Loading summary
Alex
So one day we should do the post show for pre show and the pre show for post show.
Brian
Well, how about you remember in the old days of TV where there'd be like two part episode and two beach continued and you'd have to wait a week. Did you remember correctly? Last week we talked about poop, this week we're talking about boogers.
Corey
Absolutely.
Derek
A different bodily fluid every episode.
Brian
Now there's, there's a reason why we're talking about this. This actually does have something to do with the news.
Corey
That's it.
Brian
We were talking, um. It does, it does. For those of us who are recovering from the hurricanes and the storms that happen, we are dealing with flesh eating bacteria along the Gulf coast here. And this is my PSA for people. If you use a neti pot and if you want to know what a neti pot is, Alex will explain it to you. If you're going to be using a neti pot, do not use tap water because it will eat your brain. Tell us about a neti pot, Alex.
Corey
I use the power device that it basically like. It puts like suction on one nostril and water jet onto the other nostril and it basically like sends the saline solution like up through the nostril, back around the sinus cavity and then out through the other one. This sounds like a form of mummification to me. It kind of is, yes. And I understand that reference. I studied that in elementary school too, like the mummification. And it does, it really does feel like you're just kind of like water jetting your brain a little bit. I will either unlock secrets to the cosmos or just like further decline craziness.
Eric
But.
Brian
Maybe that's how you get your cybersecurity insights.
Frank
I know. That is.
Corey
I'm going to be like a thought leader.
Frank
I'm just going to be like, oh.
Corey
Let me hit the navage there and be like, oh, yeah. Okay, now I got some great ideas for AI incorporation into things. Like, has anybody made an AI enabled toilet cam?
Frank
So we talked about that last week.
Corey
Exactly.
Frank
Callback.
Brian
So for all of you filling out your bingo cards, we've had thought leader, we've hit AI, We've got.
Eric
What did we miss?
Frank
Well, if you ever end up as a thought leader, you're in a bad spot. You don't want that to happen. That's to be avoided at all costs.
Brian
Well, did anybody vote?
Frank
Time is back. Which means my room gets very dark now.
Brian
Oh, it does. But we can see your features. Ryan, you don't look Like a serial killer to us.
Derek
You're well illuminated.
Frank
I see sunshine out there in the corner. You liar. No one believes you, but it's. It's a lot dimmer than it usually is.
Corey
Oh.
Frank
You live in Florida. Don't complain. Okay, I'm going to enter the gray times for the next six months. The great times. The gray times are upon us. Get your tea and head to the hills.
Gina
Great times.
Frank
Come on.
Derek
Come on.
Brian
So, Corey, we're so glad you're here. On a scale of 1 to 10, how ranty are you today?
Frank
Not very ranty, because I'm about to go on vacation. I guess I should just rant and then go on vacation and be like, all right, have fun with that.
Derek
Yeah, rant. Get it out of your system.
Frank
No, I'm not very rare. I'm not. I can. I can be. I can rant about thought leaders. We don't need them. Why do. Why would we need thought leaders? Everyone's a thought leader. Like, you don't. You don't need to call yourself that.
Derek
I know people who consider being called a thought leader an insult.
Frank
Those are the. Those are the people.
Derek
Yep.
Alex
Thought leader rockstar.
Eric
Both.
Alex
Both can be insults.
Frank
Yes. I'm gonna go on LinkedIn and change my job title to thought leader real quick.
Alex
Dude.
Eric
Thought leader. Leading influencers.
Frank
Yes.
Alex
Thought leading, influencing rock star.
Eric
I should try that.
Frank
I'm a nominee for the Difference Maker podcast.
Brian
Oh, no. I'm seeing in the Discord chat, that chat, that we're losing numbers because you're not ranting enough. Corey, turn the handle.
Frank
Numbers. What does that even mean?
Derek
We're not.
Frank
There are no numbers.
Corey
I think the grass going in the wrong direction.
Frank
Who's looking at a graph? All right, whoever has the graph, I'm gonna make it go up into the right. Roll the finger.
Eric
It's a graph in mirroring mode.
Frank
Roll the finger. Is the graph mirrored? The graph is mirrored. Yeah. It's going down into the left. Hello, and welcome to Black Hills Information Security's talking about news. It's November 4, 2024, and today we're talking about vaping. Or I mean neti pots. Or I mean cybersecurity. Sorry, I got confused there for a second. This is a cybersecurity podcast. If anyone's interested in my thought leadership podcast, Neti Pots International. Just. That's a different podcast. Welcome, everyone, to the show. We've got tie dye, Alex. Nice tie dye. Do you have. Do you have anything you'd like to share about that epic tie dye? Did you make it yourself?
Corey
No, but I did go to the Pinball hall of Fame in Vegas, so that's where I got it from. And love pinball and all the excellent things that come out from it.
Frank
Would you say you're a pinball wizard?
Corey
I am a pinball wizard.
Frank
Oh, nice. No one else has any, like, noticeably cool clothes except for Shecky, who has a blue team shirt. Vhis represent. Yeah. We're all blue team. Let's just admit it. We're all blue team. Even us. Red team, reserve blue team.
Alex
In your own way, it is. It is true.
Frank
All right, let's talk about. I think there's two. There's two articles that are super interesting to me specifically. The first one is Midnight Blizzard using RDP phishing. And this is interesting because this is a Black Hills Information security homegrown tactic, which I love and is also kind of terrifying. Yeah. So Ryan will find the article, but basically Midnight close the pop up.
Corey
There we go.
Frank
Oh, yeah. Ryan, you're going to want to just open that RDP file and then type in your credentials. Okay, great. So now that Ryan's been phished, basically Midnight Blizzard, which I guess is Russian, is sending reverse RDP phishing, which is a tactic that we announced or released in 2022. This was released by Mike Felt, who is no longer with Black Hills, works at Trusted Sec, but it's still on our blog. And I'm assuming they read our blog and we're like, that's a good idea. And now they're doing it. For those curious how reverse RDP phishing works. Basically, the target receives a RDP file, that file, then if they open it, connects into an attacker controlled computer. Then that computer is basically an attacker controlled computer. You can see their clipboard, you can see their files. You can also just have them log into the computer, do all kinds of other stuff. So basically, this is a real threat actor using a tactic that we released in 2022. So I just think that's a funny callback. Did we tell Microsoft to fix it? Yeah, we did.
Derek
And it seems they ignored us, as usual.
Frank
Yeah, they ignored us.
Eric
It's not a bug, it's a feature.
Frank
It is a feature.
Brian
Let's talk about RDP a little bit. How many organizations do you think are still using RDP?
Hannah
Too many.
Frank
100%. You know me, 100. All organizations, everybody.
Eric
I call RDP ransomware deployment protocol. I even have a shirt for it.
Derek
Is that kind of like how RAM stands for Rarely act Adequate Memory?
Eric
Yes.
Frank
Yeah, it's exactly like that.
Hannah
There's a lot of RRMMS out there. Right. They all cost money. Remote Desktop's already built into Microsoft Windows and all the other platforms, so it's really easy to interact with. It's not going anywhere anytime soon.
Frank
Nope.
Eric
Yeah, tunnel through that RDP back into the console, much like a VNC connection. And some of them are even very free. Like I'm not going to say anybody because I don't want threat actors to go using them more than they already are. But yeah, it's a free thing to tunnel back through and be able to connect into workstation. So it's not going to go away anywhere anytime soon.
