
Tech Insights with Alisha Christian
In today's rapidly evolving tech landscape, staying informed is more important than ever. "Tech Insights" by Mercury IT is your go-to podcast for expert analysis, industry trends, and actionable insights from top technology professionals.
Whether you're interested in cybersecurity, IT infrastructure, emerging technologies, or digital transformation, this podcast covers it all. Tune in to stay ahead of the curve and navigate the complexities of the tech world with confidence.
Deepfakes & Zero-Days: Cybersecurity’s Darkest Threats!
The cybersecurity landscape is evolving at breakneck speed, demanding ever-greater vigilance from organisations of all sizes. Our latest deep dive with cybersecurity expert Chris reveals three critical threats that will shape the digital battlefield in 2025.
We begin by dissecting the SharePoint zero-day crisis that sent shockwaves through the security community. This sophisticated attack targeted on-premises SharePoint servers, allowing Chinese threat actors to bypass authentication protocols and compromise systems across universities, critical infrastructure, and government agencies worldwide. The incident highlights a sobering reality: even with perfect patch management and compliance, zero-day vulnerabilities can still leave you exposed. Chris emphasises that while robust defence is essential, having a well-rehearsed resilience plan is equally crucial when faced with inevitable breaches.
Supply chain vulnerabilities emerge as another significant concern through our analysis of the Allianz vendor breach. The discussion reveals how third-party security failures can directly impact your business operations and reputation. Chris delivers a wake-up call about vendor assessment, noting that under Australian law, you remain responsible for notifying customers of data breaches even when they occur through external suppliers. For smaller businesses, we explore how certifications like SMB 1001 offer an accessible framework for both demonstrating and verifying security compliance.
Perhaps most alarming is the rapid evolution of AI-powered threats. Chris demonstrates how deepfake technology has become remarkably accessible, with voice cloning now requiring just three minutes of audio to create convincing replicas. While large organisations may be primary targets for sophisticated deepfake attacks, AI-enhanced phishing presents an immediate danger to businesses of all sizes. We explore how criminals are bypassing multi-factor authentication through methods like device code flow, which exploits legitimate Microsoft authentication processes. Have you evaluated your vendor security requirements or tested your incident response plan recently? Join us to discover practical steps for strengthening your cybersecurity posture against these emerging threats before they find the weaknesses in your defences.
Welcome back to Tech Insights. In this episode, Chris and I chat about cybersecurity trends for 2025, including some recent incidents and examples. Hope you enjoy the show. Good morning Chris.
Speaker 2: Good morning, how are you?
Speaker 1: Doing? Yeah, I'm good. Thanks, how are you? Good. Welcome back again. You're almost like my co-host these days. Yeah, it's good fun. I like being back. There's always something happening week to week, so definitely something to discuss. Yeah, that's what I love about having you on, because you always have something interesting and helpful to share with the listeners. So thanks for coming back on again.
Speaker 2: Of course.
Speaker 1: And today we're going to be covering some cybersecurity trends and incidents that are important for 2025. Yep, so we'll just kick off, I guess. One of the first ones that we've sort of been talking about is the SharePoint zero-day crisis. Did I get that right? Yeah?
Speaker 2: Absolutely. It is an interesting one and it's topical at the moment because it's relatively new as of recording, now in July, because it kind of kicked off around the 20th to 22nd, when Microsoft started releasing patches. But let me roll back a little bit and just discuss what it is.
Speaker 2: So the key thing is it directly affects SharePoint servers. And something to note is it doesn't affect cloud hosted. So if you're on Microsoft 365 and you're using SharePoint, there's no panic around that. We're talking about companies that have physical or virtual servers, SharePoint servers, what we usually call on-premises servers, so kind of more old school. Most people are moving to cloud, but there's a lot of companies out there that use SharePoint servers. So there is a particular vulnerability that came out and unfortunately it's one of those zero-day vulnerabilities. And what a zero-day vulnerability is, is when there's a vulnerability out in the wild. So in other words, a hacker, threat actor group understands that there's a particular vulnerability with something and they exploit that vulnerability. So they're using it to their gain, stealing data, et cetera, before the vendor knows. So it comes out after. So unfortunately, in this case, those attacks started happening around the 7th of July and then they escalated in severity and amount around the 18th to the 20th of July, which is probably why it was flagged.
