Corey
The nerds provided a lot of career insights to some of us.
Michael
Yeah.
Corey
Would we be in computers if it wasn't for Revenge of the Nerds?
Evan
That's a good question.
David
I'm not sure I ever saw that movie. I didn't know it was about. I didn't know there were computers involved.
Corey
Oh, yeah, you've got to see it.
Kelly
It hasn't aged well, though, if you actually watch it.
Frank
Many of those '80s movies haven't quite aged well. No, they have, especially the cringy comedies or whatever you want to call them.
Evan
Yeah, they wouldn't make it in 2024 at all. Like.
Corey
Ah.
Evan
But Time After Time, the Queen song, We Are the Champions. Talk to me, Skull Nick.
Kelly
Yeah. No, what got me into computers was. Was before then. Anyways.
David
So I'm old.
Kelly
My dad actually buying a computer in '79, '80, before even WarGames came out. I started programming it a few months after he got it because I was bored with playing games on it.
David
That's cool.
Evan
The golden years. Yeah.
Gina
Oh, yeah. So, yeah, I had the fun with that early computer that was also bought in the 80s. And then you would tinker with it. You would change something. And then it's like, father's out on trips. He's coming back home. You have to figure out how to undo what you just did before he gets back. That makes a really good. That turns you into a really good computer hacker of like, I'm going to try making this better. If I can make it better and nobody will notice, then it stays in place. But otherwise, if you try and fail, it's like, okay, you better figure out how to reverse this and put the computer back together.
David
Yeah, you learn a lot that way. Back the way they were, but exactly.
Gina
The way they were. And it's like, I swore all this stuff fit before I opened it. And you go, it's like missing screws.
Evan
Ah, don't worry about it.
Gina
You screw it back and you're like, wait, where'd this piece come from? Yep.
Evan
Ah.
Gina
Or you find out that it's like, it's it. You never put the piece back in and it still runs fine. And you go, well, I guess that wasn't. I guess they didn't need that. Like, that was redundant, I guess.
Evan
Yeah.
Corey
Oh, I got my start in computers with the little pulpressor calculator.
Evan
Oh, I remember that didn't happen.
Corey
I'm joking. And I'm not. I'm not good at math, so I don't know how I ended up in this Career.
Evan
I remember.
David
Turns out you don't need much math in this career. I think, like, I remember getting that advice in school, like, if you want to go into, you know, anything computer related, if you want a computer science degree, you've got to know a lot of math. And. Well, I never did finish that four year computer science degree, but turns out you don't need much math.
Evan
Close enough.
David
Yeah.
Corey
Gives me the cold sweats.
Gina
No, I was crazy. And I did the. I passed differential equations on the first time, and then I promptly decided to switch to political science and then get into hacking because I was like, I don't need this. I'm like, this isn't what I want to do. I don't want to do differential equations and eigenvectors. And there's someone in the chat that knows what eigenvectors is so that I didn't want to do that for the rest of my life. And I'm like, wait, I can just do what, be a PolySci major and get into infosec? Who knew?
Evan
Oh, my first. My first main computer, the house computer, was the old 486 with the turbo button.
Kelly
I better go get my cane.
Frank
I had a turbo button. Those are like, wait, why would I not want to turn that on? Just leave it on all the time.
Evan
Crank it up.
Corey
So is this the old geezer show? Did we just turn off all the young people? They're like, what the heck are they talking about? Oh, wait, Corey's here.
Michael
What are we talking about? Are you talking about the save button?
Evan
The great. The gray beard gala? Yeah, we really did.
Corey
We're talking about our first computer.
Frank
Yeah, I think the turbo button went from 33 MHz to 66 or something very dramatic like that.
David
Oh, holy cow.
Kelly
You know you're old when your second computer was a Commodore 64.
Evan
You know what? You know what? Yeah, that's. Wow. Yeah, that's all I gotta say.
Corey
Not old.
Michael
We're have no comments. I'm not.
Kelly
Little piece of trivia that Wade picked up on this from another podcast I was on a year ago. This desk back here is the desk that housed my Commodore 64 when I was a kid in junior high and high school.
Evan
Wow.
Corey
It's an antique.
Kelly
Yeah. Class. And it still works for a computer desk. I've got an older Intel processor sitting on there right now, along with a Raspberry Pi.
Evan
Look at that.
Corey
Are there Cheetos in the drawer too?
Kelly
There is no drawer. They didn't have drawers on those. It was just a simple table with.
Evan
Two levels to it with the tin can. Nestle Quik for chocolate milk.
Michael
Yeah.
Corey
You had to pry the lid off.
Evan
Yeah.
Corey
Corey, are you ready to talk about chicken stuff?
Michael
Yeah, I like I'm only here for the chicken stories. I don't care if it's not chicken. I don't want to talk about it.
Evan
You saw the lights change when he said it's not chicken.
Michael
It has to be chicken.
David
All right, so this is a pre.
Frank
Show story because it's not an official story. But yeah, there's another chicken related crime that we have to talk about because I don't know if they're related. Maybe they are because we last story we determined that there's a black market for chicken. Or there must be some sort of a black market for chicken.
Michael
Maybe this isn't chicken. Actually, I will say my name is technically wrong because it was actually salted duck. It wasn't chicken. And basically salted duck was used to potentially bribe an official. I guess I gotta say, how do you have a security clearance if you can be bribed with duck?
Gina
I can be bribed with live duck.
Michael
Okay, they were assaulted. I know.
Gina
I don't want salted duck.
Michael
These are salted ducks. Okay, I don't know what that means, but then it's good on a pizza.
Frank
They're gourmet ducks.
Michael
I guess I need to change my name to poultry-based crime expert. I'm getting interviewed for the next History Channel show. I can't wait. I always found the most specific experts for the History Channel. It'll be like, yeah, I'm a 17th century bladed weapons expert. Like just some random guy that's like, yeah, I, I know about swords.
Frank
No, I guess that's all we had to say about the poultry.
Michael
Apparently it's so good, it's worth doing crime for it.
Frank
It must be.
Kelly
They just put it on her bill.
Michael
Is that a pun? Puns are banned.
Corey
Oh, they are?
Michael
No, but this US official is about to be banned. I mean, yeah, I don't even know. I guess they worked. This official worked for the government of New York State specifically.
David
What were they getting in exchange for the ducks?
Michael
No, no, no, they were getting. Oh, what were they giving. You mean like what were they. What was the currency?
David
What were they selling for duck?
Michael
Well, I don't think they were selling anything. They're basically just giving, you know, giving favorable. Apparently they blocked. They blocked. So. And this is all in the article, but basically actions benefited the People's Republic of China and the Communist Party. They blocked Taiwanese officials from having Access to the governor's office eliminated. So it was mostly anti Taiwan stuff, but basically it was like ensured that state officials did not publicly address the persecution of Uyghur Muslims and all that good stuff. So, you know, normal cover up combined with blocking access to people that you don't think deserve it. So the old corruption, classic. The classic corruption, the colossal corruption, all in exchange. It was more than ducks, unfortunately. I think it'd be better if it was just for the ducks. That'd be a better story. I'm sorry, I just really like duck. All right. I'm gonna go to prison now. Yeah. But also included travel benefits and just money, which is super boring.