Frank
Nope. Yeah, I mean, as far as like it does have to be signed, you know, with the valid certificate. That's a really high bar to pass. I feel like this also relies on email phishing, you know, filtering and stuff. But basically what we recommend when we use this tactic on our clients, what we recommend is don't allow these files inbound. Don't allow RDP files. If you're a Black Hills Information Security Red Team client, you didn't get affected by this campaign because we already tried it and it didn't work. So you should be.
Corey
I mean, I did a similar thing. Like I absolutely love like breach attack simulation tools because I just, just loaded up campaign and been like, I'm pretty sure we block RDP files, but let me specifically select the RDP file campaign that Midnight Blizzard is doing. Emulate that in your environment and go, yep, it's blocked. So I love those things because you're going to get an executive that. In my case, I did ask about it and you go, yeah, I just simulated that an hour ago. Here's the latest result, we're good. And then they can pass that on for client contact or any sort of client inquiries as well. So yeah, I love those tools and love being able to emulate that in the environment. For going and checking that you go, hey, I'm pretty sure we'd have this locked down. Go ahead and emulate it, check it again. Works really well. Or call BHIS and be on there, Use their services. They'll make sure you're covered.
Brian
Hey Ralph, can I follow up on something you said? I see a question in our Discord channel. Is there an actual need for RMM anymore?
Hannah
I mean, is there a need for remote management software?
Brian
I think that's what they're asking.
Corey
Yeah.
Hannah
I mean, so this is things like teamviewer, rest desk, any desk, you know, all of these. A Bomgar. Yeah. And yeah, they're not going anywhere anytime soon. I believe Microsoft's Intune has it now built in the remote management software.
Frank
Quick Assist is built in.
Hannah
Yeah, so it's part of the Intune suite. So it is Quick Assist. So yes, to bring that up, Quick Assist, which is, you know, like a teamviewer alternative, is actually default installed already on Microsoft Windows. Right.
Frank
And what attackers would never use that.
Hannah
Yes, it's quick access to a system and the way that they work, in short, is they have some id, maybe a password that appears as soon as you start the software and someone asks, hey, what's the id, what's the password? And then they can log in on the computer and do some kind of remote assistant. Right? Yeah, they're definitely not going anywhere. They're really popular in msvc. Yes, they're, you know, that's how they do their day to day activities where you know, somebody calls up and says, hey, my email's not working or whatever. Instead of them describing it on the phone, they log into their system and they use one of these tools, you know, to, to do that activity. So yeah, they're very popular.
Frank
I mean, the other thing to keep in mind is as security gets more complicated, these RMM tools get used even more. Because when you don't have a flat network, you can't just RDP everywhere. So then you need RMM tools even more that call out to a centralized point of control. I mean they're basically corporate deployed C2 or you know, they're command and control servers basically. Yeah, exactly. But, but you need that because if your business unit in London doesn't talk to your business unit in America and a help desk person is in America trying to get to a system, what are you going to do? You can't just be like, hey, I'm going to email you this RDP file.
Alex
So yeah, the problem with the tools come in is the security levels of them and how easy they are to get somebody to fall for it. And that's where I see it all the time from MSSPs and MSPs is they'll use something such as TeamViewer, which has known vulnerabilities, but they never actually get around to really updating it because they've got so many clients out there that they need to keep everything on the up and up and it would take them too long and use too much manpower to go ahead and do it. I've seen that happen plenty of times over the course of things. As far as RDP goes, I'm Seeing that less and less on the outside, but I'm seeing it used internally and that's being limited by different networks. And what networks are allowed to talk to one another on the ports internally?
Hannah
That's the only way that you configure Windows Server. Right. Like this is like no one's going. I mean, let me take two steps back. First of all, no one's going physically to that server because it's a virtual machine in the first place. Right. And you know the virtual machine consoles inside of all of the virtual machine systems, you could use those. Right. But they're not nearly as fast or as fluid as a remote desktop. So internally it's being used like crazy for managing Microsoft Windows Server environments or any other kind of environment around that.
Frank
Yeah, I mean, it's also. Yeah, it's really a security awareness thing as well. Like knowing that these kinds of reverse connection attacks are going to be on the rise. Right. We've actually talked about using these exact attacks to target help desk people of being like, hey, can you run into my computer and check if your credentials work? Right. And they're just connecting into a non managed computer, just like something we control. Yeah. I mean, basically connecting into a computer can also put you at risk, even though you might think, well, I'm connecting to their computer. But you don't realize that you're exchanging information, you know, with the attacker at the same time.
Corey
So yeah, I mean, also like as a BSA for remote management software, like if your organization uses rmm, they don't use every rmm, like inventory what you're using and close off all of the other things. Because if you sit there and you go, do we use TeamViewer? No, TeamViewer isn't allowed.
Frank
Cool.
Corey
Block the TeamViewer ports. But there are a lot of organizations that go, well, we use rmm, so let's just open up the ports for everything. For Kaseya, for TeamView or for RDP, for whatever. Because we don't know what RMM tools are used. So we need to allow access for all of them.
Frank
Yes.
Eric
And that's when people start calling us because they don't know what the F is going on anymore.
Corey
Yep.
Derek
And, and this is a sucky part about cybersecurity is that RMM tools were, were created to solve problems and they do. And then bad guys come along and they just mess it all up. And now we have to do all this other stuff to keep our cool tools from being hijacked and used for badness. And it sucks.
Hannah
Listen, Was that Ramsey?
Alex
Part of the problem actually falls on the MSP MSSP side because they all use the same damn tools. And what they wind up doing is they rebrand them. And then the security team goes ahead and I've run into this at a place I worked at, goes ahead and says, what tool are you using? So that way we can make sure that we are being safe. And they say, sorry, it's our secret sauce. We're not telling you anything. We're safe. We're this, we're that, we're the other thing. And we're sitting there going, well, we're not letting you in. The second that they go ahead and run something, all of a sudden nowadays with the EDRs, you can see exactly what tool it is and you say, oh, this is the tool. No, we're not opening up this port and this port and this port because you say so. This tool only needs this, this and this. The RMMs don't, the, the MSSPs don't know what they actually need opened. So they throw everything at you.
Eric
Most of the time the msp, you know, this is going to get really, really ugly and really, really bad. So bring it, bring it. The content. The, the following statement is by me and nobody from Black hills. But most MSPs are just idiots. I'm sorry, they are. They don't mandate MFA or 2fa. They don't go through the vendors best security practices to secure the tools that they have in place. And then they become vulnerable and they're like, oh, the vendor didn't advise me. Come on, come. I mean, secure your own house. You want to yell at your clients about getting more secure doing cybersecurity training and doing this and doing that, but you're not willing to do it yourself. I mean we, at some point we need to start looking internally to the people who are using the technology data in day out and be like, you're to blame for all of this crap that's going on right now.
Derek
Wait a minute.
Eric
Thanks for kind of my tip.
Derek
People take ownership for their own screw ups.
Eric
Never ever. Let's blame the government for everything.
Frank
No, no, no. That's why lawyers exist.
Brian
All right, that's a great segue. Let's talk about Delta and CrowdStrike.
Frank
No, we talked about that last week. There's nothing.
Brian
No, there's juicy follow up. Corey, it's good stuff.
Frank
How is it real? All right, hit us with the juicy follow up.
Derek
Okay, but only if we talk to Disney afterwards.
Frank
Yeah, yeah, we gotta go ahead. Okay, got it.
Brian
So Just the quick TLDR for those of you who aren't following this like the Real Housewives of Atlanta, like I.
Frank
Am, which you should be because subscribe to Black Hills Infosec Talking about news podcast.
