Episode 493 Security With Tim Nash Predictions For 2025

---

---

Show Summary

This podcast features a discussion between Rob Cairns and Tim Nash about cybersecurity predictions for 2025. **AI’s increasing role in both offensive and defensive cybersecurity** is a major topic, with concerns raised about AI-powered phishing scams and the accelerated exploitation of vulnerabilities. The conversation also **addresses the challenges in the WordPress plugin ecosystem**, including abandoned plugins and the need for improved update notifications and distribution mechanisms. Finally, they **discuss the evolution of multi-factor authentication**, highlighting the trade-offs between security and user experience, and the weaponization of security vulnerabilities by some vendors. The overall tone is one of concern about the increasing sophistication of cyberattacks and the need for improved security practices for small businesses in particular.

Show Notes

Hey everybody, Rob Cairns here and today I’ve got my good friend, Mr. Tim Nash with me and and we’re going to talk all about security. How are you, Tim?

I’m doing all right. How are you today?

I’m doing good. I You know, it’s funny. We were saying before we went to record, I’m looking out your window and your weather is better than my weather and I think you’ve sent me ugly UK weather cuz it’s that bad out there.

I mean, it it it is going to tip it down with rain during this call and you’re going to go, “Oh, the clouds are forming.” But at the moment, it looks quite nice out there. Yeah, I’ll take that though. It’s um what is it today? It’s about six degrees Celsius, but it’s foggy. It’s rainy. It’s Sounds like the UK.

Oh, that sounds beautiful. That’s That’s home.

I know. I know. So, today I thought we were talking. We thought we’d do a little bit of a prediction show. So, of what we see coming next year, which is interesting. And I’m going to jump in and start with my favorite two letters, AI, right now. Um I should tell you I’ve been I’ve been playing around with um Gemini and notebook and LM again and some other tools. So that’s okay. But as we know AI is making your job and my job a little more difficult. So let’s start with that. Where where’s AI and how much grief is it going to cause you and I next year?

So AI is a bit of a weird one in that I think a lot of people think that it is uh somehow taking the security area by storm that we’re being we’re being we’ve got like these advanced computers that are attacking things and the reality is that everyday hacks that occur on the web are being done in the same way as they’ve always been done. What we are seeing is perhaps where AI is in places like fishing it it’s popping up more often but also in getting to that proof of concept quickly.

Um where AI’s really taken strides in development areas just when your average coder now can hook on to something like cursor and they can quickly develop code at 10 times the speed they used to be able to. Good news. So for bad actors and a bad actor can give a bunch of code and say find me the vulnerabilities in that. It’s an interesting it makes it very easy for them to do. Um so we’re seeing I we’re seeing that whole um the time between a vulnerability become being published and it being exploited has been reducing over the years. But I think we’ve in the last few months we’ve seen that accelerate and I suspect that’s a lot of that’s down to AI um and the ability for people to just now be able to throw these tasks instead of to their minions to their AI overlords. Um which is fine. Uh but the bigger area where I think we’re going to see more happening with AI that’s going to be more obvious with security is uh fishing and the various scams that we’re going to see, security scams, because it is scary how easy it is now to have a artificial voice, be it one that sounds like somebody or that is just a generic voice, uh, that can just be generated now and you can just type words in and it will speak them. We’ve had these demos for years, but now they’re believable and they’re in production and they can be used.

Well, quite in check notebook.lm Google’s product all you got to do is take a audio podcast say for example this one say generate me a summary since I did it last night and say by the way generate me a voice copy of that summary push a button and I’m done there you go I mean and what did that take me two minutes to upload it two minutes to gen the summary one minute to do and I got a voice and here we go and we’re off to the races but the other problem is with fishing scams. We used to identify fishing scams by the language and the bad English. I got to tell you, it’s disappeared. I was saying before we went to record, I’ve had two real good ones hit my box this week. One was um a Bank of Montreal scam. For those who don’t know, Beimo is one of the top five banks in Canada. And this one wanted people to click here to get notifications, but you got to start to look at reply to addresses and there’s giveaways. And the other which you’ve seen and I’ve seen it’s a PayPal scam saying you owe $3,000 or some exorbitant fund and the language in it is actually pretty good. So the scammers are using the AI and getting a little smarter.

