Episode Transcript
[00:00:01] Speaker A: What if I told you there was something that cost the world more than natural disasters and the illegal drug trade combined? What if I told you that this crime, if it was a country, would have the third biggest GDP on the planet? I'm talking about cybercrime. In 2024, it cost all of us around the world $9 trillion. And there are times we feel completely and totally helpless to stop it. What can we do? We have someone that will tell you what we can do. I'm thrilled to be joined by Montreal's Terry Cutler. Terry is an ethical hacker and a psychologist from cyologylabs.com and an expert on cybercrime in Canada and around the world. Terry, thank you for joining us.
[00:00:50] Speaker B: Thanks for having me. How are you?
[00:00:52] Speaker A: Thank you. Very good, thank you. Auditor General Karen Hogan in 2004 warned that 30% of RCMP cybercrime posts remain unfilled, slowing incident responses and intelligence sharing. Terry, from your vantage point at Cyology Labs, how do these staffing gaps translate into real-world risk for Canadians when it comes to cybercrime?
[00:01:14] Speaker B: Look, we have a problem in our industry where there's over 3 million personnel short in our industry. So the problem is you can't just jump into cybersecurity and get up to speed. You have to have a bit of an IT background in order to jump into cyber or else it's not going to work very well. So right now they're severely understaffed and undertrained. So think of it as, you know, firemen responding to a fire and they show up with a garden hose, because cybercrime is happening so much that there's so much piling up on their desk that they just can't keep up.
[00:01:44] Speaker A: Well, I know in education they're always focusing on different streams because they think the country needs physicians, engineers, accountants. Should there not be a bigger push for computer scientists to get into IT security and cybersecurity?
[00:01:58] Speaker B: There is, but there is the content that exists. The problem is our field is very, very specialized and people burn out very, very quickly. A lot of stuff in our industry is not working the way it should. Okay? So it's very discouraging, because a lot of stuff that we recommend or try to implement is somewhere between not working and barely working at all. So it's very, very difficult to stop the cybercriminals, because they can be hiding their tracks, coming from anywhere in the world, and to be able to do attribution to these guys and find out where they're coming from is very, very difficult. And not only that, you're stuck with jurisdictional problems too, because if this guy's coming in from another country, how are you going to go and prosecute? Or how do you even know it's that guy behind the screen when it happened? So right now everything favors the bad guys in Canada.
[00:02:46] Speaker A: I know there's plans for tracking cybercrime, but it's been delayed. In your view, what steps should Ottawa and different levels of government take right now to accelerate development and reduce sort of the drag from the bureaucracy, to accelerate cybercrime investigations?
[00:03:03] Speaker B: Look, they're going to have to come to a point where they're going to start working with private companies that are vetted to, you know, to work with them. So here's an example. So we just went through certification for the Canada Controlled Goods program. This allows us to work with the military, defense, critical infrastructure, government. It means that we've been vetted to work with this highly classified information.
And so they're gonna have to start looking at companies that have this designation, that can help bring forth better technology and such. Because we work a lot with municipalities as well. Right. And a lot of times these guys are just so overwhelmed, understaffed, and they just can't keep up with the threats that are occurring.
[00:03:42] Speaker A: And Terry, I think it seems like every week or two weeks in Canada there is a municipality, a public library, a government building that's been hacked and they've been held for ransom.
[00:03:52] Speaker B: Absolutely. And the challenge is that because they don't have a very large IT team, sometimes they have one person, and like some of the ones we work with, maybe they have three, four people.
And just when we do vulnerability scanning, as an example, so we do scanning on a weekly basis to show them what's new, what did they fix, what did they miss.
And just with that alone, they're overwhelmed by how much stuff gets found. They just can't keep up with the updates.
And today's threats, that's the unfortunate reality. They're going to start learning to outsource this stuff to companies like ours, for example.
[00:04:25] Speaker A: Absolutely. Joined by Terry Cutler from cyologylabs.com, and Canada's own spy agency has flagged Russia and Iran, for example, as safe havens for organized cybercrime groups.
Terry, in your opinion, how should law enforcement in this country use maybe a Cyology Labs style ethical hacker to collaborate and push back against these state-sponsored criminals, who are affecting Canadians and people around the world every day?
