![Talkin' About Infosec News - 6/28/2021 — Talkin' Bout [Infosec] News cover](https://img.transistor.fm/AukI425sRBc3M3UIa9lVng7qjeNeYEQ8BZfzCEXhALs/rs:fill:0:0:1/w:1400/h:1400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS8xZTA1/ZWZhNDcxZGM4ZTFj/ZGJhMTMwNmYzMmJj/ZjBkNi5wbmc.jpg)
00:00 - PreShow Banter™ — Way West Recap
06:38 - Story 1 : https://www.bleepingcomputer.com/news/security/wd-my-book-nas-devices-are-being-remotely-wiped-clean-worldwide/ (https://www.bleepingcomputer.com/news/security/wd-my-book-nas-devices-are-being-rem
A
Anything new and fun to talk about?
New attacks, new strategies, new anything?
B
I saw some good talks, but nothing like, for me, like, you know, like, kind of like my. My sweet tooth for, like, the red team or some other, like, you know, attack. You know, offensive attack stuff. I didn't really see too much of that. There was a wild kind of variety of talks. Some of them were pretty good. I. One. One. One person who. Now it's upsetting me that I'm forgetting his name right now, did a whole talk about. What do you call it? Adding more than just your hobby as your job to your resume, which was actually really good. It was a whole talk about what he learned from becoming a photographer and how that applies. It was good. So it's a good talk.
A
But.
B
Yeah, Josh, right? Yep. That was a good talk. That was a good talk. No tech stuff. No. You weren't there, were you?
A
I was virtual. So I saw that talk you were.
C
Talking about, Ryan felt a little called.
D
Out, tried to copy a link and said, I just copied text. Go figure.
B
You thought what?
D
I was just trying to copy a link and I pasted it in the live chat channel on Discord.
B
Oh, perfect.
D
And it was just the text. It wasn't the link. Noah was laughing at myself because it's.
C
Like, oh, I saw the one you were talking that you were talking about, that one there. And I felt kind of called out just a little bit, but that's okay.
B
You felt called out like it's personally talking to you? Yeah, yeah.
C
Like, hey, what do you mean? I can't have my job and my hobby be the same thing. And the only thing in my life.
A
It was. It was.
B
It was a good hook. It was a good hook.
Ryan, what do you think was your favorite talk? You watched them all? Every single one of them, actually.
D
Actually haven't watched them all. I skimmed through them all.
A
Let's see.
D
The ones that interested me, though, were the.
How do I say her name? Meryl on social media. That one interested me. I did actually watch that one, and I haven't watched Josh. Josh's talk yet.
B
It was good.
D
I do want to watch that one. I did watch Paul's talk because it's usually Paul Vixie, the opening. His opening keynote talk.
B
Okay. Yep.
C
After we got.
D
Want to see my stupid face show up accidentally during the opening? That's the one to watch.
C
That's like. That was the highlight.
D
It was the highlight because that's where we. We started the stream and we. One of our computers that, oddly enough, was in charge of sending audio to GoToWebinar. The blue screen crashed and restarted and then tried to install updates.
B
Classic Windows.
A
Yeah.
D
Poor Paul Vixie had to tell motorcycle stories while we waited for the laptop.
B
Yeah, he was telling motorcycle stories and.
D
As trying to swap in John Bever's laptop. He was trying to swap in his laptop to work in place. And while he was doing that, we're trying to rush and things are happening, we're getting crazy. He runs out to go into the room for something and he accidentally knocks his laptop off the table. So it's like, hang in there. Somehow the webcam turned on so you could see us pop up on the screen. And then you see me run over to grab the laptop, pick it up, and it's my big face looking at.
C
The lab, very worried. It was just Ryan's very worried face. And I'm like, I felt bad for you, but.
D
Well, I was watching this. This past week was breaking up all the videos because it's. Each day is one long recording. So I was breaking them up into individual videos and I was watching that over again and I just. I'm laughing my ass off because I thought it was the funniest thing.
A
For those who couldn't partake. When will those be out? Estimated Months, weeks, Years?
D
Well, it depends. And I say that because we do have a webpage where all the videos are available and we could share that publicly, I guess, as it's already been shared by some people publicly. So you can get to that? It's a GoToWebinar page. I can grab the link for this chat because. Why not? As far as getting on YouTube though, it's going to be a while before.
A
It gets on YouTube because you need to produce it.
D
Yeah, YouTube is typically. Would get the more polished stuff where this link, which I'll just share in the chat here, the big chat, public chat.
A
That's so nice.
D
This is all the raw videos. So they're. They're broken out into individual videos, but they're. They're not fancified.
But that's.
B
You haven't had your golden touch to them.
C
Yeah, he hasn't put the special effects in yet. Yeah, it's missing all the pyrotechnics and whatnot.
B
Yeah, there's tons of pyrotechnics. It was nuts, man. The hotel was really upset though. They thought it was going to burn.
A
Down, so.
D
I didn't see any of that.
B
Yeah, well, that's because you haven't added it yet.
D
I've got to there yet.
B
Welcome to Black Hills Information Security talking about the news. I'm your host today, Ralph May. John is traveling across the country. It's kind of what he does every week. But we've got a great show for you guys today. We've got Noah here. We also got Rob showing up. Haven't seen Rob in a while. Welcome back. And as always, we have Ryan in the background doing his thing, keeping the audio and streaming going and making us look pretty with pyrotechnics, right?
D
Yes, yes.
A
Keeping the mics going.
B
That's what I was hoping for. So I guess let's get this rolling. We got a bunch of news stories. Talk about. Some of them are, like, pretty short, like a paragraph. I felt like I read a couple of those. But some of them are still pretty good as far as the. You know, even though they might be short.
A
So which is your favorite?
D
Which you want to start with?
