Podcast Summary: "Talkin' About [Infosec] News, Powered by Black Hills Information Security"
Episode: 2024-11-04 - The Grey Times
Release Date: November 6, 2024
Introduction
In this episode of "Talkin' About [Infosec] News," the Black Hills Information Security team delves into a variety of cybersecurity topics, ranging from recent phishing tactics to significant legal battles in the industry. The hosts—Alex, Brian, Corey, Derek, Frank, Hannah, Gina, and Eric—engage in lively discussions, sharing insights, experiences, and expert opinions on the latest developments in the infosec landscape.
1. Neti Pot Phishing and RDP Security
Timestamp: [00:30] - [08:56]
The episode kicks off with a conversation about a novel phishing tactic involving Remote Desktop Protocol (RDP) files. Brian introduces the topic by highlighting the resurgence of RDP-related security issues, exacerbated by recent natural disasters affecting the Gulf Coast.
Notable Quote:
- Brian [00:30]: "We were dealing with flesh-eating bacteria along the Gulf coast here. And this is my PSA for people. If you use a neti pot and if you want to know what a neti pot is, Alex will explain it to you. If you're going to be using a neti pot, do not use tap water because it will eat your brain."
Corey explains the functionality of a neti pot, likening it humorously to mummification, which segues into a broader discussion about RDP security. Frank emphasizes the importance of blocking RDP files to prevent unauthorized access:
Notable Quote:
- Frank [07:32]: "If you're a Black Hills Information Security Red Team client, you didn't get affected by this campaign because we already tried it and it didn't work. So you should be."
The team underscores the persistent vulnerability of RDP across organizations and shares strategies to mitigate associated risks, such as disabling inbound RDP files and employing breach attack simulation tools.
2. Delta vs. CrowdStrike Lawsuit
Timestamp: [16:51] - [21:18]
A significant portion of the discussion centers around the legal confrontation between Delta Air Lines and CrowdStrike. Brian provides a detailed overview of Delta's lawsuit against CrowdStrike, alleging at least $500 million in losses due to a cybersecurity incident.
Notable Quote:
- Brian [17:13]: "Delta has filed a suit against CrowdStrike for at least $500 million in immediate losses as well as punitive damages for the CrowdStrike incident that happened in 2024."
CrowdStrike countersues in federal court, arguing that Delta failed to adhere to critical cybersecurity hygiene standards set by the Transportation Safety Oversight Board (TSO). Eric and Frank debate the implications of such legal actions, highlighting the complexities of proving negligence and the defense CrowdStrike might employ regarding industry-standard practices.
Notable Quote:
- Frank [21:18]: "That's going to hit up against the wall that every other like that is industry standard."
The hosts analyze how this lawsuit could set precedents for future cyber-related legal battles and the responsibilities of cybersecurity firms in preventing breaches.
3. RedLine Info Stealer Takedown
Timestamp: [22:06] - [28:10]
Corey brings attention to the recent takedown of the RedLine stealer, one of the more notorious info stealers in circulation. The team discusses the implications of law enforcement actions against malware developers, particularly focusing on the arrest of a Russian national responsible for RedLine.
Notable Quote:
- Corey [24:09]: "The redline stealer has been packaged up in more ways than you could ever count. It's been used in every social engineering, every phishing campaign, every malware crack software, all that stuff. So it's definitely the big one."
Frank remarks on the perpetual cat-and-mouse game between cybersecurity professionals and threat actors, noting that dismantling one stealer often leads to the emergence of others.
Notable Quote:
- Frank [27:53]: "It's not hard to implement concept. We've built our own stealer at Black Hills. Lots of people have built stealers, so not that big of a deal."
The discussion highlights the resilience of the info stealer market and the ongoing challenges in completely eradicating such threats.
4. Disney Employee Security Incident
Timestamp: [28:10] - [35:00]
The hosts shift focus to a security incident involving a Disney employee who, after termination, exploited lingering access privileges to manipulate internal systems. Corey details how the disgruntled ex-employee altered font files and QR codes, disrupting operations and redirecting customers to unintended websites.
Notable Quote:
- Corey [29:57]: "He changed the name for like the font files so that like when it fetches like the fancy Disney font file, it's bringing up Wingdings instead."
