Originally Aired on August 10, 2021

Articles discussed in this episode: https://youtu.be/JTPa1rGq7qk

00:00 - BHIS | Talkin' Bout News 2021-08-10 — The Ransomware Intro
03:18 - Story #1: https://www.eff.org/deeplinks/2021/08
John Strand
Okay, this is the ransomware song.
Bo Burnham
One day I asked my teacher, what use is math to me? She answered, when you're older someday, my boy, you'll see. There's a world of computer systems out there full of valuable data and not secured with care. And you can make a fortune in ransomware.
John Strand
Ransomware. With a little bit of math.
Bo Burnham
It's called encryption. Just a little bit of math. Cause a conniption lock the data hide the key. They'll pay up eventually. It's all just math.
Ransomware is big now because it's organized. You can buy it as a service and sell it for a prize. There's a whole world of tempting targets to hack. Governments, hospitals, schools to attack. And they pay up in bitcoin. Hard to trace back. It's all just math. We call it crypto. Just a little bit of math. No need to tiptoe. Hackers whisper, don't be nervous. We take pride in customer service.
Well, then I told my teacher, I'm feeling terrified. How can we protect ourselves from all this cybercrime? She said, don't click weird links or use password. 1, 2, 3. Make offline back. Invest in security. And that's when I realized how screwed we might be. Just do the math.
So many systems. If they all took a bath, wouldn't we miss them? Next time there's no meat or water or gas. And we slide a little closer to the day of Wrath. You can blame it or some Russian sociopath, but personally, I blame math.
John Strand
Well, we just found Infosec. Bo Burnham, everybody. That was fantastic. And I too, blame math. Welcome, everybody, to another edition of Black Hills Information Security. Talking about news. My name is John Strand. I am just one of many hosts, hostesses that we have here today. Going through. We have Ryan, who's always here and always makes us look and sound better than we actually are. We have Steve, who's showing off his fantastic model plane collection. We have Ralph, who's adequately blurring his background today, which is good. We have Corey, who needs to clean his shelf. And we have Ashley, for the first time on the show, who's going to be talking about SCADA its and her love of trains. So I had a couple of news stories and I know, Ralph, that we have this notion thing that we've been using and we have something new for people that want to like, like see the links that we're talking about for the shows and they can see those. So what do we have for the first news story of the day that we want to go through? Because you had a lot of stories.
Ralph
Oh, yeah, I did. I found a lot of stories. We might not make it through them all, but if you want to go with the heavy hitter, we can start with that.
John Strand
I don't know, let's, let's, let's start with the big stuff.
Ralph
This is the one that no one has stopped talking about. And that is Apple, right?
John Strand
That one up. Yeah. I can look at all my.
Ralph
And there goes the show.
Corey
The show's over after this.
Ralph
So this is the only one anyone wanted to hear about. So yeah, this is right from the EFF. And for everyone who doesn't know and maybe is living under a rock, doesn't have Twitter or the Internet or any other kind of news source, Apple pretty much is going to start scanning your photos and we're doing this to protect you. And they're obviously looking for things like child pornography and other things that are bad. Arguably totally cool, I get that. But yeah, we're gonna start doing that, so. And they just kind of dropped it on a Tuesday. I don't know, it was, it was weird. So what do you guys think?
Corey
Having used Siri, I just can't wait for all the photos that I took of my food to get flagged.
John Strand
Yeah, and they have those algorithms, Corey, that'll be like hot dog, not hot dog.
Ralph
Think about the children.
John Strand
Think about it. So, okay, so this is really, really, really horrible, right? Because we get into this, this, this kind of weird confrontation where if you're like, this is horrible, this is a God awful thing, they should not be doing this. Then you have everyone, they're like, well, you must be for child pornography then. Yeah.
You must have nothing to hide. Yeah, well, if you have nothing to hide, then you got nothing to worry about then. And that whole premise is complete garbage for a number of reasons. One, you open up a backdoor, you create an API for just the good people to use to gain access to this. And there's going to be some jackass kid in Sweden who's like 17 years old, who is now working very, very, very hard to reverse engineer that API and then share it with literally everybody.
That's not a thing that might happen. That thing is going to happen. Like I almost 100% guarantee it. If Apple and their security engineers have the hubris to think that, oh, well, you know, no one's going to be able to figure this out, reverse engineer it, crack a hole through it, and then drive a Mack truck right through the middle, they're sorely mistaken. And over their history, they should know better. So that opens up one thing and then the other thing about the whole argument for me where people say, well, if you have nothing to hide, you have nothing to worry about, is also garbage. A great write up once by Moxie Marlinspike I think, is that Signal or Wire? Now I think he's at Wire. He did a write up and he basically was like, you have no idea how many crimes you commit a day, but you actually commit quite a few crimes and the government can use these against you if they so choose to. So yes, we always open these things up and it's like the Patriot Act. Well, it's against terrorists and it was very rarely used against terrorists. It was used for a whole bunch of other crimes. So anytime we open these things up and we say, hey, we're going to protect the children, it opens up this huge, huge hole where it can be used for a wide variety of other things. So that's my thoughts. What do other people seem to think on this?
Steve
Well, reading into this a little bit, it does look like this feature may be limited to child accounts. Part of this, it says there are two parts to this. One is that all photos will get scanned as they are uploaded into iCloud to see if they match the database for known child sexual abuse material. And then the other one is for all iMessage images sent or received by child accounts. And this feature can be turned on or off by parents.
Ralph
So.
Steve
But yeah, I mean, kind of like a gateway drug. Looks like this is their entryway into that full maybe, you know, backdoored account encryption just beginning.
Corey
Well, I feel like it has a vector for like a denial of service potentially as like. So they say, like there's a threshold at which if you have enough of these photos in iCloud, then it triggers some like manual review process or something. So it's interesting to think about, like if there, you know, like is an API abuse or something where you could upload images to someone's phone or what or into ipod or if there's like a full shared folder or something that's exposed, then you could potentially just spam them in and then DoS their entire account. Right? Like, it's interesting. I mean who knows what the vectors could be.
