It’s finally here, the annual BlackHat and DefCon29 events are back again in Las Vegas, Nevada. What are these events? Evan & Brad unravel everything you need to know about BlackHat 2021 and DefCon 29 in this week’s UNSECURITY episode.
Protect Your Organization from Cybersecurity Threats
SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.
Podcast Transcription:
[00:00:20] Evan Francen: Okay. Welcome Listeners. This is the unsecurity podcast. Episode 142. That’s 42. More than 100 like 58. Less than 200. It’s a lot of podcasts. But that’s uh, that’s the number today. We’re in the middle of not in the middle sort of failure in the middle of this all this black hat defcon goody stuff happening in Vegas. We’ll talk a little bit about that. But before we do that, you know, Brad Nigh. He’s here, how you doing Brad?
[00:00:56] Brad Nigh: I’m doing well.
[00:00:59] Evan Francen: Yeah, telling you man. Good fun.
[00:01:06] Brad Nigh: We’ve had some, you know, some stuff going on with work is being, you know, it’s crazy. It’s good. It’s very busy. So that’s what you want.
[00:01:18] Evan Francen: Yeah, yeah. Yeah. There’s, there’s a good busy and they’re not so good busy, you know what I mean?
[00:01:25] Brad Nigh: Nothing good busy. Yeah.
[00:01:28] Evan Francen: Well, one of the things we talked about earlier this weekend and we won’t get into it here on the podcast is using resources I think too. Um, most appropriately, you know what I mean? Yeah. Well we all struggle with that uh, in management when you’ve got really high end resources and they’re using them maybe on tasks that they’re not best built for. So you’re kind of over engineering that and then you also go the other way, sometimes we’ve got, you know, people that just aren’t capable of doing some of the things that we asked them to do and that’s always a challenge trying to figure that stuff out and made to those waters. But you know, that happens all the time.
[00:02:12] Brad Nigh: Yeah. Well, you know, I will say that, you know, one of the nice things with my role is, you know, there when they said, hey, we’re gonna take away your HR responsibilities, but you get to keep all the security responsibilities and manage the programs. Oh yeah, Okay.
[00:02:29] Evan Francen: Right. Yeah. Well it’s always a double edged sword because you never know how one how people are communicating map, you know, like where they’re coming from, you know, because like we did that with Kevin Kevin’s, I wouldn’t have a listener so he’s going to hear this and probably getting a crap about it. But uh, we took that away from Kevin, not because we thought it was, I mean, after the same reason it happened with you for him because he sucks at managing people, I think, You know what I
[00:02:59] Brad Nigh: mean? Hi Kevin love you.
[00:03:06] Evan Francen: Right? Well, he knows, I mean, it’s not like it’s, he’s a fantastic ally is great to have on the team. I can’t imagine doing the stuff I do and us doing stuff we do without him because he does that stuff in the back end. People don’t really realize that he does. And then when you do hear him, when you guys popped his head up, you know, it’s like, oh shit, what is it now? You know
[00:03:33] Brad Nigh: you mean no go karts,
[00:03:34] Evan Francen: kevin? I know, right? Well, I would tell you about the, you know, there’s all these conversations that happen to have the scenes that I don’t think people, uh, you know, like there’s executive conversations that happen that people don’t know. And if you did, you’d be like, are you kidding me? Because that’s how I feel. You know, I get an email from Kevin and like, really? I mean, I got 10,000 things on my list. This isn’t even close to one of them. Uh, but you still gotta deal with it. Right?
[00:04:09] Brad Nigh: That’s funny.
[00:04:11] Evan Francen: Yeah. You gotta be careful for people that want to be executives and we’ve said this before for people that want to be Csos be careful what you’re asking for. Yeah, you might, you might just get it when you be like, oh, wish really? But I honestly, at the end of the day, man, I’m really grateful. I’m grateful to be, you can take a step back and look at things and you can be grateful content. You know, I mean, it’s just, I’ve been blessed. You’ve been blessed, We’ve been blessed with a lot of really good things and I think the blessings are only the beginning. There’s a lot of good stuff, a lot of good work left to do, man,
[00:04:50] Brad Nigh: uh you know, I was having a conversation with one of our newer, so uh what’s Today Tuesday? It was and she was like, we were talking about the job and she was, you know, there was an issue with one of us can from last year this year and I took care of it and we’re just talking, you know, she was on vacation. So it was like just to catch up and I just appreciate it. It’s amazing how, you know, everybody here supports each other and it doesn’t matter who you are. It was really awesome to hear because I think make good concerted effort to keep that as part of it. You know, it is who we are as an organization and it is top to bottom. So it’s always awesome to hear that, you know, new people are they recognize that they under that that is coming across, it’s still there, you know, it makes a huge difference.
