John
John, they do make a lot of these like mini. So like the NUC-size devices that you could pick up, those are also another good alternative. And like Corey was saying, you put Proxmox or something on there and you can run tons of VMs on there, totally free, no licensing and you know, kind of get pretty much the same results.
Corey
But you can't play games on them.
John
You can't play games on it.
Ryan
That's true, yeah. So the only thing I don't like about it is I've got to go in and I know it's just a matter of.
Corey
That was the first thing I did. I turned that off so quickly.
Ryan
Like gaming shit. Like I don't need my computer to like be sparkly like some kind of goddamn Twilight movie.
Corey
RGB is a state of mind and you don't have it.
Ryan
Oh, I'm so. Yeah, I. Greetings and hallucinations. But it works really well. I got Windows Subsystem for Linux working on it. I can run a bunch of wireless tools on it. I've got Debian now running on it. I've got my class VM running on it. Also I love the fact that if you go to their website, they have instructions to pry the thing open and put a much larger hard drive in it. And it's built into the BIOS to restore it. So you can, you can put in a new hard drive. You go into the BIOS and do cloud restore and it joins a wireless.
Corey
Down that firmware right from China and pulls it down right backdoor firmware mainlining.
Ryan
That shit like right into this, right.
Corey
Onto your Wi-Fi. It's a way to join a botnet. I love it, it's, it's awesome.
Eric
But it works so simple.
Ryan
I'm swearing again. I need to stop swearing by the way, if I swear anybody.
Corey
So we have a swear jar and then it all goes to like swear jar.
Ryan
And every time I say any naughty word or anyone does, we're going to donate more money to the Electronic Frontier Foundation, right?
Corey
Start a swear jar.
Ryan
Whose job was it to tally that by the way?
Kelly
John, are you creating a challenge for me to do further donations to various organizations?
Ryan
Sir, I gotta be careful about this, this can, this can, this can blow up in our face. But we have to do better, right? It's not just about that. I got a very well written, very respectful email from somebody that was a little bit disconcerted with or like. And it's funny because they're like, well this person was swearing and they were listing out all the swear words and all this. And I'm like, oh, that was. That was me. That was me.
Corey
John's like ready to call me up and be like, corey, what are you doing? He's like, dang. It was. It was actually me. That's.
Ryan
Yeah, it was all me.
Corey
I do think so. If you swear early on, then the whole stream gets categorized as like an adult stream on YouTube and then like on YouTube and then on YouTube, people are watching on their work computers and they have to like log into login.
John
Yeah, yeah.
Ryan
We don't want this to become an only fan style. Infosec.
Corey
I did hear.
John
I do hear, John, that it is very profitable. Only fans infosecs.
Ryan
Yeah. But no one wants to see my feet.
John
You had to show your feet.
Ryan
See, I can. I can go to that line without swearing. Right? I can go right up to that line and the other.
John
Huh?
Corey
I don't think you can. The swear jar will be the judge.
Ryan
Well, the swear jar will be the judge at the end. At the. At the end of the show. Right.
John
We'll have AI calculate all the swear. So it's like an automatic counter.
Corey
Yeah, that would be amazing if it just pops up on the screen. It's like John owes $5 to the EFF.
Ryan
So as I swear, if we could pop up on the stream, just how flipped dollar amount is?
John
Oh, my God.
Shecky
What's the value for work?
Corey
Yeah, what's the value? Is it different for different words?
Ryan
Let's let.
Corey
How.
Ryan
What should the amount be? It's gotta be like a real amount.
Corey
I think. I think you have $5 per swear. But the swears are subjective to only the worst ones. Like, if I say poopy. That doesn't count.
Ryan
No, that doesn't count.
John
Yeah.
Ryan
If anybody is like, he said poopy. And I consider that to be a swear word. You won. You're not fun at parties. No one likes you.
John
You were definitely not fun at party.
Ryan
Will abandon you when you die. So, you know, see, I can be offensive without swearing.
Corey
Yes, John, that's the goal. That is the challenge.
Ryan
I swear, Mr. Goal. I didn't swear. I swear.
Eric
I didn't swear.
John
I swear.
Ryan
Brian is going to be the judge of whether or not it's a swear.
Ralph
I. Yeah.
John
Funny that people like, you're offended because someone is swearing, but you could be like really offended and someone could not say any swear words.
Corey
Correct.
John
This bar is weird.
Ryan
Yeah. I mean, and I. And I grew up in ranching community and that's how we communicate with each other. Right? I mean, it's like. It's. It's our hesitation noises. And I especially like it whenever around people. It's like, well, someone who swears it's a sign of low intelligence. It's like, no, it's not.
Corey
Do you remember the scene in The Wire where they don't say a word other than curse words? And they do, like, a whole crime scene investigation? Like, they're like. They're lining up the bullet. They're like, F. Oh, that reminds me.
Kelly
Can we do a competition against South Park and how many times they said the F word? How many times?
Ryan
No.
Kelly
Oh, okay.
Ryan
Now I got.
Corey
I don't think you want to compete.
Ryan
With Southern words, but no, I like Anthony Jeselnik's take on this. Right. Like, you have comedy. Right. And that comedy can be offensive.
John
Right.
Ralph
And if you're.
Ryan
If you're offending people, you suck, basically. You're. And the artistry comes in getting away with it. Right. So how do you say these things in such a way that is not full offensive?
John
Yes. How do you. How do you make them laugh but also still be offensive, but not offensive to that?
Kelly
Right.
Ryan
Well, not even that. But yeah, it's. We've got to go for the artistry, and I need to be doing better because I've been swearing since I was like, two. So they're gonna log.
Corey
The key is to either use it in a pun or use a word that's plausibly the same. What you don't want to be doing is throwing out frax and fricks and shites.
Ryan
I can do that, though. I think that if I want to say what was the Battlestar Galactica? F word replacement?
Corey
It was. It was definitely frack. Yeah, right.
Ryan
It was frack.
Corey
But then that's also Phrack magazine, baby.
Ryan
Oh, yeah, right.
John
You know. You know where they swear a lot, the military? Everywhere, Everyone, literally every other word.
Kelly
Every word to the. Over to the.
Corey
Yeah.
John
Oh, yeah. There's zero. There are zero Fs given.
Ryan
Yeah, I think.
Corey
I think.
Ryan
Sounds like there's a lot of giving anytime. I trained at Fort Gordon, 25 Delta 255 Sierra down in Hurlburt Field, Destin Beach, I think I literally had one day where I taught the entire class. Like that episode from The Wire. It was nothing but swearing, and it was my highest scoring day ever.
Kelly
And, you know they're related to you.
Ryan
Yeah, absolutely.
John
The one reason I realized that swearing is so prevalent in the military is there are no children anywhere to be found in the military. Like, it's really?
Corey
They don't just give kids M16s and let them go.
John
I know it's weird. I know it's weird, but it's like there's no, like, there's like, no really, like a whole lot of cross section of like kids around anyone. So, you know, it doesn't.
Ryan
Also, people are kids around my children. That makes me a bad father. All right, let's kick it off.
Corey
All right, send it.
Ryan
Hello and welcome to another edition of Black Hills Information Security. Talking about news. I should call it BHIS and Friends because we have other people that are not Black Hills Information Security. But they're, they're very cool people nonetheless. You should check them out. In today's episode, we're going to be talking about Chinese hackers breaching more networks because that's what the Chinese do. Ransomware crew abuses AWS native encryption. Basically finding S3 buckets that are open. You can create a digital copy of yourself and your own personality in just two hours and it won't like you either. We'll also be talking about LDAPNightmare and four fake proof of concept malware. We're going to be talking about how a hacker broke into Path of Exile game. I was surprised BeyondTrust wasn't involved in that one. License plate readers leaking real time video feeds and all kinds of vehicle information and woke up, got out of bed. A day in the life of a prolific voice phishing crew. Speaking of crews, I'm joined by the illustrious crew that we tend to have on this. We have run GRC with us. Hello. We also have Shecky. As always, thank you so much for joining. We have Ralphie. After a long, long absence, he's finally back. We have make dir news or make dir Hackety hack. Don't talk. We thank you for joining. Eric is on. Speaking of friends of Black Hills Information Security that do really cool security stuff that hopefully we'll talk a little bit about. And of course Ryan, the man who makes us all look and sound fantastic. And more importantly, if you're just dialing into this or you're watching a recorded version, I'm going to attempt to swear less. I apologize profusely for swearing. It's a, it's a, it's a, it's a bad personality trait. I'm aware of that. But every time I do, I will donate $5 personally. Not from BHIS or Antisyphon because that will bankrupt the company. I am going to donate $5 to the Electronic Frontier Foundation. EFF.
So you guys can help Ryan keep count of that. So I'm not going to go through what the swear words are. If I say poopy, is that a freebie? That's like the free.
Corey
Also if it's part of a pun, it doesn't count if it's money, like if we're talking about us or it's.
Ryan
In the source code, it does.
Corey
Okay, what about direct quotes? If someone in a news article has direct quotes don't count either.
Ryan
No, direct quotes are fine.
John
It's just like reading for direct quotes that have swear words in it.
Ryan
C. Whitlock says John is going back on cheap. You're not, you're not. No, we're not going to do the George Carlin list, even though the George Carlin list would definitely be included in those lists. But let's jump straight in. Do we want to. Which one do we want to start out with? Corey? Ralph?
Corey
I mean, I think so. I mean my take, I think the prolific voice phishing crew was a really, it was a really, I would say eye opening, like my blood was pumping reading this article. Especially because in the article there's a video linked that basically is a live vishing call. For those of you, if you've never participated in one or done one, they're quite the adrenaline rush, especially if you've done a lot of them. It's really crazy and kind of gut wrenching to see someone get vished live. It's kind of just criminals turned on each other as they typically do and a member of a criminal group decided to contact Brian Krebs and leak a ton of information about their operations and how they do things and what they do. You know, this is how things work in the criminal enterprise. Right? You have the biggest threat to criminals is not FBI or CIA or whatever. It's other criminals. Right. So, you know, it's a cool article. They're. They're using kind of normal techniques that we would see for vishing. The main one they're using that they call it in the article is they basically spoof someone's phone number and they call an Apple support line and then that Apple support line lets them send a password reset to the phone, you know, because they're spoofing that number. So it's basically like a lack of verification on, you know, phone numbers because there's no way you can do it. There's no way you can verify an incoming dialer. If you're like an automated phone service or at least not there isn't one implemented right now for this service. So we see this attack before. I mean we've even demonstrated this before. Like if you spoof someone's phone number and call their ISP, it'll usually be like, are you talking about or are you calling about service at. And then it'll just give you their whole address. They're abusing known vectors that are kind of, they're not breaking any ground here.
But it is cool and kind of gut wrenching to see in this case, they're going after someone's iCloud account and then they actually, you know, end up getting. But they've, they get access to is iCloud. But yeah, it's a cool article, worth a read. Not really super newsworthy, but it is interesting to see criminals turn on each other and share all the TTPs. Kind of like Conti or other. You know, there's, there's fun examples of this.
Ryan
So I've got a question for the, for the panel. Do Are we seeing more of this because it's a new attack vector and it's effective, or are we seeing this because going after the endpoint, going after creds is difficult, or is it a company?
Corey
I think it works because companies have put verification. It's required because companies have put increasingly strict verification methods in place. Right. If you can just, if there's an MFA bypass in someone's iCloud, you can just use that. Right. That's. Previous iCloud hacks we've seen have relied on MFA bypasses. But now that there is MFA and all this account verification stuff, I think it's just required. I think we'll see a rise in phishing for 2025. That would be one of my predictions. More vishing, more of this, like, handoff. They actually talk a lot about the criminal organization. Like they have four people on the call. One is doing the call, one is draining the accounts as they get access to things. The other one's just sitting there watching, taking notes. And the other one is, you know.
Ryan
But it also lends credence to social engineering calls whenever you can hand it off to somebody else, right?
Corey
Totally.
Ryan
Oh, well, hey, I'm going to hand this off to my manager. Can you just hold for a couple of seconds? As soon as you do something like that, it doesn't feel like just this one random person's calling you up to.
Corey
Exactly.
Ryan
Right.
Corey
And they're using known services. So like on the call, like if you watch the video, they, they, they spoof the number, they call Apple and then the guy gets a verification on his phone that says you've requested a password reset. And then that's when he literally says out loud, oh, so you are the real Apple. Yeah, exactly. So he literally says, oh, so you're Apple. Right. Because they abused a known like a valid channel to reset an account. I mean, you could argue Apple will probably end up disabling this method now of account reset, like they probably should. I think it's just there's a higher level of trust required to pull off these attacks and so many more steps, right? Like you have to get access to the Coinbase, you have to get access to the, you know, iCloud account. Then you have to submit a transaction, then they have to approve the transaction. It's just a lot more steps these days.
Ryan
Yeah.
John
To also, to answer your question, John, this isn't new, right? Like, this was like Kevin Mitnick's, you know, I would say bread and butter, 1999.
Corey
Yeah, totally.
John
Well, like, I mean, this, this isn't new. But, but to follow up what Corey just said, which is absolutely true, is that the reason I feel like it has felt like it's a resurgence is because a lot of technical controls have, have gotten into place. And hacking the human on the phone, right. Is easier than necessarily coming up with a new compromise to a MFA system or something else that's unknown, so.
Corey
Totally. And it's incentivized. Like, if you look at the criminal, like, the way they monetize this, they do everything from a flat fee per call to you get 10% of the take to you get 100% of the take. Like, it's totally like kind of like initial access brokers, right, where you have like, oh, are you good at social engineering while I'm good at draining Coinbase accounts. Let's team up, share the profits.
Ryan
Yeah, Yeah. I, I, I think the Mitnick thing is, is a really important aspect of it. Right. Like you said, there's nothing new with this. But I, I, I keep wondering though, you know, in the industry, are we in fact getting better in the aggregate on the whole, or is it just my echo chamber is getting better? Right. Like, this is one of those things we've talked about. Eric, I'd like to get your opinion on this too. I think that there's a big selection bias in a lot of security firms because whenever I'm talking to other people in like, say, larger firms, and I'm saying, man, some of our customers are getting really good. Like, they're running EDRs, they're tuning EDRs, they're doing adversarial simulation. They're doing really good let's risk based analytics and their SIEM and all of these different things. And I, you know, I talk about we're seeing all of these good things they're using and they're like, yeah, our customers are still using password 1234 for their cloud accounts. I don't know what you're running into. So I always wonder are things getting better? And this is just attackers evolving and going back to some of these tactics which always work because trying to do malware is hard or is it just. That's what we're seeing. So what's your take on that?
Kelly
I, I have to agree. I think our echo chamber is, you know, it's more of we need to turn around because we're preaching to the choir analogy, right. So we're talking to our clients even on our side of the fence and they're getting better. And they're getting better because they got hit. I had an incident. So you know, they're a little bit more aware. But however, post incident what we see, nine times out of 10, within about two years they fall back into the de facto what their business operations used to be. You know, this Apple thing really is nothing more or just a different flavor of what's already been going on with Apple. You could take Microsoft device authentication method and be able to get access into the domain just by phishing as well. If you've been around in the industry long enough, like most of the people probably in, in on this call in in the chat, you know, anytime there's say about 10, 15 updates, old exploits start creeping their way back into product line because they, we don't remember why this thing got commented out or whatever the case was. And we just see old exploits coming back over and over again to the tune. I don't think the industry as a whole is getting better. I've made the statement many, many times that, you know, you take a look at the past 5, 10 years of CISA reporting for Cyber Security Month, it's the same, it's the same thing.
John
I could see money just like in.
Ryan
Your brain, dollar bills coming up. Yeah.
Kelly
It's just the same thing over and over again. So I think our echo chain, we're just getting really good at communicating to our clients. They are getting wiser for it. But I am of the massive belief, and I think I said on here several times that a business is not going to change until they're required by whatever external force to make that change.
Corey
Let's talk about a change that a company had to make. Let's talk about that. Dental one. Did anyone see that? It's pretty funny. It's kind of a brief. A brief stop. The pun in the article title was just so bad. Which the pun. The pun was basically that the. There was a dental company based out of Indianapolis, I believe, that was caught lying through their teeth. There should also be a pun jar. Should there be a pun jar?
John
Yeah, yeah, negative five.
Corey
Yeah, negative five. Wait, what?
John
Come back.
Corey
So basically this is a, I guess I would call it a mid or small size dental company based out of Indianapolis. They were recently fined 350,000 dollars because they were hit by ransomware, specifically MedusaLocker. And they told their clients, oh no, we just lost your data because we were formatting a hard drive. Which like that excuse might have worked 10 years ago, but today apparently not. So, you know, talking about consequences like 350k, obviously not the, you know, it's not the going to bring down the house. It's not that big of a sum for a. But I think for a smaller company, I mean they have like five or six locations. That's a decent chunk of change.
Kelly
Corey, I remember this story very vividly. Like, so people who don't know, I mean, this is literally five years ago where they are. It's almost like QuickBooks Online. They were actually hosting servers for dental organizations. And they literally came out at the time and said, no, we were dealing with a cyber security incident, AKA ransomware, and they were all over the place. So for them to go back, I guess maybe they tried to scrub their data and like remove all the posts and everything. But I remember it all over social media that they admitted that they had, you know, cyber. They were hit by Medusa. And Medusa came out because they were bashing them all over the place saying, you know, these guys are not taking it seriously. They don't want to make a reasonable offer. They were actually taunting this organization for not doing proper negotiations.
Corey
Sure. And the other crazy thing, and Kelly can definitely chime in here, they weren't fined for lying. They were fined for other HIPAA violations, which include lying is fine. No one will.
John
It's anticipated, Corey.
Corey
It's expected. But I would say lying definitely should be maybe criminal thing like fraud. But I mean, if you look at their HIPAA violations, it's essentially a summary of they didn't really do the whole HIPAA thing. They kind of just were like, HIPAA, Hippo. Never heard of it.
John
Oh.
Corey
So yeah, if you look at the list, I mean, Kelly, have you read, I mean, chime in here like, is this a normal size fine for HIPAA? This seems big for HIPAA. Is it just me?
Shecky
Well, that's interesting. You mentioned that HIPAA fines were relatively small. They've gotten bigger over the last 10 years or so and they're going to get bigger now. We talked about this a couple newscasts ago where HHS has a proposed security act rule coming out in 2025. But let's be honest, the thing that's really disturbing is how often healthcare systems are hit by ransomware. And I think they're just really trying to say, listen, you guys can't say, well, the doctors need access, so we're not going to do MFA or any sort of security. They can't be using that excuse anymore. Okay, here's my two cents. I don't think HIPAA is all that difficult to implement. And if you look at what they were fined for, they weren't doing any awareness training whatsoever.
Corey
Right? Yeah, they did nothing. They, they, they basically didn't. I mean, there was like to, to give everyone. You know how low the bar can get. There was no password policy until January 2024, mind you. They were breached. They were breached in 2024 years. It took them after the breach to be like, maybe we should have a password policy. Maybe you should put one of.
Kelly
It took him four years to get through the incident of the investigation to determine reasonable measures.
Shecky
Well, and the servers were in the break room. So you could heat up your burrito and check on the server at the same time.
John
No, here's the, here's the best part. So the server's in the break room. They have no password. They have like zero security posture at all. And they made backups, but they didn't test them. So when you needed.
Corey
No, it's okay. It's okay. We were just formatting a hard drive. Oh my God.
John
You know.
Kelly
Yeah, let's just use John's. John's analogy. Just look at the darn cats in the chat. Look at the darn cats.
Corey
Yeah. Well, I mean, even like Some of these YouTube comments or comments are hilarious. One, one person, Casley Joseph said, we had your data in our pocket when we had them in the washer. Sorry. But let me.
Kelly
I guess let's take a. Because I don't know too much about the organization. At what point does the business. Okay, so we have a hosting company that's hosting the data. Granted that their fault. They had, they had some problems. But there was mention of cybersecurity awareness training. Is that really up to the hosting companies? Like Saying, you know, Microsoft or AWS is supposed to give me training because I'm hosting data in their infrastructure.
Corey
No, no, I think there's a hosting company. I think that might be a different article you're thinking about. But, yeah, this is just a small dent. It's just like a small dental. They have, like, five locations. It's just like a small dentist firm.
Kelly
The data center one. Okay, my apologies.
Corey
No, I mean, I. I'm. Yeah, I mean, there's been a lot of ransomware hits. Right. But so I think.
John
I think the HIPAA was going after the organization as a whole. So, like, they're saying, like, if there is HIPAA data, you have to do these things, like, have a password policy and, like, have, like. And, like, the bar is, like, really low, by the way. Like, having a password policy.
Corey
Like a poster that says, remember. Right.
Ryan
Like, they're planning on updating that. And, you know, we can have Kelly talk about this, but they're planning on kind of updating that HIPAA st.
Kelly
So, yeah, they released a preliminary of it for it, and CISA released one for it last Friday or today. One of the two.
Ryan
Huh.
Shecky
Mr. Strand, did you go away and swear and then come back?
Ryan
Probably did, actually.
Corey
He just goes off in the corner, punches a pillow, and says the F word 15 times and then comes back.
Kelly
That's actually a good idea.
Ryan
So. So what happened, let me demonstrate.
Corey
Is.
Kelly
Somebody accidentally unmutes them.
Corey
I think Ryan can't. I think Ryan can't actually unmute.
Ryan
And that's about all I've got to say about that.
Corey
We should get someone to, like, be the live censor and, like, beep while.
John
We, like, beep listening on audio. John just, you know, said a lot of cuss words in a row.
Corey
If you're a lip reader, we apologize.
John
You may possibly be offended by this podcast.
Kelly
Yeah.
Corey
All right, so let's talk about that. Let's. Let's get on the gravy train. Let's get on that gravy train.
Ryan
Solved my swearing problem.
John
No, just mute.
Corey
Let's get on that. Let's get on that gravy train.
John
What's in the gravy?
Corey
So this. This hit my radar, and I think a lot of people's radar. Gravy Analytics, which is apparently a location tracking service, which. I don't know. Like, that sentence is kind of a nasty sentence. I don't even know why that exists. Basically, this hit wide because on a Russian forum, someone posted a data sample from a location tracking company called Gravy Analytics. One of the interesting tidbits, I went searching for the breach data, couldn't really find it. The, you know, it seems like the rumor is that they paid the ransom or whatever and so the attackers took down the data. But there could be, I mean that's just a rumor, but there's actually a list though that was published of over. I think it's like 10,000 apps that, that they track data from, that they get location data from. So that's terrifying. But yeah, basically it's just kind of a, puts the fine point on these organizations that track people's locations are notorious targets for hackers. Right. It's a US-based firm and there's over. You know, it's collecting location data from over 10,000 applications or whatever. Like it's going to be so much impact you could do with that data. Right? Like, I mean it's, it's, you can dox tons of people and they claim to have like 17 terabytes of data, which is like a terrifying amount and probably includes US politicians and high profile individuals and et cetera, et cetera. Obviously everyone plays games on their phone. If you're a US official, you gotta play all the good games on your phone that track your location.
Ryan
They gotta be doing something whenever you're waiting for votes, right? And it's funny, I can't. I went and watched The Big Short again last night. If you, if you haven't, you should watch that movie. Much better than Margin Call. But Margin Call is good too. But it, it seems like with a lot of this, a lot of this data, it's a lot like that movie where you take this data and then you repackage it, you resell it, you repackage it, you resell it until the end of time. Right? Like where they were talking about, oh my gosh, they got people's location data and there's another one about license plates leaking real time data feeds and vehicle locations. Once for five bucks I can find all the different, like traffic cameras and parking garages and different places because these cities are selling this license plate data out to data brokers all the time. And I think that there's this weird disconnect that exists whenever people are talking about the privacy of this data and they're talking about the privacy of license plates and they're shocked whenever they find out about it. But I think they're more shocked about just how cheap it is if you're willing to go through legitimate sources. I also don't think that people quite understand just how much of their information is out there.
John
So this license plate article, so what it was is, Motorola makes these ALPR cameras and what they're designed for is actually like police departments and other kinds of like mobile deployments. Right? And what, what they do is they put them on vehicles and they automatically capture all these plates. Okay. And the goal of these systems is to put them into a database so they can create alerts, right? So they could type in a license plate and probably be able to correlate where that car was at a certain time. Other things like that, maybe just another police car saw it but didn't know, or the police car could get alerted that that is a suspect vehicle. Right. And so that's why they're out there. But when this security researcher started diving into them, they found out that, you know, essentially there was no security on these devices. You could access them remotely, you could pull down the straight ALPR data. So just the license plate, make, model, stuff like that.
Ryan
And that's the thing that I think is new in the story, right? Like you could always access a ton of cameras and you can find those. But whenever you get the ALPR data, it's like, whoa, whoa, whoa.
Corey
That's where the talk about location data. Can you imagine how much you could dox someone with this, like, you know, where their car is all the time, or, you know, potentially all the time.
John
You're not supposed to have access to these. They're supposed to be vehicle mounted in a car, like on a local network. So I guess the security deployment was more of like supposedly a layered approach that everyone forgot about. That first layer which was, you know, blocking it off from the Internet. That's essentially what happened.
Ryan
People forget that all the time.
Corey
Well, a lot of this law enforcement stuff, I mean, we've even seen one of our clients, actually, we found an exposed camera and we were like, how did this happen? They were like, well, it was required to be exposed for law enforcement purposes because they, I mean, basically like they required for whatever law enforcement reason that the stream of this camera would be exposed. But they never provided an IP address list or like a host name, something to allow list this access. So it's like kind of the Wild West when it comes to this sort of stuff. Like they need to have access to these camera feeds, or maybe not, maybe they're just badly configured. But in their minds they need to have access to these feeds or their tools or their vendors do, but they just never actually go that extra step of lock it down.
John
I'll say it years ago, we were.
Ryan
Testing an organization just kind of kicking out a story for this. And the, the. The organization was an external penetration test coming into the organization. It's actually one of my favorite tests. We're able to gain access to their conferencing camera system and they had default creds so we could go through and we could watch the videos of like meetings live. We could just go in, but they were also recording the videos as well. So we could go back and we could look at all the different videos associated with each of the meetings that they were using for their IT team around the world. And I think we, we did get domain admin. Like we, we got it. It was just standard spear phish and, and pivot gain access to DA. It was. It was pretty straightforward. But the reason why I absolutely loved this test is we were able to go through, find all of their meetings and then the IT meeting there was IT meeting to discuss current penetration tests. And we basically just went into the recording of the meeting. And it's a lot like this where the person that's talking gets the video camera feed and that's Ryan that's doing that in the background because he's awesome. But this is one of those where the person that's talking gets that feed and then it goes to the next person, goes to the next person, goes to the next person. And one of the people was just ripping on us like the whole time. Like this company. Who the hell is Black Hills Information Security? These guys suck. There's no way they're going to get anything about this entire company just ripped on us up one side and down the other. And it was great because we put the picture of that person talking about how bad we sucked in the pen test report with the caption quoting that person. Black Hills Information Security. Who the hell are they? I'm sure they suck. End quote. And we, we. I love that report. I. I've got to go find that report.
So you see these cameras exposed, not just like traffic cameras and things like that, but the amount of video conferencing systems and cameras that are exposed. Just like a Shodan search away. And I think there's probably like 10, 15 different types of Shodan searches to pull down and identify these devices. And the data that you can find sometimes just outright terrifying.
John
Yeah, the RTSP streams are out there. A lot of these things are not configured properly. They're all over the place. Right. And actually it comes really to the fact that a lot of the vendors like hardware or excuse me, hardware software is not updated right like it has this like life where you just set it up, plug it in and never update it again. And so, yeah, they've, they've got a reputation.
Shecky
So yeah, that's a great lead into our, our cybersecurity mark of trust story.
John
The mark of the web.
Corey
I don't know what this is. What.
Ryan
Oh God, where is this going?
Shecky
The, the, we put it in the link in the, in our show. Notes about the new cybersecurity trust.
Ryan
Like Greens keeping seal of approval from the government.
Corey
I see it, I see it. It's the Verge, which we know if you've watched the Verge PC build video, you know how good they are with tech.
John
Oh, they love computers.
Shecky
Well, so this is something that the, the Biden administration has been pushing for a long time is to put a, as John would say, the Good Housekeeping seal of approval on devices. And, and I think, Ralph, one of their objectives was to do that thing that you just mentioned. These devices sit years not being updated with software, firmware updates, BIOS, blah, blah, blah, blah, blah. And yeah, it is kind of cheesy and it's a government program, but I think it's a good place to start. We just have to tell everyone, hey, there is such a program, hey, there's reasons to trust that label. And if it, if it makes you pay 3 or $4 more at Walmart, it's worth it. Those are my thoughts on it.
Eric
The question that I have about it, because I was looking at a couple articles over the last week on this subject, is it sounds like it's voluntary. It's not like everybody sends stuff to a UL or some laboratory or someplace that actually tests it. It sounds like it's self reporting, self saying. And a company has to volunteer in to go ahead and be able to do this stuff. Nor did I see any sort of repercussions. If something gets hacked and doesn't have this seal on it, will it be able to catch on in that instance?
Corey
It's a carrot. It's a carrot, it's not a stick.
Ryan
Okay. I don't know. I'm going to try not to rant because if I rant, I swear.
John
Can we get a BHIS seal of approval? Could we do that?
Corey
Okay, so I will say that, yeah, John, resist the rant because you can't not swear if you rant, right? Basically, I guess my take on this is if, let's say hypothetically, your weird uncle calls you up and says, hey, I'm at Best Buy, I'm looking for a new Wi-Fi router, what should I buy? Like, is. Would you be able to tell them anything? With the magical government checkbox, you can buy like is. Is that the idea? Or I mean, could we end up in a world where that could be the case? Because if so, that would actually be pretty cool. But I feel like if I told him to buy the government approved router, he'd be like, hell no. They put the 5G in the router. They got the microchips. Yeah, I don't know.
Ryan
This is a start. Okay, so I'm going to start out by trying to do the poop sandwich, right?
Corey
Good job, John.
Ryan
I think it's a start. Okay. I think its heart's in the right place. That's the outer part of the sandwich. Now we get to the poop. This is stupid. And the reason why I think that this is absolutely stupid is if you put this like seal of approval on a device, okay? You put the seal of approval on a device. Let's say we have a device that is magically secure. Today, the code is completely secure, top to bottom. Today we wrap it up, we vacuum seal it, and we put it into a RadioShack that's going out of business, right? RadioShack goes out of business. Its stores close down, it collects dust for five, six years. And then all of a sudden this magical package that was vacuum sealed by the way, and protected against the elements comes out. And it still has that Good Housekeeping seal of approval on it. You unwrap it, you put it in your house. Is it still secure?
Kelly
No.
Ryan
My problem with this is I look at it, somebody said false advertising. I don't want to say it's false advertising because that's, that, you know, some type of malicious intent. And I don't like that. But if you're looking at this whole idea, it's. It strikes me as an idea of a bunch of people that don't understand computer security trying to come up with a solution to computer security where they're like, you know, we need, we need a seal of approval. Me and Corey are great on stupid people accents. I just sound like I normally do outside of this. All we need to do is put a little sticker on it. We just make sure that stuff's secure, you see, we just. And now all of a sudden I'm Ross Perot, right? So we'll stick with Ross Perot. It's like, ah, you got the sticker, you put it on the thing, you see, and no, that's not Ross Perot. I'm jumping over my accents at this point now. I'm, I'm a gangster in the 30s. Sticker on the box, you say it's secure. People buy it because it's secure. And that doesn't mean it's secure moving forward into it. And as Eric just questioned, does the governing body issue these stamps? Are they now liable if it's not secure? I like that question. So I'm going to close out the sandwich. This is a start. People's hearts are in the right place. Instead of putting a sticker or something on the box or a device or any of those different things, I would like to see it go to companies. Right. You can say that this company produces secure software. They have good software development lifecycle practices. They're doing things the best that they possibly can. There's some type of audit. You can put in a letter of attestation from a testing company since it can go and give these things away, but they can lose it. It is something that, like if all of a sudden God forbid, Oracle or heaven forbid or. That's $5.
Corey
No, it's not. No, it's not. God forbid is not $5.
Ryan
Thank you, Corey. So the point is, I think we need something like this, but it's like completely anathema the way that this is being running. Ran for computer security completely because it has this idea that something can be a secure state, a device can be secure, and once it's secure, it's secure. And security is a continuous updated process that we always have to work for. And that's what we're actually missing.
John
I can think of some products too that are like actually well maintained from a security perspective and they still have issues, right? They're getting updates, they're getting tested, they're going through these processes. But because there's so many of them out there and maybe just whatever something happens then, you know, it, it, it, it still has an issue, like you're saying, John. Right. Like this sticker's never going to go on. But, but the other, the other side of it is though, is the real question that I have about any sticker, any, anything would be are they actually getting tested and are they continuing to update this thing? What's the, what's the life cycle? When do I know that I need to get rid of this thing because it's going to get least Microsoft and Ralph?
Ryan
I think that for me is a much more interesting question. A company that comes up with an exploit, do they have the capability of pushing out updates and do they do so successfully?
John
Yeah, I mean that's really something you need.
Ryan
Right. My fear is there you're going to have product X ends up with an exploit for it. Product Y is immediately going to petition the competitor, the United States government to remove that Good Housekeeping seal of approval. It starts to get really nasty about but something.
Corey
Sorry, go ahead, Eric.
Kelly
Yeah, sorry. I was going to go down a massive dumpster fire here but you know, let's just say I got a Linksys or whatever generic Best Buy big box store router and it has that stamp on there. Six months later one of you find folks or somebody else creates an RCE for it.
Ryan
Yeah.
Kelly
And I don't know because I'm grandpa just watching my Netflix and chilling. Well I can't say that nevermind I'm watching Netflix and I don't know that this thing is. Is there going to be a mechanism to send out massive mailers to everybody? Are you going to require everybody to give legitimate address as to.
John
They got a recall, they need a recall.
Corey
Recall. Well, I, I think my hot take would be if the device has this stamp of approval, it should have auto updates enabled. Like I don't think this. That would be my.
Kelly
That would be why Microsoft doesn't do it.
Corey
No, but Microsoft doesn't have the stamp. They also don't really make IoT stuff either. But I would say like yeah, I mean truthfully, like if in my. I mean I don't know what the criteria actually are but if one of the criteria is auto updates, that would be such a huge bar. Like if I could tell a family member go buy one of these devices that has this checkbox because it means you won't have to manually update it when an RCE comes out. That's actually a huge win for me and I would tell someone to do that. The other thing, they talk about scanning QR codes on the boxes. How cool would it be if you could scan a QR code on the box and it would take you to the pen test report for the product from a company like Black Hills Information Security or IOActive or any other firm that does this type of penetration testing. That'd be really cool to see like a little support dolls.
Ryan
It's like those dolls from that show Wicked that takes you to the website wicked.com but it's a pen test report.
Kelly
But how many of you guys and gal are in the mindset that I am in currently? This is just a bunch of noise to get us talking about something that's never going to see the light of day.
Ryan
It is, but it kills Time on our show. So.
Corey
You just figured it out? You figured out the point of a podcast, my friend.
Ryan
It's all. It's all marketing and turtles the whole way down the title.
John
We figured out the point of this podcast that.
Corey
All right, speaking of zero days and RCE, we should probably talk about that. I mean, I think we should let the audience decide if God forbid, is a swear. That is not. That is not a swear to me.
Ralph
Why don't.
Ryan
Because.
Ralph
Why don't you just use Stormlight Archive swears? Just start saying, like storms and stuff like that.
Corey
Storm and bloody ashes or whatever. Let's talk about Ivanti. Let's talk about this.
Ryan
Let's talk about Ivanti.
Corey
There was a. Yeah. Talking about RCEs. I mean, this is. Again, it's like T-Mobile. Every time we bring them up, they got hacked.
John
They always get hacked every time.
Corey
Yeah. So, I mean, basically, there's not a huge story here, but patch your Ivanti Connect Secure stuff. There's another RCE, it's been abused by Chinese threat actors for remote code execution and it's already hit the UK domain registry Nominet. This is in the wild. Patch your, patch your Ivanti stuff, if you have it.
Ryan
It.
Corey
They used to be Pulse Secure, if you don't know what it is. But, yeah, that's basically the. I mean, they probably shouldn't have a security seal of approval. They've had a lot of RCEs in the last year.
John
How many breaches do they have to have before, like, you, like, you, like, can't get one. Yeah, like, you know, you're kind of like on the ban list. I mean, because T-Mobile doesn't be a carrier anymore.
Corey
Yeah, I mean, we talked about.
Ryan
It's into the question. Everyone talks about how. What is it going to take for companies to move forward with any type of computer security. And I think we always say it comes down to the money. Right.
John
And you haven't reached.
Ryan
And then two weeks later, their stock price is right back up to where it was. No one cares. Right in the exact.
Corey
And this is a legacy product. This is a legacy product. I don't think they're actually trying to sell this product anymore. I could be wrong, but I think this is. This is the worst acquisition in the history of acquisitions. They acquired this Pulse Secure product and then I will say to their credit, they have issued patches for all of the vulnerabilities that have come out. They haven't. They haven't pulled a D-Link and said, buy a new router. Sorry, yeah.
Ryan
Who just bought Cylance from BlackBerry.
Corey
Wait, Cylance again? Yeah, Cylance got sold again. We talked about it. It was someone you wouldn't expect.
Ryan
Are you sure that. Yeah, I don't know. There's some pretty bad purchases or the. The first sell to BlackBerry where BlackBerry lost a billion dollars on that sale. That's pretty bad.
Corey
Why?
John
It feels like they're selling off scraps. Anyways, not to rehash.
Corey
Do you guys want to talk about this Path of Exile thing? It's kind of an interesting one.
Ryan
That's cool. I swear, when I was reading this, I'm like, is BeyondTrust in here? Is BeyondTrust in here? BeyondTrust. It's got to be somewhere.
Corey
Basically, this is a hack in Path of Exile 2, which is the newer version of Path of Exile, which is like a Diablo type game. Like, I forget what they call it. A dungeon crawl. ARPG. What's that?
Ralph
ARPG. You are correct. Action RPG. Yeah. I would accept dungeon crawler as well.
Corey
Okay. Dungeon crawler slash ARPG. Path of Exile 2, an admin account was hacked. So this is like on their website, which they use to facilitate in game transactions. It sounds like these admin accounts didn't have two factor auth. Someone password-guessed or credential-stuffed their way into an admin's account and then disappeared a bunch of items from people's, you know, inventories.
Ralph
Do you think this is how Elon got to the top 20?
Corey
Yes, that was in the article. They were like, apparently. I mean, apparently Elon's been cheating at Path of Exile too.
Ralph
He's been cheating at all video games.
Corey
So maybe this is people that real life.
Ryan
Yeah.
Corey
So, I mean, I guess really, I. I do want to give a shout out to the company behind this.
Ryan
Yes.
Corey
The developer went on a podcast and basically said like, the direct quotes are in the article. But it's. We effed up. We screwed this up. We're sorry. We're gonna make it right. I will say the number of affected accounts was like 66, which is a ridiculously low number. 250,000 to go and own up to.
Ryan
It is just awesome, right?
Corey
Totally. Yeah.
Ryan
And I think we're all shocked whenever we see that in the news today. And I keep wondering, how long is it going to be until companies can see like the right way and wrong way of handling a breach and notifying their customers? And, you know, whenever you see it done right, we, you know, the security community is like, okay, you messed up. Okay, what are we going to do different? That's what we're going to do different. We move on with our lives. It's the companies that try to minimize diffuse lie and just kind of downplay the entire thing that really get into a tremendous amount of trouble. And I'm just wondering how long it's going to be until companies start to see that trend. And yeah, this was, this was really a class act for them. So kudos.
Corey
The people in chat using the Stormlight archive swears.
Ryan
Is that what we're doing now?
Ralph
I love it.
Corey
Thank you.
Ralph
I love it.
Corey
Yeah. So we talked about this on the beginning, John, but the whole hackers hiding info stealers inside of POC exploits on.
Ralph
Have you already talked about it? No, we submitted that news.
Corey
No, you're here for it.
Ralph
We submitted that news article just for you. Once I read that I was like.
John
The same, he's going to bring it up.
Corey
He couldn't help.
John
He'd sniff him out. He'd read everyone for that.
Corey
Let me get my BHIS issued soapbox out from under my desk. This is another, this is another info stealer article. I think it's funny to read through the exploit chain. So basically this is on GitHub, very in my opinion, sketchy looking exploit for LDAPNightmare, which is a high profile vulnerability which I don't think has an exploit yet. If you look at the repo testing.
Ryan
Companies have been looking for it though and this is, this is one of those things that spooks me about BHIS.
Corey
Yeah but John, look at the repo. So Ryan, pull up the repo and, and tell me John, would you clone this so Ryan could pull up the news article with the repo it's just.
Ryan
poc.exe so the repo which for sure.
Corey
So I will say I, I agree with you.
Ryan
Oh my word.
Corey
I will say, I will say I agree with you that it's spooky. However, in this instance I don't think there's any self respecting pen tester that would clone a purported Python repo that just has one file called poc.exe and then run that exe.
Ryan
It's like free candy.exe.
Corey
So basically I disagree.
Ryan
I think that there's a.
John
Read the source code because he's on GitHub. Right.
Ryan
I think there's a huge number of pen testers that get stuck and they're like they need something. They need something and they're stuck.
Corey
But they're on Kali. They. I can't even run poc.
Ralph
I'll give you, I'll give you another one. There's a huge number of blue teamers who are just gonna pull this down and they're like, oh, all it is is an exe run it. Hopefully. Hopefully. Then they can then build detections for.
John
It, which exe is definitely.
Ralph
Hey, I, I fell for one of those back when the dude put a canary token in it. But I will admit, just my, my vulnerability manager guy hit me up. He's like, hey, Wade, run this for me so you can like, run the detection. Not even thinking about it, just trusting him. Pulled the repo down and immediately saw this PDF and I'm like, that's weird. I opened the PDF and it's a canary token. And I'm like, you son of a. I'm gonna. I didn't agree to anything. I wasn't here at the beginning of the news.
Corey
So, I mean, the chain of exploits.
Ryan
Remember the Anna Kournikova naked thing? Some of you may not be that an email.
Corey
Like original email phish.
John
Yeah.
Corey
Yeah.
Ryan
So I came into work one day kind of on you're talk about your manager. I came into work one day, I open up my email in the morning, and I have like thousands of emails that are like, Anna Kournikova naked. Anna Kournikova naked. And I, I, I like Mundo. Hey, Ed Mundo. And just as I'm yelling at him, I all of a sudden get a bunch of emails from him that he clicked on it, right? And he's like, why? And I'm like, like, never mind. So. But it was so awesome because he was like, in my defense, you wanted to click on it too. And I'm like, no.
John
After John finished checking every single one of those emails, then he, everyone.
Ryan
Because one might be legit. Well, you know.
John
Yeah, yeah. If anyone would do that, that could have saved you a lot of time.
Ryan
So when, when people are talking about infosec, people doing dumb things, like, I totally, I'm with Wade. I, I'm totally right there because, boy, we. I've seen pen testers, especially junior ones, that are super, super desperate. I, I remember when I used to have to pull down all of my exploits from Packet Storm. I remember there was an exploit that I was pulling and it was just like heavily encoded. It was like 19 pages long. And I'm like, I, I, I, I, I don't know if I trust this. But no, I almost, I almost ran it. I did. And it was totally a backdoor.
Corey
Well, so this program isn't that much more advanced than AnnaKournikova.vbs or whatever? No, no, it's not this basically. So the exe is a UPX exe. Which UPX? I'm assuming it didn't get an unpacker.
Ryan
For execute that still works.
Corey
People still use. Well, I mean, okay, not really. Right. But it pulls down a UPX which extracts a PowerShell script which then creates a scheduled task. It's a disaster of chained exploitation. Lights. It pulls down a stager from Pastebin. There's so many red flags. Oh my God. This is like a bingo.
Ryan
But it feels like the way we tested probably eight, nine years ago.
Corey
Right?
Ryan
Like we would use maybe longer than.
Corey
That, maybe 10 PowerShell with the stager. Yeah, yeah.
Ryan
I used to use UPX and Yoda and Themida and all of those different things.
Kelly
Oh, gosh.
Corey
Yeah, I will say I would do after the random Korean characters. They would bother people I love Eric.
Ryan
G8857 said, President of the company I worked for in May 2000, clicked on the attachment of an ILOVEYOU virus. He couldn't believe that anyone actually loved this.
John
Wow, that one burns all the way back in 2000.
Ryan
It does kind of like me after the testers meeting today. I'm not clicking on anything from you guys, so.
John
So, Corey, what did happen though? This essentially wants all of that magic mean.
Corey
Basically, it's an info stealer.
John
Yeah.
Corey
Okay, so it pulls down a PowerShell script.
Ryan
It always ends up there.
Corey
Yeah. So it's, it's target. But it's, I will say, like it proves, which, you know, you might not think this, but we are, we are targets as pen testers, as people who have the keys to the kingdom that we obtained illicitly. We are, you know, targets for this kind of thing. So it's just to keep in mind, I mean, we've talked a lot about supply chain type stuff, vulnerabilities in exploits or exploits and exploits. And this is just one more of those. So yeah, use a trusted repo like Black Hills Information Security or other people's repos that you can actually trust.
John
If you can't see the source code, don't run it.
Ryan
Yeah.
Corey
And maybe just run that through VirusTotal. Maybe run that through VirusTotal.
Kelly
That's a nice sandbox.
Ryan
Yes.
Corey
Sandbox. Yeah.
Ryan
Like pen testing, you know, checking like, like it's like, oh, that looks like malware. Of course it does. Right. That's what it's supposed to be.
Corey
I'm gonna, that's funny. I, I, I actually, I, I wonder. I don't think it is funny though. Yeah, you're right. Of a real poc, eventually would get flagged as malware. Eventually.
Ryan
Eventually.
Corey
Yeah, I mean this is why we really rarely trade around binaries like this. Usually, I mean there. It does happen when you have something like Java you have to exploit that only is exploitable via a binary. Like you need a JavaScript binary to do it or a Java binary. But generally these types of exploits are not binaries. They're usually like open, you know, Python typically.
Ryan
And even if it is a binary, usually the source code is provided with it, you know.
Corey
Yeah, yeah, yeah. I want to compile it myself. Exactly, yeah. So let's talk about this AWS native encryption thing. This is a quick article, but I do think it's cool. It's pretty cool.
Ryan
I think it's cool too. But they're back to just looking for open S3 buckets.
Corey
No, it's not open S3 buckets.
John
It's not an open S3 bucket because that's not how the encryption works.
Corey
No. So this is seriously all it is is ransomware can affect S3 buckets once they compromise an account that has access to S3. The cool thing about it is they just use a customer provided key to encrypt the data.
Ryan
Wait, wait. Oh, publicly. Sorry. Using publicly exposed or compromised AWS keys. I thought it was publicly exposed or compromised.
Corey
If you expose data in S3, I can't change your server side encryption. I have to have a, I have to have a token to do that. Right. So I have to have API access.
Ryan
So mean.
John
Yeah, so what?
Corey
So, but it's actually not that mean. And the reason it's cool is because. So ransomware, do you trust if the decryptor works because you might pay the ransom and then the decryptor doesn't work. At least with this, you know the decryptor works because it's just native S3 encryption. Yeah.
Ryan
But the self destruct timer for seven days, it's like. Yeah, it's just.
Corey
Well that's, that's an industry standard in.
John
The ransomware region, so.
Corey
Oh wait, wait, Corey.
John
So the way the S3 server side encryption works, right. Is that you can add a key. Right. In the S3. So they're adding their own key. So obviously for everyone, for context, you have to have access to the API. Right. So they, they have an API credential.
Corey
For disclosed key or compromised account. Yeah.
John
Once they do that then they're going to use their. You can go create a customer. So I'll say, oh, I'll use the word customer, but you can create an encryption key to use on that bucket.
Corey
It.
John
Right.
Corey
Which is great for security if you're HIPAA compliant. If you want to be HIPAA compliant in S3, you're gonna have to provide your own keys because you can't have Amazon keys encrypting your data. Yeah.
John
Yes. So that's a server side encryption key. So what they do is they upload their own key to the service to encrypt it and then remove the key. Is that, is that the idea?
Corey
Yeah, they basically upload, I mean, they basically supply a custom key, encrypt all the data and then they have the custom key. So unless you pay them to buy that custom key and if it was destroyed, then the data is unrecoverable.
Kelly
The way that I. Correct me if I'm wrong, this is an honest question. The way I view this is like this SSH version of we have updated our SSH keys, here's a new private key. That way you can authenticate against the SSH server. It's kind of the same thing, right, where they've updated their own custom certificate and now they can do whatever they want to. They ransomware the files and you cannot access or do anything because you don't have the new private key, correct?
Corey
Basically, yeah. I mean, so it's like normally on S3, I would say it's probably rare for people to be using these customer provided keys. Usually most people are either having no encryption or they have Amazon provided keys which are basically just generated and managed by Amazon. The key part of this pun intended is that with the customer provided keys, Amazon does not have a copy, which is good for security if you're trying to do end to end encryption, but bad if you're trying to recover stolen data. So again, it's nothing new, it's just ransomware being ransomware. But it is interesting to think about using native functions of a cloud app to encrypt data. I mean, I don't know, it's kind of cool. They have to.
John
So here's my thing though, right? So the way S3 works, if you have like a custom key or you use Amazon's key, is when you add an object, it encrypts it with that key, right? So let's say you upload a file, right? So but if there's a bunch of files already there, you would have to re upload every one of those files to be encrypted.
Corey
No, I think it has a function to roll all of the data.
Ryan
Yeah, I thought it.
John
Amazon in the back end is just taking each chunk and encrypting it.
Corey
Right, with that key. Yeah.
John
Like full data. Is that the thing? Oh, man, that's wild.
Corey
I think there is like a re-encryption management function in AWS. I'm not sure that's getting into, like, the deep. But yeah. I mean, like John said, though, they do also use AWS to set the expiration date of the file. So it's basically like, you know, you could, as an admin, cut out the threat actors and unset the expiration date, but you'd still have to get that key back. So it's basically just kind of an interesting. You know, we've seen a lot of.
John
Way to do the encryption. Right.
Corey
Exactly. It's. It's just. It's not really new or scary. It's just kind of a novel technique for encrypting data. Because we know for ransomware threat actors, it's a race. If they can't encrypt all the data before, you know, they get caught, then they don't have a valid ransom demand. So it's just kind of interesting to think about. Like, let's say you had backups in S3. Cough, cough. All the organizations that do that now, you know, that's a potential risk.
John
They encrypt your encrypted data from your back.
Corey
Exactly. They're like, well, it's okay, we have backups in S3. They're like, oh, those are encrypted too. You're like, dang it.
Kelly
Yeah, I'm looking through some of the IOCs right now, and just like in a traditional ransomware where they delete the VSS volume shadow shares, they're actually deleting the snapshots and all the versioning in S3.
John
Yeah, I was going to say.
Corey
So there is immutable backups in S3.
John
So the immutable ones, you can't modify, you can't encrypt later on.
Corey
You can't.
John
That's like. Like they don't have that function. Right. I think there's like, the way that they do the immutable backups is they pretty much put like a time lock on it. So there'll be like a certain time that has to expire before you could delete the files or whatever.
Corey
So, yeah, I mean, you could still do it. It's just if you use the native default settings in S3, and that's where your crown jewels are, this is something to think about. Don't just assume, well, it's a ransomware threat actor. They got into our on prem file shares. Those are encrypted. But S3 should be fine.
John
Fine, yeah, yeah, for sure.
Corey
But I mean, I will say also a growing number of companies do not use on prem file shares at all. So this is just a way for ransomware threat actors to hit wider. A wider audience. One more article. I want to talk about the STIIIZY cannabis hack specifically because of the data that was disclosed in the hack and on the high. Yeah, nice head. So I'm assuming it's pronounced Steezy, but it's S, T, three I's, Z, Y. So Steezy. I don't know marketing on that. Anything with three repeating letters in it. You know, it's marijuana related. But yeah, basically the company got hacked. This is a marijuana delivery or cannabis delivery service that's apparently pretty popular in California. They're living in 2035 being able to get weed delivered to their door by. But the interesting thing about the. As you'd imagine, this company has to do KYC. So know your customer.
John
Meaning to get.
Corey
To get cannabis products delivered to your door, they have to verify that you're over the age of 21. What that means is they have to have copies of your driver's license or your KYC data. And in this case we see that the KYC data was disclosed. So it's kind of just. I think it's a tough thing. This is actually wrapped up in other industries right now. Like there's all these porn bans in different states that require KYC to access. But I think this type of data, KYC data of like people's government documents, people's, you know, health information, medical cards, is really risky to store. And it's increasingly more and more required to have it. And so it's kind of a tricky thing where like, you know, if you're just walking into a pot shop and dropping $20 on the counter, no big deal. But if they have your driver's license, it's a much bigger deal. So I think it's just interesting, like, to think about where our KYC data is being stored, how it's being stored. It's so tough, like, to keep that data locked down.
John
Yeah. If you don't have to collect it, you don't want to collect it. That's just like the rule number one for data security. If you don't need that, don't try to collect it.
Corey
Yeah, yeah.
Shecky
Corey, I got a question. Why. I don't quite understand why they were collecting and keeping government issued IDs.
Corey
Because they have to be able to prove to the government that all the customers were over the age of 21. That's the thing for weed shops.
Ralph
You have to show an ID in order to get in, and then they have to scan it and put you in a database in order for you to be able to buy.
Corey
To deliver?
Ralph
Yeah, no, not even to go into a shop and buy it. You have to give them your ID and you have to make an account and you have to give them your address as well as a copy of your photo ID in order for them to have that. Like, I, I've thought about this. They have all that data for every customer that comes in forever.
Kelly
Like, there's no, like, we only keep it for like 30, 60, 90.
Ralph
And then.
Ryan
No.
Ralph
And then the, the scarier part is that data was then being used for other stuff that was like saying, like, if you had ever gone to any weed shop and your ID was scanned, you can no longer get a concealed weapons permit or you couldn't buy guns. There was a bunch of weird stuff then tied with it. This is back in the day. I don't know. I'm not as caught up as much now. But to this day, when you walk in, I got kids.
Corey
I mean, to this day, I actually.
Ralph
Went to one on New Year's to go buy, like, CBD for my dog. And they had to take my ID. They had to, like, scan it in the system. I already had an account there because I had bought CBD for her last year.
John
You're on a watch list now.
Corey
I know.
Ralph
That's not the only watch list I'm on. We all know that. Come on.
Corey
Yeah, I mean, I just think it's, it's tough. Like I, I, I do, I think the funniest thing that came out of the chat is that the suggestion that like there would be like a weed delivery guy that would like come to your house and check your ID when he gives you the weed cheap.
John
I mean, they do that if you get alcohol delivered.
Ralph
Yeah, yeah, they do.
Corey
So they don't do KYC in advance. They do it on delivery. Is it like the DoorDash driver being like, yo, dude, show me your ID?
John
The difference, KYC, is know your customer. So you have to get their, like, actual, you have to save that information.
Corey
Government ID.
John
Yeah, but the, the alcohol is just proof of age, right. So you, I don't need to know that your date is, you know, on a government issued ID, is it up to date, but I don't need to save that information. Like I don't, you know, need to take a picture of it to prov.
Corey
I definitely think we need a better system for storing KYC type data. Right. Like more and more this is becoming required. Like I mentioned the porn thing. Like basically the, you know, the company that runs pornhub and all those other large porn sites is basically not serving like 13 states right now. Like Florida, North Carolina, South Carolina. Like there's a whole article about it because they are required to do KYC for their customers now.
Ralph
VPN sales are out the roof.
Corey
Yes. Now obviously for, for marijuana is one thing I guess we can all get behind of. Like kids shouldn't be buying marijuana and having it delivered to their doors. But it gets into like this KYC data is risky data to hold on to. And the more companies that are holding on to it, like bigbutts.com probably shouldn't have a copy of my driver's license.
Ralph
Or do you want them to? Right, Companies are going to want.
Corey
But that's what the law has has required if you think about it.
Ryan
So I want to know for these sites exactly how many McLovins are in their daily bas.
Ralph
One thing to remember, if you order, if you go in person and on, like they have all the technology to verify that those IDs are absolutely real. And every single one of those places has an armed guard.
Corey
Wow.
Ralph
Because. Because of the way that they handle money. Right. They can't put their money in federal banks or anything that way because it's still illegal federally.
Ryan
Yeah.
Ralph
So there's a bunch of sketchy stuff when you go in there. Almost all of them are really good, really clean looking though to tell you the truth. Like I'd rather go there than most of McDonald's.
Corey
Like, oh yeah, they're hauling in huge stacks of cash. But I gotta say the best comment. Bambulance's comment. New FIDO2 token needed exclusively for weed and porn.
Ralph
Oh, there we go. Yeah, that's a great idea.
Corey
I mean I will say like it's a risk. Anytime this data is being collected, it's a risk. And now it's like government laws, things are requiring this data to be collected by more and more entities. It's kind of crazy. And right.
Eric
This cannabis place gets hacked, all that data goes up in smoke.
Shecky
Oh, well played, Shaggy.
Ryan
Wrapping it up, everybody. Thank you so much for joining. See you all in the next edition.
Ralph
Can I make one quick announcement?
Corey
Plug.
Ralph
I have one plug. I just wanted to announce that Kelly is BSides San Diego's keynote speaker this year. It'll be on March 29th. If you want to come out to sunny San Diego on a Saturday, it'll be a good time.
Corey
San Diego is known for being not on fire.
Ryan
And I'm on. No, no.
Ralph
There was. There's been some bad fires in San Diego.
Corey
All right. Never mind. San Diego hopefully will exist in March. It.
Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: 2025-01-13 — An RGB State of Mind
Release Date: January 15, 2025
In this episode of Talkin' About [Infosec] News, the Black Hills Information Security team delves into a variety of cybersecurity topics, ranging from sophisticated phishing attacks to vulnerabilities in widely-used systems. The discussion is enriched with insightful commentary, technical analysis, and engaging banter among the hosts and guests.
Timestamps: [12:34] - [15:32]
The team examines a recent surge in voice phishing (vishing) attacks orchestrated by Chinese hacker groups. Corey highlights the collaborative nature of these criminal organizations, emphasizing how internal conflicts often lead to the leakage of operational tactics and techniques.
Corey [12:34]: "They have four people on the call. One is doing the call, one is draining the accounts as they get access to things, the other one's just sitting there watching, taking notes."
Ryan probes whether the increase in vishing is due to its effectiveness or the challenges in targeting endpoints and credentials.
Ryan [12:47]: "Do you think we're seeing more of this because it's a new attack vector and it's effective, or are we seeing this because going after the endpoint, going after creds is difficult?"
The consensus suggests that stricter verification methods by companies are pushing attackers towards social engineering tactics like vishing.
Timestamps: [54:53] - [60:14]
The discussion shifts to how ransomware groups are exploiting AWS's native encryption features to target S3 buckets. Corey explains that attackers are leveraging customer-provided keys to encrypt data, making recovery without paying the ransom more challenging.
Corey [54:53]: "Ransomware can affect S3 buckets once they compromise an account that has access to S3. They use a customer-provided key to encrypt the data."
Corey raises immutable backups in S3, and John explains that the immutable ones cannot be modified or encrypted later because they are time-locked: a retention period has to expire before the objects can be deleted.
John [59:50]: "So the immutable ones, you can't modify, you can't encrypt later on."
Corey cautions that this only helps if it is configured; with the native S3 defaults, an attacker who compromises an account with S3 access can still encrypt the data and remove the versions. The hosts stress the importance of configuring S3 buckets securely and utilizing features like immutable, time-locked backups to mitigate such threats.
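The following is an added example, not code from the episode or from Black Hills Information Security. It demonstrates, offline, the three checks the S3 segment above implies: spotting the "SSE-C write, then delete the old versions" sequence in CloudTrail S3 data events, verifying that a bucket policy denies writes that carry a customer-provided key, and verifying that a backup bucket is actually time-locked (Object Lock) rather than merely versioned. The CloudTrail records, bucket policy and bucket state are constructed; the field names follow the CloudTrail and boto3 response shapes as I understand them (in particular, the assumption that SSE-C writes surface as `additionalEventData.SSEApplied == "SSE_C"` and that single-version deletes appear as `DeleteObject` with a `versionId`), so verify them against your own logs before relying on them.

```python
"""Offline checks for the S3 SSE-C ransomware pattern. Added example, not from
the episode. All records below are constructed; field names are assumptions
drawn from CloudTrail / boto3 response shapes and should be verified."""
from collections import defaultdict

# IAM condition key that is present on any request using SSE-C.
SSEC_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"

# Constructed CloudTrail S3 data-event records, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "acme-backups", "key": "db/full.bak"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},          # attacker-held key
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "acme-backups", "key": "db/incr.bak"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "DeleteObject",                               # old version removed
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "acme-backups", "key": "db/full.bak",
                           "versionId": "3sL4kqtJlcpXroDTDmJ"}},
    {"eventName": "PutBucketLifecycle",                         # purge the rest
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "acme-backups"}},
    {"eventName": "PutObject",                                  # benign SSE-KMS write
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
     "requestParameters": {"bucketName": "acme-uploads", "key": "img/1.png"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
]


def ssec_ransomware_indicators(events):
    """Aggregate per (principal, bucket). Any SSE-C write is a finding; it becomes
    'high' when the same principal also deleted object versions or rewrote the
    lifecycle policy, which is the encrypt-then-destroy-history sequence."""
    stats = defaultdict(lambda: {"ssec_writes": 0, "version_deletes": 0,
                                 "lifecycle_changes": 0})
    for ev in events:
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        key = (ev.get("userIdentity", {}).get("arn", "?"), params.get("bucketName", "?"))
        sse = (ev.get("additionalEventData") or {}).get("SSEApplied")
        if name in ("PutObject", "CopyObject") and sse == "SSE_C":
            stats[key]["ssec_writes"] += 1
        elif name == "DeleteObject" and "versionId" in params:
            stats[key]["version_deletes"] += 1
        elif name in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration",
                      "DeleteBucketLifecycle"):
            stats[key]["lifecycle_changes"] += 1
    findings = []
    for (principal, bucket), s in stats.items():
        if s["ssec_writes"] == 0:
            continue
        destructive = s["version_deletes"] + s["lifecycle_changes"] > 0
        findings.append({"principal": principal, "bucket": bucket,
                         "severity": "high" if destructive else "medium", **s})
    return findings


# Constructed bucket policy: refuse any PutObject that carries an SSE-C header.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenySSECWrites", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": "arn:aws:s3:::acme-backups/*",
        "Condition": {"Null": {SSEC_CONDITION_KEY: "false"}},
    }],
}


def policy_denies_ssec(policy):
    """True if a Deny statement blocks s3:PutObject whenever the SSE-C algorithm
    key is present ("Null": false means 'the key exists on the request')."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("s3:PutObject", "s3:*", "*") for a in actions):
            continue
        null_cond = st.get("Condition", {}).get("Null", {})
        if str(null_cond.get(SSEC_CONDITION_KEY, "")).lower() == "false":
            return True
    return False


# Constructed bucket state in the shape of get_bucket_versioning /
# get_object_lock_configuration responses.
SAMPLE_BUCKET_STATE = {
    "Versioning": {"Status": "Enabled"},
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}},
    },
}


def immutability_gaps(state):
    """Return reasons a backup bucket is NOT truly immutable; empty list means
    versioning plus Object Lock in COMPLIANCE mode with a default retention.
    GOVERNANCE mode is flagged: a principal holding s3:BypassGovernanceRetention
    can shorten or remove it, so it is not the time lock the hosts describe."""
    gaps = []
    if state.get("Versioning", {}).get("Status") != "Enabled":
        gaps.append("versioning not enabled (Object Lock requires it)")
    lock = state.get("ObjectLockConfiguration") or {}
    if lock.get("ObjectLockEnabled") != "Enabled":
        gaps.append("Object Lock not enabled on bucket")
        return gaps
    ret = (lock.get("Rule") or {}).get("DefaultRetention") or {}
    if not (ret.get("Days") or ret.get("Years")):
        gaps.append("no default retention; objects are only locked if each PUT sets one")
    if ret.get("Mode") != "COMPLIANCE":
        gaps.append("retention mode %s can be bypassed by privileged principals" % ret.get("Mode"))
    return gaps


if __name__ == "__main__":
    for f in ssec_ransomware_indicators(SAMPLE_EVENTS):
        print(f)
    print("policy denies SSE-C:", policy_denies_ssec(SAMPLE_POLICY))
    print("immutability gaps:", immutability_gaps(SAMPLE_BUCKET_STATE) or "none")
```

Run against real data by feeding `ssec_ransomware_indicators` the `Records` list from a CloudTrail log file, and `policy_denies_ssec` / `immutability_gaps` the parsed results of `get_bucket_policy`, `get_bucket_versioning` and `get_object_lock_configuration`. Note that Object Lock can only be enabled when the bucket is created (or via support for existing buckets), which is why the last check is a design-time decision for a backup bucket rather than something to bolt on after an incident.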
Timestamps: [47:41] - [54:38]
The team scrutinizes a GitHub repository claiming to offer a proof-of-concept (POC) exploit for the high-profile LDAP Nightmare vulnerability. Corey expresses skepticism about the legitimacy and safety of cloning such repositories.
Corey [47:50]: "I don't think there's any self-respecting pen tester that would clone a purported Python repo that just has one file called POC exe and then run that exe."
Ralph shares a cautionary tale about encountering malicious code in supposedly benign repositories, underscoring the risks associated with unverified POC exploits.
Ralph [48:34]: "I opened the PDF and it's a canary token. And I'm like, you son of a."
The hosts advise professionals to rely on trusted sources for exploits and to scan or sandbox downloaded code (for example, by submitting it to VirusTotal) before running it.
Timestamps: [45:12] - [47:25]
Corey discusses a breach in Path of Exile 2, an action RPG, where an admin account was compromised, leading to the theft of in-game items. The highlight of the discussion is the game's developer's transparent and proactive response to the incident.
Corey [46:26]: "The developer went on a podcast and basically said like, 'We effed up, we screwed this up. We're sorry. We're gonna make it right.'"
Ryan commends the company's handling of the breach, noting that honest acknowledgment and remediation efforts set a positive example for other organizations.
Ryan [47:25]: "This was really a class act for them. So kudos."
Timestamps: [25:39] - [30:00]
The hosts explore a significant data breach involving Gravy Analytics, a location tracking service. An attacker released a data sample revealing that over 10,000 applications' location data were compromised, potentially including sensitive information about US politicians and high-profile individuals.
Corey [25:49]: "They're collecting location data from over 10,000 applications or whatever. It's going to be so much impact you could do with that data."
John elaborates on the vulnerability, explaining how the lack of proper security measures on ALPR (Automatic License Plate Recognition) cameras exposed critical data.
John [29:27]: "There was no security on these devices. You could access them remotely and pull down the straight ALPR data."
The team underscores the dangers of location data breaches and the importance of securing such sensitive information.
Timestamps: [60:14] - [67:09]
Corey brings attention to the breach of Steezy, a cannabis delivery service in California. The hack resulted in the exposure of KYC (Know Your Customer) data, including government-issued IDs used to verify customers' ages.
Corey [61:30]: "They have to have copies of your driver's license or your KYC data. In this case, we see that the KYC data was disclosed."
The conversation highlights the increasing trend of businesses holding sensitive KYC data, especially in regulated industries like cannabis and adult entertainment, and the associated security risks.
Ralph [65:57]: "VPN sales are out the roof."
The hosts advocate for better systems to store KYC data securely, emphasizing that if data isn’t essential, it shouldn’t be collected.
John [62:39]: "If you don't have to collect it, you don't want to collect it."
Timestamps: [33:17] - [42:45]
A significant portion of the episode is dedicated to critiquing the proposed Cybersecurity Mark of Trust, a government initiative aiming to certify secure devices with a seal of approval. The hosts debate the feasibility and effectiveness of such a certification.
Ryan voices concerns about the permanence of security seals and the continuous nature of cybersecurity.
Ryan [35:19]: "I think we need something like this, but it's completely anathema to the way computer security is run."
Corey suggests that auto-updates should be a requirement for devices bearing the trust seal to ensure ongoing security.
Corey [41:22]: "If one of the criteria is auto updates, that would be such a huge bar."
Eric questions the voluntary nature of the program and the lack of repercussions for non-compliance or breaches.
Eric [35:10]: "It sounds like it's voluntary... What if something gets hacked and doesn't have this seal on it?"
The consensus among the hosts is skepticism towards the effectiveness of such trust seals without stringent and enforceable standards.
Timestamps: [00:01] - [25:43]
Early in the episode, the hosts engage in a lighthearted discussion about implementing a swear jar to curb excessive swearing during the podcast. Ryan proposes donating $5 to the Electronic Frontier Foundation (EFF) for each instance of swearing, highlighting a humorous approach to self-regulation.
Ryan [03:29]: "If we could pop up on the stream, just how flipped dollar amount is?"
The conversation underscores the balance between maintaining professional discourse and the natural flow of conversation among hosts.
Throughout the episode, the Black Hills Information Security team provides a comprehensive analysis of current cybersecurity threats and industry practices. From examining the resurgence of vishing attacks to critiquing government-led security certifications, the hosts offer valuable insights for both security professionals and enthusiasts. The blend of technical depth and engaging dialogue ensures that listeners are well-informed and entertained.
Announcements:
For more detailed discussions and expert analyses, tune into subsequent episodes of Talkin' About [Infosec] News.