John Strand
But that kind of goes back into Ralph's joke about taking lots of pictures of his food and like, oh God, Ralph's taking pictures of his food again.
Ralph
What I was reading is that they're going to scan the files on your, like the photos on your phone for the non-child version of this, right? They're going to be using an exploited child pornography database, which makes kind of a hash of the image and looks for actually similarities. So it's not like a direct signature hash. And they're going to be using it on-device. So I guess it's not going to be using iCloud. So your phone will have software looking for stuff like that. Any photos that you take, looking to see if it matches those identities, if they are, it sends it up, flags it, so on, so forth, right? But the potential for abuse here to look for any kind of photo starts to really expand and expound as you kind of look at it. Because right now they're just saying this child pornography. And you're like, yes, it's for the kids. And I get it that that's all bad stuff. As you kind of like kind of twist it a little bit more, we could expand this to other things, right? Like maybe we're just looking for a suspect, just a person, right? And then, okay, so we're just looking for criminals now. We. Every time we can use a whole network of iPhones to find them. And you know, you can kind of see how you could keep turning and turning until you know it's whatever they want.
John Strand
And it's like if we also look at the whole thing with Apple, if you remember with the San Bernardino shooters, there was a bunch of pushback against Apple to try to gain encryption keys to be able to gain access to their phones, right? And Apple traditionally, what's weird, traditionally Apple has pushed back against this quite hard. Now all of a sudden they're open to the idea and I understand, right. You know, somebody's mentioned the Batman movie, Arctic brought that up, which I think is a great point. But you know, the thing that really makes me uncomfortable with all of this is once this starts, it's very, very difficult to say where that line ends, right? So if you start with child pornography, which everybody's gonna be like, yeah, that's just, that's just horrible. That's God-awful. That's. That's bad. And everyone's like, yeah, that's. We all agree that's bad. They're like, terrorism. Yeah, we hate terrorists. Yeah, terrorists. Terrorists. That's bad. Yeah, that's bad. What about money laundering? Yeah, we hate that too. Yep, money laundering is, is, is really bad. And the next thing you know, it's like, I think Noah brought up and said, well, what happens if you have civil disobedience in a country and all of a sudden you have somebody from some country on the other side of the world and like, let's say Malaysia or something says to Apple, we want to know all the people that were at this particular square at this particular time because they're civil dissidents. We can now say, I want to know all the people that are, you know, have anything that they're sharing pictures, the things associated with the religion or specific sexuality. It's like, where exactly does this line, where does this line end? It always starts with good intentions, right? Something, something, road to hell.
And I think that at some point we have to get used to the idea that bad things are going to happen in society and we don't want to impinge upon all the rights of everybody because of these bad things. Like, just because someone shits themselves doesn't mean that we all have to wear diapers.
Corey
Yeah. And it is interesting to think there's an API somewhere that lets you load a database of bad images and then they'll be scanned locally on the device, right? So it's like, what if I'm like a country that's like, yeah, if anyone has pictures of this, just scan it and you know, delete the pictures or flag their account. Right? Like, can I make requests of Apple? Can I be like, oh, actually, if anyone has a swastika in their images, just tell me, right? Like, how far does it go? Because it's interesting.
John Strand
So let's talk about that. Slippery slope. So myself and some of the other people at Black Hills Information Security, we actually worked on projects associated with like the NSA, the NRO, CIA, those types of intelligence types projects, and they were classified. I'm not going to go into details about like these classified programs, but it was. You had the ability under certain circumstances to actually review data of US citizens. Now you had to go and get a FISA request, set up a FISA warrant. That was a very, very complicated process if you actually wanted to grab and view data on a specific U.S. citizen. And it was very much manual and it was very much hard to do. Now a lot of these programs that we actually worked on, we were on the security team, we helped set this stuff up and it was intentionally difficult. Now the thing that blew my mind was some of these programs that we worked on were actually released by Edward Snowden. And, and basically what they did is there was actually a box where you had to put in your justification for your FISA warrant, and then it had to get approval and had to do all these things. And all of that was completely replaced by a dropdown box that had like a list of pre-built things and at the bottom was fricking other. And if you wanted to gain access to certain people allegedly from the Edward Snowden leak, you could just simply go through, click that box, click other and then immediately gain access to this data. So once that API is there, once that data is there and you can access it, you can set up all of these protections. But over time those protections and all those roadblocks start to erode.
Ralph
This is bad.
John Strand
Well, you know, we got people on YouTube. Let's see if anybody thinks that this is good. I don't see how this is good. I also don't see what Apple gets out of this. Like does Apple make money on this?
Ralph
Here's the worst part. If you just want to talk about that specifically, I think this is the worst thing they could do because the whole, the whole thing that they've been like, you know, very vocal about over the last couple years is how much they care about your privacy.
John Strand
Right.
Ralph
Well, they want to lower the average.
Corey
Age of the iPhone owner down to like six, Right.
John Strand
This must be one of their protections to try to get.
Corey
That's my guess, right? Like if I was a parent I'd be like, I don't know how, how soon is too soon for an iPhone? Well now maybe a little earlier, right? Because there's all this protection in there. They can't even send nudes or what? Like, I don't know, like, yeah, this.
Ashley
Makes me want to take away my kids phones, not give them a phone. I'm like, good luck looking at, you know, the hundred thousand pictures that my 14 year old daughter has probably taken of the cats and outfits. Like yep.
John Strand
Now the algorithm, Ashley is like watching your child and saying, yes, Ashley's child is a furry. And then they're going to start putting all of these weird ads on top of it. Like it's creepy. People are like, yeah, just destroy it. So I had a friend of mine talking about like small children taking pictures and sending them to each other. A friend of mine was talking to one of his family friends and they had an iPad. And the guy comes up to my friend and says, I got this iPad. And my son who's 16 was like, and showed my friend like there's pictures where he was sending naked pictures back and forth with him and his girlfriend and he's like, what do I do with this? My friend grabbed the iPad, smashed it very quickly and said, okay, that problem has been solved. And they're like, that was my son's iPad. And today he learned a lesson.