[00:05:56] Evan Francen: Oh, man, totally. Well, today is dr smith and like we mentioned, kind of at the beginning of the show, you know, it uh today is the last day of black and so it’s thursday for people who have never been to black cat, you should go once. Uh I’ve been enough, I’ve been there enough times. I just have no interest in going anymore.
[00:06:20] Brad Nigh: You know, the problem is it’s gotten so marketing.
[00:06:24] Evan Francen: Oh my gosh, man, so
[00:06:27] Brad Nigh: copyright that, that market e
[00:06:30] Evan Francen: You’re right, man. I mean for people who have been, who are there, you know, in the earlier years, I mean, I don’t know how many numbers this is now. It’s gonna be 20 nine, Actually, 24 from black at its 20,
[00:06:45] Brad Nigh: 29.
[00:06:47] Evan Francen: But you know, the first black head I went to is nothing like the black hats today and teachers. All right. I’m not, I don’t want to be overly negative, but to me, black out is just too commercial, too, uh, too much foam. Oh, too much. Like, oh my God, you know, don’t miss out on this. Don’t miss out on that. And it’s like, you’re not missing out on crap because you still haven’t figured out the fundamental, so go back and work
[00:07:18] Brad Nigh: Well for us. It does. I will say. I think it still has its place. Yes, for sure. It’s not, Yeah, I’m not the target audience,
[00:07:31] Evan Francen: right? Well, the fact that it’s in Vegas for one, you know, it’s, that’s cool. You know, Vegas is cool for some people, but the, the fact that in Vegas, the fact that it’s become so commercialized, uh, the talks, you know, are nowhere near like the, what they used to be, the talks used to be much more. Um, I think it didn’t seem like there was a motive. I wish it
[00:07:59] Brad Nigh: went from like, hey, here’s what we, here’s what we’re finding here is what we’re doing to, hey, here’s why you should buy our product
[00:08:07] Evan Francen: pretty much. Yeah. So if people don’t know black at, uh, you know, this year was, you know, three days or four days of my saturday, sunday, monday, four days of training. So they call that the Black Hat trainings, which are the couple that I’ve been to in the past have been amazing. Some of the best training in the world happens. Blackout expensive as hell. But good training the, and then it’s two days of briefings. So Wednesday yesterday was the first day of the briefings and then, uh, today to wrap it up.
[00:08:43] Brad Nigh: Yeah. And to be clear yesterday today that we’re talking about, like you said, the training portion is very different.
[00:08:51] Evan Francen: Yeah, totally. So nothing. I mean there wasn’t really any breaking news yesterday. That was like, oh my God, that’s insane. Usually there’s a little bit of that, you know, but I haven’t, I haven’t seen anything that was like earth shattering, more of the
[00:09:08] Brad Nigh: same print nightmare supposed to be released during black hat and it got, yeah, so there you
[00:09:17] Evan Francen: go. Well, that’s one of things that’s frustrated me too, is, you know, people want to wait to disclose something at black hat when, why, why? No reason why you’d be waiting to disclose it and black at would be for the notoriety,
[00:09:35] Brad Nigh: Maybe 100%.
[00:09:37] Evan Francen: Yeah, so that’s a pretty selfish reason to be holding back, you know something. Um but it is what it is the sponsors, you know, they don’t know what they pay for sponsorship nowadays but holy ghost, I look at some of the sponsors and I’m like uh adam money, I’m gonna say something I shouldn’t so let’s move on man, Black black hat today ends and then we go to defcon death camp starts tomorrow. Death friends, you know if you again if you’ve never been it’s worth it’s worth a go. If I were to go to either one black hat and def con if I had if I could only go to one I would definitely go to def com.
[00:10:23] Brad Nigh: Absolutely
[00:10:25] Evan Francen: it’s more it’s more of the agriculture, it can kind of get yourself immersed into, you know what all these weird geeky people do.
[00:10:32] Brad Nigh: Oh yeah you can go on the, there’s got like the itinerary and some of the things it’s like wow.
[00:10:41] Evan Francen: Yeah
[00:10:42] Brad Nigh: and there’s like the various centric ones too, they have like a Tinfoil hat competition like they’ll give you 10 for you have to make the hat and they are gonna judge and declare a winner. It’s so funny.
[00:10:56] Evan Francen: Yeah, I think it’s a lot of it’s funny and it’s a lot of fun. I think one of the things that sometimes people do if you’re not in that culture is you may think that oh my God you may come away either being scared shitless or think oh you can do this Well then this must be happening everywhere kind of thing. No, this is a lot of one off kind of like stuff you probably will never encounter in your own business, but pretty damn cool stuff.
[00:11:29] Brad Nigh: Well, you know, it’s, I was talking with a couple of the uh my VC so clients and telling him like, hey, by the way, I’m gonna be Uh huh dan for out of pocket for the capture the flag and you know it for that for us to an incident response for the pen testers doing the red teaming stuff. It’s valuable experience.