B
Oh, geez. You know what? Let's start off with that. Western Digital. All right, for everyone who didn't read about this, Western Digital My Book NAS devices are being remotely wiped clean worldwide. So what I thought was interesting about this is that this kind of came out last weekend or this. This weekend or around that time. And what happened was, is that these Western Digital My Books, they're. They're NASes. They're really just a hard drive that's plugged into the Internet and you can remotely manage these. And I guess some users were realizing that their drives were getting wiped and they thought that Western Digital had possibly been hacked, so on and so forth. And come to find out there is a CVE. These. These devices haven't been patched and are updated. Excuse me. In the last couple years, and there was a CVE with remote code execution. I guess there was an attacker online, finding all of them via UPnP or, you know, whatever it was to expose the port. And they were actually compromising these and remote wiping all of the hard drives. And Western Digital's response was unplug them from the Internet.
So if you have one of these things, take them offline, I would say.
D
Probably already affected you if that. If you did.
B
Yeah, that's true. That's true. Well, all right, so the way the. From. From what we've got, information we have so far, is that they were scanning the Internet looking for these devices. If it came back, then they tried to either, you know, compromise them or remote wipe them. So, you know, if they didn't make it to your IP, you know, depending on how much they were scanning or you know, your device just didn't respond. So just because it's online doesn't necessarily mean it's probably exploitable. I'm pretty sure you'd have to have a port open so that it could communicate directly with the device. And that's not necessarily a guarantee unless.
C
You have UPnP turned on.
B
If you have UPnP turned off, though, you know, then you might be okay. You might be okay. Details are a little. Still a little fuzzy here, but Western Digital is recommending you take them offline. But there is a CVE from 2018 which you have here pulled up, and there's actually remote code execution and they haven't patched these in a while. So couple things here.
A
Do you really need the RCE if you have the default password? Like, seriously, like, all you have to go is get on the interface and go delete.
B
Yeah, I know, I know, I know. But assuming you change the password or whatever.
A
So is it an unauthenticated being made here? Is it unauthenticated?
B
I thought it was unauthenticated. I don't know. I could be wrong here.
A
Can you a little bit. Oh, let's go back out. You went right past it.
Description. A little bit more.
B
A little bit more.
D
What? This thing. What are you looking at?
A
Up, up, not down. What are you going down? There you go, right there.
B
IP address.
A
It doesn't say.
B
No, it doesn't say. I don't think it was authenticated, though, or what is it? I think it was unauthenticated. Right. I don't think that they knew the password for the device. Right. I don't think it was just like admin.
A
Default admin password. That's why I was asking.
B
Yeah, I mean, it could be either way. I don't know what the CVE putting.
A
Your NAS is on the Internet.
B
It was just default credentials. That's not really a CVE. I'm sorry, let's cut that one.
C
Right?
A
I mean, okay, so yes, there's a CVE. Let's say it's authenticated. But a NAS isn't supposed to necessarily give you a shell. Right, sure.
B
Yeah, yeah, yeah.
A
So even authenticated via the web interface, you shouldn't get a shell out of that. Right. So you still get a CVE, but, like.
B
Yeah, but I don't need a shell to probably go to like, the web interface that says, like, format disk.
A
Right, right, exactly.
B
Anyways, I thought it was kind of funny that, you know, not for the people who actually got their drives wiped, but kind of interesting. Just Someone scanning. Kind of a different take on malicious.
A
So, so you're good with or. Or. So you've learned your lesson about backups. You have backups on site now you have to learn your lesson about off site backups. That's the second lesson.
B
Yes, it's the trifecta there.
A
I learned that the hard way.
A long time ago. I was dumb enough to overwrite my OS, which had my pictures directory, with a new operating system and all of my pictures disappeared. And that's when I learned the hard way that backups are important and off site. Especially since you're, you know, you're the one managing it. Or maybe in this case, you're not deleting. Delete.
B
Yeah.
A
Oh, man. I've used, I've used backup solutions a bunch just to greet. And there's a backup solution that you like, right, Ralph? There's a specific or I've got nowadays.
B
Yeah. So the one that I, the one I really like for backup is Backblaze B2, depending. Because B2 is pretty much an S3 bucket, incredibly cheap. And I know that Backblaze is actually unlimited backup.
D
Great way to back up stuff, with limits, though. You can't back up a NAS.
B
Oh, no, no, they know. They know better. Like, nothing's a limit.
D
Right. So they, if it's a USB3 or Thunderbolt connected RAID, you can back up.
B
Absolutely, absolutely. And some of the new ones now are doing immutable backups so that even if you were to get into like a ransomware scenario, it doesn't affect those kind of backup files. They're kind of write once, and then they have like a long cooldown period to remove them off. And it requires a much higher stringent level of authentication before you can remove those files. Cool. Watch your backups, guys.
A
RSA's new, new term, mutual backups. Immutable backups. That's all I've been hearing for like the last like five weeks since RSA is immutable backups. Ransomware, immutable backups.
B
Read it, love it, list it, I don't know.
Let's talk about the hackers using fake call centers to trick victims. So this is ransomware, right? So I actually, I've heard this one before, but I kind of wanted to bring it back up. This is a tactic that's being used in kind of the general gist of this is that I send a phishing email and I'll have something along the lines of, hey, your subscription has expired for this thing that you probably had at one point or maybe you have now, but you don't want to continue paying. So like, you know, that introductory trial for Netflix or something like that. And then what they do is they put some phone number in here, hey, call us and we'll cancel it. And then once they get you on the phone is when they actually go through the process of, you know, utilizing that to do ransomware or other, some kind of other compromise. It's a pretty common attack vector. And the big thing here to get is that they get you hooked, right. So they get you worried about having to pay for something continuously. But the other thing is they get you to call them, which is the big way that they continue the SE scenario. Once they get you on the phone, they can, you know, do a lot more social engineering to convince you that this is real and that they can help you, you know, get out of this and so on and so forth. So usually if you have to call someone, you should go look at the public number for whatever the company is and call them directly and not call them from, you know, a listing from an email.
D
So the company you worked for signed up for a free trial of Disney plus.
B
Yeah.
A
Given all that, all kinds of the, that stuff out recently. So it's unbelievable ruse.
