shady's back.
Man, this group, by the way, their name is a play on the Russian for a blood-sucking tick.
Which I guess, they're a parasite and they continue to do their thing.
Remember, I like to see people who live up to their brand.
Yeah.
They really have done the full ownership of this.
So what's interesting is, this gang picks a software supply chain target and they really think about it and they work it and they work it and they work it.
These big file transfer breaches, remember those that basically caused a year's worth of nightmare for so many folks.
They move it.
We got to move it.
Sorry, I just can't resist making a pun on this.
And I'll have to watch that animated movie again, but it was the MOVEit file transfer.
These guys took that on, which was an enormous one.
And so with Oracle E-Business, they're back.
It's a number.
This is at least a hundred customers who are significant.
Of the 10,000 people in the Washington Post, these are not small installations, numerous Ivy League universities, and of course, which segues well into poor UPenn, University of Pennsylvania, and they're like, disclosing a data breach sucks; disclosing a data breach after a group of very angry hackers send some of the worst content you can imagine using your email addresses and download your entire donor database.
God a double suck.
And I want to say that without humor and just with absolute empathy. Oh, this is, as the Queen used to say, the horrible years, right?
The annus horribilis.
This is like, for Penn, this has not been a great year.
And of course it comes with multiple class action lawsuits.
And the thing about the Penn stories that have been standing out is, of course, the standard questions now emerge faster than ever.
Did you have multifactor authentication?
Not that it's a silver bullet, but that it's like a necessary question of were you wearing your seatbelt in the car crash?
And it turns out that some executives were exempted from having to wear the seatbelt because it was too inconvenient.
And that is gonna be a massive problem for them.
And a reminder that when we talk about security culture, it's not just assigning mandatory security awareness training once a year.
It's that people see your leaders, and if your leaders get treated differently, not only does that send a signal to your employees, but attackers really appreciate you.
Yeah.
And maybe it's not you or I, the hotheads of the world, maybe it's the Lauras of the world who could sit people down and have a calm conversation with 'em and say, do you know what messages you're sending?
Yeah.
Yeah.
Yeah.
And you know what?
Sometimes, I will also say, you just turn it back on for them.
Yeah, they asked for that exemption five years ago, and people are still tiptoeing around them.
It's you know what?
I bet they're probably a little bit more ready now, right?
Like they're, it's probably fine.
It's just not top of their agenda to think about, hey, how come I don't have MFA on my account?
Yeah, so revisit those decisions.
But yeah, I think too, it's a red flag for any organization at this point if you have leadership who resists core controls for which there's now very much public awareness and understanding.
There are very few people, I think, in the workforce who do not know at least the letters MFA and understand that's appropriate to have on your accounts.
So yeah, I don't think there's any excuse anymore for that.
As we've discussed multiple times.
And there is something to be said as well for, yeah, the types of exploits that are really, really difficult usually are not preventable by MFA.
Remote code execution has nothing to do with MFA.
In fact, it may even be a vulnerability as part of the authentication process.
But keep a good thought.
Jeez.
Can tell you.
But I'm always so cheered up after we have these little talks.
Yeah.
I'm thinking about that one now.
It's my gift to you.
But the thing is, yeah, anytime you have an incident, the first questions asked, to David's point, are always about the basics.
Did you at least do the basic things that everybody says you should do?
And if you're not even doing those, then the rest of what you're doing comes into question.
So do yourself a favor.
Everybody's going to have an incident.
It's not a question of if, it's just when. The more things you have done that just take the question of your integrity and your intent off the table, the easier it will be to have real discussions about what actually happened.
I think you can have a polite discussion right now.
If executives are bypassing security, and don't take career advice from me.
I'm the guy who had a CFO of an insurance company throw something at 'em 'cause I told them no on something.
And it's not great for your career. You can be better, you can be a better communicator.
But I think you can sit them down right now and say: when we're hacked, and we will be, and the insurance company comes looking, or the press comes looking, if we have obvious holes in our security or exemptions we've got, it's not gonna look good for us.
I'll leave that with you, Mr.
Or Mrs.
Executive or Ms.
Executive.
I'll leave that with you, but you really need to think this through and I need you to tell me in writing that you want me to do this.
Yeah.
And I think this is an interesting segue into the battle about what basic good advice looks like.
It's become a heated topic for me, because, to give them a degree of credit, a group of security leaders, led by Bob Lord, got fed up with some bad security advice, some mythology and folklore and other things around risks, and published an open letter that emphasized the importance of some basic things: multi-factor authentication, patching and updating devices, strong passwords and password managers.
These are all good, fundamentally sound pieces of advice.
Some of the things they challenge are worth questioning.
Juice jacking is at the top of the list.