[00:11:53] Evan Francen: Yeah, for
[00:11:55] Brad Nigh: Mhm. The people I’m working with your like that would be cool. I’ll never use it. Right? Yeah, it’s interesting to, you know. Yeah, that’s fun to do, but it’s a fairly narrow skill set or you know, that can well use it in any sort of regular wave,
[00:12:19] Evan Francen: Yep 1st. Sure, so def con 29 kicks off today, it will run through the safe. Sunday thursday sunday yeah, I can’t do the numbers, right? So it kicks off today. Today’s thursday the fifth. It will end on sunday the egg. That’s when they’ll do all their awards and give out the black badges and all that good stuff. We have a team. So you’re doing your own and we’ll talk about that, you’re doing your own like you’re going solo on the CTF to just see what the hell you can do.
[00:12:52] Brad Nigh: Uh
[00:12:53] Evan Francen: we have a team out there too. We have we have actually a team at black hat and at def con but the team is, how many, how many cts are they doing this year? Do you know?
[00:13:04] Brad Nigh: So officially we’re not disclosing what we’re doing. Well the problem is a lot of times you’ll start on some of these and be like, you know what, this is stupid and so you know, because marketing was asking like, hey, can we know because yeah, there’s a couple we’re gonna do, but what if we choker decide like, you know, a couple hours in like this is ridiculous, we’re not doing this. And so you know, so usually I’ll say this, how about this last year? Uh I know the red team did okay and they focused on one saying this is a blue team and then kind of work together on a couple like the bio hacking village and um So one other one, I
[00:13:57] Evan Francen: can’t remember the medical
[00:13:58] Brad Nigh: one. Yeah, that was bio hacking.
[00:14:00] Evan Francen: Oh yeah, yeah. What shoot, what was it was? I know an Iot
[00:14:07] Brad Nigh: yeah, it was something I don’t remember what it was, you know, so usually, but usually you don’t work, you know, the the open sock one this year is like I think it’s like noon to eight on Friday and then central and then the finals are on saturday, so there’s gonna be time to work on other stuff or you know, as you’re doing it. So it’s you know, never really just one thing you’re doing kind of doing a bunch of stuff. Yeah,
[00:14:40] Evan Francen: Yeah. The team last year, I think it was in four CTS, right?
[00:14:43] Brad Nigh: I’m like, yeah, that sounds about right.
[00:14:46] Evan Francen: I think the team
[00:14:47] Brad Nigh: final than all of them uh with I think so the command and control was I think second maybe okay, um Open sock, which last year was the first time we have done As a team and we had a bunch of relatively new people, we finished, I want to say 9th, It was like 10 minutes after the first place finisher. So are off and then we did like, we’re top 15 for the bio hacking which was a like literally like when we had time. Yeah, it wasn’t even a full time. Yeah, and I don’t remember what the other one was, but it was top 20 for sure.
[00:15:29] Evan Francen: Yeah, that’s cool. I’m excited to hear the updates from you and Oscar as you know, as things go on. I I actually stay out of the way until uh Yeah, I mean Oscar will paying me, I’m sure on sunday monday and you will, you know, hopefully you and I you and I are always kind of, you know discussing things. So
[00:15:52] Brad Nigh: it yeah, it’s fun. I’m interested because last year I was was part of the blue team piece because we’re still training up a bunch of people now and those guys have just come light years so we’re going to let them, I think Oscar is going to let them just how to do their thing. So you, how did you know? Yeah, so
[00:16:14] Evan Francen: goodbye. That’s so cool. When you talk about baby Bird, I mean true that blue team is, You know, I would say top 10 in the world and people don’t realize that because they’re in the back end and you never see them, you never really see what they’re doing, but their damn damn good man,
[00:16:38] Brad Nigh: We’ll see how they do this year. But I mean yeah, yeah, finish their last year. I mean realistically this is kind of the best way to the only real way to judge how some of these going and it’s an even playing field because you’re not using any of these customized tools or anything like that. You give you, hey, here’s, here’s the tools go. So it’s a and the
[00:17:08] Evan Francen: that’s cool man. Well I think and after maybe next week or the week after we’ll have you Oscar me, maybe pinky join us. You know, we can talk about how things went.
[00:17:21] Brad Nigh: Maybe eric just have a big party.
[00:17:23] Evan Francen: Yeah, right, because I’m excited to hear, I love, I’m like that, I’m like the dad, you know who watches his kids go out and play on the field. Holy crap, they’re so good.
[00:17:36] Brad Nigh: Oh yeah, yeah, those guys are well, we know are are renting is amazing, you know, they just, do you grow big blue is so new. Like if you think back two years ago it was like me and Oscar and we just hired
[00:17:57] Evan Francen: that I was doing crap then.
[00:17:59] Brad Nigh: Yeah, tom just two years. He was the first one. I think so. I mean, yeah, from where we were to where they’re at this guy’s man. Nothing but yeah, these for them.