B
I mean, yeah, so yeah, this is really common. Another one that this is, or this kind of same avenue. Not necessarily the ruse itself, but, but this call center piece is actually a really, really common attack vector, especially for older population. They're easily convinced on this about, you know, something. And then this is also where a lot of these scams come from. So there's full call centers that are just running these scams. Getting you on the phone is really the crucial piece of this. In this particular case, they're, you know, sending a document that has a macro and then they're doing some ransomware or something else to compromise your computer further.
A
So, so how do you stop something like this? Do you, do you just tell people to call their, the number directly? Because that's not always, you know, an instant win, right? Like that's, you know, people might forget to do that or just, you know, hit the number on an email and basically click the link to call. Right. So how, how do you.
How do you know when you're in that situation?
B
Yeah, I mean, I think there's a couple things you could do. So like first is just trying to validate that email address, right? Like it's not going to come from netflix.com I mean, that's an easy quick look, right? Just checking the email address to make sure it possibly is coming from the company to taking a step back and then maybe being like, well, I do have a Netflix account. Log in there, see if that is still valid or what it is. Right. Like think about the scenario that you're in. A lot of these times it's a phishing, so they don't technically know if you do or don't have these things. So sometimes it's going to land where, where you're just happened to be there and you're thinking quick and sometimes it's not. So just taking a step back to make sure that whatever company is asking you to do something that it makes sense in your scenario and that you can validate outside. Like just logging into your account and seeing, hey, is this a trial expiring, like when, when is this happening? You know, and just going through that process. Anytime somebody wants you to call them to do something, that should probably be your red flag at this point there. A lot of companies don't want you to actually call them. They want you to use their online system. They want you to use the autom, whatever, because that actually saves them money. So anytime you try to get a human on the phone immediately and they pick up like red flags should really be going off in your head. That's kind of my take.
C
They also want you to pay for the product and not just run on a free trial.
B
Yeah, yeah. They don't want you to cancel the free trial. Like, yeah, actually that's a great point. Like how many times you get those emails? It's not like they send you 10. Like, are you sure? Are you really sure? Just to let you know, we are.
C
I don't think they send any.
B
None. Yes, exactly. I don't think they sent any.
C
It's right there in the like agreement when you, when you sign up that like it will automatically renew and proudly says right there and we will not contact you.
D
Yeah, it's opt out.
B
Yes, yes.
A
So one of the things that I set up with my bank is a confirmation code, right? So normally they'll ask you for your phone password. Most banks will actually allow you to set up a confirmation code for them as well. So you can say, hey, my confirmation code is Starry Night or whatever. Right. And so you, when you call them, you can say, please read off my confirmation code. And then they'll say back to you the word. And if they can't say it, they don't have access to the system or whatever, then you know it's not them. Right. So adding that second factor Essentially is always an option and most people don't take advantage of it because they don't like offer it up and say, hey, this is here. It's a lot like your like security. A company, like home security stuff. They'll, they'll have a password or passphrase for you to say if you're in a situation versus not that kind of thing.
B
Yeah, yeah, for sure. No, I mean, those are definitely good things to use. I know my bank has something like that where you have to, you know, say your code or use the. Something like that.
A
You say your code, but you can have them say a code as well.
B
Okay, yeah, the other way, the other way around. Usually I call them though. So I, I had the number on my phone or whatever.
A
So still I want, I want to make sure that they're.
I've.
C
Basically the human equivalent of server side authentication.
B
Yeah, exactly.
A
I mean there are, there are cases where you can take over phone numbers, right? Like even 1-800 numbers. Right. So I want to confirm that they are looking at my account. Then I have their password, their, Their code sent. Sent to me.
B
World we live in. No one's who they say they are. Not on the phone at least.
A
Zero trust.
B
Zero trust, exactly. Another buzzword. Did you hear that, RSA?
D
I could be a dog and you think I'm a human.
A
Hey, if you're a dog and I think you're a human, you're doing a pretty good job as a dog.
C
You're good.
B
Yeah.
All right.
Let's talk about the old Dell BIOS disconnect.
D
The old Dell. Old Dell. I think it was this one.
B
Yeah, yeah, yeah, yeah. So for everyone who might not know, Dell has got this thing called BIOS Connect. It actually reminds me very much of how Mac OS works as far as its recovery OS.
The point of this is that if you have a corrupt hard drive or you need to recover your computer from the BIOS, you don't have the disk. You can use this to connect in and actually recover your system or get the copy of Windows, so on and so forth. Well, I guess this.
Dell BIOS Connect suffered from multiple CVEs. And the two big ones here to kind of take away is one, there was a server, server side, kind of a certificate, not request, but authentication verification. Yeah. So you could be, if you. In this attack, you would be the middleman and you could pretend to be Dell's BIOS Connect. And then in addition to that, there were also three more CVEs that followed that, which were pretty much a buffer overflow vulnerability with a, you know, authenticated malicious actor can take from there. So a bunch of things there. But the, this affected tons of systems. The, the amount was a little staggering how many systems it affected.
It is kind of a interesting attack in the sense that this is most likely going to happen on internal. So some already level of access, most likely not over the Internet, but possibly if you could convince somebody, but your system would typically not try to connect to that device, you would have to have something in the middle to fake a DNS request.
A
Is BIOS connect always trying to connect or is it only during boot? Like, yeah, hard attack to take advantage of?
B
Yeah, I don't know. I don't know. I think that it possibly might do some intermittent connections in between there. But I mean you got to realize that if you are successful in this, this is really low level, this is below the OS, right? So this could be BIOS-level, rootkit, so on and so forth. Now how you would play out this attack or how successful it could be, I mean, there could be a couple more kind of stipulations in making this all work out as opposed to just like, hey, I found this on the Internet and compromised it. Right. I don't think it's that easy, but yeah.
C
So this is part of Support Assist. Like it plugs into the Support Assist suite and that Support Assist suite is pretty much always beaconing out to its update servers and also its remote control servers. I did a lot of work with Support Assist in the past and honestly it kind of scared me a little bit. I'll just say I don't put Support Assist on any of my systems anymore after what I learned about it working in the Enterprise.
A
There's still a lot that you have to do here.
