Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: September 9, 2024 - More Chicken Related Crimes
Release Date: September 11, 2024
Host: Black Hills Information Security
1. Opening Nostalgia: First Computers and the "Revenge of the Nerds" Influence
The episode begins with a light-hearted conversation about the hosts' early experiences with computers, interwoven with references to the classic film Revenge of the Nerds. Corey opens the discussion by reminiscing about how the movie influenced their career paths in infosec.
- Corey [00:01]: “The nerds provided a lot of career insights to some of us.”
- Corey [02:16]: “Oh, I got my start in computers with the little pulpressor calculator.”
The hosts share anecdotes about their first computers, highlighting the challenges and learning experiences that shaped their skills as penetration testers. Gina narrates her adventures of tinkering with early computers, emphasizing the hands-on learning that inadvertently fostered her hacking abilities.
- Gina [01:07]: “If I can make it better and nobody will notice, then it stays in place.”
2. Pre-Show Banter: More Chicken-Related Crimes
Transitioning from nostalgia, the hosts delve into the episode's main topic—chicken-related crimes. Although initially intended as a pre-show discussion, the conversation sets the stage for deeper insights into unconventional security breaches.
- Frank [05:37]: “Apparently it's so good, it's worth doing crime for it.”
- Corey [08:46]: “Well, they sent these beautiful salted ducks to the parents of the senior aide.”
Michael introduces an intriguing case where salted duck was allegedly used to bribe a New York State official, sparking a debate on the unusual methods employed in corruption schemes. The hosts humorously ponder the plausibility and effectiveness of such tactics, ultimately highlighting the blend of traditional bribery with quirky elements.
- Michael [07:01]: “It must be.”
- Corey [09:02]: “Maybe the Yubikey had problems. You know, had this detector before and were you worrying about it then?”
3. Yubikey Vulnerabilities: Cloning the Gold Standard
The discussion shifts to a significant security concern involving Yubikeys, a widely trusted hardware authentication device. Michael summarizes recent research exposing vulnerabilities that allow cloning of Yubikeys, though he downplays the immediate threat due to the high cost and technical expertise required.
- Michael [09:59]: “Researchers disclosed an attack that allows you to clone Yubikeys… requires over $10,000 in equipment.”
- David [10:59]: “You probably have to have access to the person's username and password.”
Gina and Kelly weigh in on the firmware-upgrade question and the broader implications for hardware security. The conversation underscores that while Yubikeys remain a preferred choice for multi-factor authentication, no device is entirely impervious to sophisticated attacks.
- Kelly [12:07]: “You can't upgrade the firmware. If you are that concerned, you have to buy all new Yubikeys.”
- Corey [13:17]: “Everything can be broken eventually.”
4. Data Breach at Confidant Health: Misconfigured Cloud Storage Exposes Patient Data
The hosts examine a recent breach at Confidant Health, where a misconfigured cloud storage service led to the exposure of 5.4 terabytes of sensitive patient data, including recordings of telehealth sessions.
- David [21:42]: “Patient data for this company included recordings of telehealth sessions… 5.4 terabytes.”
- Michael [22:50]: “Maybe they're trying to sell the data… they shouldn't be stored in an exposed manner.”
The discussion highlights the critical nature of securing health-related data and the compounded risks when sensitive information, such as personal therapy sessions, becomes publicly accessible. Corey emphasizes the broader societal impacts, especially in regions where organizations like Planned Parenthood serve as essential healthcare providers.
5. California AI Bill: Navigating Regulation in Emerging Technologies
Corey introduces the passage of California's AI Bill, SB 1047, which aims to establish standards for AI models, including mechanisms to mitigate cybersecurity and infrastructure risks.
- Corey [25:29]: “The California AI Bill, SB 1047, did pass… establishing AI standards of care.”
- Michael [26:10]: “What you mean is cut the hard line…”
The hosts debate the potential effectiveness and challenges of such regulation, particularly concerning its impact on startups and small companies. They discuss the delicate balance between fostering innovation and ensuring robust security measures, with Kelly questioning the practicality of emergency shutdown protocols for AI systems.
- Kelly [31:24]: “The cables underneath a guillotine before they're pulled.”
- Michael [31:30]: “Shut down the power to the building…”
6. Ransomware Corner: Brain Cipher and the Evolution of Threats
In their dedicated ransomware segment, the hosts discuss the latest actions by the threat actor Brain Cipher, who claimed a data leak affecting French national museums during the Olympics.
- Gina [38:29]: “It's using LockBit and evolving it a little bit with more persistent and evasion techniques.”
- Michael [39:53]: “Has anyone heard of Brain Cipher before?”
They analyze the sophistication of current ransomware threats, noting the incremental advancements that make defenses challenging. The conversation underscores the persistent adaptability of cybercriminals and the necessity for continuous vigilance in defense strategies.
7. City of Columbus Sues Researcher Over Ransomware Disclosure
A controversial case unfolds as the city of Columbus takes legal action against a researcher who publicly disclosed the extent of a ransomware attack, revealing that, contrary to the city's initial claims, the stolen sensitive data was neither encrypted nor corrupted.
- Michael [55:43]: “They say it's only accessible to individuals with computer expertise, but downloading it was straightforward.”
- Corey [57:06]: “Does the city's cybersecurity posture suck?”
The hosts critique the city's response, highlighting the risks of misinformation and the importance of transparency in data breach disclosures. They express skepticism over the legal grounds of the restraining order and emphasize the ethical responsibility of researchers to inform the public about security vulnerabilities.
- Kelly [56:14]: “This is basically just the F12 hacker comes back.”
- Corey [56:35]: “Their security posture probably sucks… they handled it terribly.”
8. Recent Data Breaches: Durex India and Planned Parenthood Montana
The episode concludes with an overview of multiple recent data breaches, including Durex India and Planned Parenthood Montana, discussing their potential impacts and the varying sensitivities involved.
- Michael [52:33]: “Durex is a company that makes contraceptive products… data breach is really rough.”
- Corey [53:23]: “There are socioeconomic, sociopolitical elements to data breaches.”
The hosts reflect on the broader implications of data breaches beyond mere technical vulnerabilities, touching on privacy concerns, potential for blackmail, and the societal ramifications of compromised healthcare data.
Conclusion: Lessons Learned and Future Vigilance
The episode wraps up with the hosts reiterating the complexities of cybersecurity in the modern age, where technological advancements continually shape both threats and defenses. They emphasize the importance of staying informed, maintaining robust security practices, and fostering transparent communication in the face of evolving cyber challenges.
- Gina [61:13]: “We're public relations for a city government…”
- Evan [60:03]: “AI is making folks kind of rethink things.”
The conversation underscores the necessity for ongoing education and adaptive strategies within the infosec community to effectively counteract and preempt emerging threats.
Notable Quotes:
- Corey [01:07]: “I started programming it a few months after he got it because I was bored with playing games on it.”
- Michael [07:01]: “It must be.”
- Gina [38:29]: “It's using LockBit and evolving it a little bit…”
- Corey [57:06]: “Does the city's cybersecurity posture suck?”
- Michael [52:33]: “Durex is a company that makes contraceptive products… data breach is really rough.”
This episode of Talkin' About [Infosec] News encapsulates a blend of technical discussions, real-world security incidents, and the ever-present humor that defines the Black Hills Information Security team. From unconventional bribery methods involving poultry to the nuanced debates surrounding AI regulation, the hosts provide a comprehensive overview of current infosec landscapes, making it a valuable listen for both seasoned professionals and newcomers to the field.