Talkin' Bout [Infosec] News – Episode Summary (August 13, 2021)
Main Theme Overview
This episode of "Talkin' Bout [Infosec] News," hosted by John Strand and the Black Hills Information Security (BHIS) crew, dives into hot-button security news and industry stories of the week. The team's friendly banter and in-depth expertise come together as they break down the Apple photo scanning controversy, ICS security nightmares (with a focus on train ticketing hacks), Microsoft's Patch Tuesday, and leaked ransomware manuals. The team also weighs in on the fallout from the Iowa courthouse pen test and Gigabyte's ransomware attack, with a healthy dose of skepticism, technical insight, and dark humor.
Key Discussion Points & Insights
1. Opening: "The Ransomware Song" Parody
- [00:05–02:18]
Overview
- Lighthearted musical segment parodying ransomware's place in the security landscape.
- Lyrics satirize the pervasiveness of ransomware, the mechanics of encryption, and society's growing reliance on faulty systems.
Notable Quotes
- "You can make a fortune in ransomware..." – Bo Burnham ([00:15])
2. Apple’s On-Device Photo Scanning Controversy
- [03:25–15:24]
The Issue
- Apple announced plans to scan user photos for child sexual abuse material (CSAM) using on-device algorithms.
- Intended to protect children, but stokes significant privacy concerns.
Panel’s Analysis
- “This is really, really, really horrible, right?” – John Strand ([04:39])
- The hosts unanimously agree that while the intentions may be good, the technical and ethical implications are far-reaching:
- Slippery Slope: Once a tool for CSAM detection is implemented, it could be quietly repurposed for broader surveillance, political suppression, or other non-criminal enforcement.
- API Reverse Engineering: "If you open up a backdoor, you create an API for just the good people... there’s going to be some jackass kid in Sweden... to reverse engineer that API and share it with literally everybody." – John Strand ([05:13])
- Potential for Denial of Service: Corey imagines abuse vectors where someone could upload malicious images to others’ iCloud accounts to trigger reviews ([07:20]).
- Historical Parallels: Comparison to the Patriot Act—tools built for one “good” purpose tend to expand scope.
Notable Quotes
- “The whole premise of nothing to hide is complete garbage for a number of reasons.” – John Strand ([04:58])
- “Just because someone shits themselves doesn’t mean that we all have to wear diapers.” – John Strand ([10:43])
- “Algorithm... watching your child... yes, Ashley's child is a furry. And then they're going to start putting all these weird ads on top of it. Like it’s creepy.” – John Strand ([14:14])
Broader Concerns
- Chilling Effect: Potential for parental overreach, inappropriate flagging, and overbroad application.
- Precedent Risk: “Every time we open these things up... it can be used for a wide variety of other things.”
3. Train Ticketing System Hacks & ICS Insecurity
- [16:04–32:05]
Iranian & UK Train Ticket Hacks
- Ashley reports on sequential attacks: first on the Iranian railway ticketing (July 9), then the UK’s Northern train ticket system.
- Attackers disrupted public services and posted taunting messages.
ICS Security Context
- Legacy Risks: “They are definitely the rule.” – Ashley ([19:12])
- Most ICS environments run outdated technology (e.g., Server 2000), are vulnerable by design, and share the same patching and technology deficiencies across the board.
Cultural & Procedural Issues
- ICS Field Mindset: Old-school “keep the process running” attitudes persist; incidents default to manual workarounds, not technology fixes.
- Lack of Tailored IR: “I think...there should be two completely different IR processes” for SCADA vs. IT systems. – Ashley ([26:14])
Financial Incentives
- Reluctance to Invest: “They don’t want to spend $9 million one time on firewalls... We’ll pay the ransom and... lose data or whatever.” – Ashley ([31:59])
Notable Quotes
- “We're using new technology mixed with old technology, still stuck in a mindset that was developed in the 70s and 80s.” – Ashley ([23:50])
- “Until there’s a financial incentive...there will be no protection added.” – John Strand, citing a chat comment ([30:41])
4. Patch Tuesday (Microsoft July 2021 Edition)
- [32:30–36:19]
Highlights
- Microsoft patches three “zero days” (the group jokes they’re more like “tweet days”).
- PrintNightmare, HiveNightmare, PetitPotam NTLM relay, plus 44 other flaws.