Speaker 2: All of a sudden there was a lot of activity around that and unfortunately then the Microsoft patch came out between the 20th and the 22nd. There were a few iterations, so you can see how there was a problem before the patch was available, and that's what they usually refer to as a zero-day vulnerability.
Speaker 1: I'm glad you explained that actually, because I was wondering. And so when you heard about it, what was your initial reaction? Did you realise, like, the severity of it, or...
Speaker 2: I suppose it's the same as anything when you see this. Like, I saw the first alert, I think I saw it from the actual government's cyber security centre alert, because we are a network partner so you get those alerts relatively quickly, but again all over LinkedIn et cetera it was a big one and, yeah, the severity was immediate because it's a remote execution vulnerability, which means someone remotely can do something on those servers.
Speaker 2: That's always a big problem and it's high on a severity list, and it basically bypasses authentication, which is a problem straight away, and they can actually steal what's called the machine key, decryption keys, et cetera. So what that allows is them to embed a tool and exfiltrate data straight off those systems. And what we saw straight away is it was widespread. So we had mostly Chinese threat actors against them. They got special names like Typhoon this and that, because they like to name these things, but basically Chinese threat actors literally going after companies in the US, Australia, European Union, et cetera. And they were going after pretty much everyone: universities, critical infrastructure like electricity generation businesses. Even the US's Nuclear Security Association was targeted.
Speaker 2: They didn't tell you whether they got into that one, because obviously it's national security, so you could see the severity immediately and it's a problem.
Speaker 1: It definitely sounds like it could be a major problem. So why should executives be worried about this if they think they're running a pretty secure environment?
Speaker 2: Well, number one, it's a zero day. So even if you've got all your patches up to date as you should, you know, you could be Essential 8 compliant, all those sort of things, and it wouldn't matter in this case. So it's a case of one of the engineers or something reading about it and going, oh, we run SharePoint servers, and they need to immediately get on top of this. So why should executives care? Something needs to be done. You can't just leave it. And the problem is that the type of attack also has persistence to it, which means if they've got in before and made the changes, if you patch after or reboot or something, they're still going to be in. So you've got to treat, if you've got a SharePoint server that you've not patched, you haven't checked, et cetera, at this point and it's the first time you're hearing about it, hopefully not, you've got to treat that system as compromised.
Speaker 2: So everything that's on that server has probably been taken, exfiltrated, and you'd need to go through and fix that server up. So applying the patches, rotating those machine keys I was talking about, et cetera, would be super important to do.
Speaker 1: Wow. So for those that potentially have been affected, what's the worst-case scenario, like ransomware, data theft?
Speaker 2: Look, I think the key thing is the data theft. You could be up for a double extortion type situation as well, like, you know, where they could run a standard ransomware thing, lock you out of your files and then go, hey, we've taken a copy of your files, pay us money or we're selling it on the dark web. That's the general modus operandi of these ransomware groups, so you could be affected by all of that. At the end of the day, though, you're back to the usual problem of your reputation as a business. Again, not your fault. It's a zero day. You're doing everything you're supposed to be doing, which kind of brings us back to a point that I've made a couple of times, where it doesn't matter that you are doing all the right things if you don't have a strategy for resilience as well.
Speaker 1: Yes, we have spoken about that. Exactly.
Speaker 2: You've got to have that full spectrum view on it, because, you know, if you've put all your eggs in the one basket around defense and then something happens, where does it leave you? So, you know, it's really going to come down to, for these businesses, how quickly they can recover, how they treat those customers, doing the notifications properly, all those sorts of things, super critical. And again, if you're not practised in what that incident response looks like and what you say to your legal teams, depending on how big your business is, et cetera, and the confidentiality of the data, there's a lot to take care of, and trying to do it all on the day because of something happening, you've got to be prepared.
Speaker 1: I mean, that's the worst idea, isn't it? When you're under stress and can't think clearly.
Speaker 2: It generally doesn't go well.
Speaker 1: No. Do you think that executives are still underestimating how fast these situations can escalate?
Speaker 2: Yes, they are, and you normally find out. Hopefully you're doing an exercise, like a tabletop exercise, an incident response planning day, and then executives do get to learn very quickly how fast something can escalate. And that's just by, like, when we do these tabletop exercises, we call them injects. So basically what that means is, okay, it's bumping along. It's like, oh, you've got ransomware, what are you doing next? What's your response? And then you'd feed the next piece of information, and from an escalation point of view, typical example: the CEO gets a call from a reporter.