You know, maybe we should all be smashing iPads anyway for our kids. I don't know. But so is this the biggest fear that we should be worrying about is like, you know, with like the kids? I worry about the targeting of ads. I worry about, you know, setting up profiles and these types of things. There's a lot of other stuff that we should worry about too. That's terrifying.
Corey
Yeah, I think it also is. Like, what channels will these people use? They'll use whatever channels are available.
Yeah, it's like terrorist attacks were planned on PlayStation Network. Right. It's like no one was.
Ralph
We shut it all down.
John Strand
We're good. Yeah. No one's paying attention. It's like. But Corey, Corey, what we did though is we now have to pat down everybody and we have to go send them through these things called rapey scans to scan their bodies. It's like no PlayStation Network. And. And that. Yeah, yeah, we're going to scan everybody and full pat downs on everybody getting in the airplane. All right, well, let's move on to another story because we're talking about incredibly depressing things.
Ashley, can you talk to us about why we probably now need to be afraid of trains? And I don't mean necessarily in a maximum overdrive Stephen King. No, I actually mean exactly like a maximum overdrive Stephen King. This is going to suck. All right, Ashley, take it away.
Ashley
Yeah, absolutely. So this came out like a couple weeks ago. It was like Friday. Yeah, it was July 9th. There were some details that came out on the Iranian railroad system got hacked. So it was mostly just the ticketing system. So they didn't actually, you know, take control of any trains or anything like that. It was kind of the, you know, there's speculation on why they did it. They have a new president coming into term and so there's speculation that it was maybe just to kind of embarrass him that, you know, he didn't have a handle on, you know, government owned things because the train system there is owned, is kind of owned by the government. They wreaked havoc on the ticketing system for a while. Nobody could get on the trains. There were a lot of delays. They, you know, put some messages up on the boards. And there's speculation on that too. They're not sure whether that was the actual train system that did that or it was the hackers. And there was a telephone number there and there's speculation on who the telephone number belonged to. So they're not releasing a whole lot of information and data on it. But then about a week after that, something similar happened in the UK. Another train system was attacked, and the ticketing system was the big target and everything. I couldn't find any data whether it was the same ticketing system or a different ticketing system that they happened to be using. But it's just, it's like, it's that, that next thing, right? The next step of, of what can we attack in ICS, where can we go with this? You know, and, and it's just like they're, you know, these groups are really poking at every little hole in ICS that they can get to. And it's, we're seeing more and more of these attacks, more and more of the ransomware and that they're really just kind of feeling out where can we go with this? And really kind of exposing things that I think people don't think on a regular basis is considered ICS.
People don't think when they're sitting at a traffic light that they're being exposed to an ICS system that somebody could hack and take over. You know, I think it's really kind of shedding light on how big of a problem this is. It's much bigger than I think people realized. Even people in IT realize that these, these things are, they were made in the 80s and they really haven't been updated a lot since then.
John Strand
So one of the questions that I wanted to ask you about this is do you believe that the Iranian train ticketing system and these, these other trains that. Train systems that have been attacked, do you believe that they are the exception? Like, they're just insecure, but everybody else is secure, like Washington D.C., New York, all these other places? Or do you believe that consistently these systems were put in, in like the late 90s, 80s for some of the controllers and things like that, like these representative. They're more the rule or are these kind of the exceptions?
Ashley
Oh, no, absolutely. I think, I think that they are definitely the rule. I've, I've been in lots and lots of different ICS environments. And when you're doing, you know, when you're doing scanning and you're, you're poking around and you're seeing, you know, you're seeing the same, not only just the same technology, but the same vulnerabilities, right? It's like you go, you, you go to one place and you're like, oh, well, this vulnerability is there. And then you go to the next place and you're like, why this one's here? Was there like a memo that went out that we just don't patch this one. Or, you know, it's very, you see a lot of similarities and you really start kind of correlating that data together and it's across the board. You know, whether it is, they can't apply this patch because the system that they would have to apply the patch to only runs on Server 2000 because that system can't function on anything beyond that. There's just so much, so much of that, that same, same across the board that, that these are, these are not one offs. These are not something that is just, oh, hey, we happened to, you know, this spray and pray attack and we, we happen to find this. No, this is pretty generic for across the board in ICS.
John Strand
So why does it, why has it taken so long? Like we're starting to see more of these attacks? I think one of the first ones everyone talks about, Stuxnet, Stuxnet didn't surprise me because that's hot nation-state action. But whenever we got to Ukraine and shutting down the power grid and things like that, that's kind of for me where a lot of this started. Even though that was in fact also hot nation state on nation state action. But do you think that attackers haven't been hitting this as much? Just because I'd like to believe that some of the attackers are like, whoa, that's, you know, it's people in trains and that's power plants and that's, I'm going to leave that alone. Or do you think it's just a matter of they've already been crawling around inside of these networks, they just haven't done anything yet. Like, how come we haven't seen more bad stuff? If the security is as bad as we all know it is in this industry.
Ashley
I think it's a little bit of a combination of both. Right. I think they're realizing now that they can get to these things. I think we're also putting more of these devices directly on the Internet than we were in the past.
If you look at the Purdue model or even the zone and conduit model, concept and idea is that they have these air gapped networks which we're now realizing are not as air gapped as they, you know, as they thought that they were, right? Oh, we put this, you know, we put this here and we put this firewall in front of it and now we're, you know, we're air gapped. Well, that's, that's A, not how it works and B, I think that People are realizing that more now. And I think now they're, that we're, we're growing, right? Our populations are growing way faster than they've ever done before. So, you know, you think about an electric company, right? Well, they're providing power to a city. Well, when that city, if you look at numbers from the 2020 census and you look at the growth that we've had since the 2010 census, you're seeing state populations go up by 30, 35%. And most of those people are moving into a metropolitan area. Well, when you're moving into a metropolitan area like that, the electric company has to grow with the size of the city growing. And I think now we're just, we're standing up technology so fast that the, the concept behind securing it, the concept behind making sure that, that ICS devices are not in an internal network has just gone out the window. And that's allowing things to be more connected than we were before, which is allowing for way easier attacks.