Gina
I mean, I was thinking that would make like an interesting pre show banter question. And it's like, what. What wild item could be your bribe? Other than the obvious money.
Michael
Yeah, it has to be. I mean, apparently duck. Maybe I need to get my hands on some of this duck.
Corey
Well, they sent these beautiful salted ducks to the parents of the senior aide. And honestly, it's something to consider, especially with in-laws. If you're in a heap of trouble or you're trying to impress your in-laws, maybe send salted ducks.
Michael
Okay. It's the new version of flowers. Honestly, I'm not a huge fan of duck. Is anyone a huge duck fan in here?
David
No, never has.
Michael
Kind of gamey. It's kind of. I don't know, it's. I'm not a huge. It's kind of fatty. Not a big fan. Anyway, I guess we should do the show. Sadly, this isn't a food podcast. Hello and welcome to Black Hills Information Security's Talking About News. It's September 9, 2024. We're here to talk about poultry-based spy efforts. We're here to talk about, honestly, Yubikeys. Who's. Who's been. Who's been reading up on the Yubikey stuff? I think that's kind of a spicy one.
Corey
Ooh, spicy.
Michael
So Ryan will find the article. But the long and short of it is some researchers disclosed an attack that allows you to clone Yubikeys, which Yubikeys are kind of the. For those that don't know, they're kind of the gold standard, I would say, for security authentication keys, hardware, physical keys. Like, it shows a picture there of the little USB guys, but basically attackers or researchers have a way to clone them. But I will say, I mean, Loki already spoiled it in chat, but it's a little overblown because it requires physical access to the key. As you'd imagine for cloning. It requires over $10,000 in equipment and it requires you to disassemble and reassemble the Yubikey. So it's kind of like for anyone other than, like, chicken or poultry-based spies, probably not going to get targeted with this. And again, like, you do have to also have physical access to the key. So if you keep your keys in a safe spot, probably not going to be affected by this.
David
Yeah, you got to probably. You probably have to have access to the person's username and password.
Michael
You do. And possibly also their PIN. So it's like you really need all the things. It's pretty overblown. I will say credit to the researchers. It's a very awesome. It is really interesting if you read how they disclose the attack. They actually had to reverse engineer. So to get into a little bit of technical details, there's a company called Infineon. I don't know if I'm pronouncing that right, but that actually makes the cryptographic chips, like the secure enclave or whatever you want to call it, on the Yubikey, and that library that they provide is the vulnerable library. And it's like totally undocumented. You have to sign NDAs or whatever to even get access to the documentation, all that good stuff. So credit to the researchers. I'm sure this one was really difficult to investigate and discover when everything's closed and you had to reverse engineer it. But still really cool, I think, but probably the modern equivalent of Van Eck phreaking or whatever. It's like not going to get used unless you're a super high value spy who also uses Yubikeys.
Kelly
Not to duck the issue on this one, but I really think the big takeaway on this one just happens to be the fact that you can't upgrade the firmware. If you are that concerned about it that you want to fix the problem, you have to buy all new Yubis.
Michael
That is true. I really hope some company doesn't read this and be like, all right, get new Yubikeys now. Like, they probably will.
Evan
Yeah, they'll be screaming, where's the purchase order? Let's go.
Michael
But really, I wouldn't, I, I wouldn't recommend that. I don't know if anyone.
Corey
I think you bring up a good point though, Corey, because remember we, we're talking about some of us who have been around the block a few times. Do you remember when we had the old RSA tokens and everyone thought, okay, these things are perfect. No one's going to be able to hack them. You know, people would have them on their key rings, you'd see them at football games. And we got overly confident about how secure the RSA tokens are. I think maybe we got maybe a bit overconfident with how secure the Yubikey tokens are as well. So in a way, this is kind of a good reminder that everything can be broken eventually.
Michael
I don't know. I think the Yubikeys, even as implemented now, are still pretty secure. Like, I think, if you. If you ask me, would you rather have traditional MFA or a Yubikey that's vulnerable to this attack? I would still rather. I'd still think a Yubikey that's vulnerable to this attack is more secure than traditional MFA. My.
Corey
I agree with you on that. Absolutely. And it's nice to have the physical device, but some people were going along the camp of thinking, oh, this is indestructible, it's unhackable.
David
And I don't think anything's unhackable. Nothing.
Michael
Yeah. And I will say, like, you could argue, oh, why didn't they let people update the firmware? Probably so people wouldn't backdoor their own firmware unintentionally. Right. So it's like, I'm assuming that decision to not allow people to update the firmware was intentional. It's kind of annoying that now you have to buy a new Yubikey if you want a fully secure one. I think at the end of the day, this. So the, you know, the Yubikey is still the gold standard. It's just if you really want the DoD compliant or whatever version, now you have to buy another one.
Gina
Unfortunately, I also like how, like, the cloning of the Yubikey isn't necessarily, like, a core issue, because prior to this cloning vulnerability, like, you still had that same threat vector. Somebody steals your Yubikey, knows your usernames and password, logs in, and they just give it back to you without cloning it. Because oftentimes the level access they have, that one time is enough to do.
Michael
The damage they need to do to add another Yubikey.
Gina
Yeah, you can just add another Yubikey. Yeah, that was already a threat model, but now you go, it's like, okay, well, now they can. Now they can clone it, and suddenly everybody's hair is on fire. And it's like, well, but the Yubikey had problems. You know, had this detector before and were you worrying about it then?
Michael
Yes. I mean, I really.
Kelly
I really feel this is just another case and we've all seen it over all the years of stunt hacking where people get blown out of their minds because of something that, I mean you see it with like the laser can go ahead and listen through the walls and tell you exactly what data is on this.
Evan
Right.
Kelly
What's the real risk factor on it? It's really another lesson in is this a risk factor or is this just something that's going to wind up being sensationalized just because of how secure we thought something was?
Michael
I will say I, I get what you're going with the stunt hacking thing, but I think it's more just the cutting edge of security research because, as Kelly said, these things were kind of bonded as the most unhackable thing on the planet. And it's good to kind of get a reality check of, you know, this isn't actually unhackable or. Yeah, you know, so I don't, I kind of, I agree with you that like it isn't going to be impactful. I agree with you there. But I do think this is an example of like it's not. I think it's more about the researchers saying everyone's saying Yubikeys are perfect. Let's go ahead and prove they're not perfect. They can't. They do have vulnerabilities. And another thing that Chair Char mentioned in chat was these Infineon chips are used in more than just Yubikeys. They're also used in cryptocurrency wallets. I would imagine they're probably used on cell phones, like for, to store biometrics or things like that. These chips are standard chips, so reverse engineering them is pretty impactful. Even if the fix isn't like an MS08-067 patch now or you'll be joining the Conficker botnet tomorrow situation.
