Loading summary
Wade
Now that we went live, we're not talking about anything.
John
About Wade.
Kelly
The invisible generation.
Wade
The invisible generation over in Japan. It's super, super interesting to me, especially because I feel like half the time I'm almost like, want to be like that. I just want to stay in this office and do computer stuff all day. And then my wife pulls me out, says, no, you have to see the.
Kelly
Sun or mow the lawn or maybe two for one. See the sun and mow the lawn.
Wade
No, you can't do those both. You got to do it late. Late night lawn mowing. That's why I have an electric lawnmower so no one hears me.
John
Late night lawnmower.
Bronwyn
Yeah. Before hobbies, it's like I had some times to where it was like, how, when, how many days has it been since I've left the house? And it was just sort of like, well, you know, you work from here and get food delivered or you get the. What, those meal deals?
Justin
Yep.
Bronwyn
And just sort of like, okay, well, I just make healthy, healthy food in my oven and ingredients get delivered and I don't have to leave. And yeah, it's not, it's not the fun. It's not the most fun time. So if anybody's out there like that in the audience, like, yeah, find some hobbies or you know, chat people up. Like, world's not as scary as you sing. You can go outside. It's okay.
John
Just put on the sunscreen.
Bronwyn
Yeah. Remember sunscreen even in the winter. Like, even in the winter. It's like from Wisconsin. So they go, I don't need sunscreen. And it's like, yeah, you could get, you can get frostbite and sunburn on the same day.
Wade
So you can see it's slightly cold outside today. I'm wearing a long sleeve T shirt. It's probably around 50 and raining.
Justin
Jeez, it's raining down there.
John
Brutal.
Wade
Yeah, it's raining down here. Did it snow up there where you're at? Yeah, no, it snowed at my parents house.
Justin
I'm not high enough elevation. I'm only about 1200ft, so.
Wade
Ah, okay. All right.
Kelly
Okay. Are we gonna bring the spice this week or not?
Wade
It looks like it if. Yeah. Kelly, are you gonna run it then or am I gonna run it?
Kelly
No, no, no, no. Wade, you're all about the spice.
John
The spice.
Wade
I have to.
Bronwyn
I selected. I specifically selected a story to be the ice cream sandwich after we have all that spicy food.
Wade
Do you.
Bronwyn
You got that spicy. You got that ice cream sandwich and a little palate, cleanse so, okay, wait.
Kelly
What do you think we should talk about?
Bronwyn
Well, we haven't really started yet.
Wade
There's too much Russia. Okay. Okay. Before we say there's too much, I'm just so scared because now it's like. It is me talking about Russia. Political. Completely. There's a bunch of Russia. A bunch of AI Stuff is normal. You know what? You know what? There isn't a lot of that. I'm honestly not scrolling down because I don't want to see it. Not a lot of ransomware.
John
Good.
Wade
Good job. Good job, everybody. We did it.
Kelly
Any chickens?
Wade
I have no chicken. Oh, thank God. John's here. Okay, cool.
John
I've never heard. Can you guys hear me okay? Yeah.
Kelly
You look great.
John
Thank you.
Justin
Hey, John, did you get your special delivery?
John
Is it the swear jar? Because if that's the special delivery, that's a yes. Pretty awesome.
Justin
I hope you liked it.
John
I do.
Justin
Good.
John
Come on. I'm gonna try to do some zooming.
Kelly
And all of a sudden, John did a special package. We don't know what it is, and we're live on the Internet.
John
Yeah.
Justin
So now that. Now that we have the swear jar, I decided he needed a physical swear jar, and I found one on Etsy.
John
That's a good point.
Justin
It has not safe for work words imprinted all over it. So.
John
It does, actually. And Justin Walker was the one. Justin was the one who brought it to me because he's the one that can handle that a little bit better. It's like, this is not safe for work, and it's something for John. This is a job for Justin.
Kelly
Okay, let's cannonball into a news story here. Let's go with Russia.
John
Hope you get a little intro. Yeah, we've not done any intro.
Kelly
Excited.
John
All right, I guess we're ready to go. Let's do it. Ready, Wade? Ready, John.
Wade
John. He's trying to zoom in.
John
I was trying. It's not working. Camera HUD does not work well when you're. When you're already streaming at that point. But if the audio is good, and I think the video is probably. All right, I think this looks okay behind me for now. So let's do it. Hi. Welcome to another edition of Black Hills Information Security. Talking about news. I'm one of your hosts. My name is John Strand. I'm the owner of Black Hills Information Security. And I want you to know, regardless of whatever your political persuasion is, this particular webcast is probably going to make you angry. Like I said, either side, I've got stories are going to make conservatives mad. I've got stories are going to make liberals mad. So if you could just take a couple of seconds to just take a beat, take a breath, it's going to be fine. It's going to be okay because we have to honestly talk about these things and we'd love to hear your opinions in an absolutely respectful manner that doesn't involve throwing any poop at each other. So without further ado, let's go ahead and let's get started. Kelly, do we want to do. Okay, so do you guys, should we, should we enrage liberals or should we enrage conservatives first? Which way should we go?
Kelly
Point to us.
John
I'm going to go with liberals because last week was a good conservative rage. All right, we did good liberals. I don't know if we have this story, but I just want to ask did anyone see the story about like the FBI and like we, we talked about Great Britain. Right. Talked about Great Britain asking Apple for backdoors into crypto. Right. And it turns out that the United States FBI was also asking the same thing. Yes. Back in December. So before we actually got into the current administration, this is. Somebody just put it libs, no back up. I think we can pretty much say that everything's poopy right now. Not yet, says Kelly. Not yet. Hold. When we're talking about this, do we have anything else to add? Because we did talk about this as it relates to the United Kingdom where we, like, this is dumb. Like nation state should not be asking for crypto backdoors that only the good guys can take advantage of. I, I think if we look at the history of that, it's never worked out well. I think the most recent example would be like T Mobile, Verizon. We had all of these, or was it AT and T? We had large telco providers that got Comprom by the Chinese and they were actively gaining access to things that the United States, like intelligence community was, was using and they were using that against us. So if you're creating these backdoors, if you're creating these, what is it? Export grade ciphers, or if you're creating backdoors into communication for nation state, it's just a matter of time before it gets used by, quote, unquote, bad people. I, I don't know if that changes anyone's views when it's the United States FBI asking for this. So I'd love to put that out to the panel. Like, what are you all thinking? Because we have to start here. And yes, this is under the biden administration, folks. So before you start getting, oh, well, is this the bumper sticker? Like, is this my political group or the other political group? Oh, no, no, no, no. We're going to be coming off both sides today. So what, what do we think about this one? I mean, I got a pretty good idea. And by the way, if you're on Discord or In your, in YouTube, please give us your thoughts on this as well, because I think it's important.