Speaker 2: Yes, and you haven't announced it publicly yet. That's an escalation point.
Speaker 1: That definitely is. That's when the reputation is on the line, for sure. Yeah, straight away.
Speaker 2: So, yeah, I think it is probably underestimated. But yeah, you learn very quickly. Again, if you've practised the drills, then you actually practise for escalation as well.
Speaker 1: Are there any other points that you'd like to share on this particular situation that might be helpful for business leaders?
Speaker 2: Look, I think there's two things that come out of it. Number one, defense is super important. So you're Essential 8 compliant, or ISO 27001, you're doing your patching, you're doing the right things. Very, very important. From an executive perspective, so at a board level, et cetera, I would be looking at the questions of: are we compliant with that assessment that we've put in place, especially something like Essential 8?
Speaker 2: Essential 8's not audited, it's not certified. There's nothing that can hold you to account at the end of the day, except for you holding yourself to account. So if you're holding yourself accountable, then you're holding the board accountable, going: are we patched up to date? Are we in line with what we've laid out that we said we're going to be in line with? So, whether that's quarterly reporting or something like that, so there's accountability. I think that's really, really important. In this case it wouldn't have helped you, right? But looking at it from a reputation perspective, there's a vast difference between speaking to customers around, the company's done all the right things and this happened because you're a victim, versus you haven't done the right things and this happened, right? All of a sudden, you're at fault.
Speaker 1: All of a sudden, there's no forgiveness.
Speaker 2: Correct, and it doesn't play out well. So, making sure you've done the right thing, so you've got a leg to stand on and go, look, we've done the right things. Point number two, your response. So, having a resilience plan, have you practised the systems that you're going to use? Have you practised the messaging that's going out? So you've run it so that it's smooth and people don't have to think too much while it's happening, so it runs. So again, it comes down to those two things as far as I'm concerned. Have you done all the defenses? Have you done all the right things? Have you invested properly in your cybersecurity up front around defense, and then have you set up the resilience correctly? Those are two very, very important questions, I think, from an executive perspective.
Speaker 1: Plenty to think about there if you haven't got those things in place.
Speaker 2: Yes, exactly.
Speaker 1: We'll move on to the next one that we're going to talk about today. It was the Allianz vendor breach liability.
Speaker 2: Yeah, that was an interesting one. It was in the US, so kind of I didn't even see it until later. I mean, there's so much cyber security news and breaches. It's like, you know, I do the Cyber Insights monthly and I send you all the breaches to collate into our news.
Speaker 1: Yes, I'm like, no more breaches. Too many.
Speaker 2: And there's always a ton of them, and the thing is, I try to focus just on the Australian ones, so it's more relatable to businesses here. But if I didn't, I could send probably over 50, you know, that have actually been reported in the news. Well, that's it, and then there's all the other ones that haven't been reported in the news. The news is around supply chain attacks.
Speaker 2: And that's what happened again. And Qantas was similar, right, because the attack happened at their help desk, so it was an outsourced system, right? So it's the same sort of thing. And I don't know much about the Qantas one, so I'm not going to comment on it. But at the end of the day, the lesson coming out for businesses in Australia is, you need to have vendor controls in place. And when I say controls, it's not like you can control them, it's not, you know, that's not the point. The point is looking at the vendors that you've chosen, asking the right questions, at a minimum, around their cybersecurity efforts.
Speaker 2: Because if you're taking all the effort to get your defense and your resilience and all these things in place and you're Essential 8 compliant et cetera, what if your supplier isn't? Then the supplier gets hit with ransomware and all of a sudden, you can't supply to your customer. Then what do you say? And it kind of feels like that's not about cyber security, it's a supply and demand issue, right? All of a sudden, I'm not getting my raw material to be able to create whatever widgets I'm creating and selling to my customer. Now, all of a sudden, I can't sell it. Well, I can't meet contractual requirements because I'm not getting the supply in because they've got ransomware. So that's where it's like, this lens, this view of cybersecurity, is expanded out to your supply chain, because you don't want to be left in that situation whereby you're not supplying, you can't supply, but it's not your fault. But again, customer reputation is impacted.
Speaker 2: That's it. So you've got to look at it and go, okay, what are you doing, right? And you'll see this with larger organizations. So let's say, for instance, you're a physiotherapist, right, and you are going to subcontract to a Bupa, as an example.