Frank and Eric discuss the broader implications of insider threats, emphasizing the necessity of comprehensive offboarding procedures to revoke all access rights promptly.
Notable Quote:
- Frank [32:05]: "That's the exact same thing an insider threat would do... You can't just be like, hey, I'm going to email you this RDP file."
The conversation underscores the critical importance of internal security measures to prevent former employees from causing harm.
5. Synology Photos App Zero-Day Vulnerability
Timestamp: [37:20] - [52:13]
Hannah introduces a newly discovered zero-click vulnerability in Synology's Photos app. The vulnerability allows attackers to compromise devices without any user interaction, posing significant security risks.
Notable Quote:
- Hannah [48:10]: "A zero click hack exploits flaws in the device making use of the data verification loophole, basically saying the vulnerability is there whether you're seeing it or not."
The team discusses the ramifications of such vulnerabilities, especially in self-hosted applications, and shares best practices for securing devices exposed to the internet, such as employing VPNs and ensuring automatic firmware updates.
Notable Quote:
- Hannah [45:35]: "Just putting it behind a VPN is probably a really great step and you should think about that."
They also touch upon the ethical considerations of device manufacturers and the responsibilities of users in maintaining device security.
6. Microsoft’s Windows 11 Extended Support Fee
Timestamp: [52:20] - [59:50]
The conversation turns to Microsoft's recent policy change requiring users to pay $30 for an extended support period to continue receiving security updates for Windows 10 beyond its official end-of-support date.
Notable Quote:
- Derek [52:36]: "They're getting into the ransomware game."
Frank humorously critiques the fee structure, comparing it to previous extended support licensing costs and pondering Microsoft's motives behind this decision.
Notable Quote:
- Frank [54:15]: "They're using it to crowdfund an upgrade of Microsoft Teams."
The hosts debate whether this move is a monetization strategy or a practical approach to managing legacy systems, with considerations on user compliance and the potential impact on home users versus corporate environments.
7. HIPAA Risk Assessment Fine
Timestamp: [36:55] - [43:45]
Brian brings up a noteworthy development in healthcare cybersecurity: the first financial penalty imposed on an ambulance service for failing to conduct a proper risk assessment of electronic protected health information (ePHI) under HIPAA regulations.
Notable Quote:
- Brian [37:20]: "The first financial fine to an organization, an ambulance service, for not actually doing a risk assessment against ePHI."
The team discusses the significance of this fine as a wake-up call for organizations to prioritize regular risk assessments and the broader implications for compliance and data security in the healthcare sector.
Notable Quote:
- Frank [39:27]: "It can be low cost, easy. Right."
Eric and Derek explore the potential long-term effects of such regulatory actions, including the increased burden on small organizations to maintain compliance and the role of corrective action plans imposed by regulators.
8. Voting Machine Security Concerns
Timestamp: [45:09] - [66:19]
The episode concludes with a critical analysis of voting machine security, prompted by a report of leaked passwords for Colorado voting machines. Hannah explains the concept of zero-click vulnerabilities and their implications for the integrity of electoral systems.
Notable Quote:
- Hannah [48:12]: "The vulnerability is there whether you're seeing it or not, whether you're activating it or not."
Frank and Derek debate the practicality and impact of such vulnerabilities, questioning the effectiveness of attacks in altering election outcomes while emphasizing the importance of securing these critical systems.
Notable Quote:
- Frank [54:46]: "They're not accessible to end users. I don't know. I think it's just the automation. You do need some computer at some point to tabulate the results."
The team underscores the ongoing challenges in safeguarding electoral infrastructure and the broader societal implications of cybersecurity vulnerabilities in voting systems.
Conclusion
Throughout the episode, the Black Hills Information Security team provides an in-depth exploration of pressing cybersecurity issues, combining technical expertise with real-world implications. From phishing tactics and insider threats to legal battles and systemic vulnerabilities, "The Grey Times" offers listeners a comprehensive overview of the current infosec landscape, underscored by engaging discussions and expert insights.
Disclaimer: The views and opinions expressed in this summary are based on the podcast transcript provided and do not necessarily reflect the official stance of Black Hills Information Security.