Jake
There is no such thing as a good guys only backdoor, period.
Wade
Great.
Jake
That's my, that's my honest thought on it. It weakens anything. And the second you put a weakness in there, a weakness will be exploited, whether intentionally or unintentionally.
John
Now I've got to throw a question out there. This is, this is the, this is the argument you get at Thanksgiving when you're talking with friends and family around their turkey. Regardless of different things. You get this argument all the time where people say, well, then you're just supporting pedophiles and criminals at that point because all of this stuff is being used by pedophiles. And you want to stop pedophiles and you want to stop terrorists. Don't we need to have backdoors so we can intercept the data so we can monitor what these bad people are doing? You don't want the bad guys to win, do you? You don't want King George coming into your house and telling you what to do. At least that's how it tends to escalate. So we've got to find ways that we can communicate that effectively. So what are your takes on that communication? Like, how do we communicate that better?
Wade
Well, I'm going to go, I'm going to go rated R. Right off the bat. I ask them if they want, if they want everyone to know their search history. If you don't, then you still want security. Right? Do you want everyone to know what exactly what you've been Googling and what you're looking for? And no. And everyone's like, all right, okay, that makes a lot of sense, right?
John
You have to be real careful because we have family members. I'm sure I'm not the only one that would be like, yes, Would everyone like to see my search history?
Wade
Oh, my God.
John
I can bring it up here on the Roku for everyone.
Wade
Like, oh, God, I guess my family's a little different then, because I know.
John
None of them go for it.
Kelly
Wait, if I can piggyback on what you're saying there, let me take it a step Further, it isn't just about browser settings or history in the browser. It's an invitation to your private thoughts. And I think if people realize that backdoor encryption is actually backdoor into some of your private thoughts, your hopes, your dreams, your aspirations, maybe they would think about it a little bit differently. Because, you know, I think some crazy thoughts most days and some of them don't. Thank goodness there's a filter over my mouth. But if, if watch. Really don't believe it, but that's what the privacy folks like to talk about. It's not. Well, it's already out there. So what am I afraid of? It's. It's inclusion. We have this assumption that what we think in our mind is still private or what we do in our house is still. And the minute it's not considered private anymore, if we don't have encryption, I'm concerned.
Wade
I have a. I have a decent story about this that happened to me recently. So I don't have my smart TV connected to my network, right. And that's because of Samsung has been proven to be actually recording what you're watching and they have a background program to be able to tell what you're watching. And I was talking to my sister about this and she's like, why do you care? And I was like, you don't just feel weird about some corporation just being able to watch, you know? Exactly. And then profit off of that data. I don't want to help them out. They don't. They're not helping me make money. And it. But it honestly made me rethink. I'm like, why do I care? Like, maybe the Samsung TV should be online. Because this is the other thing I found out that if you stream on a computer, you do not get 4k, but if you stream on a TV, you do get 4k. If anybody didn't know that Apple does not stream on a PC at 4K, only 720, same thing as Disney Plus. But so, like, do I give up my rights so I can watch better tv? And I'm going to tell you, I haven't. I have found ways past the system.
Bronwyn
But, well, and yeah, and as far as. I think I had a technical glitch. But as far as the argument on, well, what about, you know, do you care about like, you know, the pedophiles and the criminals and all those that are going underground? There have been news stories and I was trying to find those news stories where they've caught these cyber criminals that aren't using these things. They're not using backdoors. They go, okay, well, we did some advanced analytics, looked at their traffic. They, you know, looked at some of the, you know, small breadcrumbs that they were putting out, and we were able to figure out who they were, identify them, and bring them to justice. So I, you know, these encryption backdoors are. It's like, yeah, they're. They're easy mode, but when they're dealing with criminals, and they already have dealt with criminals and pedophiles that don't use those tools have things very locked down, and they're still brought to justice. So I would point to those and say, we'll just have law enforcement do more of what they're doing in those areas. But understandably, they want an easy mode. We don't have to give them that easy mode.
Kelly
So John teed up the argument, are we protecting everybody? Are we protecting just the criminals? Did I get that right, John? Sort of.
Bronwyn
You just gotta move on yourself. We can't hear you.
Wade
Yeah, we can't hear you.
John
I think that now you can. There you are. I don't know what's going on with this mic. Maybe it's got some hand gesture, weird AI crap. But, yeah, it just muted me. But I think that you're right, Kelly. I think that people can't dismiss, like, what is it? They can't dissociate those two things from each other. If you're doing something that criminals use, then clearly you support criminals. Right. I think it's interesting because you get into, let's say, conversations of firearms. People are like, well, we need to restrict firearms. And then you have people that say, well, then only criminals will have firearms. And that. There's some logic to that, right? There is some. It's. It's some logic with it. When you're looking at, like. Like the idea of cryptocurrency, a lot of people, when in the early days of cryptocurrency were like, well, cryptocurrency is a scam, and it's used predominantly by criminals. Yeah, there's some truth there, but it's not 100%. You could say the same thing about cash as well. But I think that whenever we talk about that easy button and the idea of taking that easy button away from law enforcement, I think that people get very uncomfortable. Right? I think that people are very much. They want to make it. They want to be able to catch bad people. That's what they're thinking about at that time. And then they don't think the same time about privacy. Because if you have these two conversations separate, right? If you say, how do you feel about the government going through and gaining access to your browser history, gaining access to your television, being able to see absolutely everything that you do in your home and your kids do on their computers, they're like, that's horrible, that's awful. Because they're thinking in a security privacy mindset. And then if you have a criminal mindset where you say, well, how do you feel about the United States government having access to encrypted communication so they can catch bad people, they're like, well, that sounds good, right? I don't think that human beings outside of computer security and IT are very good at merging those two and understanding that those two things are somewhat in conflict with each other. And being able to think that through is really hard, Right?
