Podcast Summary: Talkin' Bout [Infosec] News – 6/28/2021

Podcast: Talkin' Bout [Infosec] News
Host: Black Hills Information Security
Date: June 30, 2021
Episode Theme:
A lively and wide-ranging roundtable of industry professionals discussing the latest news, threats, and trends affecting information security. The episode covers recent security incidents, critical vulnerabilities, trends in ransomware and backup strategies, the future of zero trust, and the human side of the infosec world.

Episode Overview

The hosts and panelists dissect notable infosec news stories from the week, blending technical insight with practical advice, OSINT-style observations, and their signature banter. Discussions range from technical breakdowns of remote storage wipes, novel ransomware delivery methods, and BIOS-level vulnerabilities, to cultural touchpoints like smart home IoT risks and the implications of John McAfee’s passing.

Key Discussions and Insights

Conference Recap & Noteworthy Talks

• Panelists mention recent talks they watched, including a standout presentation by Josh Wright on applying lessons from photography to infosec careers.
  • “It was a whole talk about what he learned from becoming a photographer and how that applies. It was good. So it's a good talk.” (B, 00:09)
  • There’s a jovial recounting of technical mishaps at a virtual conference, including blue screens (03:06), accidental webcam appearances, and behind-the-scenes struggles to keep streams running.

[06:41] Western Digital My Book NAS Remote Wipe Vulnerability

• Summary:
  Western Digital My Book NAS devices were being remotely wiped worldwide due to unpatched vulnerabilities (CVE from 2018, remote code execution). This attack was likely carried out by scanning the internet for exposed devices (often thanks to UPnP) and then wiping them, potentially via unauthenticated access.
• Important Details:
  • Western Digital’s official guidance: “Unplug them from the Internet.” (07:51)
  • Discussion on whether default credentials or a true RCE were involved.
• Notable Commentary:
  • “Do you really need the RCE if you have the default password?” (A, 08:54)
  • “If you're dumb enough to put your NAS on the internet, it was just default credentials. That's not really a cve.” (B, 10:00)
• Lessons Learned:
  Importance of both on-site and off-site backups and the perils of exposing management interfaces to the internet.

[11:47] Best Practices for Backups & Backblaze Recommendations

• Advisory:
  The hosts recommend solutions like Backblaze B2 for cheap, reliable cloud backups, especially highlighting features like immutable backups that persist even in the case of ransomware. (11:47-12:41)
• Security Trend Noted:
  “RSA's new, new term, mutual backups. Immutable backups. That's all I've been hearing for like the last like five weeks since RSA is immutable backups. Ransomware, immutable backups.” (A, 12:41)

[12:58] Ransomware Call Centers & Social Engineering

• Attack Vector:
  Attackers are using fake call centers in phishing emails, luring victims to call and then social engineering them into ransomware or other fraud.
• Advice:
  • “If you have to call someone, go look at the public number for whatever the company is and call them directly and not call them from, you know, a listing from an email.” (B, 13:51)
• User Awareness Tip:
  Discussion of how attackers prey on subscription anxiety (“free trial is ending” ruses), especially targeting older populations.
• Defensive Strategy:
  Using confirmation codes and other verification steps with banks and critical service providers.
  • “You can say, hey, my confirmation code is Starry Night or whatever. Right. And so you, when you call them, you can say, please read off my confirmation code.” (A, 17:31)

[19:44] Dell BIOSConnect Vulnerability

• Summary:
  Dell’s “BIOSConnect” (part of SupportAssist) suffered from several vulnerabilities, including man-in-the-middle potential and buffer overflows that affect many systems.
• Details:
  • Attack typically requires internal access and man-in-the-middle manipulation, not a remote, easy attack.
  • “I don’t put SupportAssist on any of my systems anymore after what I learned about it working in the Enterprise.” (C, 22:22)
• Real-World Feasibility:
  The exploit is hard to weaponize at scale, more likely useful for high-value, targeted attacks.
• Red Teaming Cautions:
  • “If you're doing this as a red team, you're freaking negligent. Because this is permanent. Right? This is hard to handle and clean up.” (A, 28:16)
• Underlying Message:
  BIOS/UEFI-level attacks are gaining researcher attention, but are impractical except for highly targeted, sophisticated adversaries.

[29:32] Ransomware Repeat Victimization

• Findings:
  80% of organizations that paid ransomware were hit again, almost half by the original attacker group.
  • “Once they figured out that you would pay, guess what they did.” (B, 29:44)
• Debate:
  Should companies pay or focus resources on backups and resilience? The panel discusses the complexity and real-world hurdles of fast recovery vs. just paying to “buy back” business continuity.
  • “Show me a fast backup restore process. Give me one.” (A, 31:36)
• Critical Take:
  “We have to start finding better solutions to ransomware because backup and restore is not an easy one.” (A, 32:36)
• Statistics:
  FBI reported a 225% increase in ransomware losses in 2020 (B, 33:12).
• Satirical Spin:
  Ransomware-as-a-Subscription jokes: “Maybe the next iteration will be a subscription service where you just pay once a year.” (C, 33:54)

[35:02] Mitigating Ransomware with Technical Controls

• RACINE Defense:
  New research (by Florian Roth) on blocking ransomware by denying deletion of volume shadow copies—most ransomware dies “confused” and stops if it can’t delete VSS.
  • “98% of ransomware tries to delete the volume shadow copies, and he denied the privilege … ransomware stopped working.” (A, 35:55)
• Detection Angle:
  Identifying suspicious filename changes (e.g., mass randomization) as an early sign of ransomware activity.
• Zero Trust & Siloed Endpoints:
  • Calls for the use of Chromebooks/tablets and least-privilege endpoint strategies.
  • “Give them an OS that the attacker doesn’t expect and you will buy yourself years.” (A, 41:04)

[41:43] Zero Trust Architecture Explained

• Definitions:
  • “I would define it as BeyondCorp, what Google first put out … a model where everything's single sign on, including applications like ssh, sftp.” (A, 41:51)
  • “I'm going to decide whether you have access to that one thing or not. As opposed to just, I'm on a VPN so I can reach all of those things.” (B, 43:13)
• Actionable Advice:
  • “Turn on your host-based firewalls.” (A, 43:27)
  • Importance of centralized authentication and instant revocation for departing employees.