Speaker 2: So you want to become a Bupa preferred supplier, right? They will send you a very large spreadsheet with a lot of security questions. Yeah, so those larger companies are well aware of supply chain checking and auditing, and that doesn't mean small businesses don't have to do it either. You know, you can do your own version of checking a vendor, and if you don't want to do the thinking around it, a really, really easy way, coming back to what we've spoken about before, is looking at a certification like SMB 1001. So it's built for small business, it's kind of Australian-led, and that becomes really, really easy because then I'm SMB 1001 certified as bronze, silver, gold, whatever I feel like I need to be, right, or working towards, and I can easily just go to my vendors, my suppliers, and go, you know, I'd really like, have you looked at this, or do you have some other certification that assures me that you're doing the right thing?
Speaker 1: Yeah, and with the SMB 1001 it's so affordable, isn't it? And that's the whole point of it, is to try and get more people, smaller businesses with less budget, to get on board with it. Absolutely.
Speaker 2: It's kind of like, let's say, you're that physiotherapist, and Bupa turns around and goes, you need to be ISO 27001 compliant. Like, that's just, yeah, that's not gonna happen, right?
Speaker 2: So, but if they turn around and go, hey, our minimum requirement is that our suppliers need to be SMB 1001 silver. Now I did choose silver specifically because it kind of pre-qualifies you for cyber security insurance. So that's actually another easy way to check, right, is going back to your suppliers and going, do you? So you might have a list of questions, but one of them should be, do you have cybersecurity insurance?
Speaker 1: And I bet there's a lot of small businesses that aren't asking those questions.
Speaker 2: Correct, and I think it's high time, and we are there now as a maturity of the country and where we're going with cybersecurity and the national strategy for, you know, 2030 moving forward, and everybody's cybersecurity maturity is lifting to protect everyone. At the end of the day, that's where we're going. Like, everyone's got to do their part about, okay, I've protected myself, I've done the right thing. Then I'm turning around and I'm educating at the end of the day. So I'm turning around to the supplier and going, hey, they might never have heard of it.
Speaker 1: Yes.
Speaker 2: But then that's great. Then we'll be like, okay, well, look at this. Hey, speak to my guy that knows about it.
Speaker 1: You know how it works. Yeah, yeah, I know how it works.
Speaker 2: This is the person that helped us. Call them. They'll work it out with you, you know. And, like you said, SMB 1001 is affordable. It's something that they can do.
Speaker 1: Yeah, which is amazing. Yeah. With regards to the Allianz breach, so would you say that was more like a vendor failure or an executive oversight?
Speaker 2: Oh, it's a difficult one because you don't necessarily get the whole truth coming out.
Speaker 2: It's kind of like looking back at Medibank and all of those, and there's some stuff that you hear and, like, maybe, maybe not. Like, I've heard from people that were in the, like, new people in the, you know, the med as an example, and they were like, their cybersecurity team is top notch, they've got everything in place. So where's the? It becomes really, really hard, so I wouldn't really want to comment on it. I don't know if it's, it isn't fair unless you're in it, I think.
Speaker 1: Yeah.
Speaker 2: Is key there. Yeah. Hopefully there was the right oversight. I mean, it's Allianz. They're huge, I would assume. I'd have to assume that the oversight's correct and the team's right. So maybe it is just that supplier that becomes an issue. I'll probably leave it there.
Speaker 1: Fair enough. Is there anything else you'd like to add for business owners around that situation?
Speaker 2: I think it is a case of making sure that you are checking your supply chain. I'll give you one other thing just to maybe put some impetus or importance on this, and that is, you know, most businesses in Australia fall under the notifiable data breach scheme, so it falls under the Privacy Act. If you lose that data through a hack or whatever the situation is, or even by mistake, you have to notify those customers. So those customers that have lost the personal identifiable information, you know, the PII data that they keep talking about.
Speaker 1: Yes, we have spoken about that a few times.
Speaker 2: Yes. If you have lost it, you have to notify that. So you also have to notify the information commissioner around, you know, what's happened, what you're doing about it, all those sort of things. There's a form to fill in, et cetera. So just a note on outsourcing stuff to vendors or a supplier. So, for example, let's say that you actually push your customer database out to an external marketing engine like MailChimp or something like that, which many of us do, of course.