Gina
Well, who knows what grows out of like this stunt hacking as well? Because I remember even from like pager capturing, like, remember like when that first showed up on the scene and it was like, oh, it was some story where it's like somebody had like these weird like rabbit ears and tin foil and they were able to pick up like the pager messages that were going around the hospital and they're like, ah, that's, that's stunt hacking. Now you can do that with like an SDR, like you know, a twenty dollar tool. Like twenty bucks you go, yeah, I can pull that from you know, three counties away. I can pull that stuff. So it starts as kind of like this proof of concept stunt hacking and then it becomes like a real threat. Which, yes, nowadays, like, even, even today, you can still pull some sensitive information just over feature capturing.
Evan
But isn't that how all hacks start? I mean, if you think about it, right, like, if it's like even, for example, like mobile phones, right, back in the day, like with Android or whatnot, it's like, okay, cool, you get like Linux on a phone or whatnot and then people try to figure out ways on how to hack that. And it's like a little bit of research turned into a wider gap of research. And now it's turned into something like phenomenal, you know, look at when it comes to like Yubikeys. Like, yeah, we may say, yeah, this is a stunt hack or whatnot, but this could open the door to more impressive research. So kudos to the researchers that found the time to get in there and start digging away and looking at things.
Kelly
And I wasn't meaning to try and disparage the research portion of it. Oh, no, it's one of those things that the everyday person will look at this and start to get worried. And to us, it is an initial research thing, which is why I like to call it a stunt hack. It was done as a stunt to show that this could happen.
Michael
Oh, yeah.
Kelly
The reality of it at this point in time is that right now it's not something that somebody has to worry about. The Yubikeys are still safe and Infineon is working on it. And I do believe. I don't. I haven't looked at the article in a couple of weeks, but I do believe it was like one specific firmware of it. And earlier ones and early, way earlier and way later ones were not affected by the same hack.
Michael
Yeah, it's one library version of the Infineon library that they provided. So the firmware, though, is baked into the hardware and you can't change it. So I will say for most people, like, they're like, Yubikey, what the hell is that? I don't think a lot of people know what Yubikey is.
Evan
You know what, you're not too far from that.
Michael
Yeah, yeah, most people are like, oh, you mean, would it text me the code? Is that good or bad? But yeah, I mean, for CISOs or for, you know, for. I don't think decisions like in the chat, some people have had some good, you know, basically, like, if you already have these in deployment in live, I don't think you need to go like panic and recall all of them and immediately upgrade. Unless you're like the NSA or the FBI. If you're just a normal company, then in the future you probably shouldn't be rolling out vulnerable Yubikeys. You should probably cut new deployments until you can get your hands on some new ones. So it's definitely. Yeah. And it's a really bad time to buy Yubikeys on eBay.
Evan
Hold on to those purchase orders, folks.
Michael
Yeah, I don't know, I thought that was a kind of. Also just to kind of like as a final thing, it does require valid credentials and the user's PIN. If you have a PIN on your Yubikey, which if you don't, what are you doing? Then it. It is not really vulnerable unless your PIN is 1, 2, 3, 4 and the attackers guess it. So. Yeah. Anyway, that was a fun little article. Does anyone have any desire, any poultry-based articles we can go to next or chicken or any of that?
Kelly
No, I think we're all being chicken about it.
Gina
Oh, well there I. Yeah, I see something from. On the list here from like researcher Jeremiah Fowler. So I don't know if that would. Friend of the show. Yeah, chicken related.
Michael
Chicken related.
Gina
Fowler foul. Fowler, Poultry. I don't know, I'm just trying.
Frank
That's a stretch, but we'll go with it.
Michael
Has any. Has anyone read the article and wants to run through it? Because I have not.
David
Yeah, I skimmed it. It looks like there are. Or there. There was patient data that was stored on some kind of cloud storage service. I don't know what the service was. I didn't see that in there. But basically something akin to a, you know, misconfigured S3 bucket. Because it mentions in the article that there was an S or a misconfiguration in there that caused all this patient data to be exposed. What was interesting to me was the patient data for this company included things like recordings of telehealth sessions with patients where they're talking to a therapist or something like that. And there was like gigabytes. And gigabytes of this.
Michael
Yeah, it said 5.4 terabytes. That's great.
David
Yeah, so it sounded like it was pretty serious.
Michael
The main question is, is it Confidant Health or Confident Health? You know, Confidant Health. Apparently not a very good confidant, if we're being honest. I mean, this kind of cloud exposure, was it like an S3 bucket or was it like just kind of one of those like IDORs or something like a web app thing at the bottom? We'll have to.
David
It just mentioned a misconfiguration and cloud services that it was stored on a cloud service. So that's all I saw in there is with like as specific as I got.
Michael
Yeah, I mean it is, I guess like let's just assume it's either S3 bucket exposure or some kind of backup file exposure or something like that. But I will say like you're right to be very confused about why this would even be recorded, even if you are a therapist. I mean, I don't think it's normal to record therapy conversations at all.
Evan
I thought it was. Wasn't allowed.
David
Yeah, you would think that it wouldn't be allowed. Like just be, you know, ephemeral.
Corey
But it's a virtual company so they're probably offering healthcare services or mental health care services to people who are nowhere near a therapist. So it has to be virtual but it doesn't have to be recorded.
Michael
Exactly. I mean maybe, yeah, maybe they're trying to enrich the data. I mean they're trying to sell the data, if we're being honest. They're trying to say 42% of people mentioned alcohol in their conversation with their therapist. Like who? Shocker. I don't know. Just like this kind of data shouldn't be stored in the first place and if it is being stored for some reason, it shouldn't be stored in an exposed manner. We'll have to have Jeremiah on the show and have him run through the.
Kelly
Yeah. The only thing I can think of as far as why they would record it, et cetera is in the past they'd use like tape recorders, but they'd keep the tapes just for being able to double check their transcript to make sure that they got everything for their notes going forward. That's the only reason I could think of.
Michael
True, it was also mentioned it could be Snowflake, something to think about. So yeah, I mean, but again, who is giving. Who would give their recordings of all their health things to some random Snowflake contractor anyway?
Evan
Well, it is 2024.
Michael
That's true. Are you a big data scientist? Come and tell us how we can sell things better.
David
One thing I'll point out that it stood out to me in the article. I just thought this was kind of interesting. Was when they were talking about the investigation into checking and seeing if this data was accessed by any real world attackers. Because this was accessed by the security researcher. They reached out to the company and then they checked to see if has anyone else accessed it. Allegedly no other malicious actors had accessed it. But they also mentioned that according to their logs no AI systems of any kind had accessed it. I thought that was pretty interesting for them to point out because that is a whole nother potential threat model and risk that. What if all of those videos had been ingested by some artificial intelligence that would, like, expose that data in a whole new way?
