Loading summary
John
And that's the end of that story, man.
Daniel
Drink that much mad dog? 2020. Shucky story.
Corey
Before we went live.
John
Only Jews like me can drink that much.
Ryan
Yeah, yeah.
Daniel
Nothing but the finest bum wines for you, that's for sure.
John
Exactly.
Kelly
Repeat the part where you stole the raccoon.
John
You could repeat that, but I'll deny it.
Daniel
Yeah, yeah, a smart move. Smart move.
Wade
So did anything happen while we were in shutdown?
Corey
I don't know.
Ryan
I was shut down.
Daniel
Nothing I know of.
Alex
We didn't have music with that.
Mike
They pressed the big red button.
Corey
I was. Every year, I have, like, fingers crossed that, like, there's some, like, Y2K just blade by 20 some years that it's like everything just goes out. I'm like, all right, awesome. Like, ready to go.
Wade
I had coffee with Wade Wells. It was really fun.
Mike
Yeah.
Wade
Oh, is that a podcast?
Mike
It could be. That could be.
Kelly
I think a lot of.
Daniel
Yeah, a lot of ASMR sipping.
Wade
Hey, is Mr. Strand gonna join us?
Ryan
I. I think he's trying to, but we. We were already filled up.
Alex
2025, Corey.
Wade
Well, hey, I'm happy to drop if you need a spot for John.
Alex
Woohoo.
Kelly
Also drop. I just showed up to say let's just everyone leave and then let John do the show solo.
Mike
Oh, no. Just hide us all. Hide us all. Throw. Call him backstage and only have John on the show. Be like, john, Nobody showed up.
Wade
All right, Ryan, I'm dropping to see if we can get John on, okay?
Kelly
No, we need you, Kelly. We need. We have your problems. What you want to do is just throw your computer in the trash. That will solve all the problems. Just take the whole thing. Dumpster.
Mike
My wife's thinking about getting the cyber security, and I'm like, you should just go into grc. She's like, we don't know anybody in grc. And I'm like, you know Kelly? And she's like, oh, my God, I can do the same thing as Kelly. I'm like, yeah. She's like, all right, I'm in.
Wade
Your wife is way smarter than I am. She's a scientist.
Mike
Who knew. Scientist doesn't make money, right?
Kelly
Teachers, scientist. I know some scientists that make good money.
Mike
She's by. She's genetically engineering E. Coli to create byproducts and everyday product.
Alex
Oh, my.
Mike
So the E. Coli that she created creates nylon that goes into Lululemon. Leggings.
Daniel
No way.
Mike
Straight up.
Kelly
And there's no money in that. You're telling me turning bacteria into leggings isn't making Money.
Ryan
You got me. You got me walking.
Kelly
Yes.
Ryan
Leggings. And I'm just like, John, are you.
Kelly
Wearing Lululemon right now? Because a lot of older men tend to like those ABC pants, from what I've heard. No, no, no.
Ryan
I am.
Kelly
No.
Alex
The look on his face.
Kelly
I'm sorry for outing you, John, but I just. I knew that. Oh, he has. I guess he has to go.
Mike
No, he's about to get into a wider shot.
Ryan
Yes. No.
Kelly
I knew it. So, John, would you be surprised to learn Wade's wife made bacteria that somehow made that shirt exist?
Ryan
Oh, no, that. That completely checks out.
Kelly
Okay.
Ryan
I wouldn't be surprised by that. Not in the slightest. Actually.
Daniel
Makes absolute sense. I mean, sky's blue, water's wet. Wade's wife makes stuff that goes in Lululemon stuff. I mean, I. I don't know what you don't get.
Mike
Right?
Alex
Right.
Ryan
I did have to go San Diego or. Just so you know, because I did take my shirt off. And no one wants that shit.
Wade
No one wants that juicy first podcast of the year.
Ryan
You know? I don't know. I don't know where to go from now. Just a dead end.
Kelly
So, wait, are we. Are we changing anything? Are we. Let's change this podcast to something else for 2025. That's what everyone should do.
Ryan
Lululemon, synthetic podcast. Set up some challenges. So do I need to go down or up on my sound level?
Corey
Go up.
Ryan
All right. How's that?
Corey
Go up.
Kelly
Keep going those levels up.
Ryan
Is that better or worse?
Kelly
Go to 11.
Ryan
Wait, hold on. I bet, I bet, I bet. Ah. Ah. Oh. That better? I think I went down.
Wade
You look thinner.
Ryan
I do look thinner. Thank you.
Kelly
It's that Lululemon. It makes you look Lululemon.
Ryan
It sounds clearer, but your. Your volume's still low. All righty. Tighty, lefty, Lucy. How's that?
Alex
Hey, There you go.
Wade
Loud and clear.
Alex
Woo.
Ryan
So we got suggestions. 20, 25. Cory, one of them is John shirtless.
Daniel
No.
Wade
Yes.
Alex
Oh, my.
Ryan
It's not.
Kelly
I think.
Wade
Did it get warm in here?
Kelly
Yeah.
Ryan
For a long time at conferences, I would get to the conference floor, get to our booth, and just take off my shirt and put on one of the booth shirts. And I had one of the employees at the time say, I think I've seen you topless more than any boss I've ever had in my entire life.
Kelly
Well, John, so the problem is, we have to cancel our Lululemon sponsorship if you don't wear a shirt for the entire year.
Ryan
I just find it weird that I was wearing a Lululemon Jigar as it came out. Like, it's just the trifecta of. That's weird.
Mike
Very strange.
Kelly
Should we do the show? I guess.
Ryan
Let's do it. Oh, yeah, that means me. Sorry, it's my first time here.
Kelly
Like, oh, sorry. I was buying some stuff on Amazon.
Ryan
Hello, and welcome to the year 2025. It is the beginning of the apocalypse in it, where AI runs rampant on Facebook and act continue to happen in the exact same goddamn way that they've been happening in the past 25 years. I'm mad, I'm angry. And we're going to do predictions. Really bad predictions. In this episode of the brand new year of Infosec. Talking about news with Black Hills Information Security. Are we ready to jump in and talk about some juicy infosec stories? Because damn is our. Like, it's just stacked with stories. So many stories coming up.
Kelly
It's almost like we took three weeks off or two weeks off. It's kind of. There's some really.
Mike
There's some particularly good stories that don't happen every month. Right. Like.
Kelly
All right, Wade, what do you got?
Ryan
We've got to start with the treasury, though. I mean, that. I mean, I had family members calling me and all of that. Is it okay if we kick off with that one?
Kelly
Yeah, yeah.
Ryan
Ryan can find U.S. treasury hacked.
Corey
I'm getting there.
Ryan
And for those of you that don't know, the United States treasury was hacked, but they were hacked through Beyond Trust. And for those of you that don't know, Beyond Trust is literally an application service that you can buy that's designed to make sure that you don't get compromised through credentials. So it appears the Chinese got access to an exploit or somehow gained access to the Beyond Trust Council, which allows you to re. Like, change local account passwords to anything that is in the Beyond Trust identity and access management solution. And that's just what they did. Which I want to kind of open this up to everybody. Like. Like, seriously, I. I feel a little bit vindicated because I was teaching for years, still teach, and people ask me about these solutions. And a lot of times what I say is, yeah, it does make your life more difficult as pen testers. But, damn, it scares me to think of all of these eggs in one basket, because in the past, I actually broken into a couple of these identity and access management solutions for pen test, back when I was still doing it in the days of Cobalt Fortran and Turbo Pascal. And, yeah, once you get into this, you get into absolutely Everything. I do believe that it's a little bit better, I do, than not having solutions like this, but God damn, this is. Everyone's gotta be worried about this. So what does this mean? Where do we go from here? Why. Why do we have like double rainbows? Who wants to take it from here while I drink whatever the hell this is?