- IT Operations fatigue: “Patch Tuesday for IT support people like me is hell.” – Quoted by John ([34:45])
- Ongoing struggle: Even for high-profile vulnerabilities, patches are applied slowly in IT and even more slowly in ICS.
Notable Quotes
- “This is the best case scenario... patching Microsoft...better than literally anything else you have.” – John Strand ([33:42])
- “We make the messes. We don’t have to clean up.” – John Strand ([35:12])
5. The Iowa Courthouse PenTest Lawsuit
- [36:19–43:28]
The Incident
- Two physical pen testers arrested during a courthouse assessment; now suing the sheriff’s department.
- Lively discussion about scope, communication, and real-world risk in physical pen testing.
Insights & Lessons
- Coordination with law enforcement is crucial in physical engagements that involve breaking and entering.
- “Scope better, I guess.” – Corey ([39:40])
- John casts the incident as a “whole big can of suck,” with both the testers and Sheriff Leonard acting with reason, but caught in a process failure.
Notable Quotes
- “If I'm the boss and I hear... that one of my people smells like alcohol, that's going to be a concern for me." – John Strand ([42:01])
6. Leaked Ransomware Manual / Tools Debate
- [44:22–51:56]
The Leak
- A disgruntled Conti ransomware affiliate leaks technical manuals (intended for criminal operators).
- The manuals are basic “how to” guides—largely indistinguishable from entry-level pen tester tutorials.
Security Industry Reflections
- Debate Over Blame: Should the industry blame public tooling (e.g., Cobalt Strike, Metasploit), or focus on underlying systemic security problems?
- John’s position: “If there's a tool... you literally have the damn source code to help write signatures to stop it... The more we’re sharing information and talking to each other, the better off we all are.” ([46:41–48:43])
- False sense of “nation state” sophistication; attackers just use whatever works.
Notable Quotes
- “Somehow people think it’s a goddamn Easter egg hunt, that once we've written signatures for all the bad tools... we’re going to be secure.” – John Strand ([49:28])
7. Gigabyte Ransomware Attack and Code Signing Fears
- [52:07–56:13]
The Attack
- Gigabyte, a major hardware manufacturer, is hit by ransomware.
- The attackers threaten to release data on partners such as AMD.
Panel's Concerns
- The greater risk: theft and abuse of Gigabyte’s code signing certificates, with the potential for widespread supply chain attacks on PCs globally, echoing the Stuxnet incident ([53:26]).
- Humor about attackers tripping over nation-state actors already in Gigabyte’s systems.
Notable Quotes
- “When you hear about a company get ransomware[d], that’s pretty much like saying the farm league baseball team... beat you. This isn’t the MLB that came in.” – Ralph ([55:10])
- “The training manual tools tell people how to use YouTube videos to learn how to use Metasploit.” – John Strand ([55:28])
Memorable Moments & Quotes
- On Apple’s slippery slope: “It always starts with good intentions, right? Something, something, road to hell...” – John Strand ([10:43])
- On ICS’s outdated culture: “They’re worried about safety to an extent, but realistically, they've been drilled in so long that the process has to keep going no matter what.” – Ashley ([25:15])
- On ransomware threat sophistication: “They’re using AnyDesk, which is just some remote access tool that regular companies use... Nation state, dude. Legit.” – Ralph and Corey ([48:43–49:11])
Timestamps for Important Segments
- [03:36] – Start of Apple photo-scanning debate
- [16:04] – Ashley introduces train and ICS hacking stories
- [32:30] – Patch Tuesday Microsoft vulnerabilities
- [36:19] – Iowa courthouse physical pen test lawsuit
- [44:22] – Discussion of the leaked ransomware manual/tools debate
- [52:07] – Gigabyte ransomware attack and supply chain fears
Tone & Style
The hosts mix cynicism, technical insight, and joking camaraderie. They shoot straight, often using gallows humor to underline the seriousness of security incidents, while stressing “big picture” systemic issues rather than getting bogged down with the surface-level technical details.
Conclusion
This episode paints a vivid picture of InfoSec’s dilemmas: well-intended policies turning intrusive, legacy infrastructure exposed by modern connectivity, and the daily churn of patching and vulnerability management. The team highlights the persistent gaps between technology, policy, and human behavior, urging listeners to look past headlines, question root causes, and keep sharing and improving through an open, sometimes chaotic, community.