You have to man-in-the-middle, you have to have a UEFI BIOS ready to go, right? To inject into this thing. Unless you're only updating some other piece or some other code or something. If you're, if you're doing a full BIOS update, sending a new BIOS update, it's going to take. You're going to have to code it pretty well. And then you also have the fact that UEFI verifies signatures, so you have to have a valid code signing cert from one of the big companies, right?
C
It has to come from Microsoft to my understanding. I mean, the biggest thing is that. Well, yeah, for secure boot it needs to come from Microsoft.
A
I think it said this really okay.
B
That this exploit bypassed the secure boot. If I'm not mistaken.
D
Yeah.
C
You can bypass secure boot with just the shim. I mean that was the whole BootHole thing and everything else.
A
But I'm just saying, like, it's cool. Awesome research, huge lift. Like, they make it sound super crazy sensitive. Like huge impact, right. But like, sure. How many people that, you know, you and I know can pull this off?
B
Yeah. I mean, not without three letter agencies or countries in their name. Right. Most likely that would be. Who would do something like this or take that and weaponize it for a very specific attack. Right. But yeah, you're right, it's not a. This isn't one click. This isn't remote code execution on, like I said, some public. Public interfaces, they could do a Shodan scan and find a bunch of IP addresses and then just, you know, go after it. Right?
A
Like Western Digital.
B
Yeah.
Yeah, like that one. That one, that one. It makes perfect sense, right? So that's, that's how some of this stuff goes, right? Finding the vulnerability and you know, I think it's funny, you know, if we take that step back, Rob, and we think about that like in a more sophisticated attack, they might be like, oh, and then they use these three CVEs to take over BIOS Connect and then they were able to take over this company and then they did a supply chain attack and took over this other company. And so that was like the, the beginning of the whole process. And while I agree with you, definitely more difficult, it's still kind of part of the chain, right? Or could, could have been part of a chain. Right. A more advanced attack.
A
I mean, I don't know if you've ever tried programming anything in UEFI, but I did. I was reading a book and I did a ping pong and it was super freaking hard, right? All I ping pong, like pong. I did pong and just trying to imagine an OS load and programming that to go along with any. Whatever malware you decide.
I'm just saying, like it's.
B
You would find pretty much any other attack in this one, right?
A
Yeah, but it does say, you know, you know, you get that persistence, right? If you get something solid, if you have a good C/assembly programmer or whatever, if you can get well into this UEFI space, you're there, right? You're not getting out. Like they have to. Even if they rip the hard drive out, right? No, the hard drive is. UEFI is on the hard drive. Never mind.
B
Well, no, they would be on the BIOS, so they'd be putting it on the BIOS. So they're in the firmware, right?
A
Yeah. So you're there permanently.
B
You're in there, dude. There's a bunch of articles that came out like, BIOS.
A
Never mind. I was confusing UEFI with BIOS, man. So not only do you have to update, do crazy amounts of programming for BIOS stuff, you have to match the BIOS version. Right. So every system has a different BIOS, right. Or 98% of the systems. Right.
B
Well, you just pretend to say you've got a new version, like, hey, there's an updated BIOS version.
A
But how many systems have been built with, like, America Core or whatever the one BIOS name? And then every single motherboard I've ever installed has a different type of BIOS or version. Like, I don't think I've ever updated a BIOS that wasn't very specific to that model.
C
I'm just saying, like, also, Dell's BIOS Connect.
A
So you can limit it to Dell.
C
But you can limit it to Dell. And then in my experience, like, if you have a Latitude series, it's a lot. If you buy it at a certain period of time, a lot of them will line up with that. And you can get the time of purchase from the service tag, which is available from the OS technically.
A
And you have to do that at attack time.
C
Yeah. I'm not saying it's easy. I'm just saying, like, you could do it.
A
You have to have a large amount of BIOS versions ready to go to do this attack.
That's a lot of coding, a lot.
B
Of recode or code sharing inside of those BIOSes that you could just find your little spot inside there and then put it in all of them. Right. But still, obviously, like you were saying, it's kind of. It's not hype. It's not necessarily all hypothetical. It's just hard to get there. Right. It's hard to get into that position to. To do this and quickly. And you're. You most probably. People probably wouldn't use this to attack a ton of systems on the Internet kind of thing. It would just be like a really specific targeted attack. So, yeah, if you're doing this, you.
C
Really want in there.
B
You want.
A
You're doing this as a red team. You're freaking negligent. Because this is permanent. Right? This is hard to handle and clean up.
B
This is. This is toxic. Toxic. Toxic.
A
Like, there. There are some. Oh, man, I could get on a tangent so easy right now. There are some attacks that have been talked about recently that no Red Teamer should ever do. And I'm just. Yeah, it's frustrating. People put blog posts out there that like, have all of these things and like, do this and do this and do that, and it's just like. No. Do you understand what you're saying? And how hard it is to clean that up? There was a blog post the other day that said, hey, change this configuration in Active Directory and everyone who can authenticate can have domain admin anytime they want. And it's like, oh, my God. No.
Sounds good.
B
Yeah, I get it.
C
Now that you've overwritten the firmware on your hard drive, we are not going to include instructions on how to revert that.
A
Right.
B
So I got another article for us and I hate to bring this one up, but it is ransomware.
A
Oh, boy.
C
We had a rule about that.
B
Yeah. No. So no ransomware. It's all we ever talk about. No, so this one actually, it's. Do you see it? Right?
Yeah.
A
So.
B
By the way, you don't even really need to read this article just. Just to. To get this one little piece. All right, so 80% of organizations that paid the ransomware were hit again. So they did a study. Yeah, exactly. So that this. So 80% of organizations that paid ransomware were hit by a second attack. And almost half were hit by the same threat actors. So once they figured out that you would pay, guess what they did. You know, yearly pen test, a yearly ransomware engagement. Right. So I don't know.
A
Wait, wait. Criminals repeat their crimes.
B
I know.
I know.
A
No, wow. Revelation.
B
It is a revelation.
C
Right?
B
But, you know, this. This one comes up to the big question, whether you should be paying or not. And so, you know.
A
Really? That's why.
B
Yeah, well, I mean, should you.
A
You're the one putting it out there that because they repeat their stuff, you shouldn't pay. So tell me why.