Justin
It is a conundrum. It really is. And I think one of the challenges is trying to figure out how to address the highest good. When you look at the total population of any. When you look at the breakdown of any population, we'll use the United States as an example, the percentage of criminals compared to the percentage of normal, ordinary law abiding citizens is tiny. And so, I mean, as a former sheriff's reservist, I understand the desire to be able to have good tools and good ways of helping to identify the bad guys more quickly. And at the same time, as someone who loves the democratic republic aspect of where we've been so far, it is a conundrum and it's always going to be this push me, pull you back and forth. And the bottom line for me is how do we support the highest good for the largest percentage of the population and communities that we're trying to serve.
John
Yeah, go ahead.
Jake
I think that following through a little bit with that and the whole idea of, well, privacy is good, but criminals is bad. We live in a society in a world that likes to divide things hard. Good, bad, black, white, when everything is really sitting inside of this shade of gray and nobody teaches that, nobody. Growing up, you don't learn that. You develop that mindset sometimes only in specific areas. There are people, I'm sure in our field that go ahead and we'll take a look at encryption and say, okay, yeah, it can be used for good, it can be used for bad, and backdooring is a bad thing, but might look at something outside of it, some other conundrum out there that could wind up being happening in the physical world where something could be used for good or bad, and say, yeah, but it's really a gray area and that's where our mindset stops. So how do you teach people to go ahead and look at things in shades of gray instead of in black and white?
John
And I think that this is nothing new. I think the quote is from Abraham Lincoln that simple solutions are almost always wrong, you know, when you're talking about it, because your head gets around it. So, yeah. So I. I think let's kind of. Let's bring it back to. You know, by the way, I love the poli sci angle that we're taking today. This is great. But if we can look at it from a security perspective and kind of explain for people that might be confused in why this is bad. Right. Because if you put in an exploitable hole within crypto, then it is inevitably going to be used by bad actors. There's a zero chance that you're going to have this magical backdoor that just the NSA or the FBI or the CIA has. And by the way, they can set up all the best things they can say. You have to have a warrant to be able to do this. You have to get authorization. My favorite example, going back to Edward Snowden, and this is something I can speak to with personal experience, whenever I was working on classified programs, one of them with an unclassified name was Intelligence Community Multi Acquisition Program, which I've talked about on the show before when we were talking about gaining access to data, when we were discussing how we were going to gain access to data that involved United States citizens, you had to go through and get a FISA warrant and you had to go to a FISA court and you had to get authorizations. And there was all of these steps that had to be put that you had to, like, meet in order to gain access to that data. And it seemed good and it seemed wonderful. We were in compliance with a bunch of requirements associated with fisa. And then some of the programs that I was working with in conjunction, because ICMAP was a conglomeration and tying together a bunch of classified program data together, then I find out with Edward Snowden that one of the programs that integrated with that had been completely replaced with a freaking dropdown menu that was literally like, what's the reason for the warrant? And you could go through for a FISA warrant and you could go through and just choose other and would automatically gain access to that data. So what happened is that system of checks and balances that we put into the kind of the breakdown of, you know, we're looking at gaining access to sensitive United States citizens. Data started with the best of intentions, started with the best of controls and after a number of years it got completely replaced by a drop down box. And then also looking at what happened when we talked about China gaining access to telco providers, all of these different telco providers have hooks where they can meet the requirements of warrants, where they can start tracking communication with United States citizens, whether it's FISA or internal law enforcement for the US Marshals, FBI, Secret Service with the appropriate warrants in place. But the bad people were able to gain access to that. So you cannot make a guarantee that these backdoors are only going to be used for only good people doing good things. It is going to be exploited. Um, and I think, well, I tried to come up with a simple solution and try to explain this to somebody and I don't think I did a very good job of it at all.
Kelly
I think you did, John. It's such a complex and nuanced issue. Like Sheki said, it's great. It's also something deeply personal that people are passionate about, about who they are as individuals, what they're interested in. And the other thing we talked about last week was the ease of Apple encryption. And now if you've been reading on Reddit, people are recommending to people who live in the uk we'll try this tool or try that tool. We know people don't always understand how to use tools and that easy on by default button is taken away. And I think that's the thing that makes me the most sad is now we've made encryption much harder for the end user.
John
Well, and I keep wondering about these products like Signal and Wire and all these different things. And you know, usually whenever I sit down and I have a conversation with somebody that is concerned about privacy, right. They may have some legitimate concern and I start giving them recommendations. If I'm like, hey, use Signal if you're going to communicate with family members, if you're going to communicate with loved ones, let's train people how to use Signal. It's kind of funny because they'll be interested and then they'll start using it and then you talk to them a little bit later and you're like, well, how's that going for like, yeah, I just stopped using it. I just use the built in one just because it's easier and then what do I have to hide? And that's a scary place for me. Um, when people are willing to start just giving up some level of privacy for the sake of being easy to use. Kind of like going back to Wade's 4K television. It's like, well, I should be watching this on a TV because it looks better than it does on my computer screen and that's really scary. Or 12 Reza said, I have nothing to hide, right? And Moxie Marlinspike, a number of years ago, great security researcher Moxie Marlinspike wrote an article where he was talking about how the average American breaks multiple laws and felonies just throughout their standard day and they don't even know that they're committing felonies. It might be one of those things where you're like, I have nothing to hide. But at the end of the day, if somebody has full visibility into all of these things that you're doing, they absolutely can find something to use against you. I think that that's the really scary thing, that people are kind of forgetting about this, that when law enforcement gains access to all of those things, even if you're innocent, they can absolutely just like just destroy your life with what they can pull down on that as well. Rada said, I love Signal, but it stopped being able to send SMS users outside of Signal. And there was reasonings reasons for that. So yes, this is something that started last year, right? Started last year. And this is a huge security issue. We're dealing with it in the uk. And by the way, this isn't the first time a bunch of different vendors have already kind of given into the whims of China. A bunch of security vendors and a bunch of these different vendors have already done it in Singapore. There's been a number of countries that already pushed IT companies over the edge to where they can start tracking, intercepting and monitoring that data. And it's just a matter of time. So what I would like to leave before we move on to another story, because I would like to get onto another story is assume that your standard comms from Apple and from Google and possibly I would say from Microsoft too are compromised, right? And start looking at those alternatives like using Signal just because it's the best place to be, because it's not a matter of if this is going to happen, it's already happening in a number of places. Further, whenever you have this data that you know China has already gotten access to or Singapore has gotten access to, or the UK gets access to, you have to understand that bilateral agreements for intelligence sharing many times allows those countries to intercept data, find things, and then possibly hand that data over to the United States as well. If that data traverses through those through those countries. So you gotta go and find these third party apps, go talk to security friends. If you're a security minded individual, get people using these encrypted apps and I hope that you all come up with better narratives about how this stuff is used for everyday people rather than just criminals. So is it okay if we just kind of leave that folks and then we move on to another news story?