[00:18:13] Evan Francen: Yeah, yeah, that’s cool man. So all right, so that’s kind of where we’re at their, I think next week we’ll have an update on, you know how things went down, you know, def con more so than black hat. I mean if you want to know what’s going on in black cat, just check the news because black, that’s a place where all the marketers are going to be spewing all this stuff, you know, that came from black hat. So it won’t be hard to find really good information on black It. I think it’s important, you know, at def con to see some of the inside stuff that happens. Our team, our team, is there not as tourists. I mean our teams are active participants that actually worked their ass off. Some of them like hardly even sleep for the entire, you know, 34 days
[00:18:59] Brad Nigh: here. It was The same thing. I started like noon on Friday. I think I went to sleep at three a.m. And was back up at eight and went so I don’t even, I don’t Yeah
[00:19:16] Evan Francen: crazy.
[00:19:16] Brad Nigh: Well into the night. Yeah. And then sunday as well I think. Gosh, we’d have to go back and work. It was like 6 40 hours over that three day window.
[00:19:32] Evan Francen: Yeah, that’s cool. All right, well let’s uh stay tuned for some updates there. Uh Other things going on around here. I’m doing a lot of work with states and local governments trying to crack that nut. That’s easier said than done. Uh I don’t know your you’ve been working here all over the place. You’re
[00:19:52] Brad Nigh: I mean my big focus is what we call program management. So taking we’ve got so much good information, but it’s all decentralized. So, you know, people don’t maybe just working to make it Standard, right? Just one voice. You know, everybody knows. Okay. I have a question about in response. Here’s where I go to find it from sales and marketing side. Or where the expectations for uh our case managers or the, you know, project manager, what are they expected to do? And where do I go to find that information? So it’s fun. It’s a lot of work.
[00:20:34] Evan Francen: But yeah, and you’re all over the place. It’s like herding cats.
[00:20:40] Brad Nigh: Yeah, it’s basically, I mean every single Mhm. Group, you know, outside of like some of the back end stuff. Yeah. Ignoring finance are about the only ones that I’m not working.
[00:20:57] Evan Francen: That’s cool man. I appreciate I appreciate all the good work. It uh it’s a big deal, otherwise you get chaos.
[00:21:07] Brad Nigh: You know, it’s fun. It’s good to do too. It’s a good sanity check for us as an organization because you do find I did I R last quarter and we, we found some like we’re like, oh wait we’ve updated that. We need to fix that in the statement of work to make sure that it reflects the current status because I mean, let’s be honest, we’re as fast as we’re moving. It’s very easy to miss and it was, yeah. Oh yeah, no, we should change that language is, it’s not how we refer to it anymore. Yeah
[00:21:46] Evan Francen: yeah accurate, very cool. Well I have three news pieces today. Nothing, it sort of has seemed a little quieter out in the world. Yeah. Uh huh. That’s not uncommon either around this time of year. Um, All right. So first one is from bleeping computer, it’s locked bit ransomware recruiting insiders to breach corporate networks. Not the first time we’ve heard of criminal gangs using insider, so trying to find somebody on the inside who is maybe money motivated, maybe hard up on cash. They were going through a divorce, whatever. I mean there is, there is a, there is a profile of the ideal person to approach and how to essentially convince them to help you. There is a profile that Attackers used to do that and it’s all those things that people are going through life changes because if you think about it as a human being, I may not have a criminal record. So if you do the background check, you won’t see the fact that there’s nothing right because I wasn’t motivated to, but now with Covid and I’m going through some mental issues going through a divorce, my wife is gonna want a bunch of money that the lawyers are going to cost a whole bunch. Yeah.
[00:23:10] Brad Nigh: Yeah, there’s, it’s, well, you know, it’s funny when I saw this, I was like, I had to look at the date. I was like, did he send one from like did he look at the date wrong? No, that’s okay. That’s yeah, interesting. Yeah. Like you said it is not, it’s common, sadly
[00:23:29] Evan Francen: it is. Um, and and there is the ideal person. I mean they have automated this, they’ve gotten so good at this. It used to be almost spray and pray. Right? You just make all bunch of phone calls, how much of emails, who’s gonna respond. Okay? There we go. I got somebody on the hook, they still do a little bit of that. But the really good ones, they will, they will create a profile or they have a profile of who the ideal target is when they will use search engines and you know their own ascent to identify who those people are and then keep it quiet because if I do this frame pray method, you might be tipping off somebody else.
[00:24:06] Brad Nigh: Yeah. Well you know, it’s funny because in that article at the very very last sentences in august 2020 the FBI arrested in Russian national for attempting to recruit Tesla employee. So I was like, okay, I read that. It’s like, all right, okay. That’s why it felt like wait, didn’t we? Uh huh.