B
Tell me why you shouldn't pay.
A
Yeah. If I'm getting my data back every time that I pay and I get my operations going again, if they're, you.
D
Know, you just gotta create a budget line item for this next year.
B
Yes, a budget line item.
A
Yeah, already for theft. Right.
Already a budget item in every single. In every single.
Company plan. I forget what it's called.
B
So what do you think's cheaper?
So I was gonna say, what do you think's cheaper? Sorry to interrupt you paying the ransomware or making a better backup, like, you know, a faster restore process for your backups. Like I.
A
Show me. I'm just playing devil's advocate here, but show me a fast backup restore process. Give me one.
How do I restore an application that requires three other applications to run slowly?
B
Right?
A
So do I pay the money and have the easy button unencrypt everything or do I, I hold to my guns and say I'm not going to pay anymore because. Yeah, right.
B
I mean, so then that steps it back. I'll take it one step. Take that step back one more time. Right. And say, well then, well, do I really need more security? Because I could just pay the ransomware. And security costs money too, right? Like hiring people to do security. So maybe I should just not hire them and just have a bigger ransomware budget. Like, I mean, like, you know, where do we draw the line there? Right. You know, just something to think about. And I don't disagree with your points that you're just paying your way back to business.
A
So call. The difference is that we have to start finding better solutions to ransomware because backup and restore is not. Not an easy one. Not a. In the fast paced world of IT and e-commerce and all of this stuff, backups are great. Backups will save you in the end. But it is not a solution to ransomware. And we have to start working on solutions. And there are solutions out there. It's not just better backups. And that's what everyone touts. Right. But we need to work on actual solutions to these things.
B
That's true. That's true. It's not going anywhere. The other thing was the FBI had reported a 225% increase in total losses from ransomware in 2020.
A
Of course, it's a successful business model.
B
It is a successful business model. That is correct. All right, well, we don't have to keep harping on ransomware, but I just thought I would say what you obviously pointed out was obvious, that they would keep going back for more because it's part of their business model to keep going back to paying customers. Right, Exactly.
A
Why would you not go back to a paying customer?
B
Yeah, they're the best. They are.
C
Maybe, maybe the next iteration will be a subscription service where you just pay once a year. Like, yeah, of like 199.
A
You can keep a perpetual decryption key.
C
And we won't, we won't encrypt.
A
Ideas.
B
Or it'll be like the mafia style where there'd just be like people guarding other people's turfs. Like, yeah, don't mess with these people. They pay me.
A
What do you think everyone in security does? Like, that's literally what we do. For a living is. No, no. So that we can help protect them.
B
No, no, we tell them what the vulnerabilities are. But we're not, like, sitting at the front gates or, like, going and picking on other, other, like, ransomware companies or, you know, ransomware operations. We're not hacking them because they hacked your, like, person that you're protecting.
C
Right.
B
You know.
D
Wouldn't it be a shame if this vulnerability got out?
B
Yeah, wouldn't it be a shame? All right, well, in other news.
A
Can I pull you back one second?
B
Yep.
A
So let's talk about real, real solutions to ransomware.
B
Okay, what you got?
A
Okay, so, and I got a long blog post about this I'm writing. But let's, let's talk about it from the point of view of the kill chain. Right. So we obviously know recon's not an option here to stop. So the, the next is that first infection. And that's, that's really where I think that we can do better. Right. And, and Windows is already working on that. Right. So Microsoft is getting more secure and more secure and more secure. Right. And what we really need to do to stop ransomware is work on the Raccine model. Right. So if you haven't heard of Raccine, it's essentially defanging ransomware. Because what it does is it identified.
I forget his name, like Florian something. He identified the fact that 98% of ransomware tries to delete the volume shadow copies. And he denied the privilege of deleting shadow volume shadow copies. And ransomware stopped working. Right. Because it couldn't delete the volume shadow copies. It assumed that it was on like a VM or some kind of protection thing. So it stopped doing its thing. It couldn't continue. The programming was not good enough to say there was an error correction put into this link, into this code. So it stopped where it saw the volume shadow copies were not able to be deleted and it didn't get ransomware. Right. So let's take that step back and say, okay, what other piece of ransomware can we make it stop doing its thing? And in ransomware, it's very common for you to encrypt the file names. Right. And if you encrypt file names, you tend to have default length encryptions. And so if I start seeing file names that are 16 characters and 32 characters or 8 characters.
Come across in a backup solution, for example, you can start like, something active, something like Backblaze or carbon something. Was the carbon copy or something. And all of these backup solutions, if you start seeing.
A file that was bob.txt, go to 32 characters of random characters or 16 or whatever. Carbonite.
B
Thank you.
A
And then you can stop it. You can say no more. Backups make it immutable. It looks like the system's being ransomwared. You can do this with Defender, you can do this with AV, other AV products, you can do this with EDR solutions, you can do this with osquery, for God's sake. So stop them where they start encrypting file names. You can also stop them by not getting infected in the first place. And to do that. No, I'm serious. I'm dead serious. Right? Like, you can laugh about it, but like how many people, how many people in your organization need a full operating system? They don't, right? We're going to this zero trust model where everyone's online, everything's web based, very few actual applications need to be installed on your OS. They're if they're, you know, if they are, they're. Everything's going app based, right? Even Windows 11 has Android as apps that you can install because everything's going app based.
B
So bless it, right?
A
So if we're, if we're focusing on apps and web apps and stuff like that, we. Why not switch our entire model for our company into a least. Into a siloed and least privileged operating system level where we can say, hey, you get a Chromebook, you get a tablet, you get whatever. Like, here's your. Instead of refreshing the, you know, the constant drawl of, you know, new Windows machine, new Windows machine every two years, why not give them something that's fast, boots up, has a long battery life and protects them against ransomware?
B
I mean.
A
Yeah, like a Chromebook, right?
B
Yeah. So, I mean, I agree with you. The zero trust model, I mean, especially moving from more like a lot of the stuff we do. I'd say like 99% of the even stuff that I do is it's a lot of, it's web based, right? That's how we interact with everything.