[45:03] John McAfee’s Passing

• Discussion:
  • John McAfee, founder of McAfee Antivirus, died by apparent suicide while awaiting extradition.
  • Mixed sentiments on his controversial legacy: “Always bad that a human passes away, but not too shooken up about it.” (A, 45:29)
  • Brief nods to his “interesting” personality in later years.

[45:48] Texas Smart Thermostat Controversy

• Issue:
  • Utility companies offering “free” smart thermostats (Nest, Ecobee) with fine print permitting the utility to change home temperatures during peak usage.
  • “People didn't realize that and wondered why it's really hot in their house.” (B, 46:43)
• User Pushback:
  • Stories of customer frustration—unable to override the utility’s changes (47:09).

[49:19] If You’re Not Paying, You Are the Product

• Maxim:
  • “If you're ever in a situation where you're not paying for a product, then you are the product.” (C, 49:19)
  • Applies to smart devices, email, and many online services.

[51:17] Kerberos and SSO (Single Sign-On) Clarification

• Technical Note:
  • Kerberos technically enables SSO, but isn’t the kind of time-limited, centrally managed, and easily revocable model preferred today.
  • “Kerberos ticket … I can take that Kerberos ticket anywhere I want.” (A, 51:39)

[53:00] Mercedes Benz Data Breach

• Incident:
  • Affected around 1,000 customers who submitted PII between 2014 and 2017. Likely due to an old S3 bucket or VM left unsecured.
  • “We just call those cloud providers now.” (C, 53:44)
• Commentary:
  • Jokes about the frequency of such incidents and the “compensation” of a year’s worth of identity protection (B, 54:06).

[55:38] Ferocious Kitten APT Analysis

• APT Name Discussion:
  • Coverage of Iranian group “Ferocious Kitten,” with commentary on how APTs get their quirky names and how many use standard, unsophisticated tactics for years undetected.
• Spotting Bad Traffic:
  • “If you see HTTP requests going to anything.php … it's bad. There’s very few … websites that I go to that actually still have .php at the end.” (A, 56:57)
• Telegram Mentioned:
  • Recognized as the “new IRC” for hackers, with more features than classic tools.

[58:47 & 59:08] Active Directory Certificate Services (ADCS) Attacks (Preview for Next Episode)

• Brief mention of new research from SpecterOps on Active Directory Certificate Services attacks (Pass-the-Cert), but panelists decide to cover it in detail next episode.

Memorable Quotes

• “If you’re ever in a situation where you’re not paying for a product, then you are the product.” (C, 49:19)
• “Criminals repeat their crimes.” (A, 30:22)
• “If you’re dumb enough to put your NAS on the internet, it was just default credentials. That’s not really a CVE.” (B, 10:00)
• “Give them an OS that the attacker doesn’t expect and you will buy yourself years.” (A, 41:04)
• “Immutable backups. That's all I've been hearing for like the last like five weeks since RSA is immutable backups. Ransomware, immutable backups.” (A, 12:41)
• “Anytime somebody wants you to call them to do something, that should probably be your red flag at this point.” (B, 15:43)
• “Do you understand what you're saying? And how hard it is to clean that up?” (A, 28:28 – on reckless red team behavior)

Other Notable Moments

• Multiple times the panel emphasizes realistic, practical security over buzzwords or bleeding-edge, high-effort attacks.
• Informal, witty banter characterizes the entire discussion, often using sarcasm to make points about security culture, user error, and incident response.
• The team closes with reminders to improve basic security hygiene (host-based firewalls, SSO, backup integrity) and preview upcoming deep-dives (ADCS attacks).

Episode Structure & Timestamps

| Section | Timestamp | |---------------------------------------------------|-------------| | Conference Recap & Talks | 00:00-06:41 | | Western Digital NAS Wipe Story | 06:41-11:47 | | Backup Best Practices & Immutable Backups | 11:47-12:54 | | Ransomware Phishing Call Centers | 12:58-19:24 | | Dell BIOSConnect Vulnerability | 19:44-29:14 | | Ransomware Repeat Victimization & Response | 29:32-35:02 | | Mitigating Ransomware & Zero Trust/Least Privilege| 35:02-44:20 | | John McAfee Passing | 45:03-45:35 | | Texas Smart Thermostat Controls | 45:48-51:17 | | Kerberos and SSO | 51:17-53:00 | | Mercedes Data Breach | 53:00-55:38 | | Ferocious Kitten APT & PHP Web Traffic | 55:38-58:47 | | ADCS Attack Research Tease | 58:47-59:17 |

Conclusion

This episode delivers a comprehensive rundown of the week’s most significant infosec news, blending technical rigor with humor and pragmatic advice. The team stresses foundational security best practices while spotlighting emerging trends like zero trust, immutable backups, and the dangers of both new and legacy vulnerabilities.

If you missed the episode: This summary provides a detailed guide to the conversation, making it easy to understand what happened in the infosec world—minus the ads and digressions.

For more, catch future episodes live on YouTube at Black Hills Information Security.