Podcast Summary: Talkin' Bout [Infosec] News – 7/28/2021
Podcast: Black Hills Information Security
Hosts: John Strand, Ralph, Ryan (and regular guest Noah)
Date: July 28, 2021
Episode Theme:
A lively weekly roundtable on recent infosec news, focusing this time on major Microsoft vulnerabilities, reflections on the Kaseya ransomware saga, authentication flaws, issues with legacy technology, ransomware economics, legal humor, and the quirks of security culture.
Main Topics Covered
- PetitPotam ("Petty Potum") Attack: NTLM Relay Against Windows AD Certificate Services
- SeriousSAM Vulnerability in Windows 10/11
- Kaseya Ransomware Attack: How Did They Get the Key?
- Password Cracking & the Persistence of Credentials
- Ransomware Payments, Rebranding, and Legal Nonsense
- Security Culture, Humor, and Industry Musings
Detailed Breakdown
1. Warm-up Banter & Intros
The episode begins with classic BHIS banter: jokes about YouTube algorithms, playful ribbing about firing cohosts, and stories about old plaid shirts making their rounds in the hacker community.
"He's like Wesley and the Dread Pirate Roberts. It's a constant. Very well done, Ryan. I'm very likely might fire you tomorrow if you do something wrong."
— John Strand [02:50]
2. PetitPotam ("Petty Potum") Attack Discussion
[04:00–13:42]
What is PetitPotam?
A new NTLM coercion-and-relay technique against Windows: it forces a host to authenticate to the attacker, and relaying that authentication to a weakly configured Active Directory Certificate Services (AD CS) enrollment endpoint leads to domain compromise.
Deep Dive into the Vulnerability
- NTLM Authentication: The hosts explain the old LAN Manager (LM) protocol and NTLM and their long-standing weaknesses: the challenge-response contains nothing that binds it to the server the client meant to reach (NTLMv1 carries no timestamp at all), the underlying hashes are weak and unsalted, and an authentication captured in transit can be replayed against another service, i.e. relayed.
- Attack Mechanics:
- A typical NTLM relay starts by getting a victim to authenticate to the attacker's machine (Responder is the usual tool for provoking and capturing those authentications); the captured challenge-response is then either cracked offline or forwarded live to another service.
- PetitPotam takes this further: through the MS-EFSRPC interface it coerces a domain controller into sending its own machine-account authentication (the DC's computer account, not a user) to the attacker, who relays it to the AD CS web enrollment endpoint and requests a certificate for that account. The certificate authenticates as the domain controller, which is enough to pull every account's password hash out of the directory, yielding control over the domain.
- Barriers/Requirements:
- Certificate Authority web enrollment must be installed and reachable over HTTP, accepting NTLM without Extended Protection for Authentication (channel binding).
- Relaying an authentication back to the host it came from has been blocked since MS08-068, but relaying it to a different system (the CA) is possible.
"If we can elicit the domain controller to send the computer’s hash, we can then relay that to something else…like the certificate authority in the domain and request a certificate. Game over."
— Ralph [11:15]
Broader Concerns
- Increasingly, infosec vulnerabilities are architectural and not just memory corruption or simple bugs.
- Fixing architectural attacks is slow because vendors often wait for proof-of-concept exploits before patching (per "Josh Wright's Law").
"These zero days quickly become forever days because people don’t shut things like NTLM down. These things just continue to lurk..."
— John Strand [17:17]
Mitigations
- Disabling NTLM and enforcing SMB signing is strongly advised, along with hardening AD CS itself (require Extended Protection for Authentication on the web enrollment site, disable HTTP enrollment, or block NTLM on the CA), but adoption remains low due to legacy software and inertia.
- Microsoft’s slow response to disabling vulnerable services by default frustrates the security community.
"We've been telling organizations to shut that off. Eventually, a decade and a half later, we'll get around shutting down NTLM."
— John Strand [16:22]
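The relay described under Attack Mechanics, and the channel-binding mitigation mentioned under Mitigations, as an added example that is not code from the podcast, from BHIS or from any real tool: a Python model of the NTLMv2 exchange between a coerced domain controller account, an attacker in the middle, and a stand-in for the AD CS web enrollment endpoint. The NT hash (MD4 over the UTF-16LE password) and the NTLMv2 HMAC-MD5 computation follow MS-NLMP; the host names (DC01$, CA01, CORP), the machine-account password, the simplified blob layout, the fake timestamp and the channel-binding stand-in (MD5 over a made-up certificate hash) are constructed assumptions. It shows that the client signs only what the server sent it, so a forwarded challenge yields a response the real server accepts, and that once the server requires Extended Protection for Authentication it checks for a binding to its own TLS session, which neither an SMB-originated nor an attacker-terminated authentication can supply.

```python
"""Toy model of the PetitPotam NTLM relay and of the channel-binding (EPA) mitigation.
Added example, not code from the podcast, BHIS or any real tool: NT hash and NTLMv2
HMAC-MD5 follow MS-NLMP; host names, the machine-account password, the simplified
blob layout and the channel-binding stand-in are constructed assumptions."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF

def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 ships MD4 only in its legacy provider."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    return _md4(password.encode("utf-16-le"))  # unsalted: same password, same hash, everywhere

def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def channel_binding(tls_cert_hash):
    """EPA stand-in: the client binds its response to the TLS server certificate it sees.
    An SMB channel (what MS-EFSRPC coercion produces) has no TLS, hence an all-zero binding."""
    return b"\x00" * 16 if tls_cert_hash is None else hashlib.md5(b"tls-server-end-point:" + tls_cert_hash).digest()

def ntlmv2_response(key, server_challenge, target_info, binding):
    """NTLMv2_RESPONSE = NTProofStr || temp. The client signs only what the server handed
    it (challenge + target info); nothing here names the server the client meant to reach."""
    av = target_info + struct.pack("<HH", 0x000A, 16) + binding + b"\x00" * 4  # ChannelBindings, EOL
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 132_000_000_000_000_000)  # fake FILETIME
            + os.urandom(8) + b"\x00" * 4 + av)
    return hmac.new(key, server_challenge + temp, hashlib.md5).digest() + temp

def av_pairs(temp: bytes) -> dict:
    pairs, pos = {}, 28  # 2 version + 6 reserved + 8 timestamp + 8 client nonce + 4 reserved
    while True:
        av_id, av_len = struct.unpack_from("<HH", temp, pos)
        if av_id == 0:
            return pairs
        pairs[av_id] = temp[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len

class CertSrvWebEnroll:
    """Stand-in for the AD CS web enrollment endpoint (/certsrv), the relay target."""
    def __init__(self, nt_hashes: dict, require_epa: bool):
        self.nt_hashes, self.require_epa = nt_hashes, require_epa
        self.cert_hash = os.urandom(32)  # constructed: hash of this CA's TLS certificate
        name = "CA01".encode("utf-16-le")
        self.target_info = struct.pack("<HH", 0x0001, len(name)) + name  # MsvAvNbComputerName

    def challenge(self):
        return os.urandom(8), self.target_info

    def accept(self, user, domain, server_challenge, response) -> bool:
        proof, temp = response[:16], response[16:]
        key = ntowf_v2(self.nt_hashes[(user, domain)], user, domain)
        if not hmac.compare_digest(proof, hmac.new(key, server_challenge + temp, hashlib.md5).digest()):
            return False
        # EPA: the binding inside the signed blob must match THIS TLS session. A relayed
        # (attacker-terminated) or SMB-originated authentication cannot satisfy that.
        if self.require_epa and av_pairs(temp).get(0x000A) != channel_binding(self.cert_hash):
            return False
        return True

DC_NT = nt_hash("c0rp-DC01-machine-pw")  # constructed machine-account password for DC01$

def attempt(require_epa: bool, relayed: bool, coercion_over_tls: bool = False) -> bool:
    """relayed=True: the attacker coerces DC01$ to authenticate to it (over SMB, or over
    attacker-terminated TLS if coercion_over_tls) and forwards the exchange to CA01.
    relayed=False: DC01$ enrolls with CA01 directly over TLS. Returns whether CA01 accepted."""
    ca = CertSrvWebEnroll({("DC01$", "CORP"): DC_NT}, require_epa)
    chal, tinfo = ca.challenge()  # when relayed, this is the attacker's own session to /certsrv
    if relayed:
        peer_cert = os.urandom(32) if coercion_over_tls else None
    else:
        peer_cert = ca.cert_hash
    resp = ntlmv2_response(ntowf_v2(DC_NT, "DC01$", "CORP"), chal, tinfo, channel_binding(peer_cert))
    return ca.accept("DC01$", "CORP", chal, resp)
```

`attempt(False, True)` is the PetitPotam outcome: the CA accepts the relayed DC01$ authentication. `attempt(True, True)` and `attempt(True, True, True)` are refused because the blob carries no binding (SMB) or the attacker's binding (TLS), while `attempt(True, False)` shows a legitimate enrollment still works with EPA required. The model omits the MS08-068 check that blocks relaying back to the originating host; that check lives in Windows, not in the protocol, which is why a different target (the CA) is still reachable.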
3. SeriousSAM: The Local Privilege Escalation in Windows 10/11
[19:02–25:49]
What is SeriousSAM?
- Abuses overly permissive access control lists on the registry hive files under %windir%\System32\config, present in Windows 10 builds from version 1809 onward (CVE-2021-36934, also known as HiveNightmare): the live SAM file is locked, but a non-privileged user can read the copy of it inside a Volume Shadow Copy.
Attack Mechanics
- Requires an existing Volume Shadow Copy to read from, which means System Protection (restore points) must be on; the hosts note this is the default only on drives of 128 GB or more, where there is room for shadow storage.
- With the SAM hive, the SYSTEM hive (whose boot key is needed to decrypt it) and the SECURITY hive in hand, an attacker obtains every local account's password hash plus cached domain credentials and DPAPI secrets, and escalates to local administrator.
Mitigation & Impact
- Using Microsoft's LAPS (Local Administrator Password Solution) can help, but many orgs leave auxiliary privileged accounts exposed.
- Microsoft was expected to patch; the interim workaround is to restore ACL inheritance on the hive files (icacls %windir%\system32\config\*.* /inheritance:e) and delete existing shadow copies, and the panel notes the familiar cycle of reactive defense.
"If your organization has other services that install an administrative...account...then we gain access to those password hashes using SeriousSAM."
— John Strand [22:05]
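The two conditions above (a readable hive ACL and a shadow copy to read it from) turned into an offline triage check, as an added example that is not code from the podcast or from Microsoft: it parses the output of `icacls` on the SAM hive and of `vssadmin list shadows`, decides whether ordinary users can read the hive and whether a shadow copy exists, lists the paths a non-admin would open, and returns Microsoft's documented workaround (restore inheritance, then delete existing shadow copies). The command output embedded in the block is constructed to match the real formats; the host name and volume GUIDs are made up.

```python
"""Offline triage for SeriousSAM / HiveNightmare (CVE-2021-36934) from the output of two
built-in Windows commands: `icacls` on the SAM hive and `vssadmin list shadows`.
Added example, not code from the podcast or from Microsoft. The command output below is
constructed to match the real format; host and volume identifiers are made up."""
import re

HIVES = ("SAM", "SECURITY", "SYSTEM")
# Principals every local user holds; none of them should be able to read the hives.
LOW_PRIV = (
    "BUILTIN\\Users",
    "APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES",
    "APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES",
)
READ_RIGHTS = {"F", "M", "RX", "R", "RD"}  # simple rights, plus RD from a specific-rights list

# Constructed: `icacls C:\Windows\System32\config\SAM` on an affected Windows 10 build.
ICACLS_VULNERABLE = r"""C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed: the same file after `icacls %windir%\system32\config\*.* /inheritance:e`.
ICACLS_FIXED = r"""C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed: `vssadmin list shadows` with one restore-point shadow copy present.
VSSADMIN = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Contents of shadow copy set ID: {4b6e7c10-1111-4222-8333-444455556666}
   Contained 1 shadow copies at creation time: 7/20/2021 9:41:12 AM
      Shadow Copy ID: {9f1d2a30-7777-4888-8999-aaaabbbbcccc}
         Original Volume: (C:)\\?\Volume{7a0b1c2d-0000-0000-0000-100000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WS01.corp.example
         Type: ClientAccessibleWriters
"""

def parse_icacls(text: str) -> dict:
    """Return {principal: [rights tokens]} from icacls output. The first line carries the
    file path before the first ACE (assumes the path itself contains no spaces)."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if lines and re.match(r"^[A-Za-z]:\\", lines[0]):
        lines[0] = lines[0].split(" ", 1)[1]
    aces = {}
    for ln in lines:
        m = re.match(r"^(.+?):((?:\([A-Z,]*\))+)$", ln.strip())
        if m:
            aces[m.group(1)] = re.findall(r"\(([A-Z,]*)\)", m.group(2))
    return aces

def grants_read(rights) -> bool:
    return any(tok in READ_RIGHTS for r in rights for tok in r.split(","))

def exposed_to_low_priv(aces: dict) -> list:
    """Low-privilege principals that can read the hive."""
    return [p for p in LOW_PRIV if grants_read(aces.get(p, []))]

def shadow_copy_volumes(vssadmin_text: str) -> list:
    return re.findall(r"Shadow Copy Volume:\s*(\S+)", vssadmin_text)

def readable_hive_paths(volumes) -> list:
    """What a non-admin opens when the ACL is wrong: the hives inside each shadow copy
    (the live files are locked, the copies are not)."""
    return [f"{v}\\Windows\\System32\\config\\{h}" for v in volumes for h in HIVES]

def triage(icacls_text: str, vssadmin_text: str) -> dict:
    exposed = exposed_to_low_priv(parse_icacls(icacls_text))
    vols = shadow_copy_volumes(vssadmin_text)
    return {
        "acl_exposed_to": exposed,
        "shadow_copies": vols,
        "readable_hives": readable_hive_paths(vols) if exposed else [],
        "exploitable_now": bool(exposed) and bool(vols),
        # Microsoft's published workaround: restore inheritance on the hive files, then
        # remove shadow copies that still carry the old ACL (this also deletes restore
        # points, so make that a conscious decision).
        "workaround": [r"icacls %windir%\system32\config\*.* /inheritance:e",
                       "vssadmin delete shadows /for=c: /all /quiet"] if exposed else [],
    }
```

Feed it real output from a host (`icacls C:\Windows\System32\config\SAM` and `vssadmin list shadows`, both runnable as a standard user) instead of the constructed samples; a result with `exploitable_now` true means the hives are readable right now, and one with an exposed ACL but no shadow copies means a single restore point or Windows Update will make them so.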
4. Kaseya Ransomware Saga: How Did They Get the Key?
[30:31–41:47]
The panel speculates (with dark humor) about how Kaseya got the universal decryptor for their global ransomware incident:
- Theories range from:
- A suitcase/USB drive falling off a truck near HQ
- The attackers just feeling generous
- Secret negotiations via an intermediary
- Presidential intervention (Biden calls Putin: "We're tired of this malarkey. Give us the key.")
- Most likely: Kaseya paid a lower negotiated ransom
"Usually money…they were probably like, you know, I know you're asking for...$70 million. How about we pay five and we call it a day? And, like, sure, here's the key."
— John Strand [32:39]
Ransomware Gangs "Disbanding"
- Panel notes that REvil and DarkSide shut down their sites and "disbanded" (but are likely just rebranding to avoid heat and relaunch operations).
Kaseya Forcing NDAs on Affected Customers
- Kaseya required customers to sign non-disclosure agreements (NDAs) before giving them the decryptor; panel strongly criticizes this as both futile and unethical.
"Anytime you're in a conversation, they're like, 'we're gonna help you out, but you need to sign this NDA'–that means something, man."
— Ralph [35:59]
- John points out NDA gag orders on breached customers probably aren't even legally enforceable due to the Consumer Fairness Protection Act.
5. Password Cracking, Hashes, and Rainbow Tables
[27:09–30:07]
- Stored LM and NT hashes are unsalted, so identical passwords produce identical hashes across users and machines and precomputed (rainbow) tables still work; a Net-NTLMv2 challenge-response captured on the wire is effectively salted by the challenge and has to be brute-forced per capture, which is still cheap for short passwords.
- In practice, modern attackers prefer raw compute via GPUs and advanced cracking tools (Hashcat, John the Ripper) using smart dictionary and mangling attacks.
"An eight-character NTLM hash stands no chance nowadays, especially in a brute-force scenario."
— Ralph [28:23]
- Long passwords do help, but people’s phrase-based choices can undermine intended protection.
6. Ransomware: Payments, Refunds, and Support Nightmares
[41:08–43:54]
- Victims that had already paid ransoms before Kaseya got the universal decryptor are questioning if they can get "refunds" from the criminal gangs.
- Panel jokes about ransomware gangs having to handle customer service, returns, and complaints, adding stress to their criminal "careers."
"I can understand why the REvil gang shut down: I don't want to support this crap. I don't want people contacting me being like, 'hey, can I get a refund?'"
— John Strand [41:32]
7. Legal and Industry Humor
[43:23–46:45]
- Discussion around the futility of suing big tech companies or domain squatters—legal action almost always favors those with deeper pockets.
"If you got to be careful about who you take advice from...if you're taking advice from attorneys that are like, 'you can totally win this, Ralph!', what they mean is, 'you have a lot of money, Ralph.'"
— John Strand [46:01]
- Comparison between legal extortion and ransomware—both just want your money, after all.
8. Industry Musings & Petty News
[47:53–53:13]
- Microsoft’s recurring security headaches; lamenting the cycle of patch-after-patch and industry inertia.
- Light-hearted detour on Jeff Bezos’ cowboy hat and astronaut status post–space trip.
"I hate that jackass has ruined cowboy hats and cowboy boots for me."
— John Strand [48:07]
- On banning cryptocurrency to stop ransomware: “You can use anything as currency—even spam in Hawaii.”
— John [50:44]
- Final banter about malware/tool naming conventions—why the next C2 framework should just be called “Random Crap.”
Notable Quotes & Timestamps
- On Modern Vulnerabilities:
"You see these vulnerabilities getting more complicated and inversely what happens is the likelihood of organizations to actually patch and deal with those vulnerabilities starts to go down..."
— John Strand [13:42]
- On Closing Out the Kaseya Story:
"If Biden was able to make a phone call to Vladimir Putin and get the key personally, there's no freaking way politically...they’re walking around town waving the key around. ‘Look what I got you!’"
— John Strand [40:22]
- On Passwords:
"Passwords are fun. I think passwords are going to be here for a while. I know we've had a couple shows where people are like, oh, passwordless society. It's like, I don't think so."
— John Strand [30:07]
- On Security Morale:
"This whole episode was gallows humor. People are like, why are you laughing about this? Because sometimes it's literally the only way we can."
— John Strand [51:10]
Key Takeaways
- Architectural attacks on authentication in Windows are difficult to patch and likely to persist for years in legacy-fraught networks.
- Old, insecure protocols (NTLM, LM) carry major risk, yet remain enabled in countless environments.
- Ransomware economics are complex, and incident response is muddled by negotiation secrecy, legal nonsense, and the endless cycle of criminal "rebranding."
- The panel calls for aggressive action and change, both technical (disabling old protocols) and cultural (better, longer passwords, faster patching, less inertia).
- Security community uses humor and candor to cope with unending industry challenges.
If You Only Listen To...
- [04:00–14:00] — Deep technical breakdown of PetitPotam relay attacks.
- [19:00–25:30] — SeriousSAM Windows vulnerability and why patch cycles drag out.
- [30:30–41:50] — The full Kaseya ransomware decryption key saga and industry commentary on incident response.
- [43:30–46:45] — Legal realities of infosec and domain disputes, with real-world war stories.
- [50:00–51:30] — Sharp critique of anti-crypto logic in ransomware debate.
Tone:
Conversational, irreverent, technical-but-accessible, with lots of infosec insider humor and healthy skepticism for authority (legal or technical).