[00:24:26] Evan Francen: You are always people are always the best, you know, right? The best method of getting what you want so locked at 2.0, they promised millions of dollars to insider. So you come help us. You know, we will pay you through the nose. Uh, it’s locked it, you know, two dot org is a ransom as a service for people who don’t know what that is, essentially. It’s you know, we want, you know, here’s here’s what the email says. I’ll quote it. Would you like to earn millions of dollars? You know, if I’m hard up on money man and you know, you might have piqued my interest something I you know when I sit here in my normal frame of mind, when I sit here and I’m not, I’m not going through life events that require me, you know that that doesn’t pique my interest. But if you can put your put the shoes on of somebody who is, they’re desperate, they’re down on their luck there like things that they normally wouldn’t do. They do. Yeah. And if you talk about, you know, a company with 1000 employees, couple 1000 employees, you’ll find somebody who’s going through some desperate times and they haven’t told anybody either. That’s nothing at work, you know, with the culture of some organizations the way they work, you’ll never know the person who’s going through this desperate hard time, especially at home now and now we’re working at home.
[00:25:49] Brad Nigh: Yeah. Yeah. I saw it just kind of a little bit of a non sequitur bit. I saw comic like, yeah, it was like why don’t men talk about things? And it was like inside the box, I’m going through some stuff comes out was like, hey, I need some help and gets the stomach punch and then goes back in and like, nope, never doing that again. And I mean, unfortunately that is far too common.
[00:26:14] Evan Francen: Oh yeah, my son, you know, who’s a police officer in Lenexa Kansas, you know with all the things going on in law enforcement and he’s a good cop man, he’s out there to serve. I know him deeply, you know, I mean just I know he’s a good kid and uh so I was talking about, you know, what kind of support do they have for you guys in terms of mental health, you know, I mean it’s got to be hard, you know? And he’s like, well there’s a, you know, we do have a mental health, you know, doctor and everything. I’m like, have you gone to see them? He’s like, no, like why not? Is nobody goes to see them that goes on your record.
[00:26:52] Brad Nigh: Yeah, I mean how does that help?
[00:26:57] Evan Francen: Doesn’t but I know that I was talking to somebody last week. I think he was a former state patrol person but he has a lot of inside information on just different police departments and the procedures they are changing that. So there is a wave of like encouraging officers to get mental health and not holding it against them right almost in giving them awards for doing it right for stepping out
[00:27:25] Brad Nigh: definitely that like sigma Yeah, getting help. Does not mean you’re weak. Doesn’t either. Something wrong. Everybody needs it at some point.
[00:27:35] Evan Francen: 100% man. I mean show me the person who can get through this life without any help from somebody else that doesn’t exist. All right. So anyway, would you like to earn millions of dollars are company acquired good english. Yeah. Our company acquire access to networks of various companies as well as insider information that can help you steal the most valuable data of any company. We can provide us you can provide us accounting data for the access to any company. For example log in and password to rdP VPN corporate email et cetera. Are open our letter at your email launch the provided virus on any computer in your company companies pay for the for us companies pay us the foreclosure for the decryption of files and prevention of data leak. You can communicate with us through the tor messenger https slash slash talks to chat slash download dot html using talks messenger. You will never know, we will never know your real name. It means your privacy is guaranteed if you want to contact us news tour I. D. And then whatever you can trust us, your privacy is safe with us Attackers who are trying to convince you to steal millions of dollars from your company.
[00:28:58] Brad Nigh: Oh and by the way, open our letter at your email that we don’t know who you are.
[00:29:04] Evan Francen: Yeah. Yeah. Yeah just funny. Uh but it works obviously if it didn’t work then they wouldn’t do it.
[00:29:12] Brad Nigh: Which yeah it’s sad unfortunate.
[00:29:17] Evan Francen: Yeah so I think you know one of the things that as the sea so right, understanding that information security is more about people than it is about information or security keeping focused on that if you try to create an environment where people feel safe coming to you, you know they’re not going to feel judged letting you know about these things. Uh Yeah so it’s not just technology you’re not you’re not gonna stop you know these types of attacks with technology because the Attackers just finding a way around your technology.
[00:29:54] Brad Nigh: I mean how many, how long have you been saying? I’d rather go through the receptionist than your firewall. I mean
[00:30:02] Evan Francen: it’s the same man,
[00:30:04] Brad Nigh: well you look at the incidents outside of like these the last couple big like the solar winds and half the um and say where there is a major technical flaw. I would say 90 plus percent, maybe 95 plus r you know, somebody clicking something or doing something. They shouldn’t, it’s, they’re targeting people. It’s and I don’t blame
[00:30:30] Evan Francen: Yes. Right. They’re
[00:30:32] Brad Nigh: not trained and they don’t understand it. Okay.
[00:30:36] Evan Francen: And let’s either that or it’s the fundamental stuff like, oh, I didn’t even know we had that system. I didn’t know we had already p opened the internet. I didn’t know we had single factor authentication on our email.