Speaker 2: Because you're not going to send bulk email from your tenant. It's not a great idea, so you'd use a service to do it. But you're sharing that customer information, potentially sensitive, it depends what you're putting in there, to an external supplier. Now, what if they get hacked? Well, number one, it affects you directly because you can't get your message out, or whatever the story is. Plus, that customer data is lost. Now you, and rightly so, you can go, well, that's not our fault. We've got everything in place. We've trusted them with the data. You could even go, we've done our vendor checks. Yes, they're ISO certified and all that sort of stuff. Tick, tick, tick, tick. Everything's correct. But it's happened because there's a zero day or whatever. There's nothing you can do about it. Right, you are, because it's your customer, even though you're not breached, you're going to have to do the notification.
Speaker 1: And I guess you're the one that supplied the customer's details to the third party, correct?
Speaker 2: So, you know, sometimes there's a case of you have to do dual notification, so MailChimp would have to notify as well as you. But as far as the law is concerned, the primary relationship is between you and your customer; you would have to do the notification.
Speaker 2: So even now, and sorry, I'm picking on MailChimp, your mail provider, right, whoever that is, you know, gets breached. You're the one doing the notification. So what happens to your reputation, even though it's sitting with another provider? So that's the type of stuff you have to think about. So where you go like, oh, we're not thinking about supply chain attack, you need to be thinking about supply chain attack. Yeah, because it directly falls on you.
Speaker 1: No one really wants to be making those calls, preferably not. Yeah, well, again, much to think about. Yep, there is. So the last thing that we were going to talk about is actually, I find, probably the most interesting, because we have had quite a few conversations about it and you have shown me some very scary examples, is deepfakes and targeted executive phishing.
Speaker 2: Yes, this is interesting. I do quite a bit of work in AI now because I was literally forced into it, because our customers, businesses, et cetera, are using AI, and it's like, well, here's a comment as well: if you're thinking your staff is not using AI, you are sorely mistaken, so you do need to look into it. Like one of the stats I read, and I might need to put it in a comment and cite it, I'll go and look for the report, but it's something like 70%.
Speaker 1: Oh, and I would absolutely believe that. Our staff are using it.
Speaker 2: So, yeah, unless you've got some technical controls and blocking it within your environment, but then again, you're still not blocking it on their phone or from their home or whatever. And, you know, are you sure company data is not being put in there? It's a minefield. So I'm doing a lot of work around AI, deepfake, all that kind of stuff, to make sure that I understand where that sits, and then to advise businesses of, you know, where that sits as well. So, from a deepfake perspective, the concerning thing is, like, we've heard about this for the last few years, right? There's been deepfake, either voice or full video. You know, there was the one around Ferrari. There's just, there's a lot of it, right?
Speaker 1: The executives that got done for like $25 million or something.
Speaker 2: Yeah, absolutely. Like, yeah, between the US and Europe, so I can't even remember which business that was, but yes, that happened, and that was a full video one, like on a Zoom call, you know. Yes. So, and the thing is, like 18 months ago, two years ago, that was hard to do, really, really difficult to do. You needed special hardware et cetera to get it done. Now it's really easy to do, like really easy, like, you know, even playing around with voice cloning stuff, you know.
Speaker 2: You've got companies like Eleven Labs doing it very well, and then I saw another one launched the other week, and they only need like three minutes of your voice. I mean, three minutes is not long. It's not long at all, and if they can get three minutes, like, whether it's on a call and asking you about stuff and you just answer it, it's enough to mimic your voice with a high degree of accuracy. Like Eleven Labs, with my voice, gets my South African accent down.
Speaker 1: I mean, that was pretty spot on.
Speaker 2: It's pretty spot on, exactly. So, you know, that video that I put on LinkedIn with the Veo 3 video that people were watching, it was quite interesting. That voice, my voice, at the end there is purely AI. I didn't utter a word of it, you know, and I did that just to make sure that the video was completely AI, just as a funny, put it out there, you know, and yeah, that's not my voice on there, and anybody that knows me would be like, yeah, it sounded like you.
Speaker 1: Oh, it definitely did sound like you, and it's only that I know that you're in there playing around with all their AI tools. Absolutely so.
Speaker 2: The concerning thing, I think, is just the ease at which it can be done now, which means it's going to be done a lot more. Yes. So that's the thing. And if anybody's seen, like, the video production out of Veo 3, out of Google's Veo 3, it's pretty good, you know. Can you say it's AI? Yeah, because it's clipped together in eight-second bursts, but there's another one, not Veo, something else, that's got out to 60 seconds already, so it's just going to get better. So that is concerning.