Michael
Yeah. Let me go ask ChatGPT what people talk about in therapy and see what it comes up with.
David
Or like one specific person talked about in therapy, potentially.
Michael
Yeah. True, true. Let's say my name is Blah. What do I talk about in therapy?
David
Chicken.
Corey
Would this be a good time to segue to the story on the California AI Bill?
Michael
Yeah, hit us with the. Hit us with the bill.
Corey
Okay. As many of you already have heard, the California AI Bill, SB 1047, did pass. This was a law, for those of you who aren't familiar with, has sparked a lot of conversations going back and forth. A lot of people for it and a lot of people against it. The reason why there was a lot of bits and pieces to this bill, first of all, they wanted the ability to screen for potential cybersecurity risks or infrastructure risks in the AI models. They also wanted a. A mechanism to basically pull the plug. Is there a way to quickly and fully shut down the model?
Michael
What you mean is cut the hard line. We've seen the matrix. Cut the hard line. Cut the power to the building.
Evan
Cut it.
Michael
Cut the power to the building, sir. The building's in the Netherlands, we can't cut the power.
Corey
So there was. So a number of the large AI companies in California, like OpenAI or. Oh, I can't think of the other one. It'll be in a minute.
Frank
Anthropic.
Corey
Anthropic. Thank you. Thank you. Said, hey, we're concerned that the specifications you put in the bill are too limiting and it's going to crush startups and small companies. So I do applaud California in that they listen to feedback from some of the larger companies. Interestingly enough, the California Chamber of Commerce was against the bill because they were concerned it was going to impact jobs or make California as a state less exciting or less inviting for new businesses. But eventually the bill did pass. It is sitting on Governor Newsom's desk. He's got until September 30th to sign it or not sign it. But the thing that's kind of interesting from a governance point of view is they're trying to establish AI standard of care or do care. And I don't think that is a bad conversation to have.
Michael
I just like that they're, oh, go ahead.
Kelly
Sorry. I was just gonna say it sounds like a lot of companies are worried about their golden goose going away, which is fair.
Michael
I mean, right now, I would say they're definitely not gonna duck the issue. I use the same one. I can't do it. I can't do it. I'm only an expert on crime. I don't know anything about chicken pud.
Evan
At least put some dressing on it.
Michael
Oh, all right. The other joke I was gonna make, which is super on topic, is that, yeah, they're creating a board of frontier models. Okay. I have to imagine a scenario. Scenario where, like, some old politician is, like, looking at available committees to join is like, ooh, there's a board of models.
David
I like.
Michael
I'd like to be on that board and look at models all day and then joins it and is like, what the hell is an LLM? What is happening? I don't know what any of these acronyms mean. Where's the models?
Evan
Bring in the model lavish large modules. I think that's a standard lavish in there.
Gina
That's a standard government committee. To not understand what any of it is about or any of the acronyms. Yeah, I mean, I don't know what these acronyms mean. I'm not going to join this. Like, yeah, doesn't stop politics.
Michael
I have such mixed feelings on this because on one hand, California has such a bad track record of, like, making bills that are based on vibes, like Prop. Prop 53 or whatever. The one about the cancer warnings or whatever is just so ridiculous. It's like you're going into a hotel in California. It's like, this hotel contains chemicals. It might cause cancer. It's alert fatigue. No one ever cares or listens to things that might contain cancer. That's, I think, one of the worst examples of, like, California legislature. But on the plus side, they are listening to companies. They're amending the bill. They seem somewhat willing to take feedback on this. So maybe it could be beneficial. And we know that other states are going to follow their. Their same. You know, they're going to follow the lead of California. So. And also notably California. It's not like Wyoming's doing it and hoping everyone listens. Like, California is the absolute geographic center of the universe when it comes to AI research. So although I guess arguably they could all move to Florida Joe Rogan style. Like, they could just be like, all right, peace out, we're leaving. Yeah, Yeah. I mean, it's tough, but, like, you know, it's a lot of money. At least the Bay Area, that's one of the main things they have going for them. They have a lot economically, not going for them. So it's like. I'm sure that is a tough political thing, but I don't know. We'll see.
Evan
I'm so glad they stopped complaining about the radiation. I mean, and the folks that were complaining probably were the ones that had beepers on their hips for a long time, but want to complain about radiation, but it's right in your hip. So. Yeah.
Corey
So let me ask you guys this. What's worse, no regulation or bad regulation?
Evan
No regulation.
David
Depends on what you mean by bad regulation.
Michael
I think bad. Worse than none.
David
It could go multiple different ways. You have bad regulation due to corruption, or you could have excessive bad regulation, or you could have bad regulation that gives the appearance of helping somehow, and that doesn't actually do any good at all.
Corey
So, Michael, let's take what you just said. How would you apply that to AI?
David
Oh.
Evan
Yeah, that's a good one.
David
Yeah. I mean, now I've got to remember all the different types of bad regulation that I just said.
Michael
I mean, one joke is like, okay, so they're requiring that companies have a way to turn this off. Is there just going to be a compliance document that says, in the event of an emergency, we'll run the command shutdown now on the web server? Like, is that. Is that going to be the document? The engineers are like, no, they're gonna have.
Kelly
The cables underneath a guillotine before they're pulled.
Michael
That's what I'm saying. And chop, is that where this is going to end up? Where, like, cut the power to the building? Like, is actually a thing.
Evan
shutdown -h wins.
Michael
Is there gonna be, like, a laser trained at the memory chips that's gonna melt them? Like, how are we like it? That's. You know, I think I'm joking, but it is an example of, like, if you require people to be able to do this, it's kind of on some level, like, do we. What. What is that going to be? Is it going to be cut the power to the building? Is it. Is it going to be, like, because of how these things scale, is it, like, shut down the whole Internet? Like, I don't know what the.
Kelly
Well, and then on top of it all, it's a matter of how many locations do they have those machines set up in, and what is in jurisdiction? What is out of jurisdiction?
David
Like, does cutting power to the building even do any good at all? Or did it just shut it down in that one sp and every other redundant other data center that they've got is still up and running, right?
Michael
Yeah. Maybe the engineers will look at the regulation and be like, oh, yes, we can go back to mainframes. Yeah.
Evan
Oh, man, oh, man.
Corey
One of the things we are looking at in the bill. So I want to continue the conversation about good regulation versus no regulation or bad regulation. So one of the things that the AI companies brought up as part of the discussion of the bill is downstream. And that's one thing I'm glad we're talking about it with AI. We didn't necessarily talk about it when cybersecurity came along. So let's take a look at what happened with CrowdStrike earlier this year. Look at the downstream harms of that situation. It's not a breach. It was. Let's just call it the meltdown, the CrowdStrike meltdown. So I'm kind of excited to see that legislation is looking at, at least acknowledging that there could be downstream harms of using AI. But I think the big corporations are also saying we're trying to protect ourselves. So if somebody downstream uses our models incorrectly, we don't want to be held liable. But at the same time, government wants to say, listen, if your AI takes lives or causes significant safety concerns, we need to address that.