John Strand
So let me see if I got this right. So we used to have, we've always had bad technology, right? Like old server 2000 systems. Right. And those have been predominantly air gapped from, you know, let's say from 2000 up until fairly recently. So part of what you're saying is it's kind of that confluence of newer technologies being put together with these older technologies. Like you may want to put a newer monitoring technology on top of it. That monitoring technology requires Internet connectivity because there's so much connectivity happening. It's now opening up inroads to some of these legacy ICS technologies. And now these things are starting to be exposed in a way that they weren't up until fairly recently. Is that kind of what you're saying then?
Ashley
Yeah, yeah, absolutely. Yeah, that's exactly what I'm saying. Yeah. Somebody in chat just said, you know, when is the culture in ICS going to change? That's a big thing too, right? Is that we are.
We have, we're using new technology mixed with old technology.
Still stuck in a mindset that was developed in the 70s and 80s. A lot of this knowledge and stuff like that has been passed from person to person. When you talk to somebody in ICS, every time I've gone in to do an ICS test, they're worried about safety, that something I'm going to do is not going to blow up a pipeline or cause a manufacturing device to break. But they're not so much worried about the data that they have and what happens if that gets out or what happens if they can't access it. You know, I've done interviews where, you know, I'm just trying to get data from them. And I've asked the question, well, what happens? What happens if this. This PLC goes offline? What happens if this. This device goes offline? What happens if your entire SCADA network goes offline? They're like, oh, well, that's fine. We'll just pull out pencil and paper and we'll do it that way. We'll manually do our processes. And I'm like, does it break? But does it break down? They're like, no, not really. We'll just keep everything running. We'll just do things manually. And that concern for that safety system that you've now connected to the Internet, that is offline, there's no thought to that.
They're worried about safety to an extent, but realistically, they've been drilled in so long that the process has to keep going no matter what. And so the technology is just an afterthought for them. It makes their job easier, but they don't worry about what happens if it breaks or what happens if somebody gets into it.
Corey
One question I have about response, and I know that it kind of was brought up that, like, the response was a little bit disjointed or, like, they weren't sure whether the hackers were tampering or whether it was a response from the actual entity. Like, should. Should companies have, like, a separate incident response plan for, like, the SCADA stuff? Like, should they have, like, a. Okay, this is the break glass in case of corporate ransomware, and this is the break glass in case of ICS compromise. Like, just out of curiosity, like, what is the response? Should companies split that out at all, or is there. Is it really just the same, like, change the passwords or tell people not to use it or whatever?
Ashley
Oh, no, I think. I think that they should have two completely different IR processes. You don't handle SCADA devices the same way as an internal network.
They're very different. Right. They're very sensitive. A lot of the times.
I've gone in to do vulnerability scanning and something like that. And you have to be very, very cautious. I've gone in and I've scanned things very, very slowly, making sure that we're not tipping stuff over, because you do have that potential for loss of life in an ICS environment. And I think that response to an incident should be handled very, very differently than if you're just worried about somebody being in your internal network and getting into your email servers or your databases and stuff like that. That's. Is that bad? Yeah, absolutely. But it's not loss of life bad and I think that they should be very much handled differently. But realistically I don't know that there are that many people out there that are doing that.
Steve
So both of these attacks were apparently towards government systems. So the one in.
The UK was a British government run Northern train ticketing system. So I'm wondering if these are targeted attacks, what are the chances of this being supply chain if they're a specific ticketing system? Because the, the attacks in both cases were limited to the ticketing system. So what if, what if those are already breached and they're being put into these locations and attackers are either setting up for these attacks a long time in advance, knowing that they're going to get some nation state level targets, or these are just purely targets of opportunity. Right. Where it's a ticketing system, you can go to a web page, it's on the DMZ somewhere, you can buy your ticket and then somebody just SQL injected this thing and then ransomwared it or you know, is this more of an advanced attack? Those are my questions.
Ashley
Yeah, yeah. And that was, that was a big curiosity of mine. I did a lot of digging to really see like to figure out what, what they were using for a ticketing system. I know that I want to say it was like probably five or six years ago. I was actually looking into working with somebody with a CTF and they wanted to do kind of a train system thing, right. And I actually found an open source, it was open source software that was available and we were going to, you know, make some modifications to it to make it more vulnerable. And then we were just kind of going to kind of try to, you know, discover some vulnerabilities for ourselves. So I know that there is open source software out there, which, which I mean obviously open source is the way it is. Right. And you know, it's great when you have collaboration, but it also doesn't necessarily stop the bad guys from doing bad things. I couldn't find if they were using the same ticketing system, I would lean towards the likelihood, especially with the attacks being so close together that it was. And supply chain issues. That's a hole.
John Strand
I was going to ask you about that because there's not many vendors that actually create these systems. Right. It's not like you got 400 different vendors for ticketing systems on trains. It's probably like what, six maybe, Maybe.
Ashley
Yeah, I mean, and that's, that's that's across the board in ICS, right? You know, you can go from, you know, you could, you could go from, from a, you know, an oil and gas company to another oil and gas company to another oil and gas company, and you're going to see similarities. You know, there may be some, some one offs here and there, but the likelihood of, of one manufacturer being the same in all three of those companies is really, really high. Because there's not a variety, right? And, and then they're all getting their parts and pieces from the same place and you know, then they're putting their, their firmware on it, right? Which if you look at the, you know, if you kind of go in and you look at the, the back end of those and you're looking at, you know, the, the interfaces and stuff like that, they're all really similar too. So it's, it's a lot of, a lot of similarities and not a lot of thinking outside the box, right? That was created in 1970.
John Strand
Somebody posted like, there's, there will be no protection added to this until there's a financial incentive to do so. And that's, that's actually that that comment has multiple layers and they're all terrifying.
