Dave Bittner
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire. A joint advisory warns of Fancy Bear targeting Western logistics and technology firms. A non-profit hospital network in Ohio suffers a disruptive ransomware attack. The Consumer Financial Protection Bureau drops plans to subject data brokers to tighter regulations. Krebs on Security and Google block a record-breaking DDoS attack. A phishing campaign rerouted employee paychecks. Atlassian patches multiple high-severity vulnerabilities. A Wisconsin telecom provider confirms a cyber attack caused a week-long outage. VMware issues a security advisory addressing multiple high-risk vulnerabilities. Prosecutors say a 19-year-old student from Massachusetts will plead guilty to hacking PowerSchool. Our guest is Rob Allen, Chief Product Officer at ThreatLocker, discussing deliberate simplicity of fundamental controls around zero trust. And oversharing your call location data. It's Wednesday, May 21, 2025. I'm Dave Bittner and this is your CyberWire Intel Brief.
Dave Bittner
Thanks for joining us here today. It's great as always to have you with us. A joint cybersecurity advisory from the U.S. and allied agencies warns of ongoing cyber espionage by Russia's GRU unit 26165, also known as APT28 or Fancy Bear, targeting Western logistics and technology firms, especially those supporting Ukraine. Active since 2022, the campaign employs tactics like password spraying, spear phishing and exploiting vulnerabilities in Microsoft Exchange and WinRAR. Targets include transportation hubs, defense contractors, IT services and air traffic systems across NATO countries. The GRU has also compromised IP cameras near Ukrainian borders to monitor aid deliveries. Organizations are urged to enhance monitoring, threat hunting and network defenses against these persistent threats. Kettering Group, a non-profit hospital network in Ohio, suffered a ransomware attack attributed to the Interlock group. The incident caused a system-wide technology outage, disrupting access to electronic health records and patient care systems across its 14 hospitals and over 120 outpatient facilities. All elective procedures were canceled and the call center was rendered inaccessible. Emergency services remained operational, but ambulances were diverted to other facilities, prompting neighboring Premier Health to declare a Code Yellow due to increased patient volumes. The attackers threatened to leak stolen data unless a ransom is paid. Kettering Health is collaborating with cybersecurity experts to investigate and restore systems. Additionally, reports emerged of scammers impersonating Kettering staff to solicit payments. The organization has suspended all payment-related calls and advises patients to report suspicious contacts to law enforcement. The Consumer Financial Protection Bureau has dropped plans to classify certain data brokers as credit bureaus, a move that would have subjected them to tighter regulations.
Proposed in December 2023, the rules aimed to curb the sale of Americans' sensitive data by requiring accuracy and transparency and limiting data sales to legitimate uses like credit or employment checks. But the CFPB has now deemed further rulemaking not necessary or appropriate. Critics warn this leaves Americans vulnerable, as brokers often collect data from apps or telcos, sometimes exposing users at protests or clinics. Several data breaches have highlighted the risks, with billions of records stolen from poorly secured brokers. While the US backs off regulation, the UK is still evaluating stricter oversight. The CFPB's future remains uncertain amid political pressure. Krebs on Security was targeted on May 12 by a record-breaking DDoS attack peaking at 6.3 terabits per second, 10 times larger than the infamous 2016 Mirai botnet assault. The attack, mitigated by Google's Project Shield, lasted less than a minute but marked the biggest attack Google has ever handled. Security experts link the attack to the Aisuru botnet, a network of hijacked IoT devices like routers and DVRs. Aisuru's operators exploit weak passwords and software flaws, selling attack services on Telegram under the handle Forky for up to $600 per week. This botnet has been rented out since at least August 2024. Law enforcement has seized some of its related domains, but the threat remains active, with major web services still struggling to counter such powerful assaults. A phishing campaign rerouted employee paychecks by tricking users into entering credentials on fake, mobile-specific payroll sites. According to ReliaQuest, attackers used Google Ads and SEO poisoning to lure victims searching for HR portals on mobile devices. Clicking these ads led to fake Microsoft login pages designed to harvest credentials. Once compromised, attackers accessed SAP SuccessFactors accounts and changed direct deposit details, diverting paychecks to their own accounts.
The attack used a proxy network of hijacked home routers to mask the attackers' locations and evade detection. Real-time monitoring tools helped attackers act before credentials could be reset. ReliaQuest recommends using multi-factor authentication, alerts for deposit changes, employee education and proactive threat intelligence to combat these mobile-targeted phishing campaigns that bypass corporate network defenses. Atlassian's May 2025 Security Bulletin reveals eight high-severity vulnerabilities impacting several Data Center and Server products. The flaws, found through bug bounties, testing and library scans, could lead to denial-of-service attacks and privilege escalation if left unpatched. Notably, Bamboo and Confluence Data Center are exposed to a Tomcat Coyote bug, causing memory leaks and crashes from malformed HTTP/2 headers. Confluence also faces a stack overflow risk via the XStream library. Fisheye/Crucible is vulnerable to a denial-of-service flaw in JSON-smart, while Jira Software and Jira Service Management are at risk from Netty's SSL handler bug. Additionally, a privilege escalation issue threatens Jira products, enabling attackers to gain unauthorized access. Users are urged to patch immediately to secure enterprise environments. Wisconsin telecom provider Cellcom confirmed a cyber attack caused a week-long outage affecting voice and text services in Wisconsin and Upper Michigan. While some services have been restored, full recovery is expected by week's end. The company's CEO assured customers they had protocols in place and that they're working with cybersecurity experts and authorities to resolve the issue. Cellcom stated no sensitive customer data appears compromised, as the breach impacted a network segment without personal information. Though the company has not disclosed the attack type, the scope suggests ransomware may be involved, though no group has claimed responsibility.
Cellcom emphasized its cautious, deliberate approach to recovery and pledged to provide updates on restoration efforts and the ongoing investigation. VMware has issued a security advisory urging immediate action on multiple high-risk vulnerabilities across its virtualization products. Top priority is a critical vCenter Server flaw that allows unauthenticated attackers to execute arbitrary commands and take control of the host. Admin interfaces should be restricted to trusted networks. Other notable flaws affect VMware Cloud Foundation, including a directory traversal issue and information disclosure risks, both exploitable via simple network access to port 443. Additional vulnerabilities impact ESXi, Workstation and Fusion, including denial-of-service bugs and a cross-site scripting flaw. VMware has released patches for all affected systems and recommends organizations review and apply updates promptly to minimize the risk of exploitation. Federal authorities say Matthew Lane, a 19-year-old student from Massachusetts, will plead guilty to hacking PowerSchool, a major education software firm serving over 60 million students. Lane used stolen credentials from a contractor to access PowerSchool systems, stealing sensitive data on students and teachers. He then issued a ransom demand in December, threatening to leak the data unless paid nearly $2.9 million in Bitcoin. PowerSchool confirmed it paid, though the amount remains undisclosed. Lane, linked to the ShinyHunters hacking group, is also accused of trying to extort a telecom company. He will plead guilty to charges including unauthorized access to protected computers and aggravated identity theft. Federal prosecutors call it a significant win in what may be the largest breach of US schoolchildren's data to date. Coming up after the break, my conversation with Rob Allen from ThreatLocker.
We're discussing deliberate simplicity of fundamental controls around zero trust. And oversharing your call location data. Stick around.
Vanta Representative
Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear: there is a better way. Vanta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials, from internal and third-party risk to consumer trust, making your security posture stronger. Yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta: GRC, how much easier trust can be. Get started at vanta.com/cyber.
Dave Bittner
Worried about cyber attacks? Cyber Care from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected. A unique onboarding process integrates your team with industry-leading experts, so if an incident occurs, your response is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors, and much more. The best part? 100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at Cyber Care Cyberwire. Rob Allen is Chief Product Officer at ThreatLocker. I recently caught up with him at the RSAC conference for a sponsored Industry Voices segment discussing deliberate simplicity of fundamental controls around zero trust.
Interviewer
We are continuing with our conversations here at RSAC 2025, and I am pleased to be joined by Rob Allen. He is Chief Product Officer at ThreatLocker. Rob, welcome.
Rob Allen
Thank you. It's good to be here.
Interviewer
For folks who may not be familiar with the company, give us the brief description of what ThreatLocker is.
Rob Allen
ThreatLocker is awesome. Is that brief enough?
Interviewer
Thanks for joining us here today.
Rob Allen
Thank you. Thank you.
Dave Bittner
Thank you.
Rob Allen
No, so ThreatLocker is an endpoint protection platform, zero trust focused. So deny by default, basically. So it's a slightly different approach to most cybersecurity, which is typically reactive: just waiting for something bad to happen, basically, or some indication of bad things happening. We are more proactive, so we're more about stopping it happening than responding to it happening. There's a lot of different ways we do that. So we start with allow listing, so just allowing what needs to run to run. And we've got ring fencing and lots of really cool stuff. But it's all based around that principle of deny by default, permit by exception. So rather than letting everything happen except what we know to be bad, we only allow what's required.
Interviewer
Can we talk about the challenge with endpoint protection of lateral movement and protecting against that?
Rob Allen
Sure. Well, I mean, there's a couple of different types of lateral movement. There's lateral movement between programs on an endpoint, because very often a lot of these breaches start with, for example, something like Outlook calling something like PowerShell. Now, in reality, in most environments, there's no reason for Outlook to call PowerShell. But someone in their infinite knowledge and wisdom in Microsoft decided one day, hey, it'd be really cool if we'd make this possible. Now it's being exploited. So we can control that lateral movement between applications, but we can also control lateral movement across the network, because that's another huge problem. So once one machine gets compromised, typically it doesn't take them very long to move to another machine, or to another machine, or to another machine, and eventually they get to something that's really important. So controlling network access, same principle, deny by default, permit by exception, but only allowing trusted devices to connect to other trusted devices and basically just limiting access to the network will stop, as I said, that lateral movement as well.
Interviewer
Help me understand how much of this is, say, signature based. How much of it is behavioral? Is there a blend?
Rob Allen
None and none.
Interviewer
Okay.
Rob Allen
Generally speaking. So what we're talking about, and I actually have a really interesting example to give you about this, but basically what we're talking about is fundamentally controls. So it's about applying controls to your environment. So the control over what can run and what can't run, the control over what things can do, controls around the network. So it's not about detecting or recognizing bad behavior per se, it's about saying, well look, we're going to control the environment in such a way that that bad behavior can't take place. I'll give you an example, if you don't mind. So we did a podcast some time ago with a guy called Jacoby, with David Bombal. And Jacoby is an absolute genius. He was Hak5's hacker of the year a number of years ago. He came up with something that is unbelievably cool, which is basically an API-based polymorphic PowerShell reverse shell. So basically he reaches out to an API using PowerShell, it gives him code, PowerShell code, basically. But it's polymorphic, so it changes every time. So signature-based detections just don't find it.
Dave Bittner
Right.
Rob Allen
So he tested that against every major EDR, every tool that he could find. He tested that against them, and none of them recognized it as what it was. He tried it against ThreatLocker, and ThreatLocker immediately blocked it. Now he was convinced that we were doing some behavioral-based recognition of what he was up to. And what we were actually doing was just blocking PowerShell from accessing the Internet. So it was a really simple, basic control that solved a very advanced, complex, quite frankly brilliant exploit. So that might explain it somewhat better. So we're not about behavior. We don't care what the behavior is. We care about applying controls to the environment in such a way that it can't be.
Interviewer
So is it fair to say a deliberate simplicity to the approach?
Rob Allen
Absolutely. The beauty about that simple approach is that you don't need to know everything that's bad, because if you block everything, then you're going to block all the bad stuff. You're also going to block good stuff that could be misused. And that's something else that people need to consider, is things like WinRAR, for example. I mean, WinRAR has all of the characteristics of ransomware. You can encrypt data, you can transfer data and you can delete data, all with one convenient program that is not in itself malicious. Things like PuTTY. We've seen PuTTY being used for data exfiltration. Now again, PuTTY is not a bad program, it's not a bad application. But can it be used for bad purposes? Absolutely, it can. So the beauty about the deny by default approach is you don't need to know all of the bad things, you don't need to know all of the exploitable things. You just need to allow what's required and block everything else. It's so simple. But once you actually get your head around it, it's like, why isn't everybody doing this?
Interviewer
Well, so how do you do the things you need to do and at the same time not introduce undue friction?
Rob Allen
Because in reality, the vast majority of users do the same things in the same way with the same software every single day. And fundamentally all we're doing is setting guardrails around that. I'm saying, look, you operate within these guardrails, you're not going to even know we're here. Now, if you step outside of those guardrails and try and download that coupon clipper from China or run a remote access tool, absolutely, we're going to step in and stop that. But that's what organizations need, that's what they need to keep them safe.
Interviewer
What about things like token theft, you know, that sort of thing? How do you come at that?
Rob Allen
So token theft is an interesting one. So we've recently started expanding. We were typically endpoint based, or exclusively endpoint based, for many years. The reason for that was basically most of the action was taking place on the endpoints. Most breaches started at the endpoint. But we realized that customers also have challenges with the cloud, specifically controlling access to cloud resources. So what we did for that is, and it comes back to this idea of deny by default, permit by exception. So Microsoft actually have some quite advanced conditional access functionality in Office 365, for example. So you can have what are called named locations. You can have a bunch of IP addresses in a named location and say, look, allow these IP addresses to connect to my Office 365 and block everything else. That's fine until somebody has had an event like this. My IP address has probably changed five times today, right? So it's fine for static, but dynamic presented a challenge. So what we did is, we've got obviously the ThreatLocker agent installed on people's machines. It's checking in, reporting its IP address. We have an app on our phone which basically is checking and reporting my phone's IP address. We take all those IP addresses, we upload them to a named location in Office 365, and those IP addresses are allowed to connect while the entire rest of the Internet is not. So the way a lot of people have approached this is fundamentally a lot of people will do countries. So they're going to say, look, allow the United States and block the rest of the world, which is fine until your CEO goes on holidays to the Bahamas and all of a sudden he can't access his resources.
Dave Bittner
Right.
Rob Allen
So this is why the dynamic nature of what we do is so effective. Because it doesn't matter if I go to the Bahamas or Timbuktu, quite frankly, I'll have an IP address, it's gonna check in, register, upload and be added to the named location. So it doesn't matter if somebody steals my credentials, it doesn't matter if somebody even gets my token. The fact is they won't be allowed to connect because of those conditional access policies.
Interviewer
When someone decides that they want to take this approach that, you know, they're all in on going at the problem this way. What does the onboarding look like?
Rob Allen
Surprisingly smooth, is the answer to that question. Because basically when we deploy ThreatLocker, when a customer deploys ThreatLocker, it's not blocking anything, it's not stopping anything, it's not getting in their way. Fundamentally, all it's doing is logging data. It's basically building a set of policies based on what's present in the environment. So it takes a lot of the heavy lift out of this process.
Interviewer
So there's an analysis, correct? A learning period sequence.
Rob Allen
Okay, absolutely. So the learning period, basically what it's doing is it's logging all of the software that's on your machine and it's saying, look, all of this software is required. We're going to fundamentally allow this, or create our policies to allow this to run. After which point, you know, a couple of weeks in the future, we can say, okay, well, you've got policies for all the things you need, and we're going to lock it down. And then all of those things are going to be allowed, and nothing new is going to be allowed to run on your machine.
Interviewer
Are there company-wide policies, but then individual policies as well?
Rob Allen
You can do it at various different levels. You can do it company-wide, you can do it globally or by teams. Exactly.
Interviewer
Again, my salespeople travel, they need...
Rob Allen
Correct, exactly. And your IT team probably need a little bit more leeway in terms of the tools they're going to run. So they might need to run a tool like PuTTY, whereas your finance department probably don't. Your marketing people definitely don't. Your marketing people might need Creative Cloud, but your IT team don't. So it's not a question of applying the same rules to everybody. You can pick and choose, you can adjust and tweak as necessary. Again, the idea being to allow people to do what they need to do.
Interviewer
But no more. As a provider of the type of tool that you provide, as you're looking toward the horizon and you're seeing the evolution of the threats, how do you stay nimble? How do you anticipate and know that your own roadmap is going to be able to respond to those things?
Rob Allen
Well, to some extent. I mean, obviously we're constantly striving to improve what we do. We're trying to make it as seamless as possible, both for the administrators and also for the users. That's something that's really important to us. I mean, one of the beauties of the approach that we take, because it's deny by default, is we're not constantly responding to new threats, to new techniques, new tactics. I mean, obviously we tweak and adjust our policies from time to time. We make them more secure. We can absolutely always improve things. But generally speaking, the deny by default approach means that it doesn't matter if a new piece of malware appears tomorrow, a zero day appears tomorrow, or even a particular piece of software is vulnerable. You know what I mean? Application vulnerabilities are a major, major issue. But what you have to consider with the likes of application vulnerabilities is, well, what's the next thing that will typically happen if a vulnerable application is exploited? Well, generally speaking, something's going to run or something's going to reach out to the Internet. You know, somebody's going to call PowerShell to try and download a payload. Well, if you can stop all of those interactions, then you basically stop that vulnerability from being exploitable. So as I said, the beauty of deny by default is you're not constantly trying to play catch-up. And again, that's one of the problems with cybersecurity as a whole, is the industry is constantly playing catch-up. The bad guys are nimble, the bad guys are really, really clever, and they're constantly one step ahead. And if your approach requires you to keep up with them, then you're never going to win. I mean, the sad reality, the sad fact is nobody knows all of the bad things. I mean, if somebody knew all of the bad things, there would be no need for solutions like ours. There would be no need for any other solution. The fact is, nobody does.
I mean, there's 160,000 new pieces of malware come out every single day. How do you possibly keep up with that? I mean, the sad reality is you can't. So that's why a different approach, one like the default deny one that we espouse, is so important.
Interviewer
There's been a lot of talk, I think particularly this year, about consolidation. And we hear from CISOs all the time, how do I keep track of all these different tools? What I really want is, you know, bring me a platform that'll... one platform that'll do everything. From your point of view as a provider, how do you approach playing well with others?
Rob Allen
Well, one of the ways that we try and solve that problem for people is we try and solve as many of the problems as we can within one portal, one agent, one product, one thing to understand, one bill to pay, fundamentally. So as well as the allow listing, ring fencing, network control stuff I mentioned, we do have detection capabilities. This is another product we do. We've also got... we've recently introduced web control, so basically web filtering. We've introduced patch management, a very unique take, a unique approach to patch management. So these are all boxes that we can tick for organizations without them having to go out and buy third-party tools or have another portal to manage or another agent to install on the machine. Because it is one thing that we hear loud and clear: I've got too many agents on my machine. I've got my antivirus, I've got my EDR, I've got this thing, I've got my patch management, I've got that thing, I've got web control, I've got different agents running on my computer. The fan is always, the pan is almost filling. So there's a huge amount of value in just giving them one agent, one portal to manage, one product to understand, one thing to get trained up on, and you don't need to manage all of these other tools. So that is something we're acutely aware of and trying to solve in that fashion by building solutions ourselves.
Interviewer
Yeah.
Interviewer
As you're walking around here at RSAC 2025, what are some of the things that have caught your eye? Are there things that lift your spirits, that give you hope? You know, what clever people we are, those sorts of things.
Rob Allen
A lot of very impressive booths, that's for sure. There are some very, very shiny booths, and very big and fancy, and there...
Interviewer
Are puppies and baby goats and...
Rob Allen
Are there puppies?
Interviewer
There are puppies.
Rob Allen
I saw a picture of the baby goat. I did not. Where are the puppies?
Interviewer
They're over there.
Rob Allen
There's a puppy. Okay, I'm going to have to go and find the puppies. I mean, I actually chastised our marketing department yesterday because when we saw there were goats, I was like, how come we haven't thought about bringing farmyard animals to these things? Yeah. Missed opportunity. So, yeah, I didn't realize somebody had brought puppies. That's kind of one-upping. But, no, I mean, the beauty about events like this, from our perspective, is twofold. I mean, first of all, it's an opportunity to meet existing customers. The great thing that I've seen, even over the last couple of years of coming here, is that, you know, a few years ago we would have had, I'm not going to say a handful of customers, but there wouldn't be a huge amount of customers. Every year there's more and more and more. They come up, they say hello, you know, tell us about their experience. And it's phenomenal feedback. I mean, face to face like that. It's just a brilliant opportunity to connect with existing customers, but obviously it's also an opportunity to tell people about what we do, tell people about why we do it. Explain. I mean, I had somebody come up to me yesterday and they were talking about allow listing and they're saying, we're looking at this other allow listing solution. Tell me why you're better. And we have, and I actually don't have it here, I'd love to show you, but we've got rubber duckies that do data exfiltration, we've got rubber duckies that do screen captures and upload them to a C2 server. We've got a whole pile of different stuff. So I was able to show them in person three different attacks, all perpetrated using PowerShell, none of which were detected as being bad, all of which were extremely scary. And that's a fantastic opportunity. I mean, you just don't get that talking to somebody over Zoom, for example. You can explain it to somebody, but you can't show them.
Dave Bittner
Right.
Rob Allen
And there's a huge amount of value in that for us.
Interviewer
Yeah.
Interviewer
All right, well, Rob Allen is Chief Product Officer at ThreatLocker. Rob, thanks so much for joining us.
Rob Allen
No worries. Pleasure. Thank you very much.
Dave Bittner
That's Rob Allen, Chief Product Officer at ThreatLocker. And finally, security researcher and O2 customer Daniel Williams uncovered a glaring privacy leak in O2 UK's 4G calling system. For context, O2 is one of the UK's largest mobile carriers, part of the Virgin Media O2 group, serving millions of customers across the country. And apparently it's been serving up more than just phone service. While poking around Voice over LTE call data, using a rooted Pixel 8 and some digital elbow grease, Williams found that O2's IP Multimedia Subsystem implementation was a little too chatty. Calls were accompanied by SIP messages containing not just debug logs but also both parties' IMSIs, IMEIs and cell tower IDs. In short, every call was a potential geolocation treasure map. Williams concluded that O2's IMS implementation poses a significant privacy risk, as it exposes sensitive metadata during every 4G or Wi-Fi call. This data can be exploited to geolocate call recipients with surprising accuracy, even when they're abroad or not currently connected to the network. The researcher emphasized that this vulnerability affects all O2 customers using IMS-based calling and cannot be mitigated by users themselves, as disabling 4G calling does not stop the data from being shared. He called on O2 to remove these unnecessary SIP headers and debug messages from call signaling and criticized the company for lacking a clear path to responsibly disclose such findings. Since then, O2 says they have resolved the issue. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Hey everybody, Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal: 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
CyberWire Daily Podcast Summary: "Bear in the Network"
Release Date: May 21, 2025
Host: Dave Bittner, N2K Networks
In the episode titled "Bear in the Network," hosted by Dave Bittner, CyberWire Daily delves into a series of critical cybersecurity incidents and developments. The episode provides in-depth analysis of cyber espionage activities, ransomware attacks, regulatory changes, massive DDoS assaults, and significant security advisories from leading tech companies. Additionally, the podcast features an insightful interview with Rob Allen, Chief Product Officer at ThreatLocker, discussing the principles of Zero Trust and effective endpoint protection.
Timestamp: 00:02 – 02:28
A joint cybersecurity advisory from the U.S. and allied agencies has highlighted ongoing cyber espionage activities by Russia’s GRU unit 26165, also known as Fancy Bear or APT28. This group has been actively targeting Western logistics and technology firms, particularly those supporting Ukraine, since 2022. The campaign employs techniques such as password spraying, spear phishing, and exploiting vulnerabilities in Microsoft Exchange and WinRAR. Key targets include transportation hubs, defense contractors, IT service providers, and air traffic systems across NATO countries. Additionally, the GRU has compromised IP cameras near Ukrainian borders to monitor aid deliveries. Organizations are advised to bolster their monitoring, threat hunting, and network defenses to mitigate these persistent threats.
Timestamp: 02:28 – 04:35
Kettering Group, a non-profit hospital network in Ohio, experienced a severe ransomware attack attributed to the Interlock Group. This breach resulted in a system-wide technology outage affecting 14 hospitals and over 120 outpatient facilities. The disruption led to the cancellation of all elective procedures and rendered the call center inaccessible. Emergency services remained operational, but ambulances were diverted to other facilities, prompting neighboring Premier Health to declare a code Yellow due to increased patient volumes. The attackers demanded a ransom, threatening to leak stolen data if their demands were not met. Kettering Health is collaborating with cybersecurity experts to investigate and restore systems. Furthermore, scammers have been impersonating Kettering staff to solicit payments, leading the organization to suspend all payment-related calls and advise patients to report suspicious activities to law enforcement.
Timestamp: 04:35 – 06:15
The Consumer Financial Protection Bureau (CFPB) has decided to drop plans to classify certain data brokers as credit bureaus, a move that would have subjected them to tighter regulations. Initially proposed in December 2023, the rules aimed to limit the sale of sensitive American data by requiring accuracy, transparency, and restricting data sales to legitimate uses such as credit or employment checks. The CFPB’s reversal has drawn criticism, as data brokers often collect information from apps and telecommunications companies, potentially exposing users at protests or clinics. High-profile data breaches, involving billions of records from poorly secured brokers, underscore the risks. While the U.S. steps back from regulating data brokers, the UK continues to evaluate stricter oversight. The future of the CFPB remains uncertain amidst political pressures.
Timestamp: 06:15 – 08:28
Krebs on Security faced a record-breaking distributed denial-of-service (DDoS) attack on May 12, peaking at 6.3 terabits per second, roughly ten times the infamous 2016 Mirai botnet assault. Google's Project Shield mitigated it in under a minute; it was the largest attack Google has ever handled. Experts attribute the assault to the Aisuru botnet, made up of hijacked IoT devices such as routers and DVRs. Aisuru's operators exploit weak passwords and software vulnerabilities, and sell attack services on Telegram under the handle Forky for up to $600 per week. Despite law enforcement actions, including the seizure of some related domains, the threat remains active. The incident highlights the challenges major web services face in countering increasingly powerful attacks.
Timestamp: 08:28 – 10:00
A sophisticated phishing campaign has been identified, which adeptly rerouted employee paychecks by deceiving users into entering credentials on counterfeit mobile-specific payroll sites. As reported by ReliaQuest, attackers utilized Google Ads and SEO poisoning to lure victims searching for HR portals on mobile devices. Upon clicking these ads, users were directed to fake Microsoft login pages designed to harvest credentials. Once compromised, attackers accessed SAP SuccessFactors accounts and altered direct deposit details, diverting paychecks to their accounts. The attack employed a proxy network of hijacked home routers to obscure the attackers’ locations and evade detection. ReliaQuest recommends implementing multi-factor authentication alerts for deposit changes, educating employees, and utilizing proactive threat intelligence to defend against such mobile-targeted phishing campaigns that bypass traditional corporate network defenses.
Timestamp: 10:00 – 12:28
Atlassian’s May 2025 Security Bulletin disclosed eight high-severity vulnerabilities affecting several data center and server products. Discovered through bug bounties, testing, and library scans, these flaws could enable denial of service attacks and privilege escalation if unpatched. Notable vulnerabilities include:
Users are strongly urged to apply the available patches immediately to secure their enterprise environments.
Timestamp: 12:28 – 14:55
Cellcom, a Wisconsin telecom provider, confirmed that a cyber attack led to a week-long outage affecting voice and text services in Wisconsin and Upper Michigan. While partial services have been restored, full recovery is expected by the end of the week. The company’s CEO assured customers that no sensitive personal data appears to have been compromised, as the breach impacted a network segment devoid of personal information. Although Cellcom has not disclosed the specific type of attack, the scope suggests ransomware involvement, though no group has claimed responsibility. The company emphasized its methodical approach to recovery, collaborating with cybersecurity experts and authorities to resolve the issue and pledged to provide ongoing updates.
Timestamp: 14:55 – 16:15
VMware has released a security advisory addressing multiple high-risk vulnerabilities across its virtualization products. The most critical is a flaw in the VCenter server that allows unauthenticated attackers to execute arbitrary commands and take control of the host. VMware recommends restricting admin interfaces to trusted networks. Other significant vulnerabilities include:
VMware has released patches for all identified vulnerabilities and urges organizations to promptly apply these updates to minimize exploitation risks.
Timestamp: 16:15 – 18:28
Matthew Lane, a 19-year-old student from Massachusetts, has agreed to plead guilty to hacking PowerSchool, a major education software company serving over 60 million students. Utilizing stolen credentials from a contractor, Lane accessed PowerSchool’s systems and exfiltrated sensitive data on students and teachers. He then issued a ransom demand in December, threatening to release the data unless paid. PowerSchool confirmed paying nearly $2.9 million in Bitcoin, although the exact amount remains undisclosed. Lane, associated with the Shiny Hunters hacking group, is also accused of attempting to extort a telecom company. He faces charges including unauthorized access to protected computers and aggravated identity theft. Federal prosecutors deem this a significant victory, potentially representing the largest breach of U.S. school children’s data to date.
Timestamp: 12:28 – 30:43
The episode features Rob Allen, Chief Product Officer at ThreatLocker, who discusses the philosophy and implementation of Zero Trust in cybersecurity. The conversation, recorded at the RSAC 2025 conference, centers on ThreatLocker’s proactive approach to endpoint protection and the principle of "deny by default, permit by exception."
Key Insights:
Proactive Security Measures: Rob Allen emphasizes that ThreatLocker focuses on preventing cyber incidents rather than reacting to them. “We are more proactive, so we're more about stopping it happening than responding to it happening” ([15:21]).
Allow Listing and Ring Fencing: The company employs allow listing to permit only necessary applications to run, thereby minimizing potential attack vectors. This method contrasts with traditional reactive approaches that often allow everything by default except known threats.
Controlling Lateral Movement: ThreatLocker implements controls to prevent lateral movement both between programs on an endpoint and across the network. “Once one machine gets compromised, typically it doesn't take them very long to move to another machine,” Rob explains ([16:09]).
Non-Behavioral Approach: Unlike many security solutions that rely on behavioral analysis or signature-based detection, ThreatLocker focuses on applying strict controls to the environment so that malicious activity is blocked by construction. Rob recounts an example in which his system blocked a sophisticated, polymorphic PowerShell exploit simply by restricting PowerShell's internet access, with no behavioral detection involved ([17:16]).
Deliberate Simplicity: The simplicity of ThreatLocker’s approach lies in its effectiveness without the complexity of constantly updating defenses against new threats. “The deny by default approach means that if a new piece of malware appears tomorrow... if you can stop all of those interactions, then you basically stop that vulnerability from being exploitable” ([19:07]).
Minimal User Friction: By setting guardrails around users' regular activities, ThreatLocker ensures security without hindering productivity. “The vast majority of users do the same things in the same way with the same software every single day” ([20:18]).
Dynamic Access Control: Addressing challenges like token theft, ThreatLocker employs dynamic IP-based controls to ensure that access to cloud resources remains secure, regardless of the user’s location. This adaptability prevents unauthorized access even if credentials are compromised ([22:21]).
Seamless Onboarding: ThreatLocker offers a smooth onboarding process by initially logging all necessary software without blocking anything, then gradually enforcing strict policies based on observed legitimate activities. “It's about applying controls to your environment in such a way that it can't be [exploited]” ([23:14]).
Consolidated Security Solutions: To address the complexity of managing multiple security tools, ThreatLocker integrates various functionalities—such as allow listing, ring fencing, web control, and patch management—into a single platform with one agent and one portal. “One portal, one agent, one product, one thing to understand, one bill to pay” ([27:13]).
Future-Proofing Security: Rob Allen underscores that the deny-by-default strategy reduces the need for constant updates in response to evolving threats, as it inherently blocks new and unknown malicious activities without requiring prior knowledge of specific threats ([24:48]).
Notable Quotes:
Timestamp: 30:43 – End
Security researcher Daniel Williams uncovered a significant privacy vulnerability in O2 UK's 4G calling system. Using a rooted Pixel 8, Williams found that O2's IP Multimedia Subsystem (IMS) implementation was excessively verbose: the SIP messages accompanying each call carried debug logs, both parties' IMSIs and IMEIs, and cell tower IDs. This exposed sensitive metadata for every 4G or Wi-Fi call and allowed precise geolocation of call recipients, even when they were abroad or not connected to the network. Because the leak sits in the network's signaling rather than on the handset, users could not mitigate it themselves; disabling 4G calling did not stop the data from being shared. Williams urged O2 to remove the unnecessary SIP headers and debug messages from call signaling and criticized the company for lacking a clear path to responsibly disclose such findings. O2 has since resolved the issue.
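A defender-side audit of the metadata leak described above, as an added example that is not from the podcast, O2 or the researcher: it parses a SIP INVITE, flags headers carrying cell IDs, IMEIs (Luhn-valid 15-digit runs), IMSI candidates and debug data, and strips them, which is the remediation the researcher asked for. P-Access-Network-Info is the standard 3GPP header (RFC 7315); the Cellular-Network-Info and X-Debug-Info names and the sample INVITE are constructed assumptions.

```python
"""Audit an IMS SIP message for subscriber and location identifiers. Added example,
not code from the podcast, O2 or the researcher: P-Access-Network-Info is the real
3GPP header (RFC 7315); Cellular-Network-Info, X-Debug-Info and the INVITE are assumed."""
import re
CELL_ID_HEADERS = {"p-access-network-info", "cellular-network-info"}  # cell-identity headers
FIFTEEN_DIGITS = re.compile(r"(?<!\d)\d{15}(?!\d)")  # IMSI and IMEI are 15 digits

def luhn_ok(digits: str) -> bool:
    """IMEIs end in a Luhn check digit; IMSIs do not, which tells the two apart."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def parse_headers(msg: str) -> list[tuple[str, str]]:
    """(name, value) pairs from the header block; request line and body dropped."""
    head = msg.split("\r\n\r\n")[0].split("\r\n")[1:]
    return [(n.strip(), v.strip()) for n, _, v in (ln.partition(":") for ln in head)]

def audit(msg: str) -> dict[str, list[str]]:
    """Classify every header that exposes a cell ID, IMEI, IMSI or debug data."""
    found = {"cell_id": [], "imei": [], "imsi_candidate": [], "debug": []}
    for name, value in parse_headers(msg):
        lname = name.lower()
        if lname in CELL_ID_HEADERS and "cell-id" in value.lower():
            found["cell_id"].append(name)
        if lname.startswith("x-") and "debug" in lname:  # vendor debug header (assumed)
            found["debug"].append(name)
        for run in FIFTEEN_DIGITS.findall(value):
            found["imei" if luhn_ok(run) else "imsi_candidate"].append(f"{name}={run}")
    return found

def sanitize(msg: str) -> str:
    """Drop every flagged header: the remediation the researcher asked O2 for."""
    bad = {e.split("=")[0].lower() for hits in audit(msg).values() for e in hits}
    head, sep, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept = [ln for ln in lines[1:] if ln.partition(":")[0].strip().lower() not in bad]
    return "\r\n".join([lines[0], *kept]) + sep + body

# Constructed sample: one INVITE leaking the caller's cell and both identifiers.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+447700900123@ims.example.net SIP/2.0",
    "From: <sip:+447700900456@ims.example.net>;tag=1a2b",
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=2341000a1b0c3d4e",
    "X-Debug-Info: imsi=234100001234567 imei=490154203237518",
    "Content-Length: 0", "", "",
])
```

Run `audit(SAMPLE_INVITE)` to see the four findings, then `audit(sanitize(SAMPLE_INVITE))` to confirm the stripped message carries none of them.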
The "Bear in the Network" episode of CyberWire Daily offers a comprehensive overview of recent cybersecurity threats and developments, highlighting the evolving landscape of cyber espionage, ransomware, regulatory challenges, and innovative defense strategies. The insightful interview with Rob Allen underscores the importance of proactive, simplified security measures in combating sophisticated threats. As cyber threats continue to grow in complexity and scale, the strategies and solutions discussed in this episode provide valuable guidance for organizations aiming to bolster their cybersecurity posture.
Credits:
Senior Producer: Alice Carruth
Producer: Liz Stokes
Mixing: Trey Hester
Original Music and Sound Design: Elliot Peltzman
Executive Producer: Jennifer Ibin
Publisher: Peter Kilpe
Host: Dave Bittner
Notable Advertisements:
SpyCloud Identity Protection: Uncover and automatically remediate hidden identity exposures from breaches, malware and phishing to counter account takeover, fraud and ransomware. spycloud.com/cyberwire
Vanta's Trust Management Platform: Automate governance, risk, and compliance to enhance security posture and productivity. vanta.com
Cyber Care by Storm Guidance: Comprehensive cyber incident response and resilience services. CyberCare.com
DeleteMe: Remove personal information from data broker sites with ongoing protection. Special offer: 20% off at JoinDeleteMe.com using promo code N2K.