For those not familiar with juice jacking, it became an incredibly popular, esoteric security concern after a research paper said it's theoretically possible to leave a malware infection via USB charging, because you don't filter out the data components of USB and just take the power.
It has never been seen, or publicly disclosed, in the wild as a valid attack method, for a variety of reasons.
So it's one of those things where, from a risk management perspective: is it possible?
Yes.
Is it probable?
Low.
Okay, that's good, sound advice.
Old advice: rotate your passwords every 90 days.
That's bad old advice.
The person at NIST who came up with the NIST password guidelines apologized years ago; he did not understand the unintended consequences of telling people to create passwords that were hard to remember and rotate them, which resulted in people creating patterns that could be guessed.
So that's good advice too.
But here's where I get upset.
Sometimes what we communicate requires context and nuance and clarity.
They lump in old advice like "never scan a QR code," and that was never quite the advice that was being given by most people, but it's been interpreted by some people as "QR codes are just URLs, they're fine."
We're gonna talk about that in a minute.
And also "avoid public wifi," when the advice didn't need to be scrapped, but evolved: be cautious about certain things on certain public networks.
Yes, and the problem is that when you read through the DNA of the advice that's being given in Hacklore, it's very rooted in a technological bias.
You can see it in some of the writing, where it says modern OSes and browsers protect you from this. My friends, not all the time.
Technology controls fail, and technology controls can be socially engineered and bypassed.
MFA can still be bypassed if I put enough effort in.
So I really hate that they've created confusion around QR codes, particularly the line, if Bob is listening, saying there's no evidence of widespread criminality with QR codes, which, as Jim knows, I spent an entire episode in November dissecting multiple parking campaigns across the world using QR codes.
Criminals absolutely are using QR codes.
And this morning, out of Calgary, we have reporting that over the holiday season a family lost $10,000 to an Interac e-mail fraud that relied on QR codes, because they obscure the actual signals that you'd use to know you're on Interac, et cetera.
It's real people losing real money.
QR codes from people you don't know, in public, should be treated extraordinarily cautiously.
That's not to say that at a conference, dear security folks, where a trained professional is giving you a talk, and I talked to a brilliant woman about this, who has been up there for an hour and is a world-renowned expert and puts a QR code at the top of her slide, we should all grasp our t-shirt necklines and go, "a QR code!"
No. You're adults.
We can use some context.
A professional delivering a QR code in that context is likely safe.
You can infer from context, but running around and telling average everyday users "QR codes, oh, they're fine" is a stupid, bad idea.
And I think the key there is that it's not black and white.
It's at least red, yellow, green, right?
Yes.
Yes.
But there are things that are definite don'ts, right?
And there are things that are definite "do these things," and then there are things where it's just "proceed with caution."
And I think that's the opportunity the list really missed out on.
Yeah.
Interacting in public with things that use your digital device, those are "proceed with caution."
WiFi's in that category.
QR codes are in that category.
Reading a URL off a sign, it doesn't have to be a QR code, is still in that category.
Interacting with ads is in that category.
All of these things are about whether you have questions about the trust or the provenance, and then giving people some idea of where to look for how to know whether to trust something. The list isn't going to go into the details of looking for stickers over a QR code; that's for further campaigns and research.
But I do agree.
I think the list was just a little bit too straightforward on some of those topics, and we will definitely see problems.
Free wifi is another category.
That doesn't mean don't use free wifi, but be thoughtful about it.
Look for trusted, real ones.
Understand what's usual when using free wifi, and make some choices about what you're going to do when you're on free wifi, just in case it turns out it wasn't as trustworthy as you thought it was.
Absolutely.
Let me stop for a second, David, because we're presuming everybody listens to the show every day.
I just want to give some background to this story, because David covered this on Monday, and I'll let you magnify my description of it.
Basically, someone came out and did something that, you know, there are moves you can do as a writer, and sometimes I might even do them, where you go for something clever, and he said, this is all Hacklore.
All of these things are Hacklore.
Yes.
Some smart stuff in there.
Anyway, they published this on LinkedIn.
I forget who it was, but they published it there, and they're a security professional, and sometimes you gotta call people on the stuff that they do and say, did you really think that through?
And it's been amplified by really smart, prominent people, because some of the advice in there is good advice around those four best practices.
But the problem is the way in which they've framed and communicated it, and yes, you can be a CISO and a technical expert, and I absolutely admire you for a lot of things, but you can also be a bad communicator.
And in this case, people did this big thing where they wanted to talk about how cybersecurity education was overrated.
Yeah.
And that we should be relying on technical tools instead.
And I, you don't, go off on this one.
I will, David, 'cause you're the education guy.
I was doing this thing and I went, how many cybersecurity rescue stories do we have?
Precious few of them, but you know what they all have in common, including the one guy at Microsoft who, late at night, looked at something and said, should that be happening?