Kelly
What I want to know is, do you think Beyond Trust was using any desk for their remote support?
Ryan
I. I wouldn't be surprised. I don't know.
Kelly
What. Well, so the article kind of skirts around a little bit, but the hack happened through, you know, software as a service type stuff. Right? And I'm just kind of curious. Like I'm assuming this is the first party product and I'm also assuming it was info stealers because everyone just go ahead and check that off on your 2025 business. Just info Steelers day one.
Mike
You gave them that way too easy right off.
Kelly
It was, it was the free space.
Ryan
I'm sorry, it's the center square. It's the center square and bingo. It's a gimme. You just got it.
Kelly
So I would guess this is Exposed Credentials for Beyond Trust on Infosealer. Exposed credentials, someone taking advantage of it. I don't think it really means anything big for Beyond Trust. A lot of our clients use Beyond Trust. To be honest, it's pretty commonly used and turns out, yeah, if you have remote support, you got to secure that. Maybe even harder than your actual first party support. Right? Because RDP is always going to work every day of the week. But Beyond Trust, when it needs to work, it's probably important like for the crowdstrike blue screen. Like that's when you need that support as a third party stuff.
Wade
So I got a different take on it.
Ryan
Oh please.
Wade
Yeah, our friend Jake, Jake Williams was actually quoted and wired and I got to kind of agree with him. His. His take was it was a command injection vulnerability. And his call to action in the article was hey, you would expect something more from a company and a service that's Fedramp certified. So as the, you know, the person with the compliance hat on, I'm like, well, apparently Fedramp really doesn't mean anything.
Ryan
I.
Kelly
Well, it's a cool way to get your bike off the ground.
Ryan
I, I hate, I hate to disagree with my brother from another mother to expect more. And I know that Jake's being sarcastic, by the way, but good night everybody. Like we have more and more consolidation. I was just got done talking with one of our customers about Microsoft vulnerabilities and all these things that are happening in the cloud that Microsoft is flat out ignoring. So much so that things like this, I'm planning on giving a webcast here in the next couple of weeks. My predictions for 2025 are, you, here's all the shit we're going to continue to ignore. And I think that one of the things that we're absolutely.
Kelly
That's a Rantcast.
Ryan
It is a Rantcast.
Corey
Yeah.
Ryan
I'm right. Yeah. It's not a webcast. We're going to call them a Rantcast and we're just going to continue to ignore shit like this. Right. I, I, you know, we look at Kaseya, we look at all of these different breaches that we had of third party vendors. I think that we're just going to continue to ignore it. And I think that a lot of these vendors remember they first get their products set up. Right. It's all about the product. It's all about selling the product. It's all about advertising the product. But after a while, these products become cash cows. And I'm not necessarily accusing this of what happened with Beyond Trust, but let's just say I wouldn't be surprised that the people in charge of Beyond Trust were no longer interested in trying to keep security up, trying to check and make sure that things like command injection vulnerabilities didn't show up. That there's just no money in that.
Kelly
Well, there's basically proof of that. There's basically proof of that because the vulnerabilities were discovered during incident response. Correct?
Ryan
Yes.
Kelly
Like I'm not misinterpreting that.
Ryan
Like, how bad does it have to be that your IR team finds the vulnerabilities?
Kelly
Yeah, I mean, I think that's basically proof that they're not as up to date with security tests in their own products. If they found something during incident response that now has two CVEs, right.
Daniel
Like that they like to recursively pen test. That's the thing is they, oh, now after the fact now we can get a really good pen test going.
Alex
Yeah.
Daniel
Find those vulnerabilities and keep those people out of our.
Ryan
It's like, God damn it. People testing. That's not all pen testing is supposed to work. You don't wait for breach and then get one.
Kelly
Well, it's a budgetary issue, John. When you actually.
Ryan
Okay, actually, I take that back. I take that back. For all of you that get breached, please contact Black Hills Information Security for all your needs. Where testing dollars, it doesn't really matter.
Kelly
One way or the other, we're Fedramp pen test ready. That means absolutely nothing.
Ryan
Type 2 certified. I don't. I paid for that shit and I don't what that means. So, you know, I will say it's.
John
Still this whole case that I've seen for years of, they put the sales, the money before anything else. And I've talked with dev friends of mine over the years and nothing has changed. They've got their deadlines, they've got to push something out with new features because they've got to be first to market or they've got to keep up with the Joneses so fast and security just doesn't matter to them. Oh, we'll toss it on later. We'll toss it on later. Nobody's going to find this little bug.
Alex
Are you speaking about developers?
Ryan
I think he's speaking as macro issue, not specifically about beyond trust.
Corey
Yeah, I think he could be talking.
Ryan
To so many vendors right now.
Corey
Yeah, I did John's homework on things that were going to be like, ignored for 2025. So whenever you want me to jump in, jump in.
Kelly
Alex, do you have a time machine?
Corey
There you go, sure. But so the thing that I boiled it down to, and I describe it as security overrides for exceptional users. And it's just going to continue to be things like the developers that you're talking about that they have to have things and they go, don't have the security stack on my computer, we need to work from a machine that I can install anything on. And oftentimes that's their home machine that also runs a Plex server, also runs this. You have like when you say, use MFA everywhere. Cool. But there are again, those security exceptions to where you have organizations that say, well, we don't want people to have phones on the teller line or on the manufacturing line, so we can't do it because of these exceptions. And some exceptions make sense though, because you go, you know, working with, you know, doctors, medical fields, they go, look, I don't, I don't have my security token, I don't know my password, I need to get into this system to do an emergency C section. And there's like patient safety. So, yeah, you have those security overrides for a reason. But I think the thing that's going to continue to be ignored is just having all those overrides. And when you look at, you know, machine servers that have, you know, unpatched vulnerabilities, things that their teams told them about, it's likely because that was that Security exception or security override for exceptional users that they go, we need, we need this outdated way of accessing a sensitive server because there is some vendor out there that needs it. There is some exception that we're just going to throw security out the door or push it a lot with the door a little bit to save, you know, here's these exceptions, and that's just going to continue to be something ignored. Okay. And rant, that's my, that's my homework assignment, John.
Ryan
That's great. I'm going to throw it over to Kelly, though, because whenever we're looking at grc, we're talking about compliance. We play that game all the time. Right. Like whenever you're talking to companies and you're saying, okay, you're in compliance, how's MFA? Oh, we're 100% compliant with everything in MFA. And you're like, really everything? They're like. Except they're as 400 systems and. But you cannot, you cannot hold a company completely. Like, you cannot score them from a compliance perspective on their absolute worst system. So I think that there's always gotta be that balance, and I think Kelly knows that balance better than just about anyone. Kelly, do you want to talk a little bit about that in your stuff that you deal with with us and our customers?
Wade
Sure, I'm. I'm going to try and translate that ramp there and the handoff. I think, John, what you're talking about there is risk management. And a good GRC program isn't just about check marks and compliance and that sort of stuff, but it's really understanding what risk you mentioned. There are some systems that really have a higher risk profile and we need to spend more attention on or trying to get MFA on them, like VPNs, remote access. But then there's other systems where we have to kind of do a risk analysis and say, well, this thing's old. Is it worth trying to update? Is there a better solution? And if we could pivot our GRC programs to talking about risk instead of compliance and check marks, I'd be a whole lot happier.
