Podcast Summary: Talkin' About [Infosec] News, Episode: Pour Over News
Host: Black Hills Information Security
Release Date: September 18, 2024
Episode Date: September 16, 2024
Title: Pour Over News
Duration: Approximately 59 minutes
Introduction: Light-Hearted Banter (00:01 - 06:48)
The episode kicks off with the hosts engaging in casual conversation about the soaring temperatures in Florida and humorous discussions about air conditioning versus configuring a house to use DC power. This segment sets a relaxed tone before diving into the week's cybersecurity news.
Fortinet Breach Analysis (07:20 - 15:36)
Key Discussion Points:
- Breach Details: The team discusses a significant data breach involving Fortinet, where approximately 440 GB of data was compromised. The breach is attributed to a threat actor named "Fortibitch," a name that sparked amusement among the hosts.
- Nature of the Breached Data: There is speculation about the type of data stolen. While Fortinet claims the breach affects only 0.3% of its customer base, the hosts hypothesize that the data might consist of diagnostic logs or firewall configurations.
- Fortinet's Response: Fortinet's nonchalant response to the breach leads to discussions about the severity and potential impact of the leaked data. The team jokes about reverse engineering the threat actor's tactics and highlights the general challenge of attributing breaches accurately.
- Risk Mitigation: Emphasis is placed on the importance of securing third-party cloud credentials and ensuring that systems like Fortinet's support interfaces are not publicly exposed.
Notable Quotes:
- Ralph May [07:42]: "Probably some kind of logs or diagnostic data that's a lot of."
- Shadow [09:53]: "440 gigs for 0.3% of their customer base. And you know, like, like you said, it's not firewall config."
Multifactor Authentication (MFA) Best Practices (15:36 - 21:28)
Key Discussion Points:
- Snowflake's MFA Implementation: The conversation shifts to Snowflake's recent move to make MFA mandatory, sparking a broader discussion on the necessity and implementation strategies of MFA across platforms.
- Balancing Security and Usability: The hosts debate whether MFA should be enforced by default or offered as an option, considering the user friction it may introduce. They discuss different types of MFA, including SMS-based and Time-Based One-Time Passwords (TOTP), highlighting the pros and cons of each method.
- Support Challenges: Implementing MFA poses support challenges, especially when users lose access to their MFA tokens. The team suggests that while MFA adds a layer of security, it can also increase the burden on support teams if not implemented thoughtfully.
Notable Quotes:
- Alex [16:04]: "Do you think when you go to a website everyone should be enforcing multifactor like by default?"
- Ralph May [17:52]: "The only authentication token is just the email link you get. That's the only authentication."
Larry Ellison’s AI Surveillance Vision (21:36 - 27:04)
Key Discussion Points:
- AI in Policing: The hosts critique Larry Ellison's proposal to use AI for monitoring police officers, questioning the feasibility and ethical implications of such surveillance systems.
- AI Limitations and Biases: The conversation delves into the inherent biases in AI systems and the technical challenges of accurately implementing AI-based monitoring without generating false positives or infringing on privacy.
- Surveillance vs. Reality: The team highlights the disconnect between the theoretical promise of AI surveillance and the practical difficulties in execution, such as alert fatigue and the complexity of interpreting video feeds accurately.
Notable Quotes:
- Ralph May [23:35]: "It's the definition of this is only newsworthy because a billionaire said it."
- Shadow [26:30]: "AI has biases built into them."
MasterCard Acquires Recorded Future (28:11 - 33:52)
Key Discussion Points:
- Acquisition Overview: MasterCard's acquisition of Recorded Future for $2.65 billion is a focal point, with the hosts analyzing the strategic implications of this move in the threat intelligence space.
- Recorded Future's Value Proposition: The platform offers advanced threat intelligence, including AI-driven analysis and risk scoring, which MasterCard aims to leverage to enhance its fraud detection capabilities.
- Future of Threat Intelligence: The discussion touches on how this acquisition positions MasterCard at the forefront of proactive threat intelligence, allowing them to anticipate and mitigate threats more effectively.
Notable Quotes:
- Ralph May [28:23]: "How the heck is Recorded Future worth $2.65 billion?"
- David [31:12]: "Recorded Future does lots of AI stuff."
Cyber Insurance Trends and Challenges (33:52 - 42:35)
Key Discussion Points:
- Market Growth Projection: The hosts explore projections indicating that the US standalone cyber insurance market could reach $45 billion in premiums by 2034, a fivefold increase from present values.
- Sustainability Issues: Concerns are raised about the sustainability of cyber insurance, especially in light of large-scale breaches like that of 23andMe. The team questions whether insurance premiums can keep pace with the increasing cost of cyber incidents.
- Real-World Example – 23andMe Lawsuit: The episode highlights 23andMe's agreement to pay $30 million to settle a class-action lawsuit stemming from a data breach. The role of cyber insurance in covering such settlements is scrutinized, with skepticism about the insurers' ability to handle massive payouts without crippling the industry.