Yeah. And we’re going to see more of those start particularly with spear fishing. Uh one of the reasons we don’t see so so spear fishing for people who might go oh what’s the difference between fishing and spear fishing? Spearish is targeted. Fishing is I’m going to send you a a PayPal scam which says, “Hey, you owe $3,000,” but it’s going to have very little information that it’s directly to you. A spear fishing attack might be to your actual PayPal address that they’ve verified with your name and details attached to it

and then that comes to you and it’s it’s a lot harder to spot a spear fishing attack because it’s it’s got a lot more trust markers because they’ve done the research and it is a targeted attack. Now, we’ve we’ve got so much data and the one thing that AI is really good at on the whole, you know, lots of astrophysics here is if you give it a bunch of data and then ask it to extrapolate information, you get stuff out. Um, well, there are plenty of really bad examples. Um, Twitter’s Grock can’t draw a person for love or money or and people ask um, OpenAI, hey, what do you know about me? And it comes up with funny things. If you ask the right sort of questions, you can get quite a of information about a person

and if you’ve got a data set you can pass to the AI that can become very targeted very quickly. So you can quickly create profiles which can be used in spear fishing campaigns. The big saving grace we have at the moment is that um AI is expensive and AI by that I mean that to generate something using AI is computationally expensive. It’s also often behind big services. So I imagine that open AI and uh uh Anthropic Anthropic, the people behind Claude and um similar are currently struggling with lots of attacks against their endpoints, lots of API credentials being compromised because at the moment running your local LMS is hard to do, requires more CPU usage than most CPUs have. requires GPU usage. However, what I haven’t seen yet in the wild too much, but I expect for next year is you know how when uh WordPress sites in particular get compromised.

Now, they’re often compromised and people will throw a Bitcoin miner on there

for the CPU. So, they use the CPU to mine Monero or Bitcoin or one of these other

do whatever they’re doing. Yep.

I think and one of my predictions for next year is that we’re going to start seeing a lot of that being replaced with LLM based jobs.

Yes, I agree.

So they’re going to dist So you already see distributed LLM systems. So distributed um AIS effectively and that you basically they’ll hack your site to use your CPU

so that they can use this for their own computational stuff to do other things. No, I I would agree. I would agree with that. And that’s why small business owners, not always big businesses, are more the targets for these because they tend not to keep their websites up to date. I I don’t know about you, Tim, but usually when I get a call from a small business owner who’s not on a website security care plan, they’re already over their head and in trouble because they’ve been hacked. And they’re like, why would they hack me? Well, because we all know small business owners don’t do a good job unless they hire somebody like yourself or me or somebody else to do it for them to keep their websites up to date. So, they’re a prime target for those kind of attacks.

I always say to uh customers who get hacked when they ask me why did they hack me? And the answer is they didn’t. They don’t know you. They don’t care about you. They don’t know anything about your site. They didn’t hack you. They hacked the server via you

and they’re they’re after the resources in the server. or they’re after your customers. It’s really rare to see a targeted hack. They happen um but they tend to be happening against as you say bigger businesses and if a small business is being hacked that’s either because specifically and they’re been targeted then they are being targeted because of something that is very specific to that need.

For example, law enforcement um for years I managed um I don’t anymore because I blasted on a website for the Ontario Police Memorial. And what the Ontario Police Memorial is is it’s a um it’s a an area that memorial for fallen police officers who die in the line of duty. Very important. And every year, the first uh May in April um sorry, the first Sunday in April or Maine, it’s a ceremony. And one year I sat in the communication construct with my iPad and want to have attempts on the server go up as the ceremony was going on. So that’s a targeted attack because you can almost guarantee those are haters. I have clients in the political space. I can tell you those are targeted attacks.

Yeah. Uh anything that has got a political bent possibly goes through and it’s often some surprising ways. Um I have a client who’s I’m going to have to make up what industry they’re in because well we identify them but they basically run a uh a magazine and that might sound really from for where they are and who they are as far as they’re concerned their magazine is a perfectly normal thing but in certain countries just possession of their print magazine would be enough to have you literally stoned to death.