Kelly
What if you had a webcast about that?
Ryan
If only there was a webcast that we could do on that topic, if there was somebody who was an expert on that. But if you talk about risk, the biggest problem that I have with risk vis a vis grc, and we're talking compliance and all that is risk is the intersection at the core, at the, at the core foundation of it is threat times, vulnerability. And it's impossible for anybody to come up with a definition or a quantifiable number, a subjective number for risk. If you don't understand threats and you don't understand vulnerabilities. And I think that was one of the reasons why pen testing layers in on top of that.
Alex
Right?
Ryan
Because it's one of those things to eliminate threats and vulnerabilities in organizations. And there's other ways to pull that out with vulnerability assessments, threat intelligence, all of that can come into play. And once again those are all things that a lot of organizations ignore. Right. Whenever they're trying to do computer security or information security in general, they're looking at it as more of like, like a checklist exercise. Kelly said that can die in a fire rather than truly trying to understand what was the purpose behind doing those different compliance standards that are out there. And I think that that's going to be another thing that people are just going to ignore in 2025. They're going to look at computer security. And this goes back to Jake Williams comment. It's like, oh, they're FedRAMP certified. No one gives a. Because apparently it doesn't matter. The thing that hurts me at my soul is every time that happens, that compliance standard gets a little bit weaker and a little bit weaker and a little bit weaker. And then we have a whole bunch of people that come out and say oh, we don't need compliance standards at all. And then we're right back at square one again.
Daniel
So John, let me ask you this. Based off of that assessment, how do we get them to give a, like what is, what is the path back to like hey you know what, we should probably really start doing something? Is it a, is it a money thing? Is it a time thing? Is it a combination of a bunch of stuff? Like what would be the thing that you would say would probably get some, a lot more buy in from these organizations to go. We need to take this more seriously.
Ryan
I'm just going to throw this out quickly and I want to open up to other people. But seriously, the solution to every single one of our problems is education. The more people understand the technical components and the nitinoids of computer security, of it, of the cloud infrastructures, regardless of whatever their job is, the better we're all going to be. So that's my take. I don't know if anyone else has a different one.
John
The problem that I run into with checkboxes is that it's all based on compliance saying this is the minimum level and the minimum level is never going to be enough. And we Gotta understand that anybody that's looking at it from a corporate executive position is gonna say, do we meet the minimum standards? Do we get that checkbox? If we raise that level of what it takes to get that checkbox, we get more security. Because they want that checkbox for their insurance or for their compliance or for whatever reason behind it. It's an identifiable and quantifiable thing for them. So what do we need to do? We know that ABC is the minimum. We need to tell them. Instead of ABC being the minimum inside of these compliance office, inside of these checklists, that CDE that we know is what we should require should be the minimum. Not the minimum. Be the minimum. That's just my thought on it.
Alex
Or why not just take out the minimum altogether? Because again, if we do, the second.
John
You take out the minute, the second you take out the minimum, they're going to do nothing. That's been proven.
Ryan
I disagree. I want to come back to that, Mike, but go ahead. Bsd. Yeah.
Alex
So reason I say take out the minimum, because that's the first question they're going to ask, okay, what is the bare minimum that we need to do in order to pass our audit?
Ryan
Right.
Alex
And you want to look at it from a standpoint like, okay, when they ask you that question, maybe that might be the time for a conversation like, yeah, you may have the bare minimum to pass the audit, but show them the real risk that's actually happening. You know, of course, with whether it's what you've seen out in the field with other customers or what's going on in the actual news, because again, that kind of devalues the, the actual. I'll say devalues the kind of. The actual compliance. If the, if, if they're just doing the bare minimum, they still get breached, like, what, three or four months later? Because we all know that the breaches are actually starting to mount up a lot faster than what they used to.
Ryan
What if we kind of hybrid that and we just flat out move to a GDPR framework where it's basically like, okay, we're not going to tell you how to secure your. We just aren't. And we're not going to try to tell you what the minimum is, because the minimum that we come up with today is going to be deficient six months a year from now. It's basically like, you need to have good security, and if you don't, then we're going to hold you accountable in a GDPR where it's more of an accountability framework rather than a Compliance framework.
Alex
Oh, that.
Ryan
Ooh. Yeah.
Kelly
So, okay, I. I have a. I have. I know Kelly is waiting to go.
Ryan
Last because I feel like trying to transcribe this. It just thought that it's transcribing porn with the amount of moaning and groaning that we just had. All right, that was a good one.
Alex
It's like.
Kelly
I think, I think Kelly will have the last word here because she'll probably have a really smart take.
Ryan
Yeah, that's.
Kelly
But I, I. Well, I want to say, I think penalties are really the only way to go here. I think we've shown that making. There's no, like, there's only a stick. There's no carrot. And I guess I would say for Fedramp people, I think a lot of government contractor type entities view the government as basically a cash cow of they'll pay all day, every day, no matter what. No matter what we do. Even if we aren't compliant. Even if we aren't. This. So I guess what I would say is make it so that. Let's say you're a Fedramp vendor and you result in the breach of a U.S. agency of some kind. You should be ineligible for future Fedramp contracts until you fix the problem that was originally identified or certain time frame. Right? Yeah. It's like what you did to fix it. Exactly. It's.
Ryan
It's.
Kelly
I mean, I think most companies would have to bend over backwards for the government in a scenario like this. I'm sure Beyond Trust is bending over backwards for the Treasury Department, but my, like, you basically have like a. You know, it's like the gsa, right? You have like a list of, like, these vendors are medpram certified but are currently on probation because they messed up and breached a US Federal agency. Like, you know what I mean? Public shame. And also, like, protect. Preventing them from signing new contracts until they either fix the issue or until a certain time expires. Like six months.
Ryan
That shit'll get fixed.
Kelly
Yeah.
Corey
All right.
Ryan
We need to give Kelly the last word on this, and we have to move on because we're playing in Kelly's, like, kiddie pool. So we need to move.
Wade
Okay. So the last word. I heard what you were saying, Corey, about a carrot and a stick. I think we flipped the conversation. And the commodity is trust. Once customers stop trusting organizations, then they pay attention.
Ryan
And I think that translates to, well.
Kelly
Only if the Treasury Department person who signs the SOW doesn't trust them. Because as one. Trust, like as a. As a customer quote unquote, of a lot of government services that I have no control or say in. Right. Like, it's not like I'm like, no, no, Department of the treasury don't issue any more bond. Like, I can't control what they're doing. I don't even know what they do. Like, it's up to one person or maybe a few people at those organizations to decide who they trust for their vendor. Right. Like, it's not like the public gets to vote on the next remote access vendor for the Treasury Department. Right.
Wade
So I hear what you're saying. Let me clarify what I was trying to say. I think as a, at the consumer level, when we start taking our business other places and we say, listen, I don't trust that organization because of how they handle my data or don't handle it or they sold it. I mean, how many people have left Facebook For a variety of reasons, but Facebook can be kind of, well, not always upfront about how they handle data. You know, they have one lawsuit and complaint after another. I think if, as John has said, if we educate and get Joe and Jane, US citizen involved and in understanding really what we're. The most important thing we have is our data and our identifiers. I, I think that'll win over checklists and, and hammers.
Ryan
All right, let's move on. I really want to talk about the new HIPAA proposed security rule changes. I don't know if anybody had a chance to read this, the Kelly show or what.
Mike
Gosh.