Ashley
Yeah, absolutely. You know, I worked for, I was, you know, was doing work for a company and they decided to put in firewalls at some of their, their facilities. And it was like eight or nine million dollars in firewalls. And it's like, okay, well, you know, I, I think that, that the, the C suite starts looking at that and saying, okay, well, we're spending $9 million on firewalls, but how much will we have to spend in a ransom? Would we spend 4 million in a ransom?
John Strand
You know, yeah, you know.
Corey
We have cyber insurance that'll pay for it.
John Strand
We just gotta, you know, that's gonna cover, that's gonna cover everything. Exactly.
Corey
Yeah.
Ashley
I mean, it's, it's. Realistically, that is honestly how it gets looked at. And that's, I think that's the most terrifying thing, right, is that we don't want to spend 9 million one time on firewalls. It's fine.
We'll pay the ransom and, you know, we'll lose data or whatever. Yeah, it's terrifying.
John Strand
Well, and we can talk. It's probably a webcast. We can talk about how slowly some organizations react to incidents as well. But that's a longer conversation. All right, well, that was depressing. Thank you, Ashley. That was just great.
Ashley
To the Depression.
John Strand
Forget all these trains and cars. I got my horse outside. All right, so what other stories do we have? We have good news.
Ralph
We have some good news.
John Strand
Good news.
Ralph
All right, so Microsoft, if you didn't know, today is Patch Tuesday. Microsoft patched a bunch, three zero-days, which I honestly, I don't know if we could call those zero-days. I feel like they were just like no-days. They're like tweets, mainly tweets. Like, hey, did you guys know? Yeah, tweet-days.
Corey
There you go.
Ralph
So three zero-days. The biggest one being PrintNightmare and HiveNightmare and all the nightmares. There's like four nightmares. In addition, PetitPotam, I think that's how you pronounce that. Anyways, that's the NTLM relay attack that was patched as well, along with 44 other flaws. So get out there, get excited, use that WSUS and make it happen.
Corey
We got some patches.
John Strand
Yeah, yeah, great. Now if there were only some kind of unified patch thingy for ICS, that would be great.
Corey
Yeah, yeah, we'll see the patch in a year.
John Strand
What's that one, Corey?
Corey
I just said if you're on an RTU, we'll see the patch in a year.
John Strand
I always like to point out people rip on Microsoft constantly. They're like, oh, Microsoft bad. Microsoft bad. Which is a stupid conversation anyway. But what people don't understand is this is the best-case scenario, like patching in Microsoft and Active Directory and all your Windows components. Better patching than literally anything else you have. So that's the high-water mark, folks. And we still, like, these vulnerabilities that they patched today, I guarantee you pen testing companies are going to be nailing these for at least the next eight to 15 years.
Ralph
Yeah, there's a bunch in there that come down to my favorite vulnerability, which is really just, you know, misconfiguration. Right. That's like the best thing for ATT&CK and the worst thing to defend. Right? Because if you don't know how to configure something properly, that's really where you're going to get hosed up, as opposed to, hey, you know what? I'm on patch level X and that's the latest, so I'm good. And that's where a bunch of these were. Not all of them, but, you know, the certificate authority and some other stuff like that.
John Strand
So, yeah, I like Nelson Mendez had a quote. He said, "Patch Tuesday for IT support people like me is hell," and I think it's funny. Like, in security, we're like, patches at help desk, and everyone else is like, oh, dear God. Like, you guys got this. You guys got this. Well, I probably won't be sleeping for the next 48 hours. Good, good. If you need anything, call me. Security's out. The patch has been deployed.
Corey
We make the messes. We make the messes.
John Strand
We make.
Ralph
Yeah, we make the messes we don't.
John Strand
Have to clean up.
Steve
Patch Tuesday was supposed to go away in favor of some kind of, like, rolling.
John Strand
Rolling patch every day.
Steve
Yeah.
Corey
But I assume the admins revolted against that. They got that we're just gonna be up 24/7/365 now, right?
Ralph
Yeah. When Patch Saturday comes along and everything breaks, that's when it's sneaking up behind you.
John Strand
And hitting you in the back of the head. Oh, God. It's Patch Friday afternoon.
Steve
Yeah, it's funny you say that, Ralph, because that PetitPotam vulnerability, they patched it, but what they fixed, there's no backwards compatibility, so who knows? This could be breaking, like, NAS devices or whatever that might be using that RPC call, because they just shut it down instead of saying, like, well, okay, if you're an administrator on the box, you can use this RPC call. No, they've gone.
John Strand
Yeah, that's pretty harsh. So, like, that's why I think that this is going to be the gift that keeps on giving. They're like, well, we installed that patch and it broke something, so we rolled it back, and we'll never install that patch again. So the hackers will be like, bad patch. All right, what else do we got? What else do we got?
Ralph
Oh, I got one. This one's close to home for you. Well, I would say you were somewhat not involved in this, but you somewhat got closer to this one. And this is the old courthouse pen test.
John Strand
Do you remember that? Oh, yeah. Yeah. Adel. Adel. Not Adele. Adel, Iowa.
Ralph
Yes, Adel, Iowa. Yeah. So I guess the two gentlemen who performed the test, they are filing a lawsuit against the county sheriff.
Yep. So, interesting, right?
Steve
I thought they were a little bit outside of the scope of their ROE, were they not?
Ralph
Well, that's. There's lots of questions there, and I'm glad you asked. I think there was a Darknet Diaries, if I'm not mistaken, on this whole thing.