Kelly
Well, doesn't. And I'm going to go a little bit tangential on here. Doesn't that already mean that we need a privacy bill to stop the AI in some instances? Because already data privacy and AI sort of go hand in hand with how the LLMs learn from the data coming in. I mean, we've seen it with, with things like meta AI and stuff, where they're pulling in the data without actual real consent. Isn't that already damaging things enough? Isn't that already causing problems? Couldn't that already be causing problems downstream for people?
Gina
Yeah, and I think there were even like some instances where it ingested, like, bad joke advice from Reddit. And it goes. It's like, okay, there was the how do I keep the cheese from sliding off my pizza? I'm sure somebody understands that reference. And the AI said, hey, use some Elmer's glue on it. And well, that was. That was taken from like a Reddit thread. People found that actual Reddit thread. Even worse, though, was that, you know, digging through that, they were finding that it consumed like, some bad advice regarding suicide prevention. And that's catastrophic, you know, for being able to ingest, you know, that type of bad advice for downstream impact, you know, or, you know, just separating out that that bad Advice for even privacy concerns. Like, what happens if like AI accidentally ingests and then produces sensitive information? You know, how to, how do you cut that off? Like if you just cut the power line to it? Well, great. You still have a database that has all that information. And how do you pull that sensitive information out of the AI model so that it doesn't get distributed to the general public?
David
Yeah, that's a good question. Are we essentially building a system that's too complex to effectively regulate? I think that a lot of AI models, as data gets fed in, it's not necessarily clear how that data is structured internally where a human could potentially, you know, like examine it themselves and without having something else to kind of process. So, you know, is that type of regulation on what data goes into it or anything else even possible beyond just, you know, saying you're not allowed to put this type of data into an AI model, You're not allowed to collect from these types of sources?
Gina
Yeah, I mean, you can say you are not allowed to collect from these types of sources, but you need to have a control for. Okay, well what happens if it does?
David
Sure.
Gina
Like I could say, you know, just for BHIS or the audience, like, what happens if like all the pen test reports, like somehow accidentally get ingested by AI and now you can query them and go, oh, hey, you know what? You know, I'm trying to hack into Company A. How do I get in? It says, well, according to this, like Black Hills Information Security, you know, pen test report that they did on this page, they were able to find these sort of vulnerabilities. Everybody's heads would melt with that. But they go, it's like, well, you weren't supposed to put that in the AI. It's like, well, it's there now. All these, you know, how do you, how do you take that out? How do you stop people from accessing that information? You can't just say, well, they broke the rules and we're just going to fine them. Because that's not going to help Company A. That's like, well, we just got, like, we just got hacked because of what AI ingested. Black Hills pen test reports doesn't help out Black Hills because they go, well, all of our pen test reports got ingested and you have no recourse for it.
Evan
So yeah, yeah, it's AI is making folks kind of rethink things. The policy writers have a lot of work to do. People who are like creating more like newer, up to date security controls have a lot of work to do. We all have a lot of work to do when it comes to AI in general, so.
Gina
Yeah. Yep.
Michael
I'd say we're just. We just. I'd say we just quacked this article wide open.
Kelly
So what more tales do we have to go with today?
Michael
We have to. That's a good question. Does anyone have any other articles that they're passionate about? We got Rambo attacks. Another stunt hack.
David
I like that one. Just because it sounds cool.
Gina
I could say that we could. We could segue to something that smells good.
Michael
We could talk about the Olympic. Olympic. You know, Olympic ransomware. I guess we're calling it. Who Gets Gold. Okay, okay. Who's going to get gold in this year's ransomware Olympics? Probably Brain Cipher, which is a threat actor I've never heard of. Has anyone heard of Brain Cipher before?
Gina
No, I thought it was Brian something too. I read it as Brian.
Michael
I was like, who's this Brian? My name is Cypher. Brian Cypher.
Gina
I was like, that is an awesome security name. Like, I should grab that in the handle if they don't have it yet.
Evan
He's promised 300 gigs of a data leak. Promised it.
Michael
Okay, so the incident affects French national museums. It only happened during the Olympics, so it's barely even an Olympic ransomware. I would say didn't even qualify for the event. But I mean, what is 300 gigs of data from museums? I guess it could be sensitive data, like people who bought tickets or something like that. But in my head, it's just like a bunch of, like, guided tours of various museums. Like, you know, just not very. Like, I don't think of museums as having a lot of sensitive data but no donors or something.
Corey
Do you think he was working around the clock on this?
Michael
I think he was probably Brian Cipher. Yeah, I'd say. I'd say Brian Cipher was. Was working around the clock all day.
Gina
Click cluck.
Michael
Click cluck. Yeah, I mean, yeah, I guess. Keep an eye on the. Allegedly they're claiming the attack. So.
Gina
Yeah.
Michael
And I can't stop seeing it as Brian Cipher now. So you're welcome. Apparently the payload is. Apparently the ransomware is based on LockBit 3.0. So it's kind of a known. Known rate. Known malware.
Corey
So what I'm guessing or the five I'm getting here is. Yeah, yeah, yeah. It's just another thing. It's not as sexy as everyone thinks it is. It's just another. Is that fair to say much?
Michael
And barely even Olympics related. But we have to cover the ransomware corner of the show, we have a whole region of the Internet for ransomware.
Gina
So yeah, I think though, it's. It's using LockBit and evolving it a little bit to, you know, that, that I'm trying to read in the. The. It's equipped with more persistent and evasion techniques. So when you go, it's yet another one that uses LockBit, but it's doing more persistence and evasion techniques. And I think it is important that we still bring this up in the ransomware corner because it's making those incremental things just so it doesn't come out of left field and people go like, oh, holy cow, how did LockBit evolve to 4.0 and has all of these evasive techniques and it's super complex now and I don't know how to defend against this. Where did this come from? Well, it did that in small increments. So when you hear these reports going, hey, it introduced something new, you know, you're likely in another month going to have another report saying, hey, they use LockBit, just like, you know, Brain Cipher or Brian Cipher did, only they did something additionally new. And you get those small steps that you go, okay, well, how did we wind up here? It's like, well, because of all the small steps that we pointed out along the way.
Kelly
So basically we could say that they weren't winging it.
Evan
Oh, man.
Michael
There's a part of me that like, feels like we're way overdue for a big vulnerability disclosure. And I'm just like, scared waiting for what it's going to be. I feel like it's been a while since anything crazy happened. Maybe I'm just like, too paranoid.