Cybersecurity rescues happen because people are courageous enough to ask a question and say, there's something strange about that, and that's where this "don't educate people, call it Hacklore" stuff, I don't know if you're contributing to the community in a meaningful way.
I have no problem taking on a big company.
I have no problem with that, but I think we have to watch our language at times in terms of how we communicate as cybersecurity professionals.
And to Laura's point, as always, she nails it on the nuance: red, yellow, green.
For me, and I mentioned this in the episode, the Grugq famously said, your threat model is not my threat model.
The assumption in Hacklore is some sort of universal consumer threat model.
Let me tell you, if you're being stalked by a former partner who has any kind of IT sophistication, your threat model ain't the same as the regular person's.
So my job is to inform you of the general environment and the context and give you examples; then your job as an individual is to take that information, along with your understanding of your risk appetite, your threat environment and other things, and choose how to apply it.
Because I treat humans as intelligent actors making choices in their lives, I am not tech-splaining to them.
I'm not talking down to them.
I believe in the potential of people, and I think one of the big red flags in our industry is when we tech-splain, and you're like, oh, average people, they're simple.
They can only remember four things.
So if there are only four things they can remember, these are the four things they need to remember.
And I think the sad thing about that is that it's a self-fulfilling prophecy, or actually a demoting prophecy, right?
If you think people can only remember four things, by the time you've told them the four things you thought they needed to know, they're not even gonna remember those, because you've presented it in such a way that it's not meaningful anymore.
So David, I really believe in what you said as well.
I think you need to put the information out there in a way that respects that people do have brains.
The average human deserves a lot more credit.
But we get fed so much garbage online, and brain rot is real.
Right?
Don't contribute to brain rot.
Don't send out garbage information.
And try to be part of treating people as people who can make choices.
That's the best you can do.
Yeah.
And part of the Hacklore thing, "oh, avoiding public wifi is old news."
There's the awful case in Australia where a guy got seven and a half years of prison time.
He was using an evil twin.
Pineapples have been around a long time, man.
It's pretty easy to do.
What he was doing was social engineering, and again, the problem with the Hacklore kids, as I see them, and I will admit this is my perception, is they're still seeing it as: these are missed because they're not attacks on devices.
Dudes, my ladies.
It's not about the devices, it's about the people using the devices.
Oh, social engineering.
Stop downplaying it, please, 'cause it's the number one way we still pwn people anyway.
He targeted, among the people he hauled in, and predominantly in the treasure trove of awful information he harvested, women travelers, compromising their social media accounts to take intimate images and other sensitive information about them.
And once again, my threat model is not the same, right? My risk profile.
But what we missed in this golden opportunity is that when you're using public wifi, red, yellow, green.
If the wifi says you need to authenticate using your social media account: nope, we're out.
We're done.
No, it might sound funny, who the hell would do that?
I've been to airports that have asked you to authenticate with an account.
They legitimately asked you to do that.
Airports, stop doing this.
You are creating the premise that predators will use.
Stop it.
And I'm more strict on this.
I think too, and there was a legitimate part of it, the idea that has really developed, if you're gonna use the Hacklore framing, is "oh, just use a VPN and you're safe on public wifi."
That has become a challenge, and certainly has some commercial incentive linked to it for certain organizations.
Does that mean a VPN is useless?
No.
There are lots of reasons you might use a VPN.
Some of them are security related, some of them are not, or they're anti-security related.
That's neither here nor there.
It's a tool, and that's how it is.
But that's, I think, the other part that's complicated about the Hacklore type of things: the reason why somebody put something on a list of "don't worry about this" may have come from a really good place, but by the time it's been diluted down to a sound bite on a list, it's lost that context.
So, anyway, have we beaten this one down?
We have.
I just wanna point out, I do not believe that the intentions behind Hacklore were bad.
I believe people are trying to do their best on this side of things.
I'm asking them to listen to that very clear point that you just made about signal to noise and about the degradation of messages.
And just because you're a technical expert does not mean you're an expert in communication.
And you should think about the unintended ways that the multiple layers of your message play together.
By lumping everything in together as folklore or myth, you then take things that have never happened, like juice jacking, and QR codes, and in an average reasonable person's mind, they are now equating these as the same, when they're not.
When you tell people you just need to focus on these four things, you're telling them the tech will always protect you, and it won't, and you need people to use their discernment, judgment and vigilance to know this.
And oh, by the way, circling back to our point about MFA, if you don't give real examples of real threats in the application of technology, like how MFA helps in various scenarios, then they're not gonna do it.
So you have to remember that explaining why is important when you communicate with adults.
Absolutely.
And the lesson I took from this story is that I think I actually am a cybersecurity journalist.