[00:30:48] Brad Nigh: All that is open unencrypted to the internet.
[00:30:51] Evan Francen: Right? I mean it’s like those two things, Right? The people thing and the basics thing. All the other blinky light things are all just just, you know, so much distraction. Uh Yeah, but we’ll keep preaching that man. So speaking of solar wind, you mentioned solo against uh they made a motion to dismiss yesterday. I believe. Uh this is from the register. So the, the title of the article is solar winds urges us judge to toss out crap inco sex symbol. We got coned by actual Russia. Give us a break. Company says it didn’t skimp on security before everything went wrong thing. We’re gonna have two sides of this, aren’t you? Who?
[00:31:42] Brad Nigh: Yeah, I don’t man,
[00:31:46] Evan Francen: Well here’s the thing, you know, a flaw regardless of whether you should have seen it or not a flow and there are accidents too and there’s going to be interesting to see how all this gets argued out. But if your stuff purposely are an accident causes me harm. At what point do you like hold you accountable for the harm that you’ve caused me?
[00:32:17] Brad Nigh: Yeah, it’ll be, it’ll be interesting to see how this plays out because I mean mhm I’m not, I can see both sides. I don’t know. I’m not sure where to focus. Like how do you fault them for a nation state attack? We know that, that you can’t stop. Those are going to happen. We know that. But yeah, at the same time, like how do you recover as a client if you’ve been impacted And so this is, I don’t, I honestly don’t know. I think in the suit it sucks
[00:32:57] Evan Francen: just All right, well it’s important to stay. Yes. You know, keep one of the things that, that it seems like people do is they have a short memory span. So the solar winds thing happened and oh yeah, I remember something about that, you know, years down the road. Mhm. What I encourage people to do is things like this things that are impactful like solar winds continue to watch the story unfold. It’s not the end yet there’s a lot more to this, the because there’s also a case to be made that yes, this was a nation state attack, but solar winds, this was like your golden gold gold bucket of gold. This is your thing and they could have had you had it been, you know, done. They could have prevented it. Not now, I mean not them, but now,
[00:33:51] Brad Nigh: you know. Yeah. Well, and I mean it’s, this is what makes it so hard and why were, you know, being a C. So it’s, it’s kind of a, you know, sometimes it’s like a losing proposition. This was a never before seen attack. Right? So yes, could you have caught it? Absolutely. But would you have been, you never would have been looking for it right. It could have been caught if you had had stuff in the right place, but it doesn’t mean, Yeah, yeah, it’s, yeah, I want to go with everything sucks about this.
[00:34:32] Evan Francen: Well, so, and so this is the shareholders aggrieved shareholders. So this is not unlike the target breach, you know, special litigation committee stuff that I was on. I’ll read more about it. Um, but correct Yes. It will be interesting because here’s the thing that happens over and over and over again. So, you know, as a matter of Damage is done or accountability, solar winds their share price crashed, you know, from $24.93 to $14.95 shortly after the attack. Now it’s rebounded back to over $22, a share. So materially intolerance, you know, are, you know, the value of the company or whatever didn’t really change
[00:35:27] Brad Nigh: well And you know what’s interesting is have we seen anything or heard anything towards Microsoft because they’ve had a string of really like half the on the print nightmare. You have a pet a podium, the NTL n relay attack. I mean those are as bad or worse.
[00:35:47] Evan Francen: That’s the crappy thing about all this is, you know, this big powerful tech companies, nobody can really hold them accountable. So you’re like, yeah, whatever you don’t like it. You know, I stopped using windows. I can’t, everybody uses freaking windows,
[00:36:06] Brad Nigh: right? And we already know people are struggling with that. Can you imagine throwing? I mean, there are some very user friendly versions, you know, a boon to it. It’s probably the most well known. Right?
[00:36:22] Evan Francen: I mean you personally can go to something else, but if you’re
[00:36:27] Brad Nigh: an organization, Oh my gosh, that gives me like cold sweats. Thinking about it from the night. He perspective trying to deal with that.
[00:36:36] Evan Francen: Right? And so even if you went to go to Lenox or some other form, yes, I’m secure operating system. You still have to interact at some point with windows because anybody that you’re talking to. I mean there’s going to be a document, you need to open up, you know, something
[00:36:54] Brad Nigh: companies that work all on apple devices still have to do it. We’ve seen those, right? Doesn’t matter. You still have to interface at some point.
[00:37:06] Evan Francen: Yeah. So you know, I’m torn man because uh, I’m, I’m of the belief that I’ll just take my neighbor, right. If my neighbor created something I bought it and it hurt me or hurt my family. You know, there needs to be some reckoning, right? Rather than having my neighbor continued to sell that same thing to my other neighbors and it just caused me a bunch of harm. Should I step in and say, hey, uh, produced you just told me this thing and it just like burn my house down,
[00:37:42] Brad Nigh: make changes or he’s still saying that selling the same exact thing. Yeah.