Kelly
Yes, please do it.
John
Let's do it. What's another one? What do you guys want to do? Because it's Monday and I hate Mondays. It's so bad. The.
Wade
The Disney Discord follow up is pretty bad.
John
The what?
Wade
Disney Discord follow up.
John
Oh, go ahead and take it away, Wade.
Wade
All right, so if you guys remember a while back Disney got breached and a bunch of their data got released in private communications, employee data, you name it all came out and it during the actual breach the act I remember the actual attackers messaged in Disney Slack saying who gave them access to Right. So there wasn't a lot of information back then about exactly what happened but it's finally come out and released that they even even puts his name right here that it was a dev and he got breached via his personal computer and most likely a password manager on that computer and they were able to hop from that into Disney. So it goes a little bit further and that it was a Russian threat actor and of course they also said it was a Russian threat actor who was attacking large operation, large organizations who are using AI for art and that type of stuff. But pretty much this guy's life got completely turned upside down which I would completely imagine like this is exactly what happened. Disney fired him over it, but they fired him for a different reason behind it. They said that he was looking at explicit information on his employee laptop which he claims he didn't and he all of his personal information was completely released as well as like all of his social media was just completely like run through saying semi belligerent things all over it. This is why I like key, key reason why your personal security shouldn't just be at work but at home as well. Right. While you do have to do a little bit of investment, invest into a password manager, possibly secure your environment and others environments just a little bit more because you don't want to be next on this list which any of us.
John
Could be and I'm looking at this attack and I know that what is it they think you didn't have multi factor on a password manager.
Wade
Was that one of the reasons I didn't see that. Is that what they said? I don't remember.
John
That's one of the things I've been reading in different places. And once again, I don't know 100%, but it doesn't matter. I mean, if you're looking at this guy getting compromised, one of the things I hate is the level of let's blame the victim here. Like, well, he was stupid because he got hacked. I got a little surprise for you all. Like a directed targeted attack against any one of you. I can, I can, I can, I can take you over. Now, you may not think that, but I want you to think that. All of your information of every single loan, your Social Security number, the street you grew up on, your mother's maiden name, I can get all of that for $5 through a background investigation company. I can also go through. And many times you have like these info stealers. You have brief breached data, like how about the poem type stuff? That's all accessible. Then you couple that with being able to do a successful social engineering attack against somebody having access to that level of data. It's just a matter of time. If you're targeted, you can definitely get weighed like weird down. So please do me a favor. When something like this happens to somebody, please don't blame this person. It happens all the time, right? It just happens all the time. And like I said, I absolutely horror how we kind of create this space where it's like, if I can blame this individual, I can rationalize it away as one person being an idiot that led to a catastrophic breach. But my point is, if Disney's entire security architecture can crumble because one person makes a mistake, then they really need to reevaluate their entire security architecture. But you see this again and again with breaches. If you remember what was that? The Equifax breach where they got compromised and they blamed a systems administrator who didn't patch a system. You see time and time again where they like to blame a specific individual. But if your corporation has that type of security architecture where you can get completely blown out of the water by one user getting compromised, we need to, we need to kind of step back and we need to reevaluate further on that. I'm willing to bet something like 90 plus percentage of companies are absolutely exploitable through one single point of failure. And many of the different organizations that are out there. So this also goes back to Target when Target got compromised. You know, a lot of the people that worked at Target, they had trouble getting jobs afterwards because people were blaming the IT people about what happened in the target breach. So that's the thing I take from this is yes, he did something that was probably stupid, but I guarantee you, you all have skeletons in your closet. I know I do. That people could absolutely take advantage of. So please be nice when this happens and I hope this guy gets his life back in order.
Kelly
Well, the other interesting thing is we talk about the whys of why organizations are compromised and most of us have pretty good feelings about Disney. They entertain their kids. Come on now. It's a pleasant place to go. People go there to forget what life looks like. If organizations are willing to attack Disney or somebody nation states they're going to attack your grandma and grandpa. And I wanted to make this point on the last topic, John, I just want to tag on to what you're saying. Let's not forget about the non digitally natives. That's our mothers, aunts, uncles, anybody potentially older than us or the Luddites that we live with. Because there's a certain age group and I'm not going to get into which one that are digital natives, they understand how to use technology and they use it quite well. And I think I'm right on that edge. I'm lucky enough to understand it that there are people in my same age group who do not use technology well. So not only do we need to make encryption easy for everybody to use, we have to have an extra bit of sympathy and caring for the non digitally natives.
Justin
Kelly, I'm going to disagree with you slightly on a point. I understand the age divide in terms of technology users, but I'd like to point out that technology users often don't understand what it is they're using. And I see this all the time in that just because you know how to download an app and you know how to text at 90 million characters per minute, that doesn't necessarily mean that you understand what's going on underneath. You don't understand how the app is interacting with other things. Yeah, there is a digital divide in terms of people who are using technology and who are comfortable with using technology. But my personal experience as a technologist has been that probably 90 plus percent of the people who are using technology have no clue how it works or why it works. So that's part of the reason why. One of the biggest challenges that I think cybersecurity professionals are failing at is making security easy for the users because they don't want to know how the protocols work, they don't want to know what an API is, they don't Care. They just want to book their vacations.
John
Or you know, post like whatever other people do on computers that doesn't involve hacking.
Justin
Yeah, they want to do other things. They want to live their lives. They don't want to have to do.
John
All recipes without getting compromised. Right, you know, exactly.
Kelly
That's a fair point. That's a fair point.
