It's nearly Thanksgiving, which means holiday shopping is already in full force. With more online shopping coupled with the fact that most of us are more distracted than ever, attackers could have a field day. It's important to know how to protect yourself and your family while holiday shopping, so Evan provides some tips for online shopping and security in episode 107 of the UNSECURITY Podcast. Check it out and submit your comments, questions, and feedback to unsecurity@protonmail.com.
Podcast Transcription:
[00:00:22] Evan Francen: Hey there, thank you for tuning in to this episode of the Unsecurity podcast. This is episode 107. The date is November 24th, 2020, and I'm your host, Evan Francen. Not joining me this morning is Mr. Brad Nigh. Brad has a few issues going on. Uh, one of the things, it's called, um, labyrinthitis. I've never heard of it before, but anyway, he's, uh, he's doing fine, healing up, but won't be joining for the podcast. So you get me all day, all night, all day. It's only like an hour, but whatever, we'll fight through it together. So, uh, lots of drama going on with Brad. On top of that, uh, this is fourth quarter, and so if you're in information security or been in information security for a while, certainly on the consulting side, uh, this is always a crazy, crazy time of year. Uh, we're just busy. A lot of, lot of folks put information security off until the last minute or realize they have budget left over. Um, so I'm crazy busy, you know, Brad is crazy busy. Uh, and so is really all of the FRSecure team and all of the SecurityStudio team, really running at 100%. So anyway, it's a terrible time to, to have a health issue to deal with. But again, he's gonna be fine. Uh, well, that with all the craziness going on with Covid and the elections and then, you know, just your normal fourth quarter, it's, uh, it's a nuts year. Uh, Thanksgiving is this week. So we're gonna talk a little bit about that. Uh, last week on the Security Shit Show, if you missed it. It was, uh, it's really the only time I swear on the show. So on this show, my apologies if you're offended by that. Um, what we did last week was, we did the Paqui One Chip Challenge. Allegedly these chips, you get one chip in a box. It's, uh, 78 bucks. And, you know, after shipping, 15, 16 bucks for one chip. The chip tastes like crap. Uh, and it's allegedly at 1.6 million Scoville units. If you know what a Scoville unit is, it's essentially a measurement of heat, of spiciness.
So both myself and Chris Roberts, uh, engaged in that challenge online, as well as a couple of our listeners or fans on the show. Anyway, we lived. I think, you know, going to brag a little bit, I think I lived a little better than Chris did. But either way life moves on, it was sort of entertaining. Had a good time. And then we talked about compliance. Uh, that's, you know, a double-edged sword with, you know, the good things about compliance is it does raise awareness about some of the things we're trying to do. Uh, the other side of that sword, um, is it leads to check-box security and a whole bunch of, you know, unintended consequences. It was a great discussion last week. If you missed it, go check it out on YouTube. And we also got a whole bunch of new warning stickers. These are sort of cool and, and, uh, it's essentially a sticker that you put on a device and it says "this device" and then lists off a number of things. The warning sticker, like I said, it says this device is addictive, will lose your information, will steal your data, listens to you all the time, is going to be used against you, is likely to burn your house down, is not your friend. Kind of a funny sticker. Chris, uh, had a suggestion, which we didn't do, which was to go to like Best Buy and just put stickers on all the electronics. Uh, no. Good thought, but no, I'm not gonna do it. So anyway, that was the security show last week. That was last Thursday. Those are live every Thursday night at 10 p.m. Central time. So it's sort of an entertaining thing. I think people belly up with her to just going to listen in to the entertainment. We do enable the live chat so you can chat, you know, while we're talking, and we're watching the chat and sometimes we'll address some of the things that go on there. Sort of fun. Uh, other things going on, uh, information security hobbies.
So if you've never had been, I broke out the Raspberry Pi again. Uh, if you don't know what Raspberry Pi is, just Google it. Uh, but it's a fun, you know, it's a great hobby I guess, but you can learn, you know, a bunch of different things. What I'm trying to build is really a home information security device. Uh, and I know there are some, you know, on the market, but I'm trying to build one that's really, really cheap. Uh, so I've installed Raspberry Pi, installed Raspbian, which is the operating system for Raspberry Pi, and then, uh, set it up as an access point, bought a new, or a second, antenna for wireless and installed Kismet on that. Uh, for listeners who don't know Kismet, K-I-S-M-E-T, if you look it up, um, it's a really neat utility. It's been around for a long time, uh, used to monitor, you know, wireless connections and stuff like that. And then probably be throwing essence on there. And, um, what else do I get on? Pi-hole, I suppose. Um, so I've been working on that kind of as a side hobby thing. In here in Minnesota winter comes early, and so I'm not a winter guy. So during the winter is usually when I break out, you know, more hobbies and started playing around rooms. I also broke out my Arduino. Gonna build a, uh, LED light system for my, uh, 16-year-old daughter, uh, so that it'll go to the music, which is a pretty fun project too. I think we'll work on that together. So that's what's been going on. Um, those were things that I probably would have talked about with Brad, had he been here for the quick catch-up. Um, I'm just gonna, I've been in contact with Brad all last week and like I said, he's doing, he's going to be fine. It's just, uh, yeah, this time of year with everything else, I feel bad for him. All right, so this week is Thanksgiving. Um, happy Thanksgiving to all the listeners. This is, um, this is a weird sort of Thanksgiving, right?
There's, uh, with lockdowns in many of our 50 states and worldwide, um, Thanksgiving, a lot of the traditions, you know, getting together as a family, you know, have family gatherings and, uh, you know, that's going to be different for a lot of people this year. I know some people won't follow the rules and I'm not gonna get into that, but it's sad when, you know, with, coupled with everything else that's going on this year with just, you know, although it seems like the world has been flipped upside down, and then, you know, you're looking forward to Thanksgiving and then we have kind of the second wave of Covid. Um, and where I live here in Minnesota, uh, you know, our governor, Tim Walz, issued a, uh, a four-week pause, which essentially puts most of everything back in lockdown. And then the guidance to not have, um, family get-togethers. So weird. Um, for sure. I don't know. Um, yeah, just weird. But regardless, you know, Thanksgiving is a time of year when you can look back, hopefully take some time to reflect on the year. We've all got things. I mean, if you still got breath in your lungs, we've all got things to be thankful for. We've all got things to be grateful for. For some of us, it's been a really trying year with, not only with Covid, but with the political season that was just, you know, so divided. And then, uh, personally, I lost two family pets this year. Two dogs that, you know, I love, loved dearly. Uh, that's difficult. Being sort of isolated was difficult. But then, you know, you look back at some of the other things. Um, for our company, for FRSecure, it was another record-breaking year. Um, believe it or not, sales exceeded, you know, any, anything we've had in the past. Uh, it was the first time that SecurityStudio was cash flow positive. Thank God. My family, I have five children. They're all healthy. Uh, and they're all out of the house except for the 16-year-old