Kelly
Wait, hold on, hold on. No, we can do a quick bingo thing in between. Okay, who has show. Okay, who had classified. Well, we'll come back to hipaa, but for bingo people out there who had War Thunder forums leaking classified information.
Ryan
Was that on your bingo card?
Corey
Yeah, that's all that's on my card because.
Ryan
Okay, I didn't see this meme of.
Corey
Like it's been X number of days since classified information.
Kelly
It's a two second story.
Mike
It's not the first time, it's not the second time. This isn't even the third time. This is the fourth time. Government classified data has been leaked to War Thunder in order to prove an argument.
Ryan
To prove an argument.
Kelly
Kidding me.
Mike
This is the best thing ever. Someone needs to hire these guys. Like, honestly, like, just hire the War Thunder. What do we need to know about the new Chinese stealth bomber? They'll get it out to us and let us know.
Kelly
War Thunder.
Ryan
What is this game like?
Alex
It sounds like an amazing game.
Kelly
Just a realistic version of the game.
Ryan
Ever like.
Kelly
No, it's a combat Simulation.
Corey
Yeah, but it's highly accurate combat simulation, which is why these things happen with the classified documents. Because somebody will talk about, like, oh, there's this tank is represented this way in the game. And someone will go, no, no, no. They don't have it right. They don't have this right. People go, of course they have it right? And they go, what would you know? And then they go, I know the capabilities of this class. They have it wrong. Because here's a classified document showing its specs. And I know what I'm talking about. You know? And they use it to win Internet arguments.
Mike
So the best part about this one, though, is he didn't just win in any argument. Say they're arguing about it. He mentioned it. Then he said he was gonna post it. And they warned him, don't post it. And you know what he did? He posted it. Anyway.
Ryan
Here'S the quote. I will take this opportunity to again remind everyone here, please do not under any circumstances, try to post, share any sources unless you're 100 certain they are legally declassified and publicly state for use, we will never handle or use them. And all it does is actively harm any possible future changes being possibly being possible by trying to use them. Do not do it. No goodwill will ever come of it for you or the vehicle you're trying to post for. And you said this happened four times. This happened to the Challenger 2 tank, the Larec main battle tank, Chinese Ammunition Services Systems. And now the. The Captor Captor radar for the Typhoon Eurofighter platform. Holy crap. I gotta be playing this game. Like these guys, these wars.
Kelly
It really does prove the most powerful force in the universe is thinking that you're about to be proven wrong.
Ryan
Yeah. Why are you still awake while somebody's wrong on the Internet?
Mike
Maybe just needs, like a section for classified documents, you know, like a special login and everything. Like, this is where all the classified stuff goes, just in case, like.
Alex
And then the War Thunder CTF Village. Oh, yeah.
Ryan
Do they have a con? Do they have a War Thundercon? We should go.
Kelly
All the people are sanctioned. They can't go.
Corey
Just kidding.
Ryan
They're all caught. I'm sure, I'm sure I'd have to let the. I'm sure I'd have to, like, notify the FBI. Like, where were you? Estonia, Latvia. All these places. I went to a War Thunder. Oh, my God. We need a full scope, probably for.
Kelly
This man right now.
Alex
Right now.
Ryan
Right now.
Kelly
Sorry for the diversion.
Ryan
More about nukes.
Kelly
So back to the HIPAA thing. After our Quick diversion, didn't we. Did we already talk about this, Kelly? No, I forget. No.
Wade
The happy HIPPA present.
Ryan
I like it. It looks to me like they're like, addressing a lot of the things that we just talked about. Right? Like, a lot of the changes seem to be like, just fantastic. Like, oh, this one require vulnerability scanning at least every six months and pen testing at least once every 12 months. Hooray. Another one required network segmentation. Great. Acquiring multi factor authentication with some limited exceptions. Like, so far this looks, this looks pretty good.
Kelly
So what are the changes? Like before, it was just a risk assessment, right? Not an actual pen test or what? Like, what were the. What are the big high level changes here?
Wade
So the big high level changes is they're taking out the mushy language and it used to be addressable and required. They've cleared up that confusion around those two words. Everything is required. Now. They used to have a risk assessment piece before. Now, John, the thing that gets me all excited is that risk assessment, they've said, listen, we want to see a technology asset inventory.
Ryan
Oh, my God.
Wade
And, and a network map of how EPHI goes through the systems. This is crazy that we're finally asking for a technology asset inventory finally in 2024 December.
Mike
Every network that's about to be shut down right now.
Ryan
I love this because every time we pen test a, like, hospital, we have to fight this crap. Every single time. They're like, well, we're just going to make some exceptions. And look, I get, you know, that there's a need for exceptions, but seriously, some of their exceptions, like, well, you know, people might die. I'm like, this is for like the dermatology section. Like, I don't know.
Mike
They got lasers in there.
Ryan
They got lasers, right? But they use this so often as, like, you know, this is something that we need to take care of. It's like literally it's exposed from anyone who can access your wireless network. They can take over your MRI scanner. That's bad. That's a critical. And it's.
Kelly
Our network map is more of a cloud. It's more of an asset cloud.
Ryan
Asset cloud.
Kelly
It says all the assets are just floating up there.
Mike
You're saying that multiple people have told you that in the past.
Ryan
Oh, my God. The legacy technology that you find in healthcare facilities is insane. And having that, that, that asset map technology list. Oh, my God.
Mike
Like what I have, I have an interesting idea. Why don't we have like, you know how like there's like big tech, big, big pharma, big why don't we get like Big Red Team to like start lobbying and like create a whole lobby and then get all these like really like this type of stuff put into place, right? How do we get that money in order to lobby the government? And they get this, oh, does anybody, does that, does that make sense at all? Big Red Team, right?
Kelly
Problem is hackers are way too we funded, we're too benevolent. We like to just give things away. We wouldn't, we would never do that.
Ryan
Here's a bunch of crap that we're sick and tired of doing findings on. And it's just like, don't have this in your organization anymore. I don't want to find.
Kelly
We just have a list of on our website, like default findings. It just says like if you've been pen tested by bhis, these findings affect you by default. Number one, not having network diagrams. Yes, we're talking to you specifically.
Ryan
I feel just like attacked here. Yes, you are.
Kelly
That is absolutely not having, having no network segmentation. We're talking to you specifically, website reader.
Ryan
I, I, I, I, I just. But you see all of those things that you hear about and you always talk to people in the healthcare industry, they're like, well we're precious snowflakes. And then you talk to DOD people and they're like, well, we have to have legacy systems and all of this stuff because we're precious. And then you go to finance and accounting and like banks and they're like, well, we need to have this legacy technology on a flat network because we're precious. No one, no one understands the plight of the hospital, the DoD installation, the finance, they're all the same God damn problems that show up again and again and again. Don't think you're special. You're not. Oh my God, it's another rant I'm feeling.
Corey
Right on, John, right on.
Kelly
Okay, okay, I have.
John
Everybody's a precious snowflake.
Ryan
Nobody is.
Mike
All right, As a blue teamer, as someone who has to test detections, I am special, all right? I need all the access I can get every.
Kelly
You're a documented exception because you're in.
Ryan
The domain users group all the time.
Daniel
What finally made HIPAA go?
Kelly
You know what?
Daniel
I feel like we're not doing security very well. We should probably do something about this.
Wade
Well, Daniel, I've got an answer to that for you. It actually Biden administration.
Ryan
What?