John
I agree and I agree, I really agree with that. 110. But, but my point is, you know, even with people that are very technically competent, they still get compromised. And with a targeted, determined attacker, they're going to get you. So how do we deal with that, Bronwyn? Right. Like I think, you know, I don't know, you know, being nimposec luminary and all. Absolutely. If people know how to set up the right attack coming at me, guarantee you that they, if they're patient enough and they try long enough, they're going to get. All you have to do is say here's an article that proves the OSI model is legit. Click this link right there. Right off the bat. Right. It's just the right thing to get the, it's using the right bait for people to be able to get them, get them compromised. Also, I, I think I want to put this out there. I don't think the big telco providers are really doing us a lot of favors though. Like they're still allowing ads to come in. They're still, there's just not a lot of protections for us. And I don't know how much they honestly care about protecting us as well. I think it's lit service predominant. Oh, technically Sasparilla said technically overconfident people. They're our favorite people in pen testing. They are amazing targets because they tend. It's like we had, we had one. This is years ago when I was still like pen testing. I did a fish. I said, this is a fishing test. Do not click the link below. And I had a large number of people in the IT team click the freaking link. And when I asked them why did you click the link? They were like, well, I wanted to see what would happen. It's like you got popped. That's what happened. But they thought that they were smart enough that it wouldn't happen to them. All right, what other stories do we got? This is much more subdued than last week. It's gonna get worse by the way. It's coming.
Justin
You're not quite as ranty as usual.
John
Oh no, the rants are coming.
Justin
Okay.
Wade
I feel like it's a deep hearted rant. It's not as usual like loud and anger. It's like coming like fatherly rant.
John
Exactly. That's fatherly love kind of thing.
Wade
Okay, in the name of Corey, I want to talk about the have I been Pone ads? 284 million accounts stolen by info stealer malware.
John
Are we going to talk about how they raise their prices too?
Wade
Oh, I didn't know that. I don't.
Bronwyn
Go ahead.
John
Why don't you take us through the story and I'll talk about the price increase.
Wade
All right. So have I been pwned?
John
Really?
Wade
The breach notification service. Right. Pretty much took 284 million accounts stolen by information stealer. Wow. Malware. And usually found on telegram channels and threw it into their services. So the one thing I like about them usually is for individual users like myself or just personal stuff you can actually create an account sign up and then if your name ever appears anywhere you'll get an email. Exactly. About you being in that data breach. Right. And I think this now venturing into more of info stealer malware is definitely very interesting and something probably Corey, I definitely think we'll talk about a little bit more. I don't know like there are some services that actually discover. Look for some of this or I'll throw you the link. I know a lot of the credit monitoring services as well as some banking information will actually monitor this stuff for you. But I think it's a big upgrade and at least for the individual person it's cheap and easy to set up. How much did they raise their prices?
John
I'm trying to find their prices.
Wade
Don't you have your personal database for this?
John
No, I don't. Yeah, we've got our own that we have but their actual like being able to have your company hook into it that one. They did raise their prices and I can't remember exactly what they raised it but there was a lot of people that were very very frustrated for this. Okay, that's. I don't see a lot of problems.
Kelly
Wait, I heard your point about info stealers and how prevalent they are and just the amount of information that they are just grabbing so easily. Were there. Was there another point you wanted to highlight in in this article too? Are you saying that have I been pwned as less helpful than it's been in the past or am I reading too much?
Wade
I am saying it's been more helpful. More helpful now that it's giving more data out. Like we've seen a huge rise in these infostealer malwares Right. And it's actually caught been the cause of a numerous breaches that we've talk about in the past. So having this now extra step, and I would say this is also something that almost targets individuals and your personal, personal computers more than your corporate because usually you have some type of security there, but this can come from number of different ways that you get infected. And bam, there go all your creds. Right on the telegram.
John
Yeah. So it does look like they did have a price increase. I still don't think they're that expensive, but there are some people that are frustrated with it. Then another article kind of rolling with this that came out 13 February, which is earlier than this story, they're banning resellers. So basically what happened is there's a bunch of people that are hooking in have I been pwned? Pulling the data and then reselling the data. And I'm going to agree with Troy, Troy Hunt is the main person behind this. And I just think that that's absolute garbage to do that unless it's explicitly approved by the vendor that you're using. So like Flare, you have the capability of buying flare and then you have the capability of getting a type of license where you can basically allow your customers to gain access to that data, but it's all on the up and you do it the correct way. Right. So I don't know, it seems to me like the value of this tool has gone up quite a bit since they're incorporating info stealers. And I've always liked Troy. I don't really see him as one of the bad ones in the industry. So I think that this is good and hopefully they keep loading more and more data into it. And yeah, I don't see the price increase as being something that's too onerous for people out there at all.
Wade
So it looks like they added another tier, that's why. Yeah, I looked up the price increase.
John
For certain tiers, which would also make sense too, because one of the problems with making it too cheap and gaining access to that data is it can definitely be used by malicious actors. Basically saying, what data set do I need to go to? But if you're looking at these prices, like these prices are pretty solid folks, that's not bad.
Kelly
Also, I regularly listen to Troy's podcast. I almost never miss it and I don't want to misrepresent what he's been saying. But like, just over the past year, it's come up more than once that people just aren't paying you know, and he's such a nice guy that he will, you know, he'll just kind of keep them in, you know, going in perpetuity or whatever the phrase is, but they're not paying. And so I think he's gotta compensate somewhere for it.
John
Well, and the other thing, like the quality of what Troy is producing and the cost that he has is like, like completely negligible to a lot of companies that have like 20, 30 million dollars of VC funding and they don't, they don't even have the data that he has. So, yeah, it's kind of a bit terrifying when you look at somebody trying to do the right thing and like people actively taking advantage of that. It's like when we do pay what you can training, right? I have people all the time, they're like, I was able to rip the video off this pay what you can training out of discord. And I could post it anywhere. It's like I'm giving it away for free. And it's also posted on YouTube. Like, why are you being an asshole about it? It's weird. You're always going to have those people. You're always going to have those people. But Troy has been doing this service and it's still somewhat for free. Like, if you just want to check and see if your email address is compromised, go do it. It's fine. It's just go do it and stop taking advantage of somebody that's trying to do something awesome for the community.
Wade
The domain search is actually something I recommend people do in my CTI course is you sign up your domain for that and then he email you when 1. When any type of account with your domain in it is posted on his website. So easy stuff, still free stuff. You just don't get to query it as much.
John
Yeah, exactly.
Bronwyn
Yeah. I mean, I like that this information is much more, you know, prolific for tools because I enjoy the automation that you have some tools that go. We have it on go to authority that this password is compromised. Okay, awesome. I'm going to hook that into a tool and just force a password reset in our environment. And it's just, you know, it's straightforward. You're not having this, okay, it gets emailed to somebody that they're having a really busy week and they're not looking at it. It's the, okay, as soon as it gets picked up, okay, that on good authority that the password is compromised, just reset it. Just, you know, force them to reset. And that's going to, you know, be automation that keeps you Know, just another level of security for enterprises.