[00:04:49] Speaker B: I think the biggest problem is going to be bureaucracy, red tape. That's always been an issue. So like, we work with some sensitive companies and just to get a contract signed or a document reviewed takes weeks. There was even one we were working on, it was two years in the making.
It's like the legal department and all these people, they're just slowing so many things down. And you know, hackers aren't waiting around, waiting for you to have your contracts and stuff signed. They're attacking you 24/7. And a lot of times they have technology in place that is not giving the proper alerts.
So they don't even know that they are being attacked. So in one case, when we get brought in to do intrusion tests, where we get hired to legally hack their business, you know, we run these attacks and one of the things we provide to the customers is what's called an activity report. It's like every time we run an attack, there's a timestamp and their own technology is not even picking it up. So they never get a call from their managed provider saying, hey, are you guys under attack? Like, what's going on there? Or they get a call maybe three hours later saying, I think there's something going on here. We're not sure. So the response time is just out of whack right now.
[00:05:55] Speaker A: And Terry, I've heard stories that in some of these state-sponsored cybercrime organizations, there's actual office buildings filled with cybercriminals working around the clock every day, trying to hack into places.
[00:06:07] Speaker B: They're better funded than us. It's great. And these scammers have 24-hour support too, right? Especially, let's talk about ransomware gangs. For example, these guys have 24 by 7 support. They even provide a target list of companies that are vulnerable right now, because they maybe have, you know, it's called proof of life, that's on the dark web saying, we have access to this guy's infrastructure right now. So if you pay us, you know, 50 bucks or 100 bucks for this access, you know, we'll share the profits of the ransom.
So.
[00:06:41] Speaker A: And Terry, you brought up a good point about the red tape that can take up to two years. And at the same time, you're saying the ransomware that's happening to Canadians around the world is happening at lightning speed. So what is the current ransomware threat in Canada that we need to be concerned with?
[00:06:58] Speaker B: Okay, so I'll give you a real example. So this is in the public media, but I didn't want to mention a name. What happened was in 2023 or 24, I believe, they got hit with a ransomware and they realized that the attackers had been in their system since 2019.
Okay, so they've been in their system the whole time, shuffling through people's emails, through the servers. They're there to stay as long as they can, undetected, so they can siphon out this data right under their nose. So even if they ransom the municipality and they say we're not going to pay it, like they didn't pay it, they could threaten to leak the data online and still charge them for that, for them not to leak it.
And you know, still to this day, years later, they don't have all their infrastructure up and running. Because once an attacker is in your environment, it's very, very hard to find out what did they get access to?
Are they still in here? They're like ghosts. So it's very, very difficult to find out what they're doing.
[00:07:58] Speaker A: And Terry, I think of something like Hudson, Quebec or Timmins, Ontario, Prince Albert, Saskatchewan. How in the heck are they to fight back against something like that?
[00:08:08] Speaker B: Yeah. So the easiest way and less expensive way is to outsource this.
So I'll mention what we do. So we have a managed security service where we can look at your network, your endpoints and your cloud, all in one dashboard, and it's bilingual. The magic secret sauce for us is in what's called an appliance. We ship you a physical server that does what's called a port mirror off your firewall. So we look at all the information coming in and out of your organization and we see in real time what's going on. Most companies today are using what's called log-based solutions. They're relying on logs, and logs get delayed, logs get modified and logs lie. Because as ethical hackers, we can go in there and modify this information to look like, yeah, everything's all fine, hunky dory. But in fact we're over here stealing your credit card database. But when you have an appliance like this, it's real data, like it's unaltered information.
So we can see, hey, there's a large amount of data leaving your company that's not normal. Or we could see things like, hey, there's an attack happening inside your network, there's enumeration, there's discovery occurring from this machine over here. Are you aware of this? Like, we can alert you on all these things, and most companies don't have that in place.
[00:09:18] Speaker A: So for people watching this who maybe don't realize that Terry Cutler is an ethical hacker and a psychologist from cyologylabs.com, and it's the marriage between technical hacking skills and human psychology. For people who may not be aware, educate them on the social engineering behind what you do.