A
And even if it's not web based, there's a, there's an app for it, there's a version of things for it, right. I can SSH from a Chromebook, I can, like, yeah, I can do all the things that I need.
B
Yeah, no, and I get your, I get your, you know, your take on just moving the data off of that piece. Right. And then also just watching for it. I think we don't have a lot of solutions yet that really we're watching for these kinds of attacks. That's the other piece that we're going to catch up on is saying, hey, volume, shadow, copy, hey. Other things like that, you know, hey, where is your data? The important stuff at SMB shares, you know, and how that, how you access those and just being able to encrypt all of those or just being able to detect. There's a lot of products that are even trying to do this and they're not good yet at detecting that files are getting encrypted, that they have a hashed name now suddenly and lots of them. Right. Like that should be like a red flag that comes up in some kind of detection model. A lot of these systems were made 10, 15 years ago, file system, so on, so forth. And so you know, they weren't thinking about that when they made this. So they don't have that stuff built in there. So.
A
Yeah, but we, we have some of these solutions down right. And, and, and stuff like putting Chromebooks or tablets or like it doesn't have to be a Chromebook, can be literally any other Android based operating system.
B
iOS.
A
Why is it, why is it Android, iOS, whatever.
B
I'm just kidding. I'm just messing with you, dude.
A
Like I don't care. Like give them an OS that the attacker doesn't expect and you will buy yourself years. Like there's a reason why, there's a reason why a remote code execution in the Windows operating system went for $5,000 recently and one in iOS goes for a million dollars. Like there's a reason for that and we should get on board and understand that and start working with that instead of, you know, just paying for, you know, the next Dell Windows laptop.
B
Yeah, I mean you're taking a lot of Dell business away.
A
Yeah. With a BIOS problem.
B
Zero trust, it's a buzzword being used right now. How would you guys define it? Anybody want to take that?
A
I would define it as BeyondCorp. What Google first put out in their BeyondCorp paper in 2013/14 as a model where everything's single sign on, including applications like SSH, SFTP, like any, anything that you need to get to has Duo or some other MFA and single sign on like you just automatically go there. Everything you're needed for that. That validates the whole CIA triad and you can move on. Right. And that's the great thing. You can be, you can see be the exact model that we told everyone to be against. Right. Sitting in a coffee shop on a publicly available system. You can save all of your stuff, you can even save your password onto a, onto a shared system that the next person, you have no idea who they are. That's the model we need to get to, is where that can happen and nothing can be affected on your network.
B
Yeah, there's a couple solutions to do this too. I know Cloudflare's got one right now to implement SSO on a lot of different interfaces that typically wouldn't have them. It's also kind of a model to get away from VPNs as well, where you would just be like, I'm on the VPN, so I have access to everything.
This kind of takes that step back and be like, okay, well no, you have to authenticate to everything. Like everything. I'm going to decide whether you have access to that one thing or not. As opposed to just, I'm on a VPN so I can reach all of those things. Right.
A
Love of God, turn on your host based firewalls.
B
Yeah, serious.
A
Like I've been on that soapbox for years. Just turn them on, let them be on Windows. Your default domain policy should never be enabled. It should be public. Always.
B
Yeah, but yeah, that's what I pretty much.
Say. That's pretty much what zero trust is. Right. Moving to that model where we're authenticating on every asset that we try to access and that actually gives you kind of a wider. You can access it anywhere, but you're always having to authenticate for that access.
A
Yes. And that way. That way it's more instant. Right. So I no longer have multiple authentication stores. I have one. And as soon as you leave the company, I remove you from the one and that's it. Right. And instead of having, you know, 25.
B
Systems that I have to go through and reprovision and do this and, you know. Yep, exactly. Exactly. That's pretty much Zero trust. All right. What other things did we have for articles? I know I wanted to bring this one up. John McAfee died last week. He. I guess it was an apparent suicide. He hung himself in jail. John McAfee, for everyone who doesn't know, he started McAfee Antivirus. I think later on in his years he got pretty into, I would say conspiracy theorist, but, you know, thinking everyone was after him. And I guess he was going to be exported back to the US for extradited. Extradited, that's right. Exported.
A
He's gonna put it in a box and sent. Gotcha.
B
Yes, exactly. Now. And I guess apparently exported import taxes. Yeah. Imported. Yeah, apparently tax. Tax evasion. Tax fraud. Yeah, that's what he was gonna get. Extradited. For. But anyways, I just thought I'd bring that up and.
A
Yeah.
B
Any. Any words about McAfee? No.
A
Always bad that a human passes away, but not too shooken up about it.
B
Yeah, he was. He was an interesting character to say the least, especially of the. Of the recent years. So anyone else got any articles that they want to talk about, we could talk about?
Oh, gosh. Oh, this is a great one. I hit this one up really fast. This one is not a hack in any way, shape or form, but with the heat waves affecting the US right now, it is kind of interesting. So I guess energy companies in Texas. I don't know why it's Texas, but it's definitely Texas. Were offering smart thermostats, let's say like Nest and that part of the deal. And I'm not sure exactly what the deal was, whether you get a free Nest thermostat or whatever with the energy company, but they can control the temperature in your house to alleviate the consumption on the grid during high usage times. Okay. And I guess some people didn't realize that and they wonder why it's really hot in their house because the electric company's turning down the AC or up the heat, however you want to look at that. So to save on the stress on the grid. Kind of interesting.
C
But like, I actually got a letter in Iowa for the same thing where they were like, oh, well, we'll give you a new smart thermostat. And you just have to like, you just have to link your Google account with this.
D
I'm like, yeah, I think customer tries to override what the energy company did. Does the energy company say, no, you can't do that and turn it back to where they want it.
A
They're.
C
I was reading on that. You can change it back to whatever you want it to be, but there's no guarantee necessarily that they won't like change it back in five minutes.
A
It won't send another update.
C
You can go in there and overwrite it.
D
That would tick me off. If I say, no, I want it back to this. And the energy company says, no, you can't do.
A
All right, who's.
B
I think there was like a life.
C
Frame or something at this point.
D
Is it me or the time frame?