Brian
Anyway, so Delta has filed a suit against CrowdStrike for at least $500 million in immediate losses as well as punitive damages for the CrowdStrike incident that happened in of 2024. And listen to what I'm saying carefully because it matters. Delta filed it in a state court. CrowdStrike filed a countersuit in federal court against Delta saying that Delta has a limitation of liability and an exclusion of consequential damages. And the reason why I'm bringing this up, Corey, because it's very interesting. One of CrowdStrike's tactics in this is to say that Delta hasn't followed good cybersecurity hygie and what the CrowdStrike attorneys pulled out was and I didn't know this either, it was kind of interesting. So the Transportation Safety Oversight Board is what oversees TSA at airports. They actually came out with an order that says TSA has the ability to determine implementation of critical cybersecurity mitigation measures and TSA has the ability to exercise emergency regulation authority. Excuse me, emergency regulatory authority. And basically what counter strike or CrowdStrike is saying is that Delta didn't even follow TSA and the Transportation Safety Oversights Board's basic minimum standards for cybersecurity hygiene. And it's a. I have the filing if anybody's interested in reading it. But basically you mentioned a little earlier when we were talking about RMMs about network segmentation. One of the stipulations in the cybersecurity regulations is that those organizations that are providing national transportation needs like an airline like Delta has to develop network segmentation in the case of failed patches. So this Delta CrowdStrike lawsuit face off is getting more and more juicy.
Eric
Can I weigh in real quick?
Brian
Yes please.
Eric
Okay, so this goes right back to one of my other major gripes is self acitation. A lot of companies would go through and say yes, we're following 801. They nist 800171 and then they want to throw up their hands and be like oh we can't here to CMMC because it's such an uplift when it's only 13 extra controls. So we step back. But anyway about to this story, if you go in and read crowdstrike is also stating and I know because barricades we are a CrowdStrike partner, we use them inside and out in so many different ways. So I can tell you with 100 certainty, even our small organization was getting by calls twice a day from our account team. Hey, do you need anything? Hey, do you need anything? And in that article they quote CrowdStrike and Microsoft both reached out to Delta numerous times saying, hey, we have a team standing by. We could put boots on the ground to help you recover. They just threw up their hands. No, we got it, we got it.
Frank
You know, then no, no, they called an IBM that's. They actually did. They called an IBM to help.
Eric
Yeah. So I mean you have the vendor who in all intents and purposes caused the issue trying to do make it right when you look at your.
Frank
And they gave a 15 Uber Eats gift card. Get yourself a little slice of cake. That's good enough. All your systems are down. Here's a slice of cake.
Eric
Yeah, so.
Brian
So, Corey, let me follow up on something that you might like to riff on. In Delta's law lawsuit against CrowdStrike, they said that CrowdStrike intentionally created and exploited an unauthorized door to the Colonel.
Frank
I mean, that's going to be interesting for a judge to take a look at that because it is true. But the problem is that it's going to, it's going to hit up against the wall that every other like that is industry standard. That's what CrossFit is going to say. They're going to say all EDRs are in the kernel or at least all ones that are worth anything. So that's. It's not a. It's not like we had to. We did this because we had to. This is just what products of this caliber do. It's not like we did this specially and, you know, on our own volition without, you know, any reason for it. It's going to become, it's going to be necessary. I mean, I don't know. I think we should move on. This article is the same as it was last week. Basically, the CEO of Delta doesn't like the CEO of CrowdStrike. They don't go golfing together anymore. Let's move on.
Hannah
Yes. All right.
Corey
What you got?
Frank
Think boring hits I got. So, okay, let's talk about these Steeler takedowns. Or we could talk about Disney either or I want to talk about the Steeler takedown. So this has been something that comes up on the show quite often. Basically info stealers. We have blogs about it. We have, you know, we've talked about it ad nauseam. There's. I have an entire webcast where I was with flare and we talked about info stealers. But this one, redline is particularly one of the older ones that hasn't been taken down or hadn't been taken down until recently. So recently on, this article was published on October 29, but basically the red line seller was taken down. Obviously, we'll get into the details of why that is kind of not really true, but basically they, they found the creator who's a Russian national. They arrested or at least indicted that person, and then they also took down some central servers and I believe the Netherlands or something. And there's a separate article that we'll. We can talk about as well, that's basically opsec, the OPSEC failures of this person who developed it, including also the dating profile of the person who developed it. But I mean, basically the. For, for anyone that doesn't know this stealer, the redline stealer is definitely one of the more prolific ones. It's been out for a long time and it's been, it's caused a lot of damage. One of the tidbits from the article that kind of blew my mind is they say that it's infected hundreds of DoD systems. I'm like, who released that statistic? Like, who admitted to that? I don't know if that's like OSINT, they figured that out through OSINT, or if the DoD actually said, yeah, we're going after these people because they've infected hundreds of our systems. That's kind of awkward. But yeah, basically developer was a Russian national. As far as OPSEC failures, you can read the full article for the details, but basically they don't appear to have tried to use any OPSEC at all. And that kind of brings my question to the group is, if you're a Russian national making malware, do you need opsec or do you just do it like from your own real name? And like, who cares at that point, right? Do you even need opsec? I don't know.
Corey
I mean, there's also the point that it's like you're stealing all of this information, all of this data, and you still can't get a date.
Frank
Yeah, apparently bitcoins, that was a hard no. Aren't they don't impress the ladies. I don't know. But yeah, I mean, I will say this whole thing, the info stealer economy or whatever you want to call it, there are like hundreds of these things. The concept of taking down one of them is like saying, we took down this ransomware. It's like, okay, well guess what? Like there's lock bit 2.0, 3.0, 4.0, there's probably lock bit 19.0. The, you know, there the versions this software ends up getting open sourced, leaked, remixed and there's multiple other Steelers that I know of. Off the top of my head, there's the meta stealer. That one also has been like in law enforcement activity, but there's also, you know, Steel C or a bunch of other. Turns out the concept of running, you know, grabbing credentials and information from a system is not really a super hard to implement concept. We've built our own stealer at Black Hills. Lots of people have built Steelers, so not that big of a deal. However, I think the biggest other thing about the economy that's interesting is some of the customers that use this dealer also are under law enforcement attention within the Netherlands. So that's I guess good. But it does kind of get into that whole like info stealer economy. We'll see if this has any effect.
Corey
And for the info stealer economy, like I wanted to state just from like one of my experiences for like the vector that these things are getting in, most of the times when they land on the shores and I look at them, it's not through the phishing campaigns because most of the times those get blocked by a corporation. A lot of times I found that they are coming through because of cracked software on a personal machine. Like somebody's, you have an employee that they have their personal laptop could download some illicit software or some like cracked version of something and it gets infected. And we see it like when they bring it to the connect to the employer's WiFi, like the guest WiFi or VDI or.
Frank
Yeah, yep.
Corey
We see it beaconing out and we go, okay, so that, and that's something that is not in a lot of security awareness going like, hey, don't let your kids on your machines. Don't download this crack software is bad. You have the, don't click on things. You have all the phishing campaigns that are out there, but you might not have as many campaigns for, you know, hey, don't. If it's, if it's software that normally costs a lot of money and you're finding it somewhere for free, that's almost, almost 100% a trap. If you're going to wait, I can get Adobe Photoshop for free. Help me more. And you just tell me, well this.