[00:09:35] Speaker B: Yeah, so part of our job is what's called social engineering. The psychological manipulation of people. This is where I befriend you, gain your trust, and you're going to give me information that you typically wouldn't give out. Then we're going to use it against you in a cyber attack. How's that for a friend?
But we're paid to legally do this, because we can walk into city hall and trick an employee into divulging information that they shouldn't have given us, and we can use that to get access.
So, you know, one example, we did an attack on a retail company, and I walked into one of their stores and I looked to see the least-paid-looking employee that was stocking the shelves with his headphones on. I said, hey, I'm from IT. We're doing an upgrade in your server room. Can you bring us to the back?
So he brings us to the back, and that's where the equipment was. So, like, okay, this is all good. I'm gonna go for lunch. I'm gonna come back with my colleagues who are also ethical hackers. And so we're gonna finish the upgrade. So went for lunch, strategized, came back, went to see the same guy, and he hands us the keys.
Never asked us who we are, what we're doing there. We had no ID and we're in the lunchroom and all of our equipment was on all the tables. The employees couldn't even come to eat in there.
And not one single person asked us what we're doing. And within three hours, we compromised the whole place.
[00:10:55] Speaker A: Terry, is that just a human nature thing? As Canadians, that we're so trusting, we assume that you, because you said you're with IT. Oh, okay, here you go.
[00:11:03] Speaker B: It is, because as human nature, we want to help people.
Unfortunately, sometimes that's helping. Yeah, it's not a bad thing. But at the same time, you need to have some precautions around this stuff, and that's an unfortunate thing with cybersecurity, is that, you know, and I do a lot of awareness training for individuals. And so in my digital course, I have 42,000 students in it from hundreds of countries.
Most people don't care about cybersecurity until it's too late. And then when.
[00:11:29] Speaker A: Great point.
[00:11:30] Speaker B: Yeah, yeah. Then when they get breached, they come for help, and to help resolve their situation could be thousands of dollars.
And, you know, they think they're just going to Best Buy for 50 bucks.
It's not.
[00:11:42] Speaker A: Terry, is it not like not having fire insurance because you don't think you'll ever need it? Then your house burns down and you go, I wish I had fire insurance.
[00:11:48] Speaker B: That's exactly it. People are losing their shirts. I mean, you're seeing the stories, right? People losing $300,000 in a scam, you know, their retirement is gone.
And yeah, like, there was one story we had. Her name is Allison. She was on one of my live shows. She has what's called two-step verification turned on on all of her accounts. This is an added protection that most people need to have on there, where you type in your username and password and then a six-digit code will appear on your phone, either through the app or through a text message, to enter that information. That means that we can validate, you know, the username and password, and we can actually verify you because you have the device. So she had this on all of her accounts except for one, her Hotmail. And what happened was they got into her Hotmail address.
They were able to see all the security questions and the answers, and they managed to log into her Telus account and transfer her line from Telus to Bell. And when they did that, all the codes went to the bad guy's phone. They logged into her bank account and drained it. They bought stuff on Amazon and eBay.
They did this on a Friday night, so she had to wait till the next business day to get through to the banks.
So it's crazy, the scams out there now, Terry.
[00:12:58] Speaker A: I have a mother in a retirement home in Nova Scotia in her 80s. And my sister and I, we worry about her all the time, because there's so many seniors now being taken advantage of with things like this.
[00:13:07] Speaker B: There is, especially with the grandparent scams, and there's so much stuff, especially with AI occurring right now. AI is really a beast to try and tame. It's incredible.
[00:13:21] Speaker A: Terry, we recently had a first ministers' conference in the Muskokas with Prime Minister Carney and all the premiers, and I think as Canadians, we assume there's one universal umbrella for cybersecurity. But you have pointed out that it could be different from Quebec to Alberta to New Brunswick to the federal government.
[00:13:39] Speaker B: Yeah, we need to have a unified framework. That's one of the problems we have. And the other challenge we have, too, is there's not one size fits all, because we're moving to what's called a zero trust model, which means that we don't trust anything or anybody. Everything's logged, everything is validated. Everything has to be authenticated. But when you start bringing in technology like this, it could be tens of thousands of dollars or hundreds of thousands of dollars to bring this tech in, and these small businesses can't pay for that.