Um so they get targeted in surprising ways and they are directly targeted but they are in these these cases we’re talking about these are the extreme ends and the vast majority of people are not targeted their resources will be targeted and the bad actor doesn’t care doesn’t know doesn’t and that’s it they do not care about the site um which makes for some people that is a thing that they can sort of hold on to and feel like oh I haven’t because often when uh a site owner gets a site gets hacked, the site owner thinks um why me? Why do this? And it can feel like personal violation. It can feel similar to uh the experience you get if your house gets robbed or you something gets stolen from you. It has that sort of emotional connection.

And so for some people, the idea that I wasn’t targeted gives them a little bit of h sense of okay, it wasn’t about me. It wasn’t about our business. was just a thing that happened and they can rationalize it. Whereas others find that even more upsetting that it was like, “Oh, I’m not I just got caught up on it.”

Yeah, I I agree with you. Um, let’s cut to the WordPress space because you mentioned that word. Lately, we’ve been seeing I don’t know a large number of plugins and themes that are being abandoned in the repository. Now, I don’t know if that’s because of the DR Emma going on which I really don’t want to get into or if that’s just because it’s going full cycle and that’s a concern because again small business owners aren’t keeping up to date with this stuff and they need somebody in their corner to help them. What do you see going on there with all the increase in abandonments?

So it’s weird because literally half an hour ago I was talking about pretty much exactly the same thing. And I was saying that one of the problems that we have with our current setup with with updates coming from WordPress.org is that if you go on to the WordPress.org website and someone has given up doing something on the plugin and they’ve told the WordPress.org now I’m not updating it anymore, there’s a banner that comes up saying this plug-in has been archived.

Y

it’s taken a long time to get there to have that banner, but that banner’s there. You also can see if the plug-in hasn’t been updated for a period of time, x number of releases, there’s a similar sort of banner there. Um, but if you’re on your WordPress site looking at your plugins to do your review of what you’re looking at, that information is not passed over at all. So, you have no easy way of knowing which one of these plugins is being supported or not without going and checking each one individually.

And yeah, as we we are losing people, there is um I think it’s fair to say that you know the people who do things with WordPress the general people who started with WordPress and have been doing this for the last 15 20 years they are now 15 20 years older we do actually have people we are losing developers as in they are lally dying out and I don’t think we’re replacing them as quickly as we’re losing them and the people leaving the WordPress ecosphere not through death but just through natural I don’t want to be here I’ve got another job I found a cool thing that want to do because that’s it. A lot of these people started because WordPress was a cool thing and they wanted to do a cool thing and now they’re on to their next cool thing, but we’re not getting enough new people in. So there therefore the whole area is stagnating.

No, I I would I would agree. How

how we fix that is I think we’ve got So we got two problems. We got a bunch of things that are stagnating and we have no way of showing that. A a really good fix would be a better explanation as to what plugins are being updated and when things have been archived. Now, that could be done by simply as where we do the WordPress update checks which happen every 12 hours on your site. It could just ping back and in the API this one needs to be this has been no longer updated and you could have that displayed on the plugins page. The plug-in installer page is probably the oldest page to not have some sort of update.

That’s correct.

That page I think has stayed the maybe the setting the general settings page, but I think other than the general settings page, the plug-in page is probably the one page that has stayed constant

for a decade plus so we could do with that getting updated. Now, it would be nice if after all of this uh stuff that’s happening in the WordPress community that we’re not talking about uh that something comes out of this where we do have a better distribution mechanisms and the option to have multiples because that will help if if we can have a mechanism where I can let’s say I decide I really fancy the hellish job of becoming a plug-in repository owner

yeah

don’t fancy doing this but let’s say I do and I open Tim’s repos and you can subscribe to Tim’s repos and then I can dictate which ones plugins are archive and out of date. And if I have that if you have the mechanism to subscribe to my repo, maybe that’s a good thing. Maybe that will help that because then we we’re allowing people to take more control and more ownership because at the moment we don’t have any control and ownership of the distribution system and we can’t even see when these things are going wrong. So that was a very waffly answer to there isn’t an answer yet, but there are roots to get there.

