Podcast Episode Summary
Podcast: Talkin' 'Bout [Infosec] News
Host: Black Hills Information Security
Episode: Talkin' About Infosec News - 7/6/2021
Date: July 12, 2021
Overview:
This lively episode features the Black Hills Information Security (BHIS) crew and friends dissecting the most significant stories in infosec from the previous week, focusing heavily on ransomware trends, cyber liability insurance, and recent notable vulnerabilities (especially Kaseya and PrintNightmare). The conversation blends deep expertise, industry insights, and a dose of humor, all while delving into the evolving threats and responses within cybersecurity.
Main Discussion Topics & Insights
1. Ransomware Readiness & CISA's New Tools
[02:32 - 06:14]
- CISA released its Ransomware Readiness Assessment (RRA), a new module for the Cyber Security Evaluation Tool (CSET), to help organizations gauge how prepared they are for a ransomware attack.
- Skepticism that these tools are "a gateway drug" for security: they may mostly help organizations that are already paying attention rather than the truly vulnerable ones.
- Quote: "The answer to that question is literally what we've been telling people to do in the world of computer security for the past 20 years." — Host [02:55]
- Focus on whether such self-assessment tools actually empower small and medium businesses or simply reinforce the echo chamber.
- Quote: "Is it actually going to be helping the people that we need to be reaching out to?" — Host [05:42]
- Historical Parallels: Nostalgia about "white hat" worms from early 2000s, but with acknowledgment that today's threat actors are financially motivated criminal organizations, not hobbyists.
2. The Economics & Pragmatics of Ransomware and Negotiation
[07:27 - 14:49]
- Ransomware actors operate like businesses, offering "customer support" to facilitate payments.
- Ransomware negotiation is now a specialized skill in the industry, with professional brokers cultivating relationships with the criminal groups and justifying their fees by how much they "save" victims.
- Quote: "So what do you do here? Well, I'm a ransomware negotiator." — Panelist [14:20]
- Quote: "Would that lower the insurance rates for a company if they actually had a full-time negotiator?" — [14:27]
- Insight: Ransomware demands are set against cyber-insurance policy limits; attackers know the coverage ceiling and aim for it.
- Observation: Insurance companies are changing how they operate—limiting policies, increasing premiums, or requiring specific pen testing, sometimes offering assessment services themselves.
3. Cyber Liability Insurance: The Shifting Landscape
[08:32 - 19:33]
- Cyber insurance premiums projected to increase by about 32%.
- Insurance companies are struggling to model or predict breach likelihood and scale; traditional actuarial models have been outpaced by the rapidly evolving threat landscape.
- Quote: "They set up all these different formulas and all these things, and they're like, this is what we should charge... And then 2021 hit. And it was like, oh, our math was way off on this." — Host [08:32]
- Insurers increasingly require more prescriptive security measures, sometimes conducting their own assessments, not trusting third parties.
- The panel notes echoes of past compliance schemes (e.g., PCI) and fears the development of similar security "rackets" driven by insurance demands.
4. Printer Vulnerabilities: PrintNightmare
[20:48 - 29:44]
- Discussion of the then-recent remote code execution vulnerability in the Windows Print Spooler service.
- The patch available at the time did not fully fix the issue, so most workarounds amounted to disabling the Print Spooler service altogether, which many organizations cannot realistically do ("Burn printers to the ground" — Host [21:22]).
- The panel reflects on the evolution of exploit types: from technical buffer overflows to business logic errors, noting that "95% of attacks" are still users clicking malicious links, despite advances in hardware-level security.
- Quote: "It's almost like you have these parallel paths...then it’s like, nope, somebody just ran this random driver..." — Host [24:45]
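The mitigation the panel describes is blunt: if the spooler cannot be patched effectively, turn it off. The PowerShell below is an added example, not code from the episode or from BHIS, showing how an administrator would inventory a host's spooler exposure before taking that step. The function names `Get-SpoolerExposure` and `Disable-SpoolerService` are this example's own; it assumes a Windows host with the PrintManagement module, an elevated shell, and reads the registry value behind the "Allow Print Spooler to accept client connections" Group Policy, which Microsoft documented as a workaround for the spooler flaw.

```powershell
# Added example (not from the episode): inventory Print Spooler exposure on a
# Windows host and, optionally, apply the blunt mitigation discussed above.
# Run from an elevated PowerShell session. This is a host-level workaround,
# not a substitute for applying the vendor patch.

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $shared = @()
    if ($svc -and $svc.Status -eq 'Running') {
        # Shared printers mean this box acts as a print server; disabling the
        # spooler here breaks printing for every client that maps to it.
        $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared)
    }
    # Group Policy "Allow Print Spooler to accept client connections" is stored
    # here; a value of 2 means inbound remote printing is disabled.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $remoteRpc = (Get-ItemProperty -Path $polKey -Name RegisterSpoolerRemoteRpcEndPoint `
                  -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SpoolerStatus      = if ($svc) { $svc.Status } else { 'NotInstalled' }
        SpoolerStartupType = if ($svc) { $svc.StartType } else { $null }
        SharedPrinterCount = $shared.Count
        RemoteRpcDisabled  = ($remoteRpc -eq 2)
    }
}

function Disable-SpoolerService {
    # The "burn it to the ground" option: stop the service and keep it from
    # starting again on reboot. Refuse if this host serves printers to others.
    $state = Get-SpoolerExposure
    if ($state.SharedPrinterCount -gt 0) {
        throw "Refusing: $($state.SharedPrinterCount) shared printer(s) are served from this host."
    }
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Get-SpoolerExposure
}

Get-SpoolerExposure | Format-List
# Disable-SpoolerService   # uncomment on hosts that never need to print
```

On a domain-joined fleet the same inventory is worth running over WinRM before any mass change, precisely because of the "half the server infrastructure" story the hosts tell later in the episode: the hosts that are print servers are the ones that will hurt.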
5. Supply Chain Attacks & Kaseya Breach
[31:32 - 39:10]
- Kaseya VSA attack is dubbed "perhaps the world's largest ransomware attack" (Host [00:24]), even "bigger than SolarWinds" [31:58].
- The crew sympathizes with Kaseya, noting that being a ransomware victim is more the rule than the exception.
- The attacks likely had accidental, opportunistic beginnings, not necessarily master-planned—supply chain connections can be exploited through "dumb luck."
- Quote: "It's not that hard to, after you break into one, kind of break it into the next one." — Panelist [35:12]
- Sidebar: Many deeply embedded supply chain firms (Akamai is cited) are not household names but are effectively critical infrastructure.
- Notable: The exploited Kaseya vulnerability was reportedly privately reported and nearly patched before the attack happened, reflecting challenges in vulnerability disclosure and patch timing.
6. Miscellaneous News Headlines
- .NET Core Remote Code Execution: Brief mention of an RCE vulnerability; reminder to patch systems that use the affected packages. [42:01 - 42:48]
- Intuit (TurboTax) sharing payroll data with Equifax [42:54 - 48:02]:
- Panel pushes back on lack of user consent and the ongoing problems with data brokers (especially Equifax, given their 2017 breach).
- Joke: "They should have just X'd out the Equifax and said devil. Just with the devil." — Panelist [43:08]
- Repeated frustration with the state of consumer data privacy in America, lack of GDPR-like laws, and the credit industry's self-serving business models.
- Open Source Software – Audacity "Spyware" Controversy [52:04 - 54:43]:
- Audacity was acquired by another company, which added telemetry and age-related terms to the license that users found objectionable.
- Immediate open-source response: Conversations about forking to keep the software clean.
Notable Quotes & Memorable Moments
- On ransomware "Groupon" discounts: “Are you literally calling this like the ransomware groupon? It's like if everyone gets together, we're gonna drop the price from 70 million to 50 million.” — Host [07:27]
- On ransomware negotiations as a job: “So what do you do here? Well, I'm a ransomware negotiator.” — [14:20]; “Would that lower the insurance rates for a company if they actually had a full-time negotiator?” — [14:27]
- On security automation: “People wonder why people in security drink.” — Host [30:40], after a story of sysadmins clicking the 'Remediate' button that crashed half the server infrastructure after being told not to.
- On compliance rackets: “The whole idea of PCI ASV, and I say it's a racket, because it is.” — Host [17:10]
- On the scale of supply chain risk: “There’s a ton of firms out there that...give you a security scorecard and they’re like, well, Black Hills Information Security has these four vulnerable servers, we’re giving them a D minus on their security...by what their mail records are configured to.” — Host [34:31]
- On credit monitoring: “Oh, my credit monitoring expired and I go to the like folder labeled credit monitoring. Pull out the next page, like, oh, here's a code. Let's see if this one works.” — Panelist [47:04]
- On open source “betrayal”: “It's kind of the gross side of when you take this open source software and then kind of like buy the name and then start maintaining it and then just start to, you know, to your own bidding.” — Panelist [53:06]
Key Timestamps & Segments
- [00:24] — Episode theme: Ransomware, cyber insurance, Windows exploits, Kaseya
- [02:32 - 06:14] — CISA’s ransomware readiness assessment debate
- [07:27 - 14:49] — Ransomware negotiation as a profession; attacker “customer service”; insurance pricing
- [19:33 - 20:41] — The specter of new compliance standards driven by cyber insurance
- [20:48 - 29:44] — PrintNightmare vulnerability: technical details, business logic flaws, and the persistence of “classic” vuln types
- [31:32 - 39:10] — Kaseya VSA breach: scale, supply chain discussion, disclosure timelines
- [42:54 - 48:02] — Intuit/Equifax data sharing, privacy woes, credit bureaus
- [52:04 - 54:43] — Audacity, open source, and the spyware controversy
Additional Community Announcements [49:33 - 51:33]
- Digital Forensics Research Workshop: Affordable, highly academic event for digital forensics professionals.
- The Diana Initiative: Sold out rapidly; high praise for speaker lineup.
- Upcoming BHIS “Advanced Endpoint Investigations” Course: Scheduled for July 27-30.
- Active Countermeasures Webcast: Network security and packet analysis fundamentals.
Conclusion
The episode offers a well-rounded, humorous but insightful commentary on the present and future of cybersecurity: ransomware’s evolution into a professionalized criminal business, insurers and compliance regimes introducing their own new challenges, persistent vulnerabilities in legacy components like printing, and the risks buried in the supply chain. Blending practical advice, war stories, and a healthy dose of skepticism toward industry trends, the BHIS team demystifies the sometimes absurd state of infosec in a rapidly shifting threat landscape.
Note: For stories dropped due to technical difficulties (e.g., the unresolved gift card serial number tale), tune in next week!