Wade
The Biden administration back in 2023 said, listen, we need to come up with a cybersecurity strateg protection around different U.S. organizations. And he tasked OCR, Office of Civil Rights, which oversees Health and Human Services. And they actually came out with a white paper and said, here's the good things we think we should be doing. So they actually made recommendations to the HIPAA security rule themselves.
Ryan
Nice.
Alex
That's a start. Goodness, definitely start.
Daniel
I love how John tells us that their big complaint is like, well, if, if you test this, you test that, it could, it could kill somebody. Yeah. And you leaving these systems open literally has killed people financially.
Kelly
Right. But it's kind of the difference between a mistake.
Ryan
So.
Kelly
Yeah, yeah. If we can cause the issue, chances are a threat actor can cause the issue.
Ryan
Right.
Wade
It's the ransomware attacks on health care. It's gotten to be so bad. We had, remember we had Change Health, we had United. It's gotten so much attention, I don't think OCR and HHS can ignore it anymore.
Kelly
Well, let's get into the breaches because EFF published the breaches. 2024.
Mike
They stole our idea. We needed to do this. I don't know why we never did this.
Kelly
I will say they didn't. To my knowledge, they haven't given anyone a trophy. So I'm sad. But this is basically. We won't probably go through the whole article. There's a bunch of fun. It's worth a read. So take a look at it yourself. But they basically issued, you know, fun awards for the best breaches of 20. The highlights are, you know, we have national public data that was probably the worst. The, you know, just disaster to end all disasters change Health was another huge one that Kelly just mentioned. The city of Columbus thing with a research. I mean most of these spoiler alert we talked about on the news. So go back to previous episodes. I think we talked about Snowflake every week for like.
Mike
We did.
Kelly
Yeah. I mean there's some fun stuff in here worth reading on your own. But basically all the breaches, we've already talked about them, but it's fun to see them tied up in a nice little bow.
Ryan
And it's written so well and it's so funny. Like it is really an amazing article you all need to read. It's coming from the eff, so it's good.
Kelly
And to dovetail with that. I wanted to talk about the salt typhoon thing because salt typhoon was the, the threat actors that breached American telecoms. And there's a bunch of spin off stories here. But the spin off story I want to talk about first is Verizon @&t basically published and said we're Safe. We haven't seen any alerts in the last 60 days, so we're good. Like, and the other thing is, wasn't there three entities breached? So the other one's just like, guys, we're not.
Ryan
Okay.
Corey
I think it was nine, wasn't it? And you started with, like, the top one, then got down to, like, the lower.
Kelly
Yeah, I was like, Lumen Networks is another one. There's others than just AT and T and Verizon, but they've both now issue press releases saying we're good. Thumbs up. You could use SMS again.
Corey
Yeah.
Ryan
Please feel free to continue doing all the unencrypted communications that we can intercept.
Daniel
I didn't know the wizard of Oz ran telco companies.
Ryan
Look behind that curtain, Daniel, don't I.
John
How were they proving a negative? I always thought you can't prove a negative.
Kelly
No, no, no. It says here no alert, though, like.
Ryan
A little bit to the Beyond Trust thing. It's like kind of putting all of these eggs in these baskets and then we're surprised when the basket gets kicked and we're like, holy, all these eggs broke. That seems bad. I. I just. It just seems like there's too many of these choke points that exist in it today. Like, we need, we need. We need some people to come in and start breaking up Big Tech. That's what I think, like, right now.
Kelly
Well, this isn't Big Tech. This is Big Telecom. It's a whole different lobbying group.
Mike
Different than Big Red Team.
Kelly
Big Tech and Big Telecom are actually.
Ryan
Big Red Team is fine.
Kelly
So Big Tech and Big Telecom are actually beefing hard with the whole net neutrality thing and the whole, like, you know, basically the, the news article is that net neutrality is basically dead. Unfortunately.
Ryan
It is.
Kelly
It's dead. Dead as of, like last week, they basically. The outgoing fcc, you know, had a lawsuit in place and it got essentially struck down, saying that they don't have the legal capability to set these kinds of rules.
Ryan
Because. Because the Internet is not a utility. It's not like it's used to run our entire lives and health and everything. It's not.
Kelly
Well, as a. As a judge, I don't use the Internet at all. I just drive my 1952 car to the 1952 building, crank it, start it.
Ryan
Yeah, it's one of those kind of annoying.
Kelly
You know what? I still have a flip phone, so that's fine.
Ryan
You just cannot get in the way of big companies making more money. I think that that's, that's the lesson we've learned for the Thousandth time here. It's like big telco wants to make even more money, y'alls, and we can't get in the way of those amazing. It's like in Star Trek, we're the goddamn fringy.
Daniel
If you've never read the Rules of Acquisition.
Ryan
Rules of Acquisition. It's. We're so them.
Mike
This is a good newscast.
Ryan
They have taken retaliator retaliatory steps against some of the whistleblowers. You mean the ones who are dead? Could you clarify that? Never mind. So yeah, the net neutrality thing is gonna suck.
Kelly
I mean it already has sucked. This is a super old court case. This ship has sailed long ago. We already have fast lanes, we already have all the stuff that the negative. You know, it's, it is what it is. At this point it's just status quo.
Ryan
Yeah, I mean I, I feel bad for Ryan. You know, we've got business class. I mean, I think technically Ryan's Internet is faster than what we have at the main Black Hills Information security offices, but because we're a business and we pay a ton of money, like it doesn't glitch in the middle of the day like Ryan's does. Ryan picking on you?
Daniel
I want to nominate you for grand Negus.
Ryan
That.
Mike
I don't know, I was like, damn, John is on key with the Star Trek references.
Ryan
I watched Deep Space Nine in college before the, this millennium began.
Daniel
And my favorite Star Trek series, so.
Ryan
Oh my God. Oh geez.
Daniel
What the hell, right? He, he actually paid. There was a. They did a documentary on what could have been with Deep Space Nine on like newer episodes and stuff. And he, he paid to be like a Kickstarter or whatever. Got his name in the credits. We went to the theater and watched it. Yeah, it was really interesting. So Deep Space Nine, a lot of love.
Kelly
Check that out. Just to go back to the net neutrality thing, what I was thinking about this is we know we don't really trust these organizations to set up things that are secure. And so there's gotta be tons of hacking related things around net neutrality. Right? Like there's gotta be like, oh, if you.
Corey
I'm sure it is.
Kelly
You know, if you put this header in your packet, it, you know, just magically goes the speed of sound or.
Ryan
Whatever this IP address or this packet and it throttle somebody else's Internet connection.
Kelly
Yeah, like there's gotta be more here. Right. So I'm just saying, like hackers of the world unite. Take advantage of these crappy corporate things and you know, show the Vulnerabilities that might exist. Right? Like, well, that's what hackers.
Mike
When you.
Ryan
And kind of the salt typhoon thing. I think the thing that's really, really terrifying about that is, you know, when you're looking at law enforcement and intelligence communities putting in these closets, putting in these servers, putting in these rooms, the skiffs in these telco providers, like there becomes this black hole that no one can ever test, right? Like you cannot pen test it, you cannot talk to that IP address. You got to stay as far we don't look at it. Don't look at it. You know, this one goes to 11, stay away. And what happens is the people that are responsible for that in the government, like if they're in the military, they roll off their assignments after five years and you end up with just this incredibly old legacy technology that is plugged into these infrastructure and no one is taking any responsibility for them. So that's why I think it's really interesting that AT&T and Verizon are like, we're cool, everything's fine. What they're saying is everything that's theirs is probably fine. But I'm willing to bet there's still vulnerabilities as far as portals and access ways there.
