Podcast Summary: Talkin' Bout [Infosec] News – June 7, 2021
Host: Black Hills Information Security Team (John/“A”, Monopixel/"C", Dale/"D", Ralph/"B", Ryan/"E")
Overview
This episode brings the BHIS team together for their weekly roundtable on the latest infosec news and topics. Highlights include humorous (and serious) takes on ransomware (despite promising not to dwell on it), a bizarre story of a mom "pen testing" a school, the state of containers security, end-to-end encrypted messaging, password manager debates, and a legal development affecting security research. The discussion is lively, practical, and peppered with both industry insight and banter.
Key Discussion Points & Insights
1. “Pen Testing” Without Permission: The Texas Mom Incident
[01:24–06:26]
- Story Recap: A Texas woman posed as her 13-year-old child and spent a whole day at her daughter’s middle school – unauthorized, under the premise of “testing security.”
- Takeaways:
- Physical pen testing without permission is illegal and just trespassing.
- Having a point about insecurity doesn't pardon illegal entry; proving a school isn't safe by breaking in doesn't provide new insights, as physical ingress is almost always possible.
- The damage from determined attackers can’t always be prevented; proper reaction and response are more realistic goals.
- The podcast team jokes about how the woman might have reacted if the school had forcibly removed her (turning the story to “police brutality”).
- “This is someone who is looking for attention, and she got it, and we're giving it to her.” — John (A) [05:08]
- Security Industry Reflection: Even with authorization, misunderstandings of intent or law can land testers in trouble — always get thorough sign-offs.
2. First Malware Targeting Windows Containers
[06:26–10:40]
- Headline: Malware is now targeting Windows containers—compromising Kubernetes and exploiting misconfigurations.
- Insights:
- Containers, especially Kubernetes, are not security barriers — they're for managing dependencies, not inherently for security.
- "When you're running a container, it's just kind of like an isolated process. Like it's not really. It's not a security construct, okay?" — Monopixel (C) [07:08]
- Most container risks come down to bad configuration, particularly permissions (many Docker containers run as root).
- The issue isn't new vulnerabilities, but old practices: attackers use familiar post-exploitation steps inside containers, just as on regular hosts.
- There’s a recurring myth that new tech—cloud, Linux, virtualization—equals better security by default. It doesn’t.
- "You actually have to have a plan. You need to have the technology, need to have the architecture, need to have the process and procedures to support that, to actually make it secure." — John (A) [08:45]
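An added example, not from the episode or BHIS: a small Python audit of a Kubernetes pod manifest for the permissive settings the hosts describe (running as root, privileged mode, writable root filesystem, host namespaces). The manifest, image names and container names are constructed for the example.

```python
import json

# Constructed sample pod (not from the episode): "app" uses the typical permissive
# defaults plus privileged mode; "sidecar" shows the hardened settings.
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "web"},
  "spec": {
    "hostPID": true,
    "containers": [
      {"name": "app", "image": "example/app:1.0",
       "securityContext": {"privileged": true}},
      {"name": "sidecar", "image": "example/sidecar:1.0",
       "securityContext": {"runAsNonRoot": true, "runAsUser": 1000,
                           "allowPrivilegeEscalation": false,
                           "readOnlyRootFilesystem": true,
                           "capabilities": {"drop": ["ALL"]}}}
    ]
  }
}
""")


def audit_pod(pod):
    """Return (container, finding) pairs for settings that make a container
    a weaker boundary than people tend to assume. Container-level
    securityContext overrides pod-level values, as in Kubernetes itself."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(("pod", f"{key} shares a host namespace"))
    for c in spec.get("containers", []):
        sc = {**pod_sc, **c.get("securityContext", {})}
        name = c["name"]
        if sc.get("privileged"):
            findings.append((name, "privileged container (effectively host root)"))
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append((name, "runs as root (no runAsNonRoot/runAsUser)"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation not set to false"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((name, "root filesystem is writable"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append((name, "capabilities not dropped"))
    return findings


if __name__ == "__main__":
    for target, finding in audit_pod(SAMPLE_POD):
        print(f"{target}: {finding}")
```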
3. Ransomware: Why We’re Still Talking About It
[10:40–22:27]
- Context: Multiple organizations hit in recent headlines (JBS Foods, unidentified news stations, etc.).
- Team’s Perspective:
- Ransomware now targets “soft” targets (schools, small municipalities), not just corporations.
- Even attackers sometimes “land” on high-value targets by accident, due to interconnected networks.
- “It was a Bogo event, right?” — Monopixel (C) [12:29]
- The hosts mock attackers’ dismay at government intervention: "Why are governments getting involved with our illegal activities? This is a mystery to us."—John (A) [12:36]
- On Proposed Legislation Banning Ransom Payments:
- The team agrees that outlawing ransom payments is unlikely to deter attackers, and would push things underground or make victims doubly trapped.
- “Now, who's holding me ransom here? Is it...the criminals...or is it my own government...saying I can't pay this? Either way, I'm out of business.” — Dale (D) [15:39]
- “There's awesome precedent in governments setting up laws to punish victims. That always works.” — John (A) [16:02]
- The real solution is for organizations to start implementing security basics (strong passwords, two-factor authentication, patching, etc.).
- “A lot of these [mitigations] aren’t rocket science to take care of.” — John (A) [16:11]
- Security teams are often ignored in favor of flashy vendor solutions; ransomware could be the “kick” that forces change.
4. Legal News: The Van Buren CFAA Ruling
[22:27–24:41]
- Summary: The Van Buren Supreme Court decision narrows the scope of the Computer Fraud and Abuse Act (CFAA) to protect some security research.
- “Van Buren is a victory against overbroad interpretations of the CFAA and protects security researchers.” — Ralph (B) [22:32]
- Takeaways:
- Security researchers still need to be cautious, as laws remain “gray” and local interpretations/charges may differ.
- EFF is available to help if you run into legal issues as a researcher.
5. Microsoft Teams Adds End-to-End Encryption
[24:43–29:36]
- News: Teams will soon offer end-to-end encryption for 1:1 voice calls (not group/video calls yet, and only on desktop/mobile, not web).
- Background: Many users mistakenly believed Teams already had end-to-end encryption.
- “SSL is not end-to-end encryption. That's not how that works.” — Monopixel (C) [26:27]
- Service providers (Slack, Discord, Teams, etc.) can read/search your messages unless real end-to-end encryption is implemented.
- Caveats:
- Features are limited compared with other secure chat apps like Keybase, Telegram, etc.
- End-to-end encryption doesn’t eliminate usability features, but it complicates bots, search, and predictive features.
- “Just be smart about what you say in what channel.” — Ralph (B) [28:12]
6. Are Password Managers Safe? — Blog Debated
[29:35–38:15]
- Background: Discussion about Tavis Ormandy's blog, which questions the security of many password managers, especially third-party options.
- Highlights:
- Tavis seems to hint at forthcoming vulnerabilities.
- He suggests built-in browser managers (e.g. Chrome, Firefox) are at least as secure, if not safer than third-party ones, due to stricter sandboxing and stronger security teams.
- Major convenience of password managers: device sync, unique and long passwords.
- All password stores are vulnerable if your machine is compromised; browser managers and tools like KeePass can be compromised via extracting secrets from memory.
- Notable Quotes:
- “What is your threat model, right? Is it someone on your system?...Because does using the browser password manager protect you from someone compromising your system?...It does not. I can tell you that for a fact.” — Monopixel (C) [37:35]
- "You just start writing all your passwords in a little book...locked in a box." — Ryan (E) [38:08]
- Practical Advice:
- No 100% solution—best practices still apply (unique, long passwords; 2FA; careful with browser sync; know your own risk model).
- Even recommended tools like KeePass have well-known master-key extraction methods.
Notable & Humorous Moments
- On why management ignores internal security:
- “Listening to you, IT security people, is their last possible choice that they want to choose.” — John (A) [19:03]
- Password-sharing security best practices:
- "Right now if I want to send something super encrypted, I'll send it PGP over carrier pigeon." — Ryan (E) [30:16]
- On password manager paranoia:
- “Forget password managers, you use TikTok.” — Monopixel (C) [35:36]
Timestamps for Important Segments
| Segment | Topic/Insight | Timestamp |
|---|---|---|
| Texas Mom “Pen Test” Incident | Physical security, legal/ethical boundaries | 01:24–06:26 |
| Windows Containers Malware | Technical deep-dive, mythbusting containers | 06:26–10:40 |
| Ransomware Discussion | Attacks, legislation, root causes | 10:40–22:27 |
| Van Buren CFAA Ruling | Impact for security researchers | 22:27–24:41 |
| Teams End-to-End Encryption | Messaging security, user misconceptions | 24:43–29:36 |
| Password Manager Debate | Security models, practical recommendations | 29:35–38:15 |
Final Thoughts
- The hosts anticipate further ransomware discussion (“we’re going to fix ransomware this week!” [41:01]) and sign off with their trademark blend of biting honesty and humor.
- Next episode will follow the Reno Way West Hacking Fest, with a brief hiatus in the weekly schedule.
Summary produced by Podcast Summarizer AI — capturing the practical infosec wisdom and wit you missed, so you don’t have to listen at 1.5x!