No, no, I I agree with you. Um, and we we can not talk about that stuff, but that’s, you know, not not kind of where I was going. I don’t want to talk about the drama, but I agree. Multiple distribution points would be I think you and I have talked about before is is a really good idea. Actually, one point of failure is not necessarily a good answer to a lot of things. Personally,

I mean, if nothing is s really simple as At the moment, we are a worldwide community with various laws depending on which country you’re in.

And those laws vary quite dramatically around security, privacy, software expectations. You know, here in uh the UK, we are probably a bit more uh information security focused, especially around uh data protection, but also with things like our new cyber resilience laws. are coming in that are mimicking the EU cyber resilience laws which are already in place which have certain requirements at the moment as a plug-in owner you can’t actually meet the requirements for the European laws if you use WordPress.org as your distribution point now that’s fine because if that if WordPress doesn’t want to meet those requirements they shouldn’t necessarily have to because they’re if they’re if they are deemed a US entity or wherever they want to be as an entity and they don’t need to meet certain things. They don’t have to. But only if we have the mechanism to be able to say, “All right, you do your thing, we’ll do our thing and they’ll do their thing.” That’s fine if we we can have that. But where we’re in a scenario where we can’t we have a centralized distribution system, it has to support all the users if it wants to be a worldwide thing. And that’s a big strain. And I think it’s showing now that that’s it’s buckling a little bit. under that strain.

Yeah, I I agree with you just a little bit and it’s grown so much that you know it’s been an issue. Um where where else do we see going? We’ve we’ve had the discussion in the last year around 2FA around pass keys around using a security key. Where do you see that? Do you use a password manager? Do you not? Where do you see that whole mess going next year? Because there’s different people in different camps. I’m in the camp where I use either a security key or a password manager, but I also put a string of characters at the end of every password that’s not in my password manager or my security key on purpose. Um, where do you go with that?

I mean, I think for the vast majority of users, the frack model that they are facing means that using a password manager will get them over 90% of the way. If some sort of two-factor authentication And that can be you know whenever we talk about two factor authentication and we people will immediately well sending an email with a key is insecure. It’s like yeah

but it’s better than not

that that’s the basis we’re starting at. Sending it via text message is not secure. If someone spoofing my text messages. Yeah. But my threat model doesn’t have someone spoofing my text messages. Very often and that that’s a very and my I hope my telecom’s provider is better than that.

Obviously, I’d much rather they all had, you know, proper hardware tokens, but I also realized that at $50 a pop, not everybody is going to be able to afford two because you can’t just have one. You need to have the spare.

I have three.

If you only got one,

I have three.

Yeah.

Yeah. Having literally ran over my uh two a hardware token with a car. I can tell you you need more than one

and not have both of them on you at the same time, which is another example of where it goes on. But so it really that becomes quite expensive quite quickly. Um so I would

and then and then you got to and then you got to worry about updating them and keeping them in sync too, which is another issue all together.

I’d much rather people use things that provide that that they can that they can just use easily. Um In fact, I I’m almost I think I’m now moved into the camp where I actually would prefer you to use a hardware token.

Okay.

Or use your email over a standalone two-factor authentication app.

Okay.

Now, there is some caveats to that.

If the standalone two-factor authentication app can be distributed to more than one device,

but so many people got trapped in Google Authenticator world where they had a Google Authenticator app on their phone. Mhm.

And then their phone died and then they had no mechanism to get their two-factor authentication keys.

But hang on. Do you know you can take Google Authenticator and make a backup and import it into another device in

you can now. But only for new only new one only new codes that were in there. So the old ones you’re stuck.

So here’s the problem and let me share this very publicly and we haven’t talked about this.

Don’t mind me. I’m just bleeding bleeding in on the call.

That’s okay. We’ll just kill you any later. That’s all.

Yeah. Yeah.

Um what happened was two months Oh, we did talk about this. We did talk about my Google chargebacks and my issue.

By the way, I did get my money back and I did not get my Google account suspended.

So, that was a it took from the time I talked to you about this last month to time it happened, four business days because the bank had emails saying We screwed up and not our problem. But here’s the problem. If they can do that to my Google wallet, what’s to say my authenticator is not going to get compromised either? And that’s where I went.