Frank
This, yeah, that scenario I think is the biggest, I think that's the biggest like cause and effect we've seen with enterprises. Are the contractors like people who are, you know, brought in there are, you know, they're. Maybe they're offshore or who knows their details, but they need to use a certain software and you know, that becomes. And then of course, when those people are breached their credentials, they have credentials for 20 or 30 different companies, so.
Corey
Exactly.
Frank
Yeah. I don't know, I just thought that one was interesting. Finally some retribution for these, you know, people that have caused so much strife. I will say that the redline stealer has been packaged up in more ways than you could ever count. It's been used in every social engineering, every phishing campaign, every malware crack software, all that stuff. So it's definitely the big one. If there's one big one.
Brian
Corey, how many info stealers are you going to get in your Christmas stocking this year?
Frank
Ooh. I mean, all of them.
Brian
Well, it depends how naughty or nice you are, I think.
Frank
No, I'm a gray hat. That's unclear. So, okay, let's talk about Disney because this one ties up. It ties up an article that we talked about before, which I was shocked that they didn't mention this in the article. Let's talk about the article first and then we'll talk about the tie in to a previous article that we had talked about for Disney. But basically, does anyone want to brief this one so I can stop talking and save our audience some. Some sad times?
Corey
I mean, I read through this one and it was, you know, the Disney employee went through and Ex employed. Yeah, ex employed.
Derek
He had already been released and he still had released.
Frank
Is that the Disney term released?
Corey
His credentials have not been revoked though, so. His credentials have not been revoked, which is like the big thing. So again, if you're taking down all the PSAs from this, from this talk, starting with Netipod at the top and then all the way down to when somebody is. When somebody is. When somebody has terminated, remove their access. You can write that on your notepad too. But it's like, so what he had done is he had changed, it seems like he changed the name for like the font files so that like when it fetches like the fancy Disney font file, it's bringing up wingdings instead. So it breaks that the printed menus. He changed the QR codes on the printed menus to take it to a political site between Israel, Palestine, so it redirected there. And then also like, just as like the, you know, hacks that can ha. That can impact, you know, life is removing some of the allergen information from Magus and from information. So he did all that as kind of a disgruntled ex employee that still had access. And I'm really surprised that Disney, of all places, it was probably a third party.
Frank
You probably was probably a third party called like menu magic or something and no one thought about it. Okay, so to tie this back, I don't know if maybe Ryan can find the article, but Disney is currently under a lawsuit where someone went to their. It was like a Disney managed property, ate something with an allergen in it, and then actually unfortunately did die. And so the lawsuit is basically claiming that Disney gave this person assurances that there was no allergens of this type in the food, and then there actually were and the person ended up passing away. But my thing is, it would be really interesting the more, you know, this isn't what happened, but it'd be more interesting if like, the person got into like a big disagreement with Disney over that lawsuit and then like, said, like, well, screw it, then I'm gonna like, put you on blast for this like, menu allergen stuff. But sadly, no, it was just someone being disgruntled. But.
Eric
Or was that the same story where Disney tried to dismiss everything and put everything through arbitration because they were a member or signed up for trial?
Frank
Disney, they were a subscriber to Disney plus.
Eric
I was trying to make sure it was part of the same ecosystem. Okay. Okay, I'm tracking.
Frank
Yes, it was an absolutely insane.
Hannah
Agreed to the agreement.
Frank
When they signed, it was an insane legal. I mean, I think it like they ended up. I. Yeah, they abandoned the effort. That's what this article says. So I'm glad that confirms what I remember. Basically the angle that the lawyers tried to pull, or should I call them the mousers? I don't really know what to call them. Basically they. They tried to claim because this person who unfortunately died was a Disney subscriber, that they had to agree to arbitration, which they ended up giving up on that. So the lawsuit is going forward for real. But yeah, I don't know. Just two weird articles that aren't actually tied together whatsoever, but in my opinion just fit right together in my brain.
Brian
So would an insider threat program address manipulating fonts like that? Probably not. But it makes me wonder really what his beef was with Disney. To target allergens, knowing that you're really going to potentially hurt somebody else is really mean.
Frank
I feel like that was potentially not the intention. I feel like the intention was break things. And the allergens are. Disney's angle of this is why what you did is bad. That's my take, that's my personal take. And as far as why that's what they went for, I'm guessing that's all they had access to. Let me tell you how it works from an adversary perspective and this is exactly how it works from an insider threat perspective. When I get in trouble for when I, when people are trying to lock down my access to a company, whatever I have left that still refreshes and works, I'm going to try to use it for evil purposes. That's the exact same thing an insider threat would do, right? Like when we compromise an account, we launch every single octa or whatever M365 session, every single app they can get to. We will launch some of those apps inevitably will have way longer timeouts than everything else or will have separate credentials or things. I'm guessing that was the scenario here where like this user, their domain account had been locked, their Okta was reset or their Microsoft was reset, all their sessions are reset. But either they had a separate login to this menu application or they had a long live session time in timeout. So yeah, basically add I'm sure Disney now has in their off boarding procedures or I didn't see any fun recommendations for what Disney would call firing but whatever Disney would call firing their, you know, document that says what to do definitely includes check if the user had any third party applications such as Menu Magic or whatever. I just made that up. It doesn't really exist but.
Derek
Yeah, well, but you're hitting on a key critical point Corey, and that is that all of these malicious actors, they're opportunists. If they can get their grubby paws on something, they're going to and it's unless it's something that is targeted and has a specific financial objective in mind. I mean look, look at when, when people's websites get hacked it's all about what could they grab onto and mangle. And it's just. Yeah, like Kelly said, it's mean.
Frank
Totally. Yeah. I mean that's what disgruntled employees are trying to do, be mean. That is exactly their goal. I will say though, to wrap it up. If you're considering being a disgruntled employee yourself would not recommend this person's facing what up to 15 years in prison or something.
Eric
The legal ramifications of people actually getting hurt because of the allergies, they're going to have some criminal charges for potential manslaughter or aggravator to sold or whatever they may throw at this individual, it's going to be very, very bad. So please think to your consequences before you do your actions. Just because you could do something doesn't mean you should.
Frank
Maybe just go get drunk with your friends. Come on normal, do something. You could do something stupid, just make it self destructive.
Derek
Friends. Corey, you're assuming they have friends.
Frank
Okay, get drunk to the point where you think you have friends. I don't.
Brian
Let me just clarify something real quick though, Eric. That particular situation we've been talking about was filed under the Computer Fraud and Abuse act and it's not manslaughter. The Computer Fraud and Abuse act says harm to a person up to $5,000 worth of damage. So the point that makes me feel sad is apparently according to the Computer Fraud and Abuse Act, a person's life is only worth $5,000.
Eric
Well, I think it says up to 5,000. That's so what I'm going to push back. And this again, I'm not or I say it many times. I'm not a lawyer, but I did stay at a Holiday Inn Express last night. I think that's where you know when your charges are elevated. So like hypothetically, let's say, you know, let's just take the, the larceny, whether you have petty larceny or grand larceny because of that certain dollar amount. So I'm going to assume assumption being the mother of all evil that you know, that 5,000 is, you know you're here or if it's more than you actually lost a life or something like that, then it gets elevated. In that sort of scenario that I'm hypothetical scenario that I'm putting out there, what I'm assuming is going to happen. So we'll have to see where it comes out at the end. But I wouldn't say they limited a life at 5,000. I just think the statutory limitations of said claim is at that $5,000 before it goes on to the more sever charges.
Frank
I think they would be charged with more had they actually caused impact to human life. But it sounds like in this scenario they're not able to be charged with this. Also, just to run through some of the chat GPT recommendations for firing, here's the options you have magically, magically unimagineered, which is hard to say. You have taking a permanent leave, journeying to the unemployed kingdom that might.