Gina
But it's going to be the vulnerability that they couldn't get patched in time for it to be discussed at Black Hat and DEF CON.
Michael
Okay.
Gina
There's going to be something that's going to, you know, that shoe is going to drop.
Michael
You're right. Maybe. Yeah, maybe we just kind of. Yeah, I don't know. Let's just hope that nothing bad happens. That's what I do. You think? Let's talk about Navy ships trying to get Wi-Fi. Yeah, that was a pretty funny story.
Gina
If something smells. If something smells foul, it might be your stinky Wi-Fi.
Michael
Well, what they say is if it looks like a duck and it quacks like a duck, then it's a Wi-Fi. So this article is kind of interesting, but I guess basically, I'm sorry, the.
Kelly
Jokes are laying eggs at this point.
Michael
Okay. Yeah, yeah. The, the, the Navy. So this is basically a story about how Navy chiefs conspired to get themselves illegal warship Wi-Fi, AKA Starlink. So basically, the chiefs, you know, the commanders of the ship, installed Starlink and secretly put it on top of the ship and called it Stinky, which is so.
Gina
And that's where I put in that additional article, because I don't think they called it stinky, because, like, the Ars Technica article, they updated with their link saying, oh, it turns out that Stinky was actually like a default name for some time. And they were like, they didn't find that believable either. But then it was like, oh, well, then Mr. Musk has a tweet saying, like, hey, at this point, we're just going to name the default one Stinky. And then if you feel embarrassed by having that, fix your network Project Winky.
Michael
All right, okay. So I was never, you know, I, I was never on a. I've never been without Internet for an extended period of time unless it was voluntary. But is it worth breaking the law just to get, like, also, why don't they just have Internet on ships? Well, what is going on?
David
I mean, is it worth, like, degrading the opsec of the entire ship in order to just get Wi-Fi?
Evan
And so you could be on Reddit?
Michael
I mean. Yeah, well, the question is, why can't they already be on Reddit? That's. I want to start with that. Why don't Navy ships have Internet? Is this a security thing? Is it just a.
Gina
And there is a thing. This, this could go back to, like, the recent. I'm thinking of, like, Darknet diaries, like the most recent one where they talked about, like, a comms blackout, that somebody died. There was like a, an incident where a soldier lost their lives. They go immediate into, like, a comms blackout because they need to notify the family first before somebody posts something on Reddit.
Michael
Yeah, gotcha going.
Gina
Because you don't want to have like, some Reddit post from, like, a Navy ship going, oh, we took some fire, some combat. We only have like, you know, three servicemen died and everything. And that winds up on Reddit. And then you get the family members going, how, you know, Department of the Navy, please explain to me how I found out about this through a Reddit post before your official called me. So they were. And that was like, the Darknet Diaries was talking about, like, Evil Mog, you know, in his stories and his history. That's like, he just had to, you know, shut down, count back out in that, that theater.
Michael
So it's about control, which for a naval ship with a bunch of missiles on board, seems relatively important. Yeah, so it's, it's, it's about, you know, the Navy being able to control what information is coming and leaving on the ship.
David
Yeah. The article actually says it can be for a variety of reasons that include operational security. It says that the crew's Internet access is regularly restricted while underway. So. And it can be even to preserve bandwidth for the mission, to keep the ship safe from nefarious online attacks, et cetera. So like, it sounds like there are times whenever the entire ship does have Internet access for the crew. It's just that at other times they have restricted that access probably for good reason. So like, to circumvent that. That seems like a terrible idea given the, like, what your job function is in this role where, I mean, it sounded like a, I don't know, like military ranks and stuff. It sounded like a fairly high ranking enlisted person on the ship. So probably.
Corey
Do you think somebody clucked up here?
David
Yeah, I'd say so.
Michael
Okay, the question I have. So this was kind of like, it was like a little ring of like high up people that had access to the stinky Wi-Fi.
Gina
Well, the chiefs, so the officers didn't have access and the lower enlisted didn't have access. It was that circle of chiefs that had access and really went to like extremes to conceal it. Because I was reading also that like they were rifling through the suggestion box for the captain and the commander where people would like put in these things, being like, hey, what is this Wi-Fi network doing? They would take those little like notes out of the suggestion box and shred them and be like, they don't need to know anything. Yeah. And I think it was just for, you know, the top enlisted guys that were, you know, wanting to watch ESPN or.
Michael
Yeah, you know, check. I mean, I will say like this. There are plenty of examples in the past where data leaked from military can do damage to real things and real operations. But I will say, like, you could argue that being this high up should grant you access to Internet. Unfettered Internet for. I mean, it's funny to me that they don't just Google like how to fix a battleship or something. I know there's like procedures and stuff, but I feel like there's plenty of scenarios where being able to have chiefs being able to read the Internet, arguably that information that could be used by the enemy could also be used by them. Like watching the Twitter of the ship.
Evan
They're following internal threats galore.
Michael
I know it's intelligence, technically some other military entity should be getting that, filtering it down to them. But like, I guess I'm just surprised like that the chiefs don't have Internet access.
Gina
Or you could sit there and go, you mentioned Twitter, who owns Starlink? And what do they think about the current war in Ukraine? And would they be able to know where this Starlink satellite is? And go, hey, that's information that is valuable. So yeah, I mean, for sure.
Michael
But how many other ships do you think have Starlink? And I mean if they were to just look at a map of all, like, they would have to know. Yeah, I mean it is, it is terrifying from a privacy perspective what you could do if you were monitoring all the traffic and location of naval ships. Like that is such an intelligence leak for the US like, and yeah, of course it's illegal.
Gina
There's others that would have Starlink, but the Navy would know which ones those are and be able to control appropriately instead of sending a ship out for operations that you know, where they don't, don't know that. It's like, oh, this, we didn't know this had a Starlink satellite and it is, you know, beaconing its location to, you know, some that have that insight. So they wouldn't, wouldn't be able, the ones that have Starlink, they'd be able to control for that variable.
Michael
Yeah, I mean, I will say that the person who perpetrated it, or at least who got in trouble for perpetrating it, only got demoted. They did not. There was no criminal action or no like they just demoted. So back to the ranks of people who don't have Wi-Fi. What else is happening in the world? I mean there was APT29 stuff. That's old news. We all know about APT29. There's more stunt hacking. We could talk about the TSA thing.
Evan
I guess it's at an all time high.
Michael
Apparently the TSA is vulnerable to SQL injection. So basically this is an article from the Verge. Researchers say a bug let them add fake pilots to rosters used for TSA checks. They essentially found. Ian Carroll wrote this blog post in August and then Sam Curry is the other person responsible for this. They found a third party website that the TSA uses. The third party is called FlyCASS. Why it's not FlyQuack, we don't know. But they provide smaller airlines access to the Known Crewmember system. Basically they're giving access to be able to have smaller airlines able to have pilots that can kind of sweep through security easily. But sqlmap was used to add the username of tick or 1 equals 1 and a password of tick parentheses or 1rmd5. Yeah. So basically they SQL injected their way into an admin of Air Transport International account. And how is their SQL injection? I guess it's the airline industry. They're notorious for having tech debt up the wazoo. Or the aerospace industry does. Yeah, yeah.