I don't really think of myself that way; I think of myself as an old CIO who's retired and has a great hobby of doing a podcast.
But the reality is people actually do listen to us, and I did think about this and ask, are we exaggerating stories?
Are we giving the right weight to stories?
I think these guys had a valuable wake-up call for all of us, and I think we should all take that and think about it.
But equally, I'd ask that they do the same, and ask: did they do this in a way that made the best contribution?
As somebody once said, we're all in this together.
Yeah.
And by the way, take Laura's idea.
Here it is: red, yellow, green.
It's really new.
Yeah, this is groundbreaking for 2025.
Red, yellow, green. We call it the traffic light.
Wait, no, I'm not gonna get into that.
Never mind.
Listen, we gotta wrap in a minute, but David invented this thing called the Stinkies, and there are some awards that are gonna go out, and I hate picking on people like this, but one of our listeners wrote about SonicWall and the issues they had with SonicWall.
I'm not saying SonicWall's not a great product or that they're not great people.
I'm not referring to any of that, but for heaven's sake, guys, if it's true that SonicWall management devices must enable and use the default admin user, and if you must disable all MFA on all devices you wish to manage with SonicWall's NSM appliance before it works, what the heck were you thinking?
And in fairness, I wrote to SonicWall beforehand, and I gave them three days before I published this story.
And I have heard crickets.
Now, if it went to my spam folder, sorry, but guys, give your head a shake.
And thank you to the listener who wrote in and tuned us into that story, because now customers will do what customers do.
I'm not trying to take away any of SonicWall's business or anything like that.
I'm just saying, if you're a customer, ask that question, and keep asking it until they go, it'd be really important to fix this.
I'll just add that we are always happy to be corrected.
That's a cool thing about this.
So if we've missed something here, please get on the phone now and say, oh, no, it's not like that, there was a misinterpretation.
You got some 'splaining to do on this one.
If, however, it was the case and you changed it, please be in touch.
Say, no, we've changed that, here's what we've learned.
There's lots of opportunity here.
We don't want to give you the Stinky; maybe a conditional one.
Yeah.
We'll plug our nose for now and ask whether or not you fixed it.
But the reality is we don't do this stuff lightly.
I was sent copies of the emails that people had gone back and forth with, and we did alert the company.
We're not gonna give you a Stinky, but we are gonna give you a nudge, and if you've fixed it, send me a note.
I'd love to tell people on the next episode that you guys stepped up, 'cause we're just as good at that.
We just want it to be better.
And I will reserve the Stinky for Meta, for taking $16 billion in fraud ads. Do better.
I think we're gonna call it like an early election call.
Meta wins out on this one.
Yeah.
Laura, David, thank you very much.
I'm gonna get everybody together for a year-end show, so our next month in review will be a year-end show.
Bring your eggnog.
And I'll wear my white tuque.
I feel like I have to check; that might be my anniversary of guesting on the show.
I think it's around this time of year.
I meant to look, but.
Oh, we will definitely celebrate that.
Laura, thank you so much, as always, for being the voice not only of reason, but of really good nuance and clear, always great advice.
Always appreciate it.
I always enjoy learning from you.
You're great.
I enjoy having lots to riff off of from you, David.
Yes, Jim just gets to herd the cats. There are two seasons: t-shirts and plaid.
So we'll continue the plaid season, and we'll see you guys in a couple of weeks for our year-end show.
Thanks a lot.
David Shipley from Beauceron Security.
Great coffee, nice hats.
Laura Payne from White Tuque, and I actually have the authentic white tuque.
Thanks again.
And to you out there listening to this: we meandered around a lot of things, but I think we made some good points.
Love to hear from you.
Send me a note; just go to technewsday.com.
You can leave a note on the Contact Us page there.
If you're watching this on YouTube, you can leave a comment.
We check them all the time.
And some of you just hunt me down on LinkedIn, and that's perfectly fine as well.
Love to hear from you any way you can.
Thanks a lot.
David will be back on Monday with the cybersecurity news, and Laura will be back in a couple of weeks for our year-end show.
Thanks again.
And that's our show for today.
We'd like to thank Meter for their support in bringing you the podcast.
Meter delivers full-stack networking infrastructure, wired, wireless and cellular, to leading enterprises.
Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space: they design the hardware, build the firmware and software, manage deployments, even run support.
It's a single integrated solution that scales from branch offices and warehouses all the way to large campuses and data centers.
Book a demo at meter.com/cst.
That's M-E-T-E-R dot com slash CST.
And you can reach me at technewsday.com with your tips, comments, or even constructive criticism.
If you're watching this on YouTube, you can just leave a note under the video.
Or, as some of you do, track me down on LinkedIn.
Love to hear from you.
I'm your host, Jim Love.
Thanks for listening.