[00:37:47] Evan Francen: And maybe you should pay for my house.
[00:37:50] Brad Nigh: You know what I mean? And that’s, that’s where it gets so tricky because uh, you know, do you, is there intent? Right? Or was it? And I mean we all know people make accidents, There’s bugs. There’s a, there’s a reason it’s there,
[00:38:08] Evan Francen: right. You know, I’m excited to see what the end of this is because there is, mm, we have swung for the longest time. We have swung way too far to the enable people to do reckless things and not hold them accountable for it and we’re all suffering. So the pendulum needs to swing back to, you know what? We are going to hold you accountable if you don’t do these things, these 5 10, basically whatever you need to start, if you’re not going to do these things, you are going to be held accountable and up until including, you know, jail time or something because people shouldn’t have to suffer anymore for things that we should be able to fix as an industry.
[00:38:51] Brad Nigh: Yeah, yeah, yeah. It’s gonna be tough because nobody’s gonna do anything unless you can prove negligence and that’s what is better. And they’re gonna, are you? Well, how do you? Yeah,
[00:39:07] Evan Francen: well, even the negligence piece, right? I mean, it’s a negligee, is it? Well, negligence is such a, you know, it’s the preponderance of evidence, right? It’s, you know, which way does the scale lean and uh is it reckless to not have an asset inventory?
[00:39:27] Brad Nigh: I uh Yeah, I would say so, but that doesn’t mean right right now, it’s tough.
[00:39:40] Evan Francen: Yes, Well, I sort of sometimes I sort of wish I was, I’d love to be in some of those conversations, be like, seriously, are you kidding
[00:39:50] Brad Nigh: me? Well, that’s why you would never be a lawyer because
[00:39:54] Evan Francen: I’d say that exactly get disbarred. Well, I started I’ve got and then we can go about our day because you know, I’m guessing everybody’s got a bunch of work to do. Uh Silicon angle, this is an article, it’s a bipartisan Senate report finds federal agencies continue to suffer cyber security shortcomings when I read this. I was like, no,
[00:40:16] Brad Nigh: what?
[00:40:18] Evan Francen: The federal government can’t secure their shit, I can’t believe it, you gotta be nuts. That’s true. Uh But here’s the thing, the report was released. What? Not that long ago, but it’s a follow up to an investigation and report that was done two years ago And it only includes eight federal agencies. I don’t know if you know how many federal agencies are. I don’t even know. I have no idea. I know the state of Minnesota has 87 to state agencies. I can only imagine how
[00:40:49] Brad Nigh: many. Well my question how many? Well the ones that were there? Those are pretty big. So I would assume that there’s a lot of agencies that fall under the purview of those major ones.
[00:41:03] Evan Francen: So of the eight only the Department of Homeland Security had managed to employ an effective cybersecurity regime in that time was a regime. It’s like I don’t like that word at all. I’ve never built a cybersecurity regime before built a program but not a not a regime. Uh The other seven agencies were found to still be lacking those agencies. Department of State. Yeah. Uh Department of Transportation, Housing and Urban Development, Agriculture, Health and Human Services. boy finally we haven’t had a law that we wrote in 1996 for that Education and Social Security Administration. So they’re all blacking now. I don’t know. I haven’t read this entire article so I don’t know all of the details. I will be reading it because I think it’s interesting.
[00:42:04] Brad Nigh: Yeah it was not good. The one thing I don’t like is on this article from some silicon angle is. Yeah. The chief research officer identity platform provider of iridium.
[00:42:18] Evan Francen: Right.
[00:42:19] Brad Nigh: Cannon should adopt password authentication. Gosh, guess what his company sells.
[00:42:26] Evan Francen: I yeah that stuff hit if this is me off so much because it’s like that’s the password less authentication is like that’s a little bit down the road brother. I mean what about roles and responsibilities? What about asset management? What about what the hell do you know?
[00:42:44] Brad Nigh: Well if you look at one of them shoot I just closed accidentally uh pull back up. It was the wrong window. Uh huh. Or is it Department of Transportation found 14,935 I. T. Assets belonging to the department of which there was no record. How the hell are you gonna do password list if you have 15,000 devices you didn’t know about?
[00:43:12] Evan Francen: I know. Well that’s right. You remember biden’s executive order right talking you know town and zero trust. Zero trust. Zero trust. Okay. You better understand what these 14,935 IT assets are you better put a system in place or a program in place to make sure that that doesn’t happen anymore or it happens a lot less often. Okay that’s a lot of I. T. Assets they’re like which one do I want to attack?