John Strand
There was, yeah. Yeah. And I actually had a good long conversation with Sheriff Leonard, so his take on this was interesting. Right. Whenever we went and we interviewed him and we went down there, we opened ourselves up to the community like, hey, a hack happened here. Come talk to hackers. We had a couple people that showed up and they were all like, you're all bad and you should all go to jail. And then after about two, three hours, we're all sitting around having lemonade and cookies together, and they started asking us questions. It was a great conference. It was Awareness Con. And Sheriff Leonard showed up, which I thought was pretty amazing. And his take on it was, look, we were never notified of this whatsoever. And number one, whenever you get notification that there's people in a courthouse and they're breaking in and then they're setting off the alarms and all that, you have police officers that drive really, really fast to get to that scene, and that creates a risk, and that's stupid, and it's an unnecessary risk to have these police officers drive somewhere in the middle of the night. That's number one. Number two, police officers go into this armed with their weapons out, and that's putting the pen testers at risk as well. And he goes, also, we showed up and these guys were acting a bit shady, whatever the hell that means. Right, but they were acting shady. And now from their perspective, they basically showed up and were like, we're here, we're pen testers. We're hired to do this. But as pen testers are wont to do, Sheriff Leonard brought up to me, they were wearing tactical gear. A lot of pen testers and people in the industry, they've got, you know, the tactical backpacks and all that stuff. And he's like, they really looked like they were armed, and we were very concerned. Now, with all of that, he then said all charges should be dropped completely. He didn't think that the charges should stick. And he was actually asking for the charges to be dropped and things like that. But I think that there's some points that he has that are pretty solid points. I don't think that you can just stand up in the industry and be like, yeah, Sheriff Leonard is bad. His points are incredibly valid, that if we're doing physical pen tests and it involves B and E, we might want to notify law enforcement. And that was kind of the point of Awareness Con, to kind of get people out in the industry so that people like law enforcement around the country would have a better understanding of who we are as an industry and what we do. So, yeah, there are lawsuits going forward. That's fine. That's absolutely their prerogative. I think that the lawsuit has some very, very, very solid points. But I also think that Sheriff Leonard has some very valid points as well.
Corey
Scope better, I guess. And personally, if I was going to do a late-night thing, I'd rather do it in a tabletop at, like, noon, you know, and just talk about what would you do if someone broke into the courthouse late at night? Would you drive there really fast with your guns out? Because if so, I'd rather not. Let's put that in the SOW, right?
John Strand
Like, let's make sure that's called out.
Corey
Yeah, My, you know, my. Obviously I don't know the people involved, but, but you know, just my two cents.
Ralph
I personally probably would have passed on the engagement. I would have been like, you know, after hearing it's a courthouse and all the other fun stuff, there's a lot of risk there, you know, and how you're going to control it. So that's just me. Other people make their own decisions.
John Strand
But I also have a question for you. Like, if you were the police officers on site and you're Sheriff Leonard, right, and you show up and these guys are like, look, we were hired. This is what we did. This is what we do for a living. Here's all this stuff. And then they gave you their get-out-of-jail-free card and you called one of the people that was supposed to vouch for the pen testers and they said, no, no, no. It seems to me like they might be exceeding their scope a little bit and they didn't have permission to do what they did. I might arrest them too at that particular point.
Ralph
Yeah, sure, sure. So we're talking about two things, right? We're talking about the actions that were committed and then the agreements that were made beforehand. Right. And the lack of knowledge in between those two and people not knowing. And it's even worse when they say, hey, yeah, call this person, and they don't have a full understanding of the agreement.
Steve
Right.
Ralph
And also that they should be, like, ready for that call. Right. You should be in contact with that POC saying, hey, yes, today we're going to be doing this stuff. Right. I mean, hopefully you don't get a phone call, but if you do, just let you know, it could be in the late hours. Okay. Like, it shouldn't be a surprise. And like, well, let's talk about what this agreement was that you said you were doing. You know, I mean. Yeah.
John Strand
So anyways, yeah, we have them to...
Corey
Thank for improved SOWs all across the board.
John Strand
Thank you.
Corey
Thank you for your sacrifice.
John Strand
Yes, you shall be a cautionary tale for everyone. Now, there are some things, like the defamation side of it that I think is interesting because Sheriff Leonard's story did kind of change in interviews. By the time, I think by the time that we got to the point where we were interviewing and talking to him, I think he kind of saw like, what kind of like poop storm was created. And some of the earlier comments that he said kind of backed off. One of the things I thought was interesting is in some of the earlier things, he's like, well, one of these guys smelled like alcohol. Which that's a hell of an allegation in our industry. Like, if somebody's doing a physical pen test and I'm the boss and I hear from a customer or the arresting officer that happens to work for the customer that one of my people smell like alcohol, that's going to be a concern for me. And that might fall under the defamation side of it as well. Also, I think it's bigger. Like, it's not just Sheriff Leonard, but also going to the entire state of Iowa. You know, maybe they're just picking on Sheriff Leonard because he's a single person that they can actually do this against. But I don't know if this makes things better in the industry. Like, I don't know if this is improving the relationship between law enforcement and penetration testers. I'm sure that they have their reasons for bringing charges. I'm absolutely certain that they have reasons and I'm certain that they're valid. But at the end of the day, I don't know if this deescalates the problem and actually facilitates education, awareness, and all of us working together, or is this just going to have a whole bunch of law enforcement officers that are like, I see any of these people pen testing, I'm throwing their asses in jail.
That's my concern, is that this is just going to continue to escalate.
Corey
Good luck to the jury. I guess if it doesn't get settled, I guess it'll get settled. But, yeah, finding a jury. All right, so what is a computer? Do you know how to answer that?
John Strand
Do you know, do you guys want. I would love, just for once, I want to be in a trial that has, like, something like this so I can give everybody in the jury a lock picking set and give them, like, those SouthOrd crystalline locks, teach them how to pick locks and things like that. Because I could just see the jury just eating that up. It's like picking locks is easy. It's like, that's right, jury, it is. So I wish everybody the best in this, because the thing that sucks is I met Sheriff Leonard. He was incredibly nice. The two testers at Coalfire are very solid testers. It's just a whole big can of suck. So.
Ralph
Yep.
John Strand
All right. For sure.
Ralph
Well, should we talk about ransomware? I know. Steve, you wanted to talk about this, right?
John Strand
Let's do it. Steve, what the hell? It's the ransomware hour.
Ralph
This isn't quite the ransomware hour. I did. I do have one big one that did happen, but that's what we're talking about. So this is the. The ransomware technical guide. Did you want to talk about this one, Steve?