Brian
These are bad movies.
Frank
Journey to the unemployed kingdom is so funny. All right, I'm gonna go.
Derek
I like wishing on a star for a new job.
Frank
Happily ever after somewhere else all right, moving on. What else?
Brian
Okay, I've got another one you're gonna find boring, but I think it's important to bring up. Let's talk about hippo.
Gina
I'm captivated.
Frank
Let's talk about hippos. Is it a baby hippo? Those things are so cute.
Hannah
They are dangerous, though. Even the baby.
Frank
They are dangerous if you're president.
Derek
I always give way to things that have more mass than me. Always.
Frank
All right, tell us about hippos.
Brian
Let's talk about HIPAA and risk assessments. So ocr, the office that actually sets about. So Health and Human Services is managed by ocr. Ocr, Actually not. You got me all worked up. I can't even think straight.
Derek
Breathe, Kelly, breathe.
Brian
There was the first financial fine to an organization, an ambulance service, for not actually doing a risk assessment against ephi. And I find this really sort of interesting because HIPAA is old. It's been around for a long time. We're talking about Computer Fraud and Abuse Act a little earlier. HIP is almost as old, if not maybe slightly younger. But we've been telling people to do risk assessments on data for years and years and years. And finally, we're getting some teeth in the regulation. Now, granted, it wasn't a very big fine. And usually when it comes to federal regulations and regulators, you don't admit that you've done something wrong. They give you a fine. You admit that you'll improve your proof program and you move on from there. But I just kind of want to bring this to your attention. If you're not doing risk assessments regularly, regardless if you're in healthcare or not, maybe 20, 25, instead of losing weight and eating better, you should do a risk assessment instead.
Frank
Totally. And the HIPAA requirement for risk assessment is not that high. It like. Right, Kelly? Like you don't have to actually get a real pen test. You can just do a controls assessment or something. Right. Like you can. You don't have to go crazy with it. Right. It can be low cost, easy. Right.
Brian
That was some dangerous ground there, Corey. What do you mean by a real pen test versus a fake pen test?
Eric
Hiring Black Hills versus running a scanner tool.
Brian
Okay.
Frank
Yeah. Or filling out a spreadsheet versus having packets at your network lately.
Corey
You're good.
Frank
Exactly. Yeah. I mean, that's. That's. Yeah. It's not hard. It shouldn't be hard.
Eric
I want to throw this one back a little bit to you. Have you looked at the total revenue for this county? Because 90,000 seems pretty low for a county to pay out. And I pretty much would go out on a lend to say it's probably less or right about their 10% that, that the requirement is. So until it actually has a real impact against that county, like financially, they're not going to change. They're just like, yeah, we'll do better.
Frank
Actually, I actually disagree with that because I think the CISO looks at it and says why did we have to pay this? Or maybe not the ciso, but cto, whatever. Some executive looks at it and says, yes, it's only $90,000, but this is still money. We didn't have to spend like that. It's, it's unnecessary. I feel like it's one of those things. It's kind of like a fee. Can people like a parking ticket or something. If I got a parking ticket, I'd be way more upset than just because I had to deal with it than I would just paying the parking ticket. You know what I mean? I don't know.
Brian
Again, you're both right.
Eric
Yeah, the 90,000 I think may be a lot less than it would be to actually for them to implement it. So there's like, okay, either we can pay 150, 200k to fix all this crap that we're doing, or we'll just pay the 90,000 and move on and probably be still fine for another couple of years until we get hit again.
Brian
I mean, the other, the other gotcha in that article isn't just the 90,000. Not only do they have to pay the money, but they're under a corrective action plan which means they're monitored by OCR for the next three years. That usually means they have to hire an outside consultant to come in and manage their corrective action plan. That gets expensive.
Frank
Wow.
Eric
So managed. Sorry.
Brian
Yeah, no, I mean, so I've got a friend who, you remember Facebook also had a regulatory action against them and They've got a 20 year compliance plan. That's his whole job is submitting compliance reports to FTC on behalf of Facebook. So it may not necessarily be defined. It's the follow up corrective action. So not only do you may have to hire an outside consultant, now a certain percentage of your full time staff members are, are following up and reporting to an outside agency. And if you've ever been in that position, it is very time consuming. You've got to dot your eyes, cross your T's and you're not doing the business of your business. You're not making widgets or having a magical experience or whatever it is you do for your Business.
Eric
Something tells me and I could be completely wrong here. Well, I wasn't expecting to be big. Sorry. Someone's telling me that the managing the remediation process, when I'm thinking back on my cases that we've worked recently, is a very loose term. You know, us emailing our point of contact for a case for remediation and they don't implement whatever or fix whatever we're trying to get done to bring them back up to a certain standard is technically managing. We're managing to notify them, hey, you need to fix this. Hey, you need to fix this. So I guess, you know, you know, I guess the follow up to you and because of my lack of knowledge, just because you have someone managing, is there a follow up meeting with OCR saying, yep, we managed it, they improved by this metric amount, things of that nature. And they're like, okay, we forgive you of this infraction type of thing. So I'm like, what's the post op look like for ocr? Because that's the one thing I've never seen.
Brian
There's no forgiveness. This is not the Catholic Church here.
Derek
They only forgave for a price. Anyway.
Frank
Don'T crash your ambulance next time. All right?
Brian
Anyway, you're locked into that corrective action plan and perhaps I hear your point, Eric, that from a technical point of view, maybe it is just a small meeting or an email, but you also have attorneys involved and the attorneys are crafting their response. You have maybe a compliance person who's involved if there's a third party. So it's your time multiplied by other people's times and at that point, 1 plus 1 equals 10, that's that math.
Frank
Got it. If anyone's curious, ChatGPT did the math on that one. But basically the beginning, the cash balance. So this company or this I found online, there's a PDF because it's a public entity, but I found some random public report that basically says they're, you know, beginning cash balance for July 1st was 1.1 million. Their ending cash balance is 1.5 million. Like they're a pretty small entity. They're collecting a total of two to three million dollars a month in income. I guess that's not tiny, but 90,000 is still a sizable chunk of money for someone at that scale. I think they probably have pretty thin margins. Can we talk about.
Hannah
Anyway, another one I got. This one's going to be a short one. This one is the security researchers find zero day zero click bug in the Synology photos app.
Frank
Synology are actually developed by APTS to get footholds on your home network.
Derek
If you ask me, it sure seems that way sometimes.
Hannah
Yeah. The two things I just wanted to hit on is that this is not the first nor the last time. Neither a Synology or some other kind of like self hosted application is going to fall victim or be discovered that there's a zero click vulnerability or some other way to totally compromise that these.
Frank
Things are botnets waiting to happen.
Hannah
Yes, but my, my remediation here is not to necessarily go throw them all away and say that they're all junk or that we don't need them but. But to think about how you use this device for a lot of people. This photos app is maybe getting shared with a couple people. So just putting it behind a VPN is probably a really great step and you should think about that. In all of the security of any.
Frank
Kind of public facing device. Right.
Hannah
Does it need to be consumed by any random person on the Internet or does it just need to be consumed by my company internally then I don't need it on the Internet. Internet, right. Yes, totally. Just thinking about these things when you're deploying them for yourself or for whoever. Right. Can really help avoid the risk that is inherent with having anything publicly exposed on the Internet.