[00:43:39] Brad Nigh: Yeah
[00:43:40] Evan Francen: because if you don’t if there’s no record of that that probably means it’s not some of those are not in your patch cycles. Some of those are not
[00:43:51] Brad Nigh: if you don’t know about you, Do you have any sort of patch management, you would have known about them. So I’m guessing those are do they have endpoint protection? I would say no if they don’t know about them, they’re not getting patched. Yeah. Mhm.
[00:44:08] Evan Francen: Well and the reason why this continues to happen is because there’s no accountability for it. Oh yeah, it sucked two years ago. It still sucks today,
[00:44:19] Brad Nigh: let’s be honest. It’s not just the government. I mean yes, this makes a big deal but we’ve seen that in private sector where they’re like we do a scan or like what about these things and they’re like what? Okay. It’s universal now it is scary from a governmental perspective because of what they have and do and just the nature of how they operate. But
[00:44:47] Evan Francen: yeah, I love that Pimp wasn’t pip pip lasker so rajiv pin plaster from verity um says this is his, this is what was quoted as his advice right? There may be a God, I hope there was other advice along and they just picked this one but federal agencies can and should adopt password less authentication, utilizing phone as a token or Fido to security keys. Pimpin blaster added such solutions reduce the attack surface of credentials that can be exploited in a data breach making an environment impervious to such attacks further such solutions also reduce friction enabling a better user experience. Okay. Yes, that’s like step 48 yeah,
[00:45:38] Brad Nigh: yeah.
[00:45:39] Evan Francen: You know, we stopped, you know, steps 1 to 47, which are gonna take probably five years, 10 years to get to.
[00:45:46] Brad Nigh: Right? I mean, is that a bad thing to to, you know, multi factor doing this? Is that a bad thing? Absolutely not. But do when it’s approved. Yeah. How are you going to implement, you know, password, password less authentication across the board when you don’t know what you have, like? Uh
[00:46:08] Evan Francen: Okay, I hear you. I’m 100% behind. I’m not yeah, I’m just this is this is the state of the union, right? This is what our industry looks like. It’s so much pimping products, so much pimping solution so that you can make more money.
[00:46:28] Brad Nigh: Easy button.
[00:46:29] Evan Francen: Yeah. And everybody’s gonna scramble the only ones who sleep with the other ones that I think have earned the right to sleep all at night and do for those who understood did the work? Did the fundamentals enjoy your good night’s sleep? Those of you who are, you know, just buying these easy buttons and throwing this stuff in, you know, enjoy the sleep now because you’re gonna lose it later.
[00:46:56] Brad Nigh: Yeah,
[00:46:59] Evan Francen: the chicken’s do come home to roost,
[00:47:01] Brad Nigh: yep.
[00:47:04] Evan Francen: All right, so that’s that uh I got nothing else bread, getting shout outs.
[00:47:10] Brad Nigh: You know, I’m gonna give one to my wife, uh you know, just putting up with me, but also uh she’s gone through some sort of stuff as well, you know professional, but she’s uh looking like she’ll be a school nurse which is she’s so excited about and she’s gonna be amazing. So those kids will be lucky to have to and staff will be lucky to work with her.
[00:47:32] Evan Francen: Yeah. Yeah, she’s perfect for that man. Oh she’s got that, you know, calm motherly demeanor. I mean it’s awesome,
[00:47:43] Brad Nigh: nursing perspective, Nothing fazes her.
[00:47:46] Evan Francen: No, that’s cool. Well you don’t along those same lines. I’m going to give a shout out to my wife too because I asked you first, so then you’re like oh yeah I should do that because earlier this week I forgot you know uh my work as hard as we work, you know, we have to switch sometimes from work mode to personal mode and then back to work mode and personal mode, right? So we do this all day and there was a day I think it was Tuesday where I didn’t switch, so I was still in work mode and she was telling me about something and I was like so what do you want me to do about that? I was like oh I can’t believe I just said yeah shout out to her for putting up with that and giving me grace because yeah, I mean she could have kicked me right right between them. Yeah,
[00:48:43] Brad Nigh: as soon as you said that I’m like oh
[00:48:45] Evan Francen: yep, I deserved it too, but she didn’t, she showed me grace and and understood and she sets the uh huh she said to me and your wife is the same way as I’ve seen it. It uh they set the tone for how to love in the house, you know?
[00:49:04] Brad Nigh: Well, and I mean let’s be honest, they they’re the even hell dealing with article going from side to side keeping everything in track. So
[00:49:14] Evan Francen: Yeah, very true. Mhm. All right, well that’s that. Uh well, join us next week, we’ll have uh we’ll try to arrange getting some of these def con superstars yourself included brad in the show and talk about that stuff if you want to socialize with us. Don’t Well, okay, maybe I’m @EvanFrancen and Brad’s @BradNigh the companies we work FR Secure and Security Studio. You can find those @StudioSecurity if you’re on twitter folks are @FRSecure, otherwise we’re on linkedin and everywhere else you can find us.