Steve
No, I have no idea what you're talking about.
John Strand
Oh, my God.
Corey
Dude. It's more like how to pen test.
John Strand
I mean, it's like a strikeout in T-ball. Geez.
You know what?
Ralph
That'd be a thing to say.
Corey
I'll tee it up for you, Ralph. So someone leaked, a disgruntled employee of a ransomware group.
This opens up the whole discussion about, like, what? You know, should these ransomware groups be really treating their employees better? Right. We need to talk about those ethics and standards. No, I'm just kidding. But basically, they leaked some of their technical manuals, which are really just, like, all the articles I would give to a junior pen tester. Right? How to use Cobalt Strike, how to install Metasploit. That's, you know, that's a hard first thing, though. I just thought it was funny, you know, some of the guides, I was like, is this ransomware specific? Like, they don't talk about crypto libraries. They don't talk about anything that you would associate with ransomware. It's more just basic. You know what? At least I would consider it more just basic TTPs for a pen tester.
Steve
Right? And, you know, people out there are calling this, like, advanced. Conti's advanced, you know, attacks and things like that.
John Strand
Oh, no, no, no, no, no.
Steve
And it started this OST debate again on Twitter, where, you know, well, you should be detecting that. If you're getting pwned by this, it's not that you deserve it. It's that you should be starting with the basics, right? And there should be some basic stuff implemented. Shell, whoami, or how are they getting on the box in the first place, with the types of loaders and the stuff that they're using being so outdated and antiquated. You know, like you said, it's kind of like what you would give your junior pen tester going on their test. Is this really a fault of the tools that they're using, or is this something that we should already be mature enough in the industry to stop?
John Strand
This is a fight that pisses me off to no end. And I actually do have a fairly firm opinion on it. It's like the OST, the open source tool, debate. Everyone's like, well, all these tools they use are all released publicly and that's bad. I like my malware having GitHub pages. And seriously, in the anti-malware part of the universe, we really need to get really good. If there's a tool that's being used, you literally have the damn source code to help write signatures to stop it. I don't know, I just think that a lot of this OST debate that actually arises from this is like, look, they're using Metasploit. Look, they're using Cobalt Strike. Look, they're using things like Silent Trinity. It just blows my mind. And I think what it is is you have an attacker. Don't know who they are. They're nebulous. They got these hoodies, God only knows who they are, where they are. We think they're in Russia maybe, I don't know. And then all of a sudden you have this poor pen tester, this poor security admin that released a tool that the attackers used. Now all of a sudden there's something you can focus your anger and rage at, that person. And it's just incredibly unfortunate because I've always said this in the industry, you know, years ago when I got started, and I'm old and I'm becoming more and more gray beard, we were very, very much underground for literally everything we did, all the malware we created, any type of testing tools. A lot of that stuff was very, very close to the vest. We didn't share it except with our closest friends. And the techniques that we used were black magic. And you don't want the community, the offensive community, to go back to that point where we aren't releasing tools, we aren't releasing techniques, we aren't releasing all of these different things that we're working on, we aren't sharing. You don't want us to go back to that. And that's not a threat. That's just basically, I think the industry is better.
The more we're sharing information and talking to each other, the better off we all are. And those days sucked. They were horrible. And I think it's so much better now. Let's fix the problems. It's not a tool. There's a lot of systemic issues that we have to deal with here.
Ralph
It is. It is a little funny looking at this list, though, of the things that were included in the manual, because it's pretty much like, so you start at ransomware. But what I guess is not that funny about it is that they're doing this because it works. It doesn't require a higher level. Right. Like, they're using AnyDesk, which is just some remote access tool that regular companies use, to get back into these systems.
Corey
Nation-state level persistence. Dude, you don't even.
Ralph
Nation state, dude. It is legit. They're using rclone to just send data to mega.com, you know, .co or whatever. That's how they're exfilling data. Just, you know, it.
John Strand
But the truth is it works. But I think that you're getting to the point, right? You know, it's not about the tools. It's like somehow people think it's a goddamn Easter egg hunt, that once we've written signatures for all the bad tools that immediately we're going to be secure. It goes back to, take a step back and look at the techniques that are being used, not the specific tooling, because the tooling can change. A lot of the techniques stay consistent for years. And I don't think that, especially on the defensive side of security, we're all that great at understanding how to actually write signatures for things like data exfiltration, for lateral movement, for a lot of the techniques that we use and reuse again and again and again.
Corey
And good luck banning AnyDesk. It's like, you can't ban that persistence technique. So, like, whether I post it to GitHub or whether it's just publicly available software, if it's used maliciously, it's used maliciously. You can't just. It just seemed, yeah, a little bit backwards. Fix the problems, don't fix the tools or the, you know, techniques.
John Strand
Yeah, we lost Ashley. She left. Of course, then again, if you're listening to this, take a look at the people that are on this webcast. We break into places for a living. So I'm just going to caveat this with an asterisk that says hosts of BHIS Talkin' Bout News are biased. Not might be.
Very biased, because every one of us has released tools or techniques that have been used by bad people, but we use them every day to help good people protect you.
Corey
The other thing we were debating is real Cobalt Strike license or cracked trial license.
Steve
Yeah.
Ralph
Are they going through the proper, like purchasing channels or they like going underground?
John Strand
Right. Well, you know, if you go to the Cobalt Strike website, if you're like, what are you using this for? Ransomware is, like, at the bottom, right above "other." You know, so it's like testing, security assessment.
Ralph
So you're telling me that they found out how to get licenses by just using the "other" tick? Got it, man.
John Strand
Dude. Dude.
Corey
Mega is like, we're selling so many pro accounts, man. We're making a lot of money.
John Strand
And I just see Cobalt Strike, you know, sitting around, you know, I can't remember the name of that.
Steve
HelpSystems bought it.
John Strand
Yeah, yeah. HelpSystems. They're not like, these are, these have got to be cracked licenses.
Corey
Right.
John Strand
It's not like they're making it. And I saw one article. It wasn't an article. It was a comment in an article, which I should never read the damn comments ever. Cobalt Strike's just raking in the money for this. I'm like, I don't think so.