Frank
Yeah, I mean I think that like a lot of these devices are marketed as like cloud in your house and it's like turns out cloud does have to be secured. You can't just put it in your house. Like it's, you know. I don't know. Yeah, you're right. I mean basically my opinion on these kinds of things is any product like this that's sold without auto updates is not worth buying. Like when people come to me in my personal life and say hey, I'm looking at purchasing a router or you know, something like this, I always say I don't know, I don't have personal opinions on this. Although use true nas but you know, the like whatever it is, as long as it automatically updates its own firmware without you having to do anything, it's fine. Like you know I, I do think that's a key thing to have.
Hannah
Yeah, it is. It is interesting though. Whenever you think about how these things are developed or whatever and you know, it's not just Synology, it's the Palo Altos, it's Sophos, it's all these large products that create firewalls or any kind of endpoint device. Right. Or like you know, perimeter facing device.
Frank
Yep. Anything that has UPNP enabled.
Hannah
Yes. Exactly. And you know, some bad decisions are made. But, but if you're thinking about how do I secure this thing because I still need a firewall or whatever that device is, just think about how it's going to be used and maybe its purpose isn't necessarily going to be available to everybody. Right. So configuring the least likely to expose yourself to the whole Internet because if you look at all the different countries and everyone are scanning all the time. So if you're the only one using it, these that really need to be open to everybody. So yeah, just something to think about.
Frank
What if I bring Russia and I want to access my photos?
Hannah
Yeah, that's exactly.
Gina
I want to bring this back to an elementary angle actually in the article that articulates a zero click vulnerability, something that a lot of people that have been listening to the news or other podcasts really haven't been hearing a lot about. I know for me in the last year that's something not heavily talked about, that, you know, the name kind of says it. You know, the end user doesn't have to click something for this vulnerability to be exploited or leveraged. So Kaspersky, just in a quick Google search, what's a zero click vulnerability? Basically a zero click hack exploits flaws in the device making use of the data verification loophole, basically saying the vulnerability is there whether you're seeing it or not, whether you're activating it or not. So anybody who's a C suite executive that might come across this or if this ever gets clipped into like a, a short for any sort of social media. It's also important to acknowledge that just because you're not engaging to have that vulnerability like be exploited, that doesn't mean that it doesn't exist. It's there, which is why you have a cybersecurity division in the first place.
Frank
Anyone that lives at. Yeah, I mean we can also talk about, you know, byod, home office, small office thing. Right. Like does anyone remember the Cisco compromise from a long time ago that was all started from someone's play server that got popped? The last one I remember, I don't know, it was a couple of years ago. Basically people's home devices, people's home networks are in scope for a lot of corporate networks. This is part of the third party risk picture. You have Synology, NAS on your home network, your work computers on your home network. The botnet angle, meaning the attackers are just taking control of it so they can send spam or whatever is a common one. But also sometimes they'll Go after.
Corey
They'll.
Frank
They'll do basic reconnaissance on the network and say, hey, you know, there's other devices here. Maybe there's vulnerable protocols or other vulnerable devices. Go after those, and then maybe we actually get somewhere useful. That's happened and it's led to compromises of large companies. What is next? Did anyone keep track of that? Sophos 1. I mean, that's kind of on the same vein of, like, backdooring things.
Hannah
So it says that they were, like, pretty much fighting back against. From what. From what I could tell in this article, they were fighting back against Chinese attackers. Right. And so they were. It sounded like they were putting malware on the devices so that they could track when they were getting attacked. It was kind of interesting.
Frank
Yeah, I mean, this is kind of an interesting angle. It's like, sir, they keep hacking our devices. How are they doing it? Like, actually following the rabbit hole down for five years on how they were doing it. Like, figuring out how the supply chain, how are they acquiring the devices, how are they exploiting them? I mean, talk about threat intel. If you're actually on the development environment of Chinese hackers trying to see what exploits they're developing against your product, I mean, that's pretty cool. I will say. I do think that's, like. I don't know if this is standard or if this is standout. I think. I've never heard of this at least, so it must be. I don't know if it's, like, secret and normal, but I think this is pretty cool to be like. Like installing backdoors on your own devices, shipping them to China, or like, let's make an ebay listing and for, like. It's an interesting angle, though. Yeah. Read the whole blog post, if you're curious.
Hannah
Yeah, it's kind of.
Frank
Is that unethical? Imagine if you buy a Sophos firewall on ebay. They thought they were selling it to China. You're just a guy, and they're monitoring all the stuff you're doing.
Hannah
Well, then you're not going to be hacking it. So it will. It will be quickly marked off, as, you know.
Frank
You don't know that. What if I run a little. What if I run a little, you know, I run a little nuclei scan against my firewall. Am I in trouble?
Hannah
Well, no, I. I fixed that. It was a little bit lower level than that.
Frank
So what if I want to change the. What if I want to get a free license? I don't.
Hannah
Yeah, yeah, no, they'd be like, well, that's a problem, but it's not our problem.
Frank
Them. Yeah. No. I don't know. All right, next article.
Hannah
What else? What else we got? Anyone else?
Derek
Microsoft is asking $30 if you want to delay switching to Windows 11. They're getting into the ransomware game.
Hannah
They've always been in the ransomware game. That's the thing.
Derek
That's true. That's true.
Alex
A one year extension, $30.
Hannah
That's for the security updates, right?
Frank
Yeah.
Eric
That's extended support.
Frank
That might be the cheapest extended support contract I've ever seen. That's pretty solid actually.
Hannah
I'm in. I'm all in. Especially that chipset.
Brian
Why would Microsoft do this?
Frank
So they can make more money. Carrot and the stick at the same time.
Brian
Yeah, I, I agree.
Derek
There's a reason why wouldn't cry. Maybe there's been hue and cry over the fact that so many systems can't run Windows 11. Like none of the hardware that I have in my household is capable of running Windows 11. And some of it isn't that old.
Frank
Well, looks like you're gonna have to pay $30.
Corey
Yeah.
Brian
I think it's a Democratic conspiracy. They kept the price down because, you know, we've got an election coming up tomorrow and if we lower the price of Microsoft licensing then the Democrats win.
Derek
Is that how it works?
Alex
I think the one thing that we're all missing on this is that this is not aimed at corporate. This is for home users.
Hannah
Yeah.
Alex
That is your mom and pops, your kids that are playing their video games.
Frank
Yeah. And definitely don't know how to get. They definitely don't know how to get this.
Alex
How often do home people, the everyday average Joe going to go ahead and update their systems? Even if Microsoft says you need to update your system so that way you can run Windows 11, what are the odds of them doing that? Especially with the way the economy's been for a lot of smaller people nowadays.
Frank
Increasing paying $30 to continue.
Hannah
I think it's just the gas traffic.
Alex
$30 for a year versus a thousand five hundred to one thousand dollars for a new computer.
Frank
Yeah. Yeah. But they don't see it that way. The option, the default option is do nothing thing.
Hannah
You don't even need security updates. I mean like I'm just a guy at home, you know.
Frank
Correct. Why would I need security updates? I'm just a guy trying to get on my malware websites and download crack software. I don't need updates.
Hannah
I mean, I will say this.
Frank
I think this is an interesting game to play because Microsoft in the past when they've been backed into a corner between patch it or let it get hacked, they've always chosen patch it. Like Windows Server 2003 when all the eternal blue stuff came out and all that, they patched it even though it was unsupported. It was, you know, was like totally like in the process.
Derek
CYA move. That was a CYA.
Frank
What is this? How many Windows 10 computers do you think there are? Probably 20 million or billions.