And unfortunately, you know, they're left holding the bag when there's a breach.
[00:14:13] Speaker A: I guess, before we wrap up, Terry, I think for a lot of people, okay, I have a family. I have a daughter in school and university. I have a grandparent or parent. What are the two or three most important steps to protect people against cybercrime?
[00:14:28] Speaker B: Okay, so the big one is obviously passwords.
The challenge you're gonna have here is that a lot of people create lousy, crappy passwords, like john123. Right? So the best way to create an unbreakable password is you want to have between 16 and 25 characters long. Now, I know what you're thinking, right? Is this guy nuts? Like, how do you remember a password like this? But your password needs to have a combination of uppercase and lowercase and symbols in it. So if you can think of song lyrics or phrases. So, for example, the one I always give in the seminars is "I had a great day at work 2025!", right? Simple phrase, remove the spacing, capitalize the first letter of each word, and that password alone will take 10 years to break.
Or you can replace the O's with a zero and the A's with the @ symbol, and that password will take 39 centuries to crack.
[00:15:12] Speaker A: But that makes it next to impossible for the hacker to break your sort of secret code that way.
[00:15:18] Speaker B: That's it. But the problem we're seeing is that once the hackers get access to the server, we can see your password in an encrypted form.
So we can do what's called a pass-the-hash attack. And just to confirm, I'm talking about the good old college days here. This is where we can actually log in as you without ever knowing what that password is. And that's why you need that two-step verification to add that extra layer.
[00:15:39] Speaker A: And Terry, there's nothing in this world now, in society that isn't run by your phone or your laptop or computer. So everything we do now, everything in the world is done through the computer.
[00:15:52] Speaker B: Exactly that. And that's what's scary, that we're so interconnected right now. If there's one break in the chain, everything can fail. That's why they always say that the human element is always the weakest link. It's because we can be manipulated, we can be tricked. And now with AI, some of these phishing emails that are coming in are very, very difficult to detect.
[00:16:11] Speaker A: As a matter of fact, while we're talking, just before our conversation, Terry, I got a phishing text saying, hi Dad, I lost my phone, here's my new number. And she's in Ottawa. So it's a six-one-three area code. But I know it's... but it seems so real.
[00:16:26] Speaker B: Yeah, yeah. It's because as humans, we put so much stuff online, and the AI can actually pinpoint where you are based on your browser data, browsing history, stuff like that. You can look at where you're going and formulate an email.
[00:16:41] Speaker A: Unbelievable. He is Terry Cutler, ethical hacker and psychologist from cyologylabs.com. Please check them out if you want to be cybersafe. Terry, for you and everyone at cyologylabs.com, what's next?
[00:16:54] Speaker B: Right now we're focusing a lot on the managed service we're offering, and also now what's called continuous penetration testing.
One of the situations we're seeing with a lot of companies is that they try to get budget for one penetration test a year. That's where we get hired to legally hack their business. And this service is pretty expensive, which means that they have to wait an entire year to get their budget to get that one test done. And the moment they get that test done, that report is a point-in-time test.
So once you start fixing stuff up, that report theoretically is obsolete. So that means you have to wait an entire year to get your budget back to be able to retest.
So now with the service that we're offering, we can launch a penetration test every six months or every three months to keep your information fresh. So you get to see what you fixed, what you missed, what's new.
And we can actually do that for the price of one.
[00:17:40] Speaker A: But Terry, as you mentioned earlier, if you don't do it more than once a year, by the time you wait a year, the technology the hackers are using is way ahead of you.
[00:17:49] Speaker B: Oh, yeah. So we've even seen situations where this one company outsources their IT to a managed service provider. And we came in, did a penetration test, and we uncovered stuff that should have been fixed a year ago. The IT company said, yeah, we fixed it. But no, they didn't, because it was revealed on our test. They were really upset with them, unfortunately.
[00:18:08] Speaker A: I bet they would be. Terry Cutler, it's an absolute pleasure to speak to you. Keep up the great work, and thank you for keeping us safe.
[00:18:13] Speaker B: Thanks so much for having me. Appreciate it.