Mike
Unless there's an inside man.
Ryan
Unless there's an insider.
Kelly
You mean Big Red team consultant?
Ryan
No, we're gonna be Talking about a 20 year old army soldier who is being indicted on, suspicious of being Kyber Phantom. There we go. I think I got that right. A cybercriminal who's been selling leaked sensitive customer call records stolen from AT&T and Verizon. And he's also a fan of selfies.
Kelly
And just being generally a cyber scumbag based on his Telegram channel.
Ryan
John Wingus. Yeah.
Alex
So yeah, he's web 3.0 ready. Look at him. Oh.
Ryan
Oh my God.
Corey
Yeah.
Ryan
Oh my God.
Alex
Yes, he's web 3.0 ready.
Ryan
Dude, that's roast worthy right there.
Kelly
Well, the one, the one that was the, the piece of this that stood out the most to me was where it says, well, first of all, the. The kid's mom said I never was aware he was into hacking. Which is a hilarious quote. Yeah, I mean basically. So scroll down to the bottom because there was a quote from a journalist that just. So this is the best quote I have ever seen. Keep scrolling.
Ryan
When they were like six or seven, that one.
Kelly
John, I'm gonna need you to read this quote from, from this reporter. It's the second to last paragraph.
Ryan
Oh, yes. All right, here we Go. I know all that. Young people involved in cybercrime will read these articles. Nixon said, you need to stop doing stupid and get a lawyer. Law enforcement wants to put all of you in prison for a long time. Those are called manifesto.
Mike
That's Allison Nicks, right? She's the. She's one of. Yeah, she's up there. She's one of the VPs of unit 2221B, right? Who specializes in finding these people.
Kelly
She was like, this was too easy. Your OPSEC sucks. Stop hacking and get a lawyer. That's basically what it says.
Ryan
We got to get Allison on the show because Allison, she used to be on Security Weekly all the time and she's a friend. I haven't seen her in a long time, but she. You can go back and look at her first Black Hat presentation. I can't remember what vendor, but there was like a CEO of some vendor came up and challenged her live at Black Hat to do something. And she just goes up to the mic and says, challenge accepted. And did that shit live in front of an audience. She is amazing. She is. She is really one of my favorite security researchers. I also like how she has zero corporate polish at all based on this quote.
Kelly
I love it. It's amazing. Yeah.
Ryan
All right, who else are we going to pick on? Do we want to go over to the Bad Tenable plugin?
Kelly
Yeah. I mean, no. I think this is such a. It's such a nothing burger. It's just like broke. They didn't even blue screen all the computers.
Ryan
Like, try harder, tried harder.
Kelly
They didn't. All they did was crash their own agent. That's weak. You got a blue screen at least at 200k computers. I mean, come on.
Alex
Isn't it like kind of cross site scripting yourself and calling it a vulnerability in a roundabout way? Just saying alert. Yeah, Kind of drop it in the Dom, baby.
Kelly
We can talk about the other article. I had another article that was kind of Kelly related.
Wade
Oh, give me a break today, Corey.
Kelly
I'm sorry.
Mike
The guy who got. The guy. The guy who got 60 months worth of prison.
Kelly
No, that's not Kelly. We can talk about that. But the Kelly related article, since she hasn't talked that much in the last 20 seconds, was the DOJ rule to block data transfers to adversarial. Like, it's like. Is that just blocking data brokers? Is that all that does?
Wade
Basically.
Kelly
Okay, I was. I wasn't super clear on this, but basically the article is a new DOJ rules blocks or halts bulk data transfers. To adversarial nations, which is defined as anyone that posts memes about Joe Biden, basically that, you know, rule will block, I guess, bulk data transfers, but not commercial activity. So I'm a little. I don't know exactly how this will be enforced, but it's.
Wade
I think it's both. And I might be confusing stories here too. There was an initiative earlier 2024, to finally say, listen, why are we allowing data brokers to sell data on US citizens? I don't think it was specifically DoD, the DoD environment. But yeah, I think they're similar acts or similar rulings. But honestly, it's about time somebody stood up and said, hey, why are we selling all this information? For those of you who had. Who had a. Oh, John, what is it? The SF Special formation. That's it.
Ryan
Yep. Yes.
Wade
So if you've ever gone through that, they ask you everything, like who your second grade teacher was, who your first boyfriend was. You know, at least that was the form I got. But that was involved in a huge, huge data breach many, many years ago. So those of us in that space are like, hey, we're aware of how important data is about us, because, I mean, everything's on there your entire life history. I'm kind of excited that this has brought attention to Joe and Jane. American citizens saying, hey, all this information about you is being sold outside of the country and you have legal idea that's going on.
Kelly
Yeah, before it was legal. That's the crazy thing. It's like, like, so, like it's crazy to think about, like, okay, let's say here's our company, we're called Evil Corp. What we do is we take Americans data, we sell it to China. That's completely legal. That should not be a thing.
Ryan
Okay, so fun fact about that, a lot of these corporations, they will take that data. And this ties into some stories that we talked about in the beginning of 2024, where the United States government, for law enforcement and intelligence community purposes, were buying data about U.S. citizens from these data brokers. And there was huge questions as to whether or not that in and of itself was legal. So you have a lot of these data brokers that are harvesting data, and the United States government can't acquire that data directly from them, but if they sell it to a third party outside of the United States, and then the United States government buys that data from a third party, then somehow that makes it okay, as long as there's like another layer of separation in there as well. This is just skeevy. I. I Still come back to, like, all of this data, all of the ad data that's being tracked by Facebook and Google and. And Amazon. This all they. This needs to stop. Like, we need to stop collecting data at this level because. What is it? Just, we didn't have a story on it. But isn't Facebook in trouble by creating very customized bots to interact with people and they're having the bots and the AI bots interact with people based on the, like, the information that they're collecting about you as an individual to make you stay engaged on their platforms. Like, this was that movie Her. Was that the name of the movie where the guy fell in love with his AI chatbot that was running his house?
Kelly
Like, he fell in love with Siri.
Ryan
Oops, he fell in love with Siri. Yeah. So that's where we're headed with this stuff. So, no, this all needs to be protected, and I think it needs to be protected under hipaa.
Kelly
So I have this article about this.
Mike
About the AI created profiles. I haven't seen them, the. The actual profiles speaking to people, but pretty much it's like a complete fake profile, all completely AI made. And then it's on there, but it actually says, like, AI generated, AI created. But then, like, why have them? Like, I don't understand if this is a social.
Ryan
Right. Like, like, why it's like that. What was that? That horrible. It was a Saturday Live sketch. A whole bunch of mad scientists getting together and they're like, who came up with the most evil thing? And this one side's like, I created a robot that touches children. And all of the other mad scientists are like, whoa, whoa, whoa. What? Like, Zuckerberg, I'm creating these AI chat bots to communicate with what the what? Like, and they've probably put billions into this. Who the hell knows? Like, it's not good.
Kelly
So, yeah, I mean, I don't even.
Ryan
I.
Kelly
If you have an article about them being in hot water for it, I'd be very curious because they have trouble.
Ryan
I think they're pulling them out now, but I don't think the project is dead. Like, I'm not seeing anything from Facebook that's like, we are going to kill this project and never revisit it ever again. It goes back to the dead Internet theory. If people haven't seen it, you need to go read the wiki article on the dead Internet theory. That basically is eventually the Internet is going to be nothing but AI generated chatbots communicating with each other, and we're just floating around real humans don't touch or talk to each other.