If you’re going to export, if you got to have the Google authenticator and you do want to distribute it, well, now it’s behind a Google account.

Whereas the one of the advantages of the Google authenticator initially

and in case anybody’s not familiar with what this is, this is an app that was installed on your phone. that basically gave you one-time passwords that repeated every 60 seconds or in later versions gave you proper top passwords, but uh initially it just let you scan the QR code, it would add them, there wasn’t any back end to this at all.

More recently, and uh you can tell that me and Rob work in um sort of periods of time that we don’t think of because we’re like more recently that’s probably in the last couple of years, not in the last couple of decades. But more recently, uh, you have been able to distribute it to to other phones and other devices and store it in their cloud

in a hopefully secure way.

Yeah, I know. And and then when you look what I went through with Google Wallet, you say, “Really? So if it happened there, what’s to say it doesn’t happen here?” And that’s my whole premise.

Yeah. If if Google locks your account, your two-factor authentication codes are blocked. Yes,

it’s very difficult to block hardware tokens. Um, not impossible depending on the tokens. Um, but it is very difficult for hardware tokens to be blocked. It’s quite difficult for email to be blocked. Obviously, your email accounts themselves might be compromised and blocked or the the your provider may block your email, but you can go and set up a new email account and new DNS records. So, as long as you have control of the domain, email is a pretty valid route. As long as you control the phone number, it’s the phone is a potentially valid route. Less control over than a domain name, though. Domain names are something that you genuinely you control and there’s very few times that can be taken away from you as long as you’re using reputable providers and you’re not being a complete ass. So, um yeah, it’s really weird how I’ve gone from being this person that’s like, “No, don’t do this.” to actually I’m okay with you uh you using email for two factor if that’s what you’ve got. I’d rather you use this, but if you haven’t got this, I’d just make at least it’s a step. And that’s all we’re doing. We’re putting barriers in and we’re just putting extra barriers for bad action.

But every barrier we put in, if we put in too much friction, the user won’t do it.

Yeah.

It’s like saying, “Oh, I’ll add a two I’ll have a password manager, but I add extra characters.” It’s like, yeah, but we don’t we’re not going to ask other people to do that because that’s too much friction and that be too much for them. But if we can just get them to put the password in a password manager or even better, the password manager to have generated the password. Excellent. Next step, we’ve actually now got unique passwords. We’re getting there. We’re slowly building them up and uh it is helping. Uh things like um Apple implementing their own password manager.

A lot of hate came out about it because why is a OS managing this? Um

but at least it put a password manager in front of people and that’s got to be a good thing. Um, not the password manager I would use, nor would I use the built-in password manager in my browser.

I wouldn’t do that.

But that but if a client comes to me and says that’s what they use, I’m going to go cool because you’re using a password management and that to me is the threshold that I care about.

No, I I agree with you. Um, it’s funny and the other thing we got to stop getting people to do and then we’ll kind of move on and stop using free Wi-Fi to do financial transactions. I was in a Starbucks the other day and there was a guy talking to his friend and the guy was a an executive and he’s like, “Oh, I have no concern about doing financial transactions or free Wi-Fi.” So, I walked up to him and handed him his his Visa card and his Oakland number on that piece of paper and said, “Uh, I would rethink that.” And here you go. Have a nice day.

I mean, that says something about the natting of the Wi-Fi. Uh but

yes it does.

I mean I obviously whatever network you’re passing over you have to either trust or don’t trust. If I if you’re using free Wi-Fi and you’re not VPNing back home then you are doing what you’re doing.

Uh I I personally find that um

I don’t know whether it’s that my devices have become more finicky, whether Wi-Fi has got more rubbish, whether cap if portals have become more more aggressive or what it is, but I found that free Wi-Fi and Wi-Fi in general that isn’t belonging to like myself and a few other people is incredibly difficult to get on to these days.

So, I tend to just use my SIM cell, you know, just hotspotting off my phone because that is actually easier. It’s much like when I go into a hotel, if I am going to use the hotel’s Wi-Fi, I’m doing it through a travel router because it turns out that’s a hell of a lot easier. than it is to try and use the hotel’s own interface.