John
Well, this also gets into a bigger question of people taking advantage of services like this. Did I, did I rant last week or did I have time to rant about commercial tools using just a whole bunch of open source tools under the hood?
Kelly
No, I don't think you did last week.
Wade
You've definitely ranted that before.
John
I have. I saw another tool while I was out and about in the universe that was a commercial tool that had something like $50 million of VC funding. And under the hood it like literally the output was like straight up output from a whole bunch of open source tools. Like, you know, I saw Graph Runner in there, crack Map Exec, they were running Bloodhound and literally it was just a really, really nice front end for a whole bunch of open source tools that it was just kind of running all of this stuff and it kind of, kind of pissed me off because there was a number of tools in there that were BHIS tools that we released to the community for free or tools that people when they worked at bhis release those tools for free. And that, that kind of frustrates me. And this comes back to Troy and what he's doing right? Whenever you're looking at like something like, have I been pwned? I remember years ago, you know, Troy was, you know, this is back when Tim Tones was still here in the early incarnations of Recon ng and things like that. But when, you know, you have people that buy a subscription, they scrape all of the data and then they basically just feed that data through their other commercial source threat intel tool, that's just, just garbage. And we see that all the time where we have like commercial tools are taking active advantage of, you know, free services, free tools, free APIs that are out there without giving back to the community or they're paying for it, but they're paying a very, very nominal fee and then they're packaging it up in a different tool and reselling it. And I know that that crap happened for a long time for having been pwned and I'm hoping it's better now. I haven't talked to him in a long, long, long time. But, but seriously, it's just one of those things where people taking advantage of the open source tools, people that are doing cool things and that, that's just crap that's got to stop. That wasn't so ranty. I wasn't angry. You didn't see that vein popping out of the side of my head.
Justin
Not this time.
John
Not this time. What other stories do we got before we move on to talking about Department of Defense in Russia? Because that's what everyone wants us to talk about.
Kelly
I'd like to catch the. The. The Dragos article.
John
Okay, go ahead, Will go.
Kelly
Because for those of you who don't know Robley, he's pretty amazing guy. Anyway, so Dragos released their 8th annual OT Cybersecurity Review document. And the nice thing is, if you want to go and read it, you don't have to type in your name and your phone and all of that sort of thing. They're one of the few vendors that actually has a skip button where you can just go and read through report. But for those of you who aren't familiar with Dragos, they specialize in ot. And of course, it just popped out of my head. Industrial networks. Let me say it that way. And the interesting thing is we were talking last week with Corey in our webinar about an uptick in ransomware. And the interesting thing that came out of the Dragos study was they too are seeing an increase in ransomware, 87% increase against industrial organizations. And it's nice to see different highly respected reports corroborating the same information. And like we said in the webinar, we're not doing all that we could be, or we're missing the spokes on the wheel or something's not quite adding up in all of this. Why are we still suffering so much from ransomware? And that's probably another big, long grant in and of itself.
John
Mm. I would agree it is a long rant, but just kind of piggyback on what you said. Dragos is a great company. You know, one of the things I always like is look at a company who has their hands out to give, who has their hands out to take. And if you have a company that's releasing reports like this, and I, I don't. I couldn't see the skip button. But if they're releasing these ports to the community and sharing it, they're. They're strengthening the community with more knowledge of what different attackers are actually doing. Like, once again, my hat's off to them. And if you're looking to buy anything from a vendor, see if the vendor does release open source reports, do they release open source tools? Do they have free tools that they make public to the community as a whole? And if they don't f. Em, go find somebody else that does. And I cannot stress that enough because.
Wade
And make sure they're good reports.
John
What's that?
Wade
And make sure they're good reports. All right. A lot of them release reports that aren't so great. This is like my favorite time of year is the end of the year report month. And I just like, sit there reading reports for like hours a day and then come up with a list like, all right, here's all the detections I have to build at least back to work.
John
All right. Do we want to talk about Russia? I'm going to try my best. Time to be ranty. Last week was bad.
Bronwyn
Yeah.
Justin
Yes.
Bronwyn
We're limited to 15, I guess.
John
Yeah, we're limiting it to 15. So the news story is Department of Defense and somewhat cisna. I'm going to come back to that one here in a second. Have been told stand down when it relates to Russian investigation, cyber activities. Now, that doesn't necessarily apply to intelligence gathering like nsa. And initially reports are coming out that CISA was told to stand down with what they were doing as it relates to Russia as well. But then on X today, or was it this? I can't remember if it was yesterday. Later today, early, they said that it was misinformation and they weren't. But we still haven't seen any CISO alerts dealing with Russian threat actors in quite a while. So there, there is something happening there. I don't know how I want to take this. You know, the, the. Let me talk about why, why it's bad. Okay. We can argue about whether or not it's happening. We can get to that. But we were just talking about pregos. Right. Dragos releases a report and Wade said, I'm going to take this report and I'm going to write detects around this report support. Okay, that's great. Awesome. Now take that idea and have CISA have DOD internally different ISECs where you have the government correlating, infusing information as it relates to a number of different threat actors and what they are actually doing and being able to correlate and fuse that data. What that does is it allows organizations to generate detects faster than they would if they didn't have that centralized clearinghouse. So that means the cost for doing cyber attacks goes up because your, your time to being detected goes down because the community is. Comm. Is basically, the community is sharing intel very, very, very quickly across the board. So the attack techniques that you use today will not work very long. Whereas if we aren't sharing that information, once again, we don't know 100% on what's going on with CISA. We'll wait and see. If they continue to release reports and alerts on different bear groups or Russian groups, but if that stops and we are not tracking that information, then that means that the overall cost for doing cyber attacks against the United States is going to go down for our adversaries, and the cost for us defending our network is going to go up because the Clearinghouse is not as robust as it was now on the DoD sides. Talking about offensive operations, working on intel for years. That's what, that's what countries do. Folks like offensive operations, offensive intel, gaining access to systems. You know, they're doing it against us, we're doing it against them. And I sincerely hope that it isn't stopping under the current administration. But this is another one of those things, kind of wait and see. But I'm going to tell you, if the news is correct, which may be maybe