Speaker 1: Well, it's just evolving so fast, isn't it? Yeah, absolutely. So why should board members and executives be concerned about it happening more and more now? Look.
Speaker 2: I don't think, like, deepfake is probably the top concern for a business unless you're Fortune 500, et cetera, and there's a good impetus to attack that particular business because you're more of a target. If we keep it real around, you know, small medium business that we generally speak to, what should they be concerned about? I would be concerned about the targeted phishing, right, and the reason for that is those phishing emails are just getting really, really good because of AI. So, you know, your threat actor, your hacker, can basically just use ChatGPT, Claude, whatever they want, even the free one, and it can craft an email really, really well. Like we used to say, like, oh, you watch for spelling mistakes and grammar, and that's just not there anymore.
Speaker 1: Yes.
Speaker 2: So you've got to be across it, and then bypass of MFA is a thing now as well.
Speaker 1:I mean that's a scary thing, because we have been talking about MFA and how important it is to have it and now to hear that that's potentially the ability to bypass it.
Speaker 2:Absolutely. Look, there's a few things there. So an MFA bypass has literally been put in place now in the threat actor world, the hacking world, as a service. So they can literally go and buy a service that will bypass mfa. There's one called evil proxy there's there's various others that they can just purchase as a service crafted.
Speaker 1:These cyber criminals aren't.
Speaker 2:Exactly, and what it does is it does something like a man in the middle attack. So it sits in between you and the actual service and it just forwards the request. So you think you're logging onto Microsoft sites. You're putting in the details. The attacker in the middle is pushing those details to Microsoft, getting the response, copying the response and then sending it to you. So generally how this works is you would get what's called a token. That means that you're authenticated to the service, like your email or whatever it is. But the problem is because there's someone in between. They've taken a copy of the token. You get the token and you log in. It looks completely normal from your side, but the hacker also has your token so they can also log in as you. That's it. They don't have to enter your username and password. They literally put the token into the browser. Refresh the page. Alicia's email like instantly.
Speaker 1:So you wouldn't even be aware that that had happened.
Speaker 2:No, you would not. So unless you were on the fact that, oh, you got a link and you clicked on a link and you got to that point right, which, again we say don't click on links you need to be very, very careful about. Well, why was that link sent to you? Who sent it to you? Why would you need to click on it? You've got to run through that, unfortunately. Unfortunately it slows business down, but it's something that you need to look at.
Speaker 2: So we're already moving a lot of our customers onto phishing-resistant MFA methods, which is saying, like, okay, we don't use an SMS to your phone, an email or push authentication to your app, you know, or where you enter a code. All of those can be bypassed. So we move on to either using something like Windows Hello for Business, so fingerprint, facial recognition logon, or you're moving into a hardware key like a YubiKey, so literally a USB key that you're plugging in, and because of that you can't have a man-in-the-middle type situation in that particular case. And even now, like, we're moving our customers over to this sort of thing, educating them: look, there is a bypass method, so we need to move on to this. Even then, I'm sure that's going to be bypassed at some point as well.
Speaker 2: They just keep getting quicker and quicker with what they come up with to bypass. Absolutely. Well, I'll tell you what I learned a couple of weeks ago, which is very, very interesting as well. So it's a way to bypass MFA again. That's absolutely, like, evil genius, let's say. So it is something I think our viewers will be interested in, and maybe they go ask some questions of their IT people around: how do we actually stop this situation? So I'll give you the example. So it's called a device code flow, so it's Microsoft's way of authenticating a device. So I'll give you an example. So when you buy a smart TV, right, or like a streaming stick or something like that that you want to connect into your provider, so let's just assume the provider's Microsoft that this is going to connect to. You typing in your email and your password, because obviously you use long, complex passwords, of course, doing that on a remote is...
Speaker 2: I don't know if you've done it before on a TV. It's horrendous.
Speaker 1: Oh, it is horrendous. Yeah, it takes a long time.
Speaker 2: So to speed that up, they use device codes. Very, very, very smart. It basically goes, right, we need to log into Microsoft for you, and it just says, oh, go to Microsoft.com forward slash device login and enter this four-digit code. And you're like, sweet. So you get out your phone, you go to Microsoft.com forward slash device login, you enter the code, it asks you to log in on your phone because it's your authentication. So you log in, you might have MFA on, you MFA your stuff, and it logs in and your TV goes and connects. It's so cool.