- Insurance Coverage Limitations: Discussions emphasize that while cyber insurance can cover incident response and ransom payments, it may not adequately address the broader financial impacts of breaches, such as reputational damage and long-term losses.
Notable Quotes:
- Alex [35:18]: "Why did MasterCard buy Recorded Future?"
- Ralph May [41:23]: "They paid $1,500, you're like, all right, I paid my 1500. Now I need 2.5 billion dollars."
23andMe Data Breach Lawsuit Settlement (42:35 - 45:50)
Key Discussion Points:
- Settlement Details: 23andMe has agreed to pay $30 million to settle a class-action lawsuit related to a 2023 data breach. The settlement is expected to provide minimal payouts to affected customers, with a large portion covered by cyber insurance.
- Impact on Customers: The hosts humorously speculate on the actual benefits to individual customers, noting that lawyer fees may significantly reduce the amount each customer receives.
- Legal and Compliance Measures: The settlement includes mandates for 23andMe to conduct annual computer scans and security audits for three years, reinforcing the importance of regular security assessments in preventing future breaches.
Notable Quotes:
- Alex [40:43]: "They're just getting a pen test now? They have to get one pen test."
- Shadow [44:29]: "You can buy a broken microwave. That'll do that."
EU Scrutiny on Google’s GDPR Compliance (46:17 - 50:38)
Key Discussion Points:
- GDPR Violations: The hosts discuss reports that the EU is scrutinizing Google for potential GDPR violations related to the use of personal data in training AI models. This mirrors similar actions taken against X (formerly Twitter), where data usage practices have come under fire.
- Impact on AI Development: The stringent GDPR regulations pose significant challenges for AI development, particularly in ensuring that personal data is appropriately handled and that users have the right to opt out of data usage.
- Company Responses: While Google has yet to provide a formal response, the hosts anticipate that it may follow X's lead by limiting or suspending the use of EU-based data until compliance issues are resolved.
Notable Quotes:
- Shadow [46:17]: "Google hasn’t had a formal response yet, which is why I'm hypothesizing they'll probably do what X did."
- Ralph May [47:20]: "The issue is just, it's the all or nothing nature."
Rogue WHOIS Server Exploit (50:38 - 58:34)
Key Discussion Points:
- Incident Overview: A rogue WHOIS server takeover involved registering an expired domain, mobireegistry.net, which was formerly used for the MOBI top-level domain. The attacker issued certificates improperly by exploiting outdated WHOIS records and manipulating email confirmations.
- Technical Implications: The takeover allowed the attacker to respond to WHOIS queries with falsified administrative emails, facilitating the issuance of fraudulent TLS certificates. This undermines the integrity of the certificate authority process and exposes vulnerabilities in the WHOIS system.
- Responsibility and Migration Flaws: The hosts critique the failure of proper domain migration and monitoring, emphasizing that original domain owners must ensure legacy domains are maintained or appropriately decommissioned to prevent such exploits.
Notable Quotes:
- Ralph May [50:52]: "So you can supply any email address you want as the owner of the domain and then oops. Now when you go to register a certificate that's the email that is a domain owner."
- Shadow [57:34]: "They have to monitor the people who are querying and regularly contact them and say, hey, we noticed you were still clearing it."
Conclusion and Wrap-Up (58:34 - End)
The hosts conclude the episode by reflecting on the extensive discussions and teasing future topics. They acknowledge the episode's length and express gratitude towards the listeners for joining a full-hour session.
Notable Quotes:
- Alex [59:25]: "So we're light on news this week."
- Ralph May [59:42]: "Stay tuned. It's always funny because sometimes these breaches come out and we get like, just like a whiff that there could be something."
Key Takeaways:
- Fortinet Breach Highlights: The breach underscores the critical importance of securing diagnostic and configuration data, especially from third-party cloud services.
- MFA Implementation Strategies: Effective MFA deployment requires balancing security enhancements with user convenience to minimize support burdens.
- AI in Surveillance: While AI holds potential for monitoring and enhancing security, practical implementation faces significant technical and ethical challenges.
- MasterCard's Strategic Acquisition: Investing heavily in threat intelligence platforms like Recorded Future positions MasterCard to lead in proactive cybersecurity measures.
- Cyber Insurance Viability: The growing cyber insurance market faces sustainability questions as breach costs escalate, highlighting the need for robust security practices over reliance on insurance.
- Regulatory Compliance: Companies like Google must navigate complex GDPR regulations, which significantly impact AI model training and data usage practices.
- WHOIS System Vulnerabilities: The rogue WHOIS server incident reveals vulnerabilities in domain management and underscores the necessity for meticulous domain monitoring and migration processes.
This episode of "Talkin' About [Infosec] News" offers an in-depth exploration of current cybersecurity challenges, blending technical analysis with engaging discussions. Whether it's dissecting major breaches, debating security protocols, or examining regulatory impacts, the hosts provide valuable insights for both seasoned professionals and those new to the field.