not, it's bad. I don't know how else to put that. That other than it's bad. Right. Because there's a number of different intelligence agencies that are tracking a number of different threat actors. Then you get into questions about when we're targeting or not targeting Russia. Does that apply to different organized crime groups in Russia and cyber criminal organizations? Because there's very little like daylight between organized crime and the Russian government and the Russian military. They very much work with each other, directly with each other. Now, once again, CISA came out and said that this isn't true. I've heard people from people that are working inside of CISA where they're saying, no, we're getting verbals that we're supposed to start, stop doing these types of alerts on Russia. I, I think it'll remain to be seen. We have to continue to watch the CISO alerts. And if we start seeing more and more CISO alerts coming against Russian threat actors, then we know that it's moving forward. But if it stops completely, if it stops and we're not getting anything about Russian threat actors, that would be weird. Either, A, the Russian threat actors have completely stopped, or B, we stopped reporting on it. If it's B, it's bad because it's going well. Sorry, let me back up for a second. It's good for you all. Like, it's good for all of us. Let's be completely blunt for just a couple of seconds. Let's be real, real talk with John Strand. If we stop doing any and all reporting on any Russian threat adversaries, it's fantastic for Black Hills information security. I'm not going to lie. It's going to be great for business. Going to have more breaches, there's going to be less correlation infusing of all this data together. It's going to be banner year in 2025, but not for the right reasons. So let's sit back, let's watch it, let's see if alerts continue to come from CISA on these different threat actors. But the DoD stuff is scary once again. It doesn't necessarily apply to NSA and some other groups, but still, it's a very, very scary directive. And usually what happens whenever you're working under Dodge, you run into situations where something like that comes from the top and it paralyzes a lot of activities that are currently going on because people are like, is it happening? Is it not happening? IRAD gets irad. Funding for different research and development gets frozen. A whole bunch of people that have funding to do offensive research, working with Lockheed Martin, working with General Dynamics, working with Northrop Grumman, working with Raytheon, that funding gets frozen because of this type of direct directive that comes down. So it remains to be seen. I'm going to shut up and try to leave the next 10 minutes for you all, but I think that that's the least ranty way that I can possibly do this. So Biden administration really mad at you for the whole encryption thing that we were talking about under the FBI. That's bad. Shouldn't do it. Trump administration, Pete Hexseth, you frustrated with you because you can't turn your back on any adversaries. And what we're doing, we need to keep moving forward. So you're both. John, go ahead.
Kelly
Kelly, there's a simple explanation for all of this. I think you've made it really way too complex. Somebody didn't put it on their top five things they did last week. And that's the reason why I got.
John
You're gonna set me off. You're gonna set me off. Okay, that's Kelly's hot shade. Any other hot takes?
Justin
I. One thing that came to mind while you were talking is that I know that attribution is a really challenging thing under any circumstances. And by saying we're not going to monitor X Group, whatever that group is now, we've basically given a, you know, come in for free pass to anyone who wants to spoof that particular exempt group. Group that we're not monitoring anymore.
John
Yeah, that's a. That's a really, really crappy hot take. That's 100 accurate. Sorry. If you go back and you look at. I know, I know I know you don't mean to, but if you look at the vault breach, the vault breach for the CIA, there's actually a document in there on doing misattribution and trying to make our ops in the CIA look exactly like the Russians or the Chinese, like trying to repurpose the exact same malware, use the exact same types of techniques, setting up C2 servers. So the United States has been doing this. And by the way, this is a surprise. Shouldn't be. Because that's just what nations do. But drawn one's absolutely 100% correct. If China wants to kind of blend in, all they need to do is make it look like it's possibly coming from Russia or things like that in the hopes that it won't be disseminated properly. So that is scary. I agree with that. Now, there are some people that, like, maybe this is part of negotiations for Ukraine, possibly. I. I still think it's a bad move. By bad mood, I mean potentially horrific. But no, Bronwyn, thanks for that horrible take because it's probably right and it makes me sad. Anybody else have a sad take they would like to make?
Wade
My take was the same thing. If you. So Jake Williams, malware. Jake also wrote an article about this and pretty much hits the same. The same thing that Bronwyn hits, right? Threat actors are just pretending to be Russia and never get caught from there, right? And then at the same time, how is this even going to work? Because when you're tracking an unknown threat actor, right, we'll take Mandiant's naming convention, which when they don't know who the threat actor is, they use unc. Unc, right. So you're going to be tracking this stuff and then you figure out it's Russia and it's like, okay, delete all that. Website, don't track anymore. We're gone. Like this.
John
I don't think.
Wade
I think this is just a laugh statement.
John
There's no possible way of idm, and all of these different groups don't do that. I'm hoping that they continue to track. But then you also get into the idea of government contracts, right? If you're Mandiant, if you're like crowdstrike or somebody that's trying to track these threat actors, a huge part of your revenue comes from government contracts. And this gets back to the chilling aspect of, you know, what this has on the impact on the entire community. Because if all of a sudden they're like, no, no, we're not going to allow anybody to say anything bad about Russia anymore. And CrowdStrike wants that sweet, sweet government contract dollars. Right. So are they going to continue to release this information publicly or are they just going to keep them unk the whole time? And unk is now Russia. I hope it's the second. I hope they're like, you know who these people are. Oh, it's weird, but they like swirlic, you know.
Bronwyn
Yeah, it doesn't. It also gives a lack of intelligence on the. On the front of any other threats that are coming in. As you saw, the US intel shows Russia and China are trying to recruit disgruntled federal employees. So if Russia is trying to recruit people that are either disgruntled, have security clearances, and either laid off or about to be laid off, hey, we should have some enhanced intelligence around that. And having Cyber command go or be directed to just ignore that. CISA being directed to ignore that. That, you know. Yeah, that doesn't, you know, that, that doesn't help with the information sharing. You know, like, you know, we've said earlier in the. The program is, you know. Yeah. Having all these different groups that, you know, share their intelligence, share what they're seeing.
John
Yeah. I think we handle this well. I think we handle this much better than we did last week. And I think it has to do with the fact that I can get done teaching for four hours and not sleeping. So do we want to hit the follow up on. Yeah, let's go ahead and hit that up. Bronwyn, Go ahead and let's do that one. That's a good one.
Justin
Kelly had something that she wanted to touch on first.
Kelly
Oh, I was just going to ask in all seriousness, could this. Can we put a difference then on this or a different hat and say, is this a disinformation campaign?