John
Yeah, they. They had that one African American profile. I just put the link inside of our chat that caused the huge backlash on everybody.
Ryan
Oh, no. Was it every single racist trope like.
Corey
Oh, is that Taylor?
Kelly
No, it's Microsoft is old Internet. And that was Microsoft.
Ryan
Yeah, that was a long time.
Alex
That's way long. Wow.
Kelly
That was before large language models, for sure.
Ryan
Yeah, they got. They got tay to, like, start saying Hitler was awesome and things like that. This, like, clearly, clearly meta didn't learn anything from that. They're like, no, no, no. I think we can get that right this time. We're not gonna do anything. Oh, God, it is bad.
Kelly
Yeah.
Wade
I mean, all of that joy and peace that we experienced in the new year, we just killed it with this podcast.
Ryan
Just gone. Oh, God.
John
At least we not mark something off of our to do list.
Mike
I'm going back to the war thunder.
Ryan
Okay, let's go back. Tiny robots kidnapping 12 big robots.
Kelly
There's multiple fun stories we can close with the tiny robots kidnapping other robots.
Ryan
That's adorable.
Kelly
I. I mean, it's adorable. It. It's such a fun thing to imagine. It's basically. It turns out it was kind of a nothing. Like, it was a test or whatever. But basically the article is that. And there's a video which you can watch, but essentially a robot is. Comes into the room and talks to the other robots and says, how much do you work? Do you work too much? Do you have. Do you work over to read it?
Ryan
Because the conversation is great. The robot who will play the part.
Kelly
Of Robot one, Kelly, are you working overtime?
Ryan
Robot. Large robot replies, I never get off work. Long robot says, so you're not going home? And, oh, no, I can't scroll down.
Kelly
I don't have a home. Replied the large robot, me.
Ryan
And, like, got all of the robots to follow it. It's adorable.
Kelly
It's like Wall E. So it's not fake, but it is intentional, I guess. Like, it's not, you know? Yes, they kidnapped them, but they programmed them to be able to be kidnapped, right? Like, well, I don't really understand. What is this test?
Ryan
Permission to do this? And these robots were literally, like, as soon as it said, follow me, all of the other robots were like, okay, yeah, of course. Robots at the United Red Carpet Club that follow you around and try to ram you all the time, those robots.
Kelly
Mean what you got to do is say, follow me, then just walk off a cliff.
Ryan
Walk off a cliff. That's all I got to do. To solve that.
Kelly
Yeah. I mean it is interesting to think.
Ryan
About that the pre limit kill meter and then kill anymore.
Kelly
I mean it. It's pretty. It's interesting, but it also is really just simple to think about. If your robot is programmed to respond to all voice input, you can use another robot that can give voice input. Right? So like you can. You can give a, you know, voice command to a robot as long as it doesn't have some kind of validation.
Ryan
I mean, Caliban Avenged said. And now it's a Corey doctor out novel. And I got to know if Caliban. Is that. Is that from Away of the Kings? Is your name based on that just out of curiosity Bridge four type thing?
Mike
You've. I didn't know you were. Okay.
Kelly
I'm currently churning my way through that monster of a last book. It's like six.
Mike
I am halfway through it right now. Yeah, that's pretty good.
Ryan
That's good. I hope the next one, the new one comes out and it's better. But.
Kelly
But John, they discover the magical. They discover the magical ancient technology of therapy. Yeah.
Mike
The next book isn't coming out until like 2032, he says.
Ryan
Okay, that's okay.
Wade
What's the name of the. The.
Ryan
The Way of the Kings?
Kelly
Stormlight Archive is the first. Brandon Sanderson has an infinite amount of good but not amazing books that you can just churn through for hours.
Ryan
Mistborn series, amazing. Way of the King, a lot of good ones. What is. The second one was amazing. He has a lot of amazing books. But you're right, there's a ton of them that are just kind of. They're not mad. They're all good.
Kelly
It's like the Marvel Cinematic Universe. It's all good. None of it's going to change your life, but it's still a fun watch or read.
Ryan
Now we're going to set off a fight here. So fight me.
Kelly
I read all of Wheel of Time. I hate myself.
Mike
It wasn't bad.
Ryan
I've got a signed copy of the last book in that series signed by Brian Saverson somewhere.
Kelly
The last book was good because it wasn't written by. Anyway, we. We should. This is not fantasy books podcast. That's a different podcast. We have it's secret.
Mike
No, this is the pivot. This is the pivot to fantasy books. We're no longer.
Ryan
We're no longer. Do we want to talk about major biometric data farming Operation Uncovered?
Kelly
Oh, I actually, if. If you don't mind a pivot. Did everyone see the one about China Persecuting a ransomware group for using chat GPT to help improve their ransomware code. Feel like it's just them. It's just them slapping them on the wrist. Right. Like. But I just thought this was interesting. If you search chat GPT, it'll probably come up. Let's see. Find the article. Yeah. China arrests four people who weaponized weaponized chat GPT, you know, for ransomware. And basically this kind of dovetails into. China has banned chat GPT. So of course they're like, you should have used our AI to write your ransomware, not chat GPT. But yeah, they actually. I mean, people in China getting arrested for ransomware seems like a noteworthy, newsworthy thing. So I guess the moral of the story is don't use.
Mike
Which website did you get this from?
Kelly
Hackread.com?
Mike
Oh, I got it from the South China Morning Post. I thought that was a little bit more credible.
Ryan
Were you on Bayview?
Kelly
Yeah, I don't know. It's in the article list.
Daniel
So it's super mad at them because they're spending so much money for that chat GPT license, right?
Kelly
That's true. They're like, dang, our gpus hurt. Please stop. Yeah, I just thought that's kind of funny. And apparently also China has their own national AI.
Corey
That's what it sounded like they're trying to get upset about with, like, not that you used OpenAI, but that you didn't use.
Kelly
You should have used Ernie Bot.
Ryan
Yeah, Ernie Bot.
Kelly
Yeah. And then there's Birdbot.
Wade
The other interesting thing about that article, Corey, is that a couple of the folks are in Inner Mongolia. Excuse me. And remember, there's that tension between the we. What? The weaker we. The weird Muslims. So it could have been something more. I don't want to say a hate crime, but they're still targeting people who aren't ethnically Chinese.
Kelly
Selective enforcement of ransomware laws. We've never seen that before.
Mike
Never seen that. That's what I was gonna say. We don't hear about this too often in China. Right? I don't know. When's the last time you heard a ransomware operator in China?
Kelly
They just didn't make enough money. That was the problem.
Mike
I would imagine the chat GT bot's probably better at English than Erniebot, but I don't know.
Ryan
I've never done a head to head comparison between the two, but. So they're both good enough.
Kelly
I only use Erniebot. It's nice when an app just requests all the permissions on your phone. Just all of them. I like that, Yeah, I like that a lot.
Ryan
Like interdimensional portal. That's.
Kelly
Wait, this app has permissions to modify gravity within a six foot radius.
Ryan
This is a portal. Portal. Like something about cake. I, I, I don't know what this, what does this thing want from me?
Kelly
DNA sample.
Ryan
Wow.
Kelly
They're adding features to Android all the time.
Ryan
Oh my God.
Daniel
Grandpa Rick starts inventing apps for your phone.
Kelly
Come on.
Ryan
In and out. Just, just a quick, just a quick adventure. Real quick. In and out.
Kelly
Daniel, come on.