C
Like, if you change it, it'll stay there for like, you know, so an hour or whatever, and then. And then it will go back. Eventually it will revert back and then they will re. Have that control thing. But jw, I did also see some.
D
People were mad because disable well, but.
C
If you disable it, don't you lose.
D
The benefits, you must lose the discount or whatever it is that they were giving you?
B
Yeah, they gotta be offering something to get you in it.
C
Well, I saw that some were saying there was an article about this that was similar and it was something to do with the sweepstakes. Like you would sign up for the sweepstakes, but you would also give them permission to use your thermostat in the same time.
A
Yeah, it wasn't like the guy installing our thermostat when we upgraded our AC unit, he's like, okay, so we're going to install this new Internet connected thermostat. It's going to be benefit. It's free. Don't worry about it. Like, it's not an added cost or anything. I'm like, I want the old one. He's like, no, no, you know, like there's no hidden costs. Like, I promise you, there's nothing. Like, there's always a cop. Well, inner. We'll connect it to your Internet for free. Like, we'll get it all set up for free. It's not a big deal. It's, it's the new, new thing. I'm like, I want the old one. No, no, you don't understand. Like this, like, we're not, we're. I'm, I'm not gonna lie to you. I can put it on paper. Like, here's the conversation, here's the update. I'm like, I want the old one.
I don't want an Internet connected IoT piece of stuff on my network. And he's like, that you don't have control of, obviously, that I don't have control over it.
D
Right, yeah.
C
That just boils down to two. I've heard it said before and I just say it more, but if you're ever in a situation where you're not paying for a product, then you are the product.
B
Absolutely.
C
And don't forget that sometimes you're okay with that. I mean, that goes for social media, that goes for new thermostats, smart thermostats. Like.
Email.
B
Email, that's another one too. Email is not free. No.
C
Yeah, email cost a fair amount of money. Like, I pay for my email that I use because I want to retain my rights to that. But yeah, I mean, there's some pretty big email providers and just take a guess as to what they're doing with your email in the meantime.
B
If it's not, if it's free, it's not really free. Oh, man. That's funny too, because I have a. I have a smart thermostat in my house. I have two of them, Right. I have the Ecobees. And I've had them for a while, right. And I like them. But here's the funny thing about this, and this goes to your point. Since I work at home all the time, they're always just one temperature, so I don't even need.
The thermostat.
D
Yeah.
B
A button that says on and off like it doesn't matter.
A
Right.
D
Like.
C
So I have some IoT stuff, but it's connected to my local Home Assistant server. I just think it's fun VLAN with separate firewall rules.
A
I like it.
B
Yeah. I have a ton of IoT stuff in my house. I'm like anti security with my IoT stuff that I have. I do supplement. It has its own Wi-Fi for just IoT that can do its own little thing. And they could all make like an IoT botnet or something. I don't know.
D
Party.
B
Yeah, like an IoT party botnet. And that'd be, you know, China has.
A
A party at your house every day.
D
They all start talking to each other someday.
B
Yeah, but.
A
So Skyworm asked, would Kerberos be considered single sign on? No. I mean, yes, technically it is, but you should not do it that way.
B
I mean, that's kind of its. Its purpose, but it's not. That's not what single sign on. And the way we think of single sign on is. Right.
A
This is problem with, with Kerberos is I can take that Kerberos ticket anywhere I want. Right. I don't have to stay connected to any network I can.
B
It's.
C
That's.
A
It's authentication in a bubble.
B
Yeah. It's a piece of a bigger authentication.
A
Model and you can't revoke it.
B
Yeah. So.
Yeah, not, Not. Not the same thing. Not the same thing. We're talking about like with Zero Trust. Yeah. You can have expirations. Not the same thing as talking about the Zero Trust, where you're kind of, you know, having these time locked, you know, events and you're using some second authentication provider and you can set the rules and change the rules when you want and set the timeouts when you want and all this other fun stuff. And then the service on the other end has no idea what that is. They don't under. It doesn't need to know how Microsoft Authenticator works to be giving you access.
A
So, I mean, SAML does kind of operate a lot like Kerberos.
B
He's gonna just dive in here. Now.
C
SAML 1 did, it operated a fair amount like Kerberos in that sense. But yeah, SAML 2's got a little bit of changes, but it's still kind of this general premise underneath.
B
Yeah. All right, what were the last two links? All right.
D
Mercedes.
B
Oh yeah. So Mercedes-Benz had a data breach. What was interesting about this is that it affected a subset of customers. So I think it only affected like a thousand customers. And the data breach was from, I think it was 2017. 20 or the data was from 2017.
D
2018, 2014 to 2017.
B
2014 to 2017, it affected about 1,000 customers who possibly signed up to buy a car, submitted some PII information and I guess it was on a cloud provider that was vulnerable. When I say cloud provider, just probably some VM that they had up there from a long time ago or an S3 bucket.
C
S3 bucket, we just call those cloud providers now.
B
Yes.
A
Because they don't want to look bad. Because everyone say, oh, I had an open S3 bucket.
C
Yeah. Because it's getting to the point that an open S3 bucket is a common thing. And yeah, so now we're just like, oh no, it's my cloud provider. It's my sophisticated threat actor.
A
That's the new APT writer.
B
Yes, yes, there's probably an S3 bucket. And so I'm sure all thousand people are getting one year of identity protection. I don't know.
A
Right.
Identity protection for life at this point.
B
Yeah, exactly. That's.
It's going to be like health insurance instead of, you know, like you need, you should. Well, okay, you don't have to have health insurance, but I mean, that's risky. All right, so just assuming, you know, it'd be like one of the things you always buy like. Oh yeah, no, I always get identity protection. You never know. It'll be next week, it'll be leaked out there. So even though I'm not really sure how effective identity protection is. Wasn't it the guy who had like the, the commercial. Yeah, yeah, yeah. He had the commercials about like, it was like a lifelock.
C
His social number on the ads.
D
And then he lost his identity.
B
Yeah. And then they. Someone sold his identity, coincidentally enough, which.
A
Is, I think multiple people did.
B
Yeah.