Kelly
The kicker is that it didn't affect anything like your Americans, your Deltas, your United's, because they use their own systems. So it literally was these smaller ones. And the smaller airlines are going to be at smaller. Tend to be at smaller airports overall.
Michael
Well, but isn't that data shared? Right? Like, isn't the KCM system shared between different airports? So I could like add myself to the system at a smaller airport, then go to a bigger airport and be like, oh, I'm actually scheduled to fly. Maybe it would hit some kind of check where it'd be like, oh, you know, oh, you're not actually on the roster. You don't have a flight.
Kelly
Oh, this airline doesn't come. Or oh, this airline does not exist at this airport.
Michael
Or that. Yeah, I mean, I don't know. I. All I'm saying is people in chat have already called this out, but clearly they're winging it.
Corey
Birds of a feather fly together.
Michael
I really hope Brian Cipher makes a comeback. Slow week. I can't believe we went. We went on break for two weeks and there's no good hack. I think so many India or so many breaches. Durex India, Dick's Sporting Goods, Avis, Planned Parenthood, Halliburton.
Kelly
Hackers inject malicious JS in the Cisco store.
Evan
I think this is a big one.
Michael
Is this just a sign for the sign of the times that there's five big breaches and we're not going to talk about any of them because no one's surprised anymore? Like, it doesn't even matter. Planned Parenthood, Avis, Dick's Sporting Goods. Yeah, I mean, whatever.
Kelly
They're all flocked together.
Michael
Okay. The one that now I think about more is Durex India. Durex is a company that makes contraceptive products. And I guess I didn't really think anyone was buying those directly from the manufacturer, but apparently they are and now their data is breached. That's kind of really rough situation. No pun intended.
Corey
Don't touch it. Don't touch it.
Evan
Don't do it.
Corey
Don't do it.
Michael
Yeah, I mean, this, this could be a really embarrassing data breach to use for a lot of really bad blackmail situations. It's ironic. I think this is the most impactful one. Maybe Planned Parenthood could be pretty bad too, but, you know, no one's gonna care if you were renting a car or buying tight shorts or whatever at Dick's Sporting Goods. But this one could be more impactful.
Corey
Well, I'm. I might disagree with you on that one, Corey, because let's. Okay, I'm going to try and stay out of politics here, but in some rural parts of the United States, you don't have access to doctors or nurses. And in the event of an STD or getting pregnant, Planned Parenthood may be your only health care option.
Michael
True.
Corey
So that there is a data breach at a health. I would call them a healthcare organization. I'm not getting into politics here. I think it's pretty profound. And also I will talk about politics for a second here. We've got a lot of conversations happening in our country right now about teenagers, young people giving consent on their gender and their sexuality. This Planned Parenthood data breach kind of stirs the pot on that whole conversation as well. So it's not just about the data being leaked. It's what are the ramifications, what relationships are injured? Does somebody have to go down a healthcare alternative that they weren't considering or didn't want to? So sometimes when we look at data breaches, there are socioeconomic, sociopolitical elements to data breaches, not just vulnerabilities.
Michael
Very true. I mean, that's a good point. I think also it was, to get a little bit more specific, it was only Planned Parenthood, Montana. So it's kind of an interesting, like, specific location, which is probably a political battleground for that kind of issue. So I don't know, it'll be interesting to see who perpetrated it. I don't think we've seen an example of like a US politically motivated type attack like that. So if it was a US perpetrator would be very interesting. So stay tuned on the show and we'll let you know if it was. So let's talk about the city of Columbus, named for the definitely not imperialist. Christopher Columbus, probably. So they sued a researcher who disclosed the impact of a cyber or a ransomware attack. Columbus fell victim. This is on July 18th. They disclosed it shortly thereafter. Of course, they offered people free credit monitoring services, a researcher.
Frank
Standard practice.
Michael
Yes. So basically a researcher named David Leroy Ross or Connor Goodwolf started telling local media that like, basically they were downplaying the attack.
Kelly
Rhysida, the city of Columbus was saying that the attackers had stolen corrupted and encrypted data. And Ross turned around and said, no.
Michael
It in fact was not encrypted or.
Kelly
Corrupted in Social Security numbers and other types of sensitive data.
Gina
Yeah.
Michael
So basically they were saying, oh, nothing really sensitive was disclosed because it was corrupt or encrypted. And then that person was being like, no, it wasn't corrupted or encrypted. It has SSN's, personal information of police officers reports, arrest records.
Kelly
I think the funniest line on it was Columbus claimed that although shared publicly, the information on the site, on Rhysida's site was only accessible to individuals who have computer expertise and tools necessary to download data from the dark.
Michael
This is basically just the F12 hacker comes back. Is that what this is?
Kelly
That's what it sounds like.
Michael
Because. Okay, so they're. So the city is accusing them, Ross, of interacting with the ransomware gang to download the deleted or the leaked information. If that's illegal. I've committed a lot of crimes because these sites are just. They just have a bunch of download buttons, and they don't require any technical expertise to access. It's pretty much just a site that says, click the button to download the data. And downloading it and investigating it doesn't seem at all sensitive. I guess we'll have to keep stay tuned on how this pans out. But I feel like there's no way this stands up in court. Right?
Gina
I mean, and Ross wasn't. He's just an independent researcher. Right? He's not. He wasn't part of, like, the city or had any inside knowledge or employer. Okay, cool.
Michael
I mean, they also were. The city was seeking a restraining order. Bars the order. Okay, so can you imagine this? This is a restraining order against the data he downloaded. It's like, you can't look at those files. Bad boy. So basically, the order bars Ross from disseminating the data, but does not prevent him from discussing it or the stolen data or the type of the data. So, like, it doesn't actually stop them at all. It's totally just the mayor called someone and said, make this disappear. And they tried to, and they failed. And now it's getting the Streisand effect. And we're talking about it here when none of us live in Columbus, hopefully.
Corey
I think it's a really interesting article because all of us are security researchers to a varying extent. And this really feels like rotten apples. The city was embarrassed, and they're going after him and they're leveraging orders, restraining orders, to basically quiet him. And, you know, the Question that I have. Does the city's cybersecurity posture suck? And that's not being.
Michael
They got ransomware about that.
David
Yeah, I agree that there's. Their security posture probably sucks, and I think they're handling it terribly. So I'd like to encourage everybody that's watching to go download the data from the Dark Web, take screenshots of it, you know, redact it appropriately so no one's like, no. Innocent people's Social Security numbers are put in on, like, social media and then like, tweet it to, you know, this, you know, local government. So they can see just how easy it is for everyone on the Internet to get access to that.