Oh, no, no question. Exactly what I do. So, what what other predictions do you have for next year? Anything big, small, medium?

I guess I’m going to put a negative prediction. I mean, not that these have all been positive, but um I guess a negative spin, which is I think we are going to see more of the uh the tit fortat security vulnerability and weaponizing of security vulnerabilities. We We we’ve seen this to a certain extent already within the uh WordPress space. We’ve seen outside of the WordPress space as well where uh a company will go, “Ah, we found a vulnerability in their plug-in. Haha, ours is better. Oh, we found a vulnerability in their plug-in. Haha, ours is better.” Um there was a a very disappointing scenario which um I saw one and vendor who published this vulnerability and they published this big long blog post saying we want to talk about this blog. vulnerability um because we think it’s interesting and you looked at the vulnerability and went there’s nothing interesting about this. This is really minor. This is even more minor than some of the things that were that got ACF taken over.

Why have they published it? And then you look and go, “Oh, because they just took funding from that company over there.”

That’s disappointing. But this is seemingly happening more and this weaponization of security is a a thing that’s happening more and more and I don’t know whether this is political whether it’s down to people feeling happy to use security this way or whether it’s simply that people have we’ve now convinced people that take security seriously and so now people think that they can abuse this uh privilege that we have where we say something is a security vulnerability people go oh I must update I must do this I must pay attention.

Um, but yeah, the weaponization of security is is something that’s going to continue and I think get worse because it’s incredibly effective.

Mhm.

Or is or some or is some of this being done just to generate income for the security firm? Like we all know back in the day Macaffy uh and the founder of Macaffy passed away last year, the year before,

was originally a company that created viruses, right? We all know that. So, So you have to question and I’m not I’m kind of I’m a patch stack user here. I I admit that and I don’t think Oliver Sid and his team are in it to generate revenue but it’s a fine line because they have to report all this stuff to do to generate revenue. So like where do we draw that line?

It it’s very difficult because it is very uh hard for um security vendors to de how how better to demonstrate your security credentials than by publishing these things. But they are self by publishing these things they are indeed promoting themselves. They are promoting their services. They’re promoting and and it’s a really hard balancing act within plugins themselves. You know when you get there and it’s like we blocked 60,000 attacks upgrade for us to block more.

But you just block the 60,000 attacks. Why would I need to upgrade?

You know and scare tactics are are annoying.

You know who’s notorious at that is the virus checker manufacturers. It sounds like Norton. Oh, we found all these cookies on your PC and there are such thing as good cookie folks. But we found them all. Yeah, I know.

Yeah, but but pay us for us to find more of them.

Yeah. Yeah. You see the revenue matter. Um is there anything else that you think we should uh touch on or do you think we’re pretty well covered? I think they they were my big ones. Um I I am sure we are going to find the world is in turmoil, things will change. Uh odd things happen, but they those were the big ones for me.

I I would agree with you. Canada is about to be in turmoil. We have a uh we’re just coming out of a postal strike. Uh 31 days, by the way, just for fun. The

Well, it’s good. They’re doing that just in time for Christmas. And I’m sure there’s not going to be any backlog whatsoever.

Oh, there’s at least a month of backlog and we’re not even taking international shipments for another week. So, there you go. Um, that that has happened. They have been ordered back by the labor board. So, that has happened and we have a federal election coming up probably in the spring. It’s just uh our system is based on your system, which means if you have a minority government, the house can fall any day now. And uh we’re in that position. We’ve had the longest running minority government we’ve ever had and it’s a walking pine bomb. So that turmoil and then you just have to go south of me and look at the turmoil going on in the US right now. And then you look at uh the mess in Syria that has come up the last couple days and um and everything else going on. It’s just joyous fun.

So we want to wish everybody a merry Christmas

and and a and a very happy new year and uh thank you so much Tim. Uh go check out Tim’s work on LinkedIn because he posts quite regularly and read his posts because they actually make sense. So yeah,

thank you.

You’re welcome. And thank you and all the best to you and your family, Tim. Have a great day.

You too. Bye.