John
That is another thing that I've been hearing. If it is, it's stupid. And like I said, the reason why it's dumb is because a bunch of groups that, like I mentioned, like CrowdStrike and all these companies are going to all of a sudden gonna start pulling their punches for anything that they would do that they were doing investigations for Russia because they don't want to be seen as in violation of this whenever they're going after government contracts. It could be, I think you're right. It could be like, well, we're not doing anything against Russia in the whole time. They're like amping it up. But I'm telling you, from the people that I work with, DoD and IC, that is not the case. I have not seen any indication of that that has not been the communication that I've been receiving from people in the classified world. Hopeful maybe, but not likely at this point. But who knows? Who knows? Maybe there's some type of 4D chess going on right now.
Justin
Yeah, somehow I don't think so.
John
It's a non zero chance. Anything possible in the world of quantum theory? All right, all right, let's wrap it up, everybody. Wait, Bronwyn, you had one more story about the army soldier you want to talk about real quick? Go ahead.
Justin
Yeah, I know that the accused army soldier in the AT&T heist. This is a classic example of shooting yourself in the foot. You would think that someone who is going to hack things and share secret information would have a clue that his Google searches would be trackable, but hey.
John
Oh, man. Yeah. So, yeah, if you're going to commit crimes, don't use Google. Google how to commit those crimes. Unless you want to do the T. I don't know. Whatever. It's a. It's a. So. All right, everybody, thank you so much. Ryan. Let's bring out the crooked finger, and let's take it out.
Podcast Summary: "2025-03-03 - Not Talking About Anything"
Podcast Information:
In this engaging episode of "Talkin' About [Infosec] News," the Black Hills Information Security team delves deep into pressing cybersecurity issues facing both individuals and organizations. The discussion ranges from the controversial topic of encryption backdoors to the latest trends in ransomware attacks, providing listeners with insightful analysis and expert opinions. Below is a detailed summary of the key discussions, complete with notable quotes and timestamps.
The episode kicks off with a heated debate about the United States FBI mirroring the United Kingdom's requests for backdoors into encrypted communications. This move raises significant concerns about privacy and national security.
John Strand (04:10):
"If you put in an exploitable hole within crypto, then it is inevitably going to be used by bad actors. There's a zero chance that you're going to have this magical backdoor that just the NSA or the FBI or the CIA has."
Jake (07:53):
"There is no such thing as a good guys only backdoor, period."
The hosts argue that creating backdoors compromises the integrity of encryption, making it vulnerable to exploitation by malicious entities. They highlight historical precedents where nation-state backdoors have been exploited, underscoring the futility of such initiatives.
The discussion emphasizes the delicate balance between aiding law enforcement and preserving individual privacy, concluding that backdoors are inherently insecure and counterproductive.
Transitioning to cybersecurity tools, the conversation focuses on the rise of information-stealing malware and the role of "Have I Been Pwned" (HIBP) in addressing data breaches.
The hosts commend HIBP for expanding its services to include data from info stealer malware, enhancing its utility for both individuals and enterprises. However, they also discuss recent price increases and the issue of unauthorized reselling of breached data, highlighting the challenges of maintaining such a vital service.
The episode underscores the importance of responsible usage and support for cybersecurity tools that protect against data breaches.
The podcast then examines Dragos’s 8th Annual OT Cybersecurity Review, which reports an alarming 87% increase in ransomware attacks targeting industrial organizations.
This surge is attributed to the vulnerability of operational technology (OT) environments, which are increasingly targeted due to their critical role in infrastructure. The hosts discuss the need for enhanced security measures and better threat intelligence sharing to combat this trend effectively.
The conversation highlights the importance of collaboration and information sharing among cybersecurity professionals to mitigate the growing threat of ransomware in industrial sectors.
A significant portion of the episode is dedicated to recent developments involving the Department of Defense (DoD) and the Cybersecurity and Infrastructure Security Agency (CISA) in relation to Russian threat actors.
The hosts express concern over reports suggesting that CISA has been directed to reduce or halt its monitoring of Russian cyber activities. This move could potentially lower the barriers for adversaries, making cyber attacks more feasible and cost-effective.
They discuss the implications of such directives, including the potential for increased cyber threats and diminished intelligence capabilities. The debate touches on the complexities of attribution in cyber warfare and the risks of geopolitical maneuvers affecting national cybersecurity measures.
The difficulty of accurately attributing cyber attacks to specific actors is another critical topic covered in the episode.
The hosts delve into how threat actors can obscure their origins, often mimicking other nations' techniques to evade detection. This challenge complicates efforts to defend against and respond to cyber threats effectively.
The conversation underscores the need for advanced threat intelligence and sophisticated attribution methods to accurately identify and counteract malicious activities.
Towards the end of the episode, the hosts discuss a real-world incident involving an Army soldier implicated in a cyber heist against AT&T, emphasizing the pitfalls of poor personal cybersecurity practices.
This case study serves as a cautionary tale about the importance of maintaining robust security both at work and at home. The discussion highlights how personal negligence can lead to significant breaches, affecting broader organizational security.
The episode concludes with a reminder of the interconnectedness of personal and professional cybersecurity, urging listeners to adopt comprehensive security measures to protect against potential breaches.
This episode of "Talkin' About [Infosec] News" provides a thorough exploration of some of the most pressing issues in the cybersecurity landscape. From the debate over encryption backdoors to the rise of ransomware attacks in industrial sectors, the Black Hills Information Security team offers valuable insights and practical advice for both individuals and organizations. The discussions emphasize the need for robust security practices, responsible use of cybersecurity tools, and the importance of accurate threat intelligence sharing to navigate the ever-evolving threats in the digital world.
Notable Quotes:
John Strand (04:10):
"If you put in an exploitable hole within crypto, then it is inevitably going to be used by bad actors."
Jake (07:53):
"There is no such thing as a good guys only backdoor, period."
Wade (34:35):
"Have I Been Pwned... took 284 million accounts stolen by information stealer malware."
Kelly (43:25):
"Dragos... are seeing an increase in ransomware, 87% increase against industrial organizations."
John Strand (46:00):
"If CISA stops reporting on Russian threat actors, it's fantastic for Black Hills Information Security. It's going to have more breaches."
Justin (52:41):
"Attribution is a really challenging thing under any circumstances."
Wade (54:28):
"Threat actors are just pretending to be Russia and never get caught from there."
John Strand (58:06):
"If you're going to commit crimes, don't use Google."
This comprehensive summary captures the essence of the episode, providing listeners with a clear understanding of the discussions and insights shared by the Black Hills Information Security team.