Speaker 1: That's easy. Yeah, because...
Speaker 2: Unfortunately, hackers were like, hold on a second. So a hacker sits on their machine. They send a request for a device code to Microsoft. It comes back with a four-digit code. I send you a phishing email, right, with the link to the Microsoft site. So it's not a fake site, it's going to Microsoft. And I say, hey, I've got this document, but as an extra security precaution, because it's got salary stuff on there and stuff, I've got this code just to check that it's you. Can you please enter the code when you access the document? And you're like, okay, like, maybe it's come from your accounts department, whatever, and it's Microsoft. You hover, it's Microsoft.com forward slash device login. Fair enough. Click. It's definitely the Microsoft site. It's asking for the code.
Speaker 2: You put the code in and it goes, oh, you haven't authenticated. Now, if you've previously authenticated, it won't even prompt you for authentication because it's already authenticated. But if it hasn't, it's going to ask you for your username and password, which is on the Microsoft site. You're going to do it. It's going to prompt you for MFA. You're going to put your MFA in, even if you've got a YubiKey, because I've tested this. Boom, it logs in and, like, nothing happens. It just goes, okay, you logged in. Like, okay. But what happens on the hacker's side? A token comes back and goes, there you go, and I go refresh and there's Alisha's email on my device. So you're like, I think we need to stop having these conversations. Not good.
Speaker 2: So you know, yes, that makes things really, really easy to, like, authenticate a device, like you've got a smart TV in your boardroom or something like that. But hackers also know that. At the end of the day, it requires education for users. Again, right, why was something sent to you asking you to put a code in?
Speaker 2: Yes, well, that is it, isn't it? You need to be questioning this stuff, and unfortunately, you know, again, I'm using AI to craft that message. You know what, if you get an email from your security team, or someone on your security team because they've checked LinkedIn, who works for the business, who's in IT, and you get an email from the security team going, hey, we almost had a breach last night, so we've locked down the security protocols. We're re-authenticating all devices. Unfortunately, you are going to need to go and put this code in. Please click here in the next 24 hours. If you're going to be offline for longer than 24 hours, please call us. You go?
Speaker 2:oh well, at least we weren't breached click code.
Speaker 1:Now you're breached I mean for a lot of people you know that don't work in it or cyber. They would just do that because they wouldn't.
Speaker 2:I mean it's why the education is so important. I'd be in big, big trouble if I did that it's hard and you've got to experience it and you've got to hear about it. It's why we do this podcast right, yeah, exactly, so you've got to get that message out there and go. Hey, out there and go. Hey, there is this type of attack. Speak from an executive perspective again. Hopefully now you've heard about that. You go to your IT team or your incumbent provider and you go hey device code, like we don't use that here.
Speaker 2:Can we switch that off? Or can we put some sort of conditional access policy around it, like a good one, for instance, is just going? Device code flow can only come from the office. Like when I'm setting up a printer or I'm setting up a smart device, someone in China is not allowed to do it.
Speaker 1: Yes, exactly, yeah. That would make it a bit easier, wouldn't it?
Speaker 2: So yeah, there's stuff to do there.
Speaker 1: Yes, it sounds like there's lots of stuff to do there. Well, we've certainly covered quite a bit today. Yeah, is there anything that you'd like to add before we finish up for today?
Speaker 2: I think those are the key ones. Again, you know, it's around making sure your defence stuff is correct, making sure you've got your resilience policies and testing stuff correct, because it's all about minimising your fallout, you know, when something does happen, because it's going to, right. Check on the device code flow stuff and whether you can switch it off, because if you don't need it, switch it off, and you know you can test it and check that you don't break anything, because, you know, check with your IT team. Yes. And yeah, AI is an interesting one. I would definitely start having a conversation at the board level. What is your strategy? Start talking to staff, find out what's happening, because if data is already being leaked, like, you're going to want to lock it down.
Speaker 1: You're going to want to lock it down.
Speaker 2: So definitely start having that conversation now. Absolutely.
Speaker 1: Yeah, okay. Well, thanks again for joining us today, and people can reach out to you on LinkedIn. You're always sharing content on there as well, so keeping people updated, as we do on the Mercury IT page as well. Yep, so I'm sure you'll be back on the podcast again very soon. Absolutely.
Speaker 2: Thank you. Thanks.