Steve
No, not so much. There was actually a released version on GitHub a few weeks ago, and that kind of caused quite a stir because it was up there for quite a while for people to download the cracked version.
John Strand
Do you remember when Mudge, I think it was at DerbyCon, literally went through how to bypass his DRM? He's like, so here's how it completely shuts down the licensing for my tool. Any questions? It was just like.
Ralph
And the last ransomware to cap it off, Gigabyte did get ransomware.
John Strand
Oh my gosh.
Corey
Gigabyte got bitten.
John Strand
They got.
Ralph
They got bit. They got mega bited.
Corey
Their ransom was.
Steve
I want ten 3080 Tis.
Corey
Gigs. They need to pump up those numbers. Those are rookie numbers, right?
Ralph
Yeah.
Corey
Only 112 gigs, dude.
Ralph
Yeah.
Corey
I bet it's email. I bet it's just exchange or something. Like, I don't. I doubt they actually got anywhere. I mean, I don't know.
Ralph
I know for a fact John has more space than that in his email inbox right now. So that there's.
John Strand
You'd be surprised. You'd be very surprised.
Yeah.
Corey
So they.
Ralph
They got ransomware. And I guess the ransomware gang, whichever one it is this week or whatever new name they call themselves, they're holding some of this data ransom. And not only that, but they're also threatening to release some new sensitive data on AMD and other partners that Gigabyte has.
John Strand
Let's think about how bad this could be. Like, okay, they got ransomware. Okay, fine. What about code signing certificates? This is the best possible scenario for Gigabyte getting hacked, right? Like, they get hacked and immediately the attackers are like, we got you, pay us. The worst possible scenario is they get hacked and the attackers start pulling code signing certificates out of that environment. And I'm, like, watching this.
Ralph
What about modifying BIOS.
Corey
Firmware?
John Strand
I would like to think that if they did that, they'd be like, well, after SolarWinds, probably not going to go that route, because they're probably going to immediately start checking BIOS code and making sure that there's no backdoors in it, which I'm hoping that they would do anyway. But yeah, the code signing cert for me is the gift that just keeps on giving. If you go back to Duqu, the malware that was out a number of years ago, that's its goal in life. You go back to Stuxnet, Realtek and JMicron were two vendors that code signing certificates were stolen from and were used to actually sign the malware as it was put into the Siemens PLC controlling systems. And you damn well know that Gigabyte has code signing certificates that are literally accepted by freaking everybody and their uncle. Like, no questions asked. Just run.
Corey
Yeah, I mean, it also, you got to wonder, are they going to discover the nation-state actors that were already in there during the ransomware?
The breach, similar actors got in. You know, there's nation states hanging out.
Ralph
Oh yeah, dude.
John Strand
NSA backdoor request form is like, they got that email. It's like, oh, God damn it.
Corey
Oh man, how many countries we're gonna have to boot out all these?
John Strand
Seriously, when.
Ralph
When you hear about a company getting ransomware, that's pretty much like saying, you know, the farm league baseball team, they beat you. Right? This isn't the MLB that came in. Right. This is like the farm league. They're using, you know, pretty much the basics, right?
Corey
Yeah, there's no bad.
John Strand
The training manual tells people how to use YouTube videos to learn how to use Metasploit. Right. We just literally got done talking about this. It's like Hacking 101 with Next Gen Hacker 101. Oh man. And that might be another thing. The ransomware people will be like, while we were in, we realized that the Russians, the Israelis, the United States, the Chinese, you know, it was actually almost the UN. But Liechtenstein, Liechtenstein was in here. Come on, now.
Corey
They don't even have.
They can't get a license for Cobalt Strike.
John Strand
I feel like we were last at a party here. Like, do they know about me?
Corey
He's like, he's a nation state. Because he asked if he could be. They're like, yeah, sure, dude. You're the hacker.
John Strand
Some people in America. Is that next to Canada? I don't know. Where's Liechtenstein? I don't know.
Oh, God. All right, we need to wrap. Yeah, let's wrap it up.
Ralph
Let's wrap it up.
John Strand
Hey, thank you so much, everybody. Ryan, take us out.
This episode of "Talkin' Bout [Infosec] News," hosted by John Strand and the Black Hills Information Security (BHIS) crew, dives into hot-button security news and industry stories of the week. The team's friendly banter and in-depth expertise come together as they break down the Apple photo scanning controversy, ICS security nightmares (with a focus on train ticketing hacks), Microsoft's Patch Tuesday, and leaked ransomware manuals. The team also weighs in on the fallout from the Iowa courthouse pen test and Gigabyte's ransomware attack, with a healthy dose of skepticism, technical insight, and dark humor.
Lighthearted musical segment parodying ransomware's place in the security landscape.
Lyrics satirize the pervasiveness of ransomware, the mechanics of encryption, and society’s growing reliance on faulty systems.
“You can make a fortune in ransomware...” – Bo Burnham ([00:15])
On Apple’s slippery slope:
“It always starts with good intentions, right? Something, something, road to hell...” – John Strand ([10:43])
On ICS’s outdated culture:
“They’re worried about safety to an extent, but realistically, they've been drilled in so long that the process has to keep going no matter what.” – Ashley ([25:15])
On ransomware threat sophistication:
“They’re using AnyDesk, which is just some remote access tool that regular companies use... Nation state, dude. Legit.” – Ralph and Corey ([48:43–49:11])
The hosts mix cynicism, technical insight, and joking camaraderie. They shoot straight, often using gallows humor to underline the seriousness of security incidents, while stressing “big picture” systemic issues rather than getting bogged down with the surface-level technical details.
This episode paints a vivid picture of InfoSec’s dilemmas: well-intended policies turning intrusive, legacy infrastructure exposed by modern connectivity, and the daily churn of patching and vulnerability management. The team highlights the persistent gaps between technology, policy, and human behavior—urging listeners to look past headlines, questioning root causes, and to keep sharing and improving through an open, sometimes chaotic, community.