Michael
Well, it's also, I mean, I think, you know, I'm assuming, you know, you're kind of joking there, but, like, it is genuinely worth it from a privacy perspective to make sure that your data isn't disclosed in this breach, whether or not you're, whether you're a police officer or someone who got arrested or someone who just lived in Columbus for a time. Being able to look for your own data in breaches is totally allowed. I mean, I'm not a lawyer, of course, but there are some DOJ documents about this type of information, like open source intelligence data. From my, from my perspective, it's okay to store. It's only bad. It's essentially an. It comes down to intent and the intent to inform the public that, you know, this data is putting people at risk because there's definitely people out there that are going to say, oh, well, Columbus said it wasn't bad. I'm sure my data is safe. And then their identity gets stolen six months later because they never engaged, because, you know, it never got their data. They thought it wasn't really disclosed. I will say, like, it's got to be a mess up on their side that they just said it was encrypted or whatever when it wasn't. So, like, that's bad forensics. They obviously, they had bad security posture to begin with because they got ransomware.
Evan
Right.
Michael
Two, they have bad forensics or investigating after the fact of what was taken, what formats were taken. And three, they have bad PR of trying to silence someone for talking about a very public issue. I'm assuming that the individual that disclosed it is, has their data disclosed, so it's totally fair to download and look through it to see if you're in it. Is your Social Security number in there, Is your parking tickets in there or anything else. It's not great.
Gina
Well, and also, this is the type of thing. I think I mentioned it when the lock bit had all of their data released in the amount of stuff that was part of a data breach that went contrary to attestations of the company. So it could very well be that the city says, like we have all these attestations and we've, we've put on all sorts of legal documents that this is encrypted. And then, well, now there's this ransomware that happened and we're going to stand by our attestation that it's encrypted. This guy's coming out saying it's not. And now we get into a lot of trouble because we lied to regulators or forest certifications and.
Evan
Right.
Gina
Et cetera, et cetera. So.
Michael
Totally.
Corey
But I'll say here, those in glass houses shouldn't throw stones. We've been in situations where we thought something was encrypted or we thought a file share was turned off and it wasn't.
Michael
Yeah, but we're not public relations for a city government. That's the difference. Because if you're, if you're publishing something that involves people's personal data and safety, you need to make sure it's accurate before you publish it. I'm sure the person that published this was just like, guys, everyone can click download. Are you crazy? Like it's on some level, it's not even intent. It's just basically being like, are you living in reality or are you just crazy? I think it's time for the show to duck out.
Gina
To fly south for the winter.
Michael
I hope no one engages in any quackery this week. Kill it with fire. Have a good week, everyone. Bye bye.
Evan
Later.
Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: September 9, 2024 - More Chicken Related Crimes
Release Date: September 11, 2024
Host: Black Hills Information Security
The episode begins with a light-hearted conversation about the hosts' early experiences with computers, interwoven with references to the classic film Revenge of the Nerds. Corey opens the discussion by reminiscing about how the movie influenced their career paths in infosec.
The hosts share anecdotes about their first computers, highlighting the challenges and learning experiences that shaped their skills as penetration testers. Gina narrates her adventures of tinkering with early computers, emphasizing the hands-on learning that inadvertently fostered her hacking abilities.
Transitioning from nostalgia, the hosts delve into the episode's main topic—chicken-related crimes. Although initially intended as a pre-show discussion, the conversation sets the stage for deeper insights into unconventional security breaches.
Michael introduces an intriguing case where salted duck was allegedly used to bribe a New York State official, sparking a debate on the unusual methods employed in corruption schemes. The hosts humorously ponder the plausibility and effectiveness of such tactics, ultimately highlighting the blend of traditional bribery with quirky elements.
The discussion shifts to a significant security concern involving Yubikeys, a widely trusted hardware authentication device. Michael summarizes recent research exposing vulnerabilities that allow cloning of Yubikeys, though he downplays the immediate threat due to the high cost and technical expertise required.
Gina and Kelly contribute by stressing the importance of firmware upgrades and the broader implications for hardware security. The conversation underscores that while Yubikeys remain a preferred choice for multi-factor authentication, no device is entirely impervious to sophisticated attacks.
The hosts examine a recent breach at Confidant Health, where a misconfigured cloud storage service led to the exposure of 5.4 terabytes of sensitive patient data, including recordings of telehealth sessions.
The discussion highlights the critical nature of securing health-related data and the compounded risks when sensitive information, such as personal therapy sessions, becomes publicly accessible. Corey emphasizes the broader societal impacts, especially in regions where organizations like Planned Parenthood serve as essential healthcare providers.
Corey introduces the passage of California's AI Bill, SB 1047, which aims to establish standards for AI models, including mechanisms to mitigate cybersecurity and infrastructure risks.
The hosts debate the potential effectiveness and challenges of such regulation, particularly concerning its impact on startups and small companies. They discuss the delicate balance between fostering innovation and ensuring robust security measures, with Kelly questioning the practicality of emergency shutdown protocols for AI systems.
In their dedicated ransomware segment, the hosts discuss the latest actions by the threat actor Brain Cipher, who claimed a data leak affecting French national museums during the Olympics.
They analyze the sophistication of current ransomware threats, noting that attackers' incremental refinements keep defenders playing catch-up. The conversation underscores the persistent adaptability of cybercriminals and the necessity for continuous vigilance in defense strategies.
A controversial case unfolds as the city of Columbus takes legal action against a researcher who publicly disclosed the extent of a ransomware attack, revealing that sensitive data was neither encrypted nor corrupted as initially claimed.
The hosts critique the city's response, highlighting the risks of misinformation and the importance of transparency in data breach disclosures. They express skepticism over the legal grounds of the restraining order and emphasize the ethical responsibility of researchers to inform the public about security vulnerabilities.
The episode concludes with an overview of multiple recent data breaches, including Durex India and Planned Parenthood Montana, discussing their potential impacts and the varying sensitivities involved.
The hosts reflect on the broader implications of data breaches beyond mere technical vulnerabilities, touching on privacy concerns, potential for blackmail, and the societal ramifications of compromised healthcare data.
The episode wraps up with the hosts reiterating the complexities of cybersecurity in the modern age, where technological advancements continually shape both threats and defenses. They emphasize the importance of staying informed, maintaining robust security practices, and fostering transparent communication in the face of evolving cyber challenges.
The conversation underscores the necessity for ongoing education and adaptive strategies within the infosec community to effectively counteract and preempt emerging threats.
This episode of Talkin' About [Infosec] News encapsulates a blend of technical discussions, real-world security incidents, and the ever-present humor that defines the Black Hills Information Security team. From unconventional bribery methods involving poultry to the nuanced debates surrounding AI regulation, the hosts provide a comprehensive overview of current infosec landscapes, making it a valuable listen for both seasoned professionals and newcomers to the field.