A
I think it wasn't a one time deal. I think multiple people took advantage of that. So I guess my point is it's.
D
Just asking for that to happen. You're just challenging people to.
B
Yeah, right.
D
Well, he blatantly was challenging people too. And everybody said, sure, we'll do that.
B
I bet you I can. Yeah, you put people up to a challenge, then you're all surprised when they meet it. You're like, what? No, it's never supposed to be possible.
C
Yeah, not so great a marketing ploy now, was it?
B
Yeah, exactly. No, you're right.
D
We have, I don't know if everybody read this one, but this one looked interesting about ferocious kittens.
A
Ferocious kittens.
B
I did not read this one. I think this is the only one I did not take a look at.
A
Six years of covert surveillance in Iran.
B
We were talking about what we would make our apt name like. Just thinking about, you know, this is another one of those.
D
What an awesome name for.
B
Oh yeah, and the "Enable content", that, that's actually great. Just you can't read something, "Enable content". And if you ever see that, that's "Danger, Will Robinson."
D
From July 1399.
Yeah, seems legit.
A
I mean, didn't you have email back then?
C
Yeah, back. Yeah.
A
I mean I, I, I had Prodigy in 1399. That's where my email was.
B
I do think it's kind of interesting all of these apt groups as they like get or you know, start to become successful in their like attacks and then getting, getting the dissection and that's kind of what this is about. Like, kind of what they were doing and like how that, that were using this to kind of move through, you know, without. And a lot of this stuff is already known. It's just kind of like just watching someone's playbook or watching someone's like style of attack method. And then.
A
Can I say one thing? Sorry, go ahead. If you, if you see HTTP requests going to anything PHP, anything, anything PHP at this point in like years, like it's bad. It's almost certainly bad. Like there's very few, very, very, very, very few websites that I go to and I go to a ton of websites that actually still have .php at the end of it. Usually you get a slash or whatever. Like they'll, they'll reverse proxy it, they'll have web APIs and all these little routes and stuff. Right. 1% of 1% of the sites that I go to might have PHP. And if you want any indicator of compromise, look for any requests to go to a PHP site.
D
I like that. The kitten connection. There's a lot here. This Android, they were doing a lot of different things. Telegram.
C
I mean if you have six years to do something, you're bound to do a little bit.
A
Dig in pretty deep.
B
Yeah, Nation state, unlimited budget.
A
Telegram. I played a bit with Telegram.
B
It's where all the. It's like the new IRC of hackers.
A
Except for it has, like, way more functionality than just messaging.
B
Yeah, well, that's, you know, obviously it's the better version, right? It's not like the rebirth of IRC.
A
I mean, IRC, you did have all those DFS shares or whatever, like the old, like, D something file transfers and stuff.
B
All the good old IRC days.
A
Well, like FTP.
B
Yeah, yeah, for sure, for sure. I think that's all we had for today.
D
That's a full show. We're over an hour.
B
We rocked it.
A
Have you guys. Have you guys talked about the certificate stuff at all? Anyone talked about the certificate stuff in the which one?
B
Nothing.
C
If you want a certificate, call us. We'll get you a certificate.
B
Yeah, you want a certificate? After the end of this, we'll. We'll get you guys certificates for watching this.
A
No, I know that. Active Directory Certificate Services.
B
Yeah, yeah, the one with SpecterOps. The Active Directory attack paths. You know, we have. We have. I haven't talked about that, but we should probably talk about it next episode, though. Yeah.
A
Oh, fine.
B
I haven't used an attack. Actually. I read the article and I was like, they said they have more, but I feel like I know everything I need to know already. I think we should. Let's talk about it next episode. We'll. We'll dive into it. All right, well, I think that's all we have for today. I really appreciate everybody riding along with our news articles and hanging out with us for the last hour.
D
I just realized I haven't been putting the links in the chat, but I'll have them all the. Oh, gosh.
I'll put them in. I'll put them in.
A
One job.
C
That's what happens when you go on two weeks.
D
Yeah, I was away for a week.
A
Forgot what I was doing.
Podcast: Talkin' Bout [Infosec] News
Host: Black Hills Information Security
Date: June 30, 2021
Episode Theme:
A lively and wide-ranging roundtable of industry professionals discussing the latest news, threats, and trends affecting information security. The episode covers recent security incidents, critical vulnerabilities, trends in ransomware and backup strategies, the future of zero trust, and the human side of the infosec world.
The hosts and panelists dissect notable infosec news stories from the week, blending technical insight with practical advice, OSINT-style observations, and their signature banter. Discussions range from technical breakdowns of remote storage wipes, novel ransomware delivery methods, and BIOS-level vulnerabilities, to cultural touchpoints like smart home IoT risks and the implications of John McAfee’s passing.
| Section | Timestamp |
|---|---|
| Conference Recap & Talks | 00:00-06:41 |
| Western Digital NAS Wipe Story | 06:41-11:47 |
| Backup Best Practices & Immutable Backups | 11:47-12:54 |
| Ransomware Phishing Call Centers | 12:58-19:24 |
| Dell BIOSConnect Vulnerability | 19:44-29:14 |
| Ransomware Repeat Victimization & Response | 29:32-35:02 |
| Mitigating Ransomware & Zero Trust/Least Privilege | 35:02-44:20 |
| John McAfee Passing | 45:03-45:35 |
| Texas Smart Thermostat Controls | 45:48-51:17 |
| Kerberos and SSO | 51:17-53:00 |
| Mercedes Data Breach | 53:00-55:38 |
| Ferocious Kitten APT & PHP Web Traffic | 55:38-58:47 |
| ADCS Attack Research Tease | 58:47-59:17 |
This episode delivers a comprehensive rundown of the week’s most significant infosec news, blending technical rigor with humor and pragmatic advice. The team stresses foundational security best practices while spotlighting emerging trends like zero trust, immutable backups, and the dangers of both new and legacy vulnerabilities.
If you missed the episode: This summary provides a detailed guide to the conversation, making it easy to understand what happened in the infosec world—minus the ads and digressions.
For more, catch future episodes live on YouTube at Black Hills Information Security.