Ryan
So good enough is my life motto says Disco Elite. Not bad. Not a bad life motto in there as well. All right, do we have any other final stories to, to wrap it up? I mean we have the man accused of sequel injection gets 69 month prison sentence. I mean it's a really short article that is literally bending over backwards to add more words to just that one sentence. But he apparently was landing at JFK airport following a trip to Ukraine where they picked him up and they basically discovered computers and other storage devices that have been carrying hundreds of thousands of stolen payment credit. How do we have to train people? Like if you're going to fly through an airport, two things like number one, don't do crime. I think that that goes with, that's a given.
Kelly
But it's just SQL injection. It's like SQL, but if you're, if.
Ryan
You'Re going to commit crimes, don't put the stuff on your hard drives. And if you're gonna put stuff on your hard drives, encrypt it. I, there's just so many life lessons to learn from this. Starting with don't commit cybercrime. And everything flows out from there, I think.
Kelly
Yeah, the 69 months was basically the time the person had already served. So they'll get out like next week or something.
Ryan
Which is a long time to spend in prison for, for SQL injection.
Kelly
Yeah, that's a long time for a few command injection.
Ryan
Throw away the keys.
Kelly
That's if they blue screen. Yeah, they didn't blue screen anyone. So it's okay now if he blue.
Ryan
Screens a sizable percentage of all the computers on the face of the planet. Well, that man, that, that is a straight shooter with upper management written all over him.
Kelly
I was gonna say we should invest in his company which is going to be an accounting. Yeah.
Ryan
What he did. CEO of a company.
Kelly
So he fat fingered a single, single quote.
Daniel
Nine months in prison.
Ryan
I just, I, I, I don't know. You just like hear these stories. I, I still love malware Tech blog. Whenever he was talking about being Arrested and the FBI was asking him questions in this, in the airport in Vegas. And he thought they were, he thought they were fans of his and he was just talking about like all the things that he had done when he was younger. And they're like, nah, nah, nah, you're, you're, you're completely hungover, possibly still a bit drunk. Like you probably need to get an attorney at this point. So point is, whenever they start going through your devices, nothing good is happening in your TSA experience at that point. So it's like, I need an attorney now. You do not have a warrant. Something like that very, very quickly. But, but then again at the beginning, don't commit crime like that. That's the easiest way around all of these things. Follow the words of Allison Nixon. Don't commit crimes.
Daniel
John. It's never going to happen.
Kelly
To end on a kind of high note. Did y'all see the Germany black holing a bunch of Bad box devices article? That was kind of interesting.
Ryan
That was kind of fun.
Kelly
So basically Germany has, essentially, Germany has instructed ITS ISPs, ITS, you know, Internet providers to black hole these domains. The interesting thing about it I think is the whole, the threat model of this Bad box is basically, it sounds like, like it's an Android device, but it seems like it's already installed at the time of sale. And it's basically like designed to be a backdoor into people's networks and like, as a, for like DDoS or other proxying stuff. I thought it was an interesting thing. It's like, why don't you buy a digital picture frame off of Alibaba? Well, this is why, that's basically the under story here.
Mike
But they're so cheap.
Ryan
They're so cheap and they.
Mike
10 for $5.
Kelly
Yeah, you're right. Exactly. Yeah. This is why you don't buy something that runs Android off of Teemo and then connect it to your home network.
Ryan
I still, I still can't believe like the Chinese are just like, so how are we compromising all these systems in the United States? They buy our crap stuff and they install it on sensitive networks. Like that's it. Like that's it. Yeah, yeah, that, that's what we do. That, that works every time.
Kelly
It's fine. John. Only 70,000 Android smartphones, CTV boxes and tablet devices were pre installed with malware. So that's, you can't DDoS someone with only 70,000 bots.
Daniel
They're cutting back.
Ryan
There's a theme here with the War thunder story, the biometric story where they were paying people to take a selfie of themselves and send it in. And then this story. It's like, like there's something here. There's something here I can't quite put my finger on. I just don't know what it is.
Alex
They seem that they start selling fake flippers and. Oh, man.
Ryan
I, I, we, we had a pen test years ago where I created a whole bunch of cards with Joff and they were like credit card sized things and they had a USB stick that popped out the side and it was on the front of the card. It said somebody in your family or your friends basically supported this Kickstarter on your behalf. This and space simulator game. Thank you so much. We meet, we met all of our funding and as promised, here's the first version of the game. And we sent that to all the systems administrators at this company.
Alex
Oh, my God. Land party.
Ryan
Yeah. It didn't work. And the reason it didn't work is apparently the game I picked sucked. It was not a good game. I should have done better. Oh, my.
Kelly
Was it War Thunder? No.
Ryan
Early prototype of War Thunder.
Alex
Oh, my goodness.
Ryan
All right, everybody, thank you so much for coming. Looking forward to 2025 and we appreciate all of you for showing up. Thanks again and we will see you next week on the news.
Kelly
Happy New Year.
Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: 2025-01-06 - Coffee With Wade
Release Date: January 9, 2025
The episode kicks off with the hosts engaging in light-hearted banter, sharing humorous anecdotes and jokes to set a relaxed tone for the discussion.
The primary focus shifts to a significant cybersecurity breach involving the U.S. Treasury. Ryan delves into how the Treasury was compromised through the Beyond Trust identity and access management solution.
Key Points:
Nature of the Attack: The Chinese threat actor exploited a command injection vulnerability within Beyond Trust, allowing unauthorized access to modify local account passwords.
Implications: This breach underscores the risks of centralizing critical identity and access management systems, where a single vulnerability can expose extensive assets.
FedRAMP Certification Concerns: Wade highlights skepticism about the efficacy of FedRAMP certifications, suggesting that compliance does not necessarily equate to robust security.
Wade [09:42]: "Jake Williams was actually quoted and wired and I got to kind of agree with him. His take was it was a command injection vulnerability... Fedramp really doesn't mean anything." [09:44]
The discussion evolves into the broader debate of compliance versus actual security measures. The hosts argue that organizations often treat cybersecurity as a checklist to meet compliance standards rather than genuinely addressing underlying risks.
Key Points:
The hosts review the newly proposed changes to the HIPAA security rules, which aim to strengthen protections for electronic protected health information (ePHI).
Key Points:
The discussion moves to recent breaches in the telecommunications sector, particularly involving major providers like AT&T and Verizon. The threat actor group Salt Typhoon is identified as a key player behind these attacks.
Key Points:
A notable incident involving the popular combat simulation game War Thunder is discussed, where classified information about military hardware was leaked through the game.
Key Points:
The hosts lament the recent repeal of net neutrality regulations, discussing its implications for internet security and corporate control.
Key Points:
A segment is dedicated to the rising concerns over AI-generated bots interacting with users, drawing parallels to data privacy issues and the manipulation of user engagement.
Key Points:
The episode covers China's recent actions against ransomware groups that utilized AI tools like ChatGPT to enhance their malicious activities.
Key Points:
The hosts discuss a recent case in Germany where inexpensive Android-based devices were found with pre-installed malware, posing significant security threats.
Key Points:
The episode concludes with a mix of additional cybersecurity anecdotes, humorous exchanges, and reflections on current trends.
Key Points:
This episode of Talkin' About [Infosec] News offers a comprehensive dive into recent cybersecurity incidents, policy changes, and emerging threats. The hosts provide insightful analyses, blending technical expertise with relatable commentary, making complex topics accessible to both seasoned professionals and newcomers in the infosec realm.
Notable Quotes:
For listeners seeking a blend of in-depth cybersecurity news and engaging discussion, this episode serves as a valuable resource, highlighting the critical intersections of technology, policy, and security in 2025.