Derek
Probably billions and billions.
Frank
I mean I get it, but they.
Hannah
Could just be like well we told them like we told them and they got hacked. I don't know what like, you know.
Frank
That'S what I'm saying, that's what I'm right.
Derek
But by doing the $30, they have one guaranteed an opportunity for additional revenue stream that they might not get.
Hannah
I think they're trying to test out to see if it's worth so that's.
Derek
That'S 1, 2 now they have plausible deniability. Hey, we warned you this was coming. We even gave you an opportunity to protect your systems for another year. All you had to do was cough up $30. So if, if Joe Blow homeowner decided that he didn't want to update his computer and pay the $30, well that's not our fault. We gave them the opportunity. Total CYA move.
Frank
Ever gonna sue Microsoft? I don't know. I, I, I, I think it's deep podcast. I actually do think this is the most neutral way to handle this problem and I actually kind of, I think it's cool to be honest because for the people that don't know and don't care, it'll have zero impact on them. They won't get the updates and they won't care for the people who are take my Windows 10 from my cold dead hands. Why? I don't know why but these people exist. They can pay the $30 and continue to use Windows 10. And for everyone else they already upgraded to Windows 11 so they don't care. I think it's actually like and obviously it does cost Microsoft money to support legacy operating systems. That's not rocket science to understand. You know keeping these things teams, probably large teams of people running is not cheap. Will they make very much money from this though? Probably not. I got another take.
Brian
They're using it to crowdfund an upgrade of Microsoft Teams.
Hannah
Make it better.
Alex
I, I've got, I've got another take. They're using it to go ahead and get people ready to go to prove that the co pilot PCs are worthwhile getting so they need a little extra time to go ahead and get through that. With how complaints have been going on.
Hannah
About my Mac into a copilot PC. I just record my screen all the time.
Frank
That's called. That's my. Hey, dude. That's called being a twitch streamer. That's called being a twitch streamer. You're confused.
Hannah
No privacy.
Frank
There's no need.
Eric
This may honestly be Microsoft's attempt to really go after the SaaS platform for the home user. I mean, I know you got the365 tenancy where you could be able to do all that, but for the OS itself, instead of doing the one license cost for, you know, then your own license, they're going to try to migrate this over to a SaaS offering for the OS operate system itself. And I think this may be the introductory of that. So if they can get more people to get extended license buy in, then they may be able to pivot that to the OS itself for the home user. It's my thought.
Frank
Yeah, I mean that's, you know, I think that's true. I mean, I genuinely have no understanding of how Windows licensing works. All my Windows computers say activate Windows at the bottom. Right. So I don't know. But I don't know how to make that go away. And I've tried. I have license keys. I'm doing my best here.
Derek
The thing that cracks me up too is that we're going backwards. I remember mainframe systems, I remember thin clients and dumb terminals and all of this software as a service platform. As a service. I'm sorry, we're going backwards. Didn't.
Frank
No, I actually.
Derek
Yeah, well, it feels that way for us old folks.
Frank
I don't know. I don't think we're going backwards. I think $30 is a far cry from having to buy some legacy. You know, they were in the olden days. You would have had to pay 10x for this. I'm sure there are companies who have. I don't know what the numbers actually are, but I bet you the amount of money that companies have paid to Microsoft for extended support licenses has to be in the billions. Like it has to be. But anyway, let's move on.
Hannah
You can get a license forever. You just got to subscribe to Office365.
Frank
I do think also as an end.
Derek
User, it's Microsoft 365.
Frank
Yeah. As an end user, I think it's software as a. Software as a. If I have to type in a license key, I'm already out. What am I doing? Just let me pay for it. Go away. Stop asking. And I will say, every time I log into a Microsoft 365 account on my Activate Windows computers, which I have like 50 of, they're always like, oh, okay, no problem. We're happy now. I'm like, okay, I don't know what I did, but thank you. Is there any voting security stuff?
Hannah
No, I was gonna bring that. I was gonna bring that up. I didn't notice really any like, election security stuff this year?
Frank
Someone linked one in the chat and I'm not scrolling past all the memes to get back to it.
Derek
I'm being cheated.
Eric
I mean, I've seen people where the screen doesn't work, just all the. But has anybody followed the owned Oppone and all these other hacking conventions that. That were able to literally destroy these voting machines and they said that, oh, we can't fix it in time. And this was like years ago.
Frank
Yeah, I mean, the hacking the voting machine village was a thing at like DEFCON 2020 or like, you know, it's been a thing forever. Yeah. Is anything actually happening from it? Maybe not.
Eric
I don't think so.
Frank
Yeah, I will say, like, to kind of like put a T on it. One of the articles we already had in our list and someone just linked it in the chat as well, is that apparently Colorado voting machine passwords ended up in a spreadsheet on the Internet. They are, they are bios passwords and the spreadsheet was pasted or posted to their website. I guess no one would ever have physical access to a voting machine. Right. It's not like that happens tomorrow or anything. What are you doing in there? Oh, sorry. I'm rebooting the voting machine and getting into the bios.
Hannah
So I think it's interesting, like the voting machine attacks because they require physical access most of the time. Right. And they are definitely possible. And there have been null attacks, so on and so forth. Right. What we haven't seen though is them doing it at scale or causing some sufficient change in the results. Right. At least not that we've seen. No one's been able to come out with that. So it is kind of interesting. I think it's something that we could. Should continue to look at and look into attack. Right. But you know, there are other machines out there. Have you guys heard them? ATMs, they're also vulnerable to the same thing. Seems like might be more useful to have spit out money than get one extra vote. So.
Frank
Yeah. Yeah, I kind of feel the same way. Like, I don't know, I know that, you know, not to get political, but we know that this. I don't know how this is going to go tomorrow, how much people are going to cry foul and how much is going to be. How much drama there's going to be. But I agree with Ralph that, like, as a target, they're just, you're, you're fighting a losing battle. All millions, hundreds of millions of people are going to vote tomorrow. And, you know, blowing up 10 of them is not going to probably make a meaningful change in 99% of the country. Like, there might be one county in Iowa or whatever where it matters. Exactly. But like, like, you know, 99% of the country, like around where I live, which is a very blue area, people were like, blowing up or, like lighting voter drop boxes on fire or whatever. It's like, it's like, what is this gonna do? Like, first of all, it's raining. This isn't gonna stay. Like, it's not gonna stay on fire. Second of all, like, it's what, you're gonna wipe out, like, 30 votes that were already, you know, kind of. I don't know. It is like, don't get me wrong. I'm not saying it doesn't matter. I'm just saying, like, from a threat vector perspective, it's more about, you know, drama and causing news articles and, you know, clippable moments than it is actually influencing an election, in my opinion. But anyway, we should.
Derek
Yeah, it's that. What can they get access to if they can't? They don't know how to access things at scale. Hey, there's a Mail Dropbox. Hey, you got nothing better to do on a Saturday night? I'm going to go firebomb a bunch.
Frank
Yes, totally.
Hannah
I could break into any building. All I have to do is drive my car through the front door. But that's not.
Derek
Ralph.
Frank
Hold on, Ralph. There's a pen test finding for that. Insufficient bollards, critical severity.
Eric
Anyway, is this the one industry where technology has caused a bigger detriment to than any other industry in terms of not. You know, I'm an old. But I remember within like 24 hours of all the polls closing, we knew who the election winner was. And now that we have voting machines and all this other trash, it seems like we're waiting weeks and months, potentially in some states, to know who the f the winner is.
Frank
Yeah, I mean, I mean, I kind of agree. My state does only mail in ballots, all paper. And it's fine. I've never used a voting machine. I Don't need a voting machine. I just used my pen and paper like Scantron when I was a kid in school. I'm sure all those are just fed into a machine. It works. I mean, there are machines, but they're not accessible to end users. I don't know. I think it's just the automation. You do need some computer at some point to tabulate the results. Right. Like manually counting all those night of.
Hannah
Right. And not like three weeks later. Which by the way, the three weeks later mostly is because of how close it's been. Right. And then the fact you have to recount 900 times. Yeah, well, that's Right.
Alex
Not just that. It's. It's not just that. It is the mail in ballots. It's the states that don't allow them to open them up in advance. They've got millions of votes per state that are coming in from early voting or mail in voting. And there are a bunch of states like Wisconsin that can't open those ballots until the day of the election themselves.
Corey
Oh yeah, I'm in that area. I hate that door. I'm like, I did this early. When are they going to be shown? And it's like starting 7am tomorrow. I'm like, well, that's.
Derek
Mine's already been counted.
Hannah
Absolutely.
Corey
Comes down to like 80 votes.
Frank
So yeah, I will say every time they recount they have to post another password to that spreadsheet. It's really inconvenient. All right, I say we close it out. Everyone, if you're listening and you haven't already voted, go vote tomorrow or whatever. And yeah, I won't be here next week. But thanks everyone for coming. Thanks everyone for listening. Get a pen test, Get a sock. Get whatever Eric sells.
Derek
I don't know, get an anti sock.
Frank
This is awesome. Get you, get you some Eric. Have him. Yeah. Bye. Bye.
Hannah
All right. Bye, guys.
Frank
Bye.
Derek
Bye.
Alex
That's.
Podcast Summary: "Talkin' About [Infosec] News, Powered by Black Hills Information Security"
Episode: 2024-11-04 - The Grey Times
Release Date: November 6, 2024
In this episode of "Talkin' About [Infosec] News," the Black Hills Information Security team delves into a variety of cybersecurity topics, ranging from recent phishing tactics to significant legal battles in the industry. The hosts—Alex, Brian, Corey, Derek, Frank, Hannah, Gina, and Eric—engage in lively discussions, sharing insights, experiences, and expert opinions on the latest developments in the infosec landscape.
Timestamp: [00:30] - [08:56]
The episode kicks off with a conversation about a novel phishing tactic involving Remote Desktop Protocol (RDP) files. Brian introduces the topic by highlighting the resurgence of RDP-related security issues, exacerbated by recent natural disasters affecting the Gulf Coast.
Notable Quote:
Corey explains the functionality of a neti pot, likening it humorously to mummification, which segues into a broader discussion about RDP security. Frank emphasizes the importance of blocking RDP files to prevent unauthorized access:
Notable Quote:
The team underscores the persistent vulnerability of RDP across organizations and shares strategies to mitigate associated risks, such as disabling inbound RDP files and employing breach attack simulation tools.
Timestamp: [16:51] - [21:18]
A significant portion of the discussion centers around the legal confrontation between Delta Air Lines and CrowdStrike. Brian provides a detailed overview of Delta's lawsuit against CrowdStrike, alleging at least $500 million in losses due to a cybersecurity incident.
Notable Quote:
CrowdStrike countersues in federal court, arguing that Delta failed to adhere to critical cybersecurity hygiene standards set by the Transportation Safety Oversight Board (TSO). Eric and Frank debate the implications of such legal actions, highlighting the complexities of proving negligence and the defense CrowdStrike might employ regarding industry-standard practices.
Notable Quote:
The hosts analyze how this lawsuit could set precedents for future cyber-related legal battles and the responsibilities of cybersecurity firms in preventing breaches.
Timestamp: [22:06] - [28:10]
Corey brings attention to the recent takedown of the RedLine stealer, one of the more notorious info stealers in circulation. The team discusses the implications of law enforcement actions against malware developers, particularly focusing on the arrest of a Russian national responsible for RedLine.
Notable Quote:
Frank remarks on the perpetual cat-and-mouse game between cybersecurity professionals and threat actors, noting that dismantling one stealer often leads to the emergence of others.
Notable Quote:
The discussion highlights the resilience of the info stealer market and the ongoing challenges in completely eradicating such threats.
Timestamp: [28:10] - [35:00]
The hosts shift focus to a security incident involving a Disney employee who, after termination, exploited lingering access privileges to manipulate internal systems. Corey details how the disgruntled ex-employee altered font files and QR codes, disrupting operations and redirecting customers to unintended websites.
Notable Quote:
Frank and Eric discuss the broader implications of insider threats, emphasizing the necessity of comprehensive offboarding procedures to revoke all access rights promptly.
Notable Quote:
The conversation underscores the critical importance of internal security measures to prevent former employees from causing harm.
Timestamp: [37:20] - [52:13]
Hannah introduces a topic about a newly discovered zero-click vulnerability in Synology's Photos app. This vulnerability allows attackers to exploit devices without any user interaction, posing significant security risks.
Notable Quote:
The team discusses the ramifications of such vulnerabilities, especially in self-hosted applications, and shares best practices for securing devices exposed to the internet, such as employing VPNs and ensuring automatic firmware updates.
Notable Quote:
They also touch upon the ethical considerations of device manufacturers and the responsibilities of users in maintaining device security.
Timestamp: [52:20] - [59:50]
The conversation turns to Microsoft's recent policy change requiring users to pay $30 for an extended support period to continue receiving security updates for Windows 10 beyond its official end-of-support date.
Notable Quote:
Frank humorously critiques the fee structure, comparing it to previous extended support licensing costs and pondering Microsoft's motives behind this decision.
Notable Quote:
The hosts debate whether this move is a monetization strategy or a practical approach to managing legacy systems, with considerations on user compliance and the potential impact on home users versus corporate environments.
Timestamp: [36:55] - [43:45]
Brian brings up a noteworthy development in healthcare cybersecurity: the first financial penalty imposed on an ambulance service for failing to conduct a proper risk assessment of electronic protected health information (ePHI) under HIPAA regulations.
Notable Quote:
The team discusses the significance of this fine as a wake-up call for organizations to prioritize regular risk assessments and the broader implications for compliance and data security in the healthcare sector.
Notable Quote:
Eric and Derek explore the potential long-term effects of such regulatory actions, including the increased burden on small organizations to maintain compliance and the role of corrective action plans imposed by regulators.
Timestamp: [45:09] - [66:19]
The episode concludes with a critical analysis of voting machine security, prompted by a report of leaked passwords for Colorado voting machines. Hannah explains the concept of zero-click vulnerabilities and their implications for the integrity of electoral systems.
Notable Quote:
Frank and Derek debate the practicality and impact of such vulnerabilities, questioning the effectiveness of attacks in altering election outcomes while emphasizing the importance of securing these critical systems.
Notable Quote:
The team underscores the ongoing challenges in safeguarding electoral infrastructure and the broader societal implications of cybersecurity vulnerabilities in voting systems.
Throughout the episode, the Black Hills Information Security team provides an in-depth exploration of pressing cybersecurity issues, combining technical expertise with real-world implications. From phishing tactics and insider threats to legal battles and systemic vulnerabilities, "The Grey Times" offers listeners a comprehensive overview of the current infosec landscape, underscored by engaging discussions and expert insights.
Disclaimer: The views and opinions expressed in this summary are based on the podcast transcript provided and do not necessarily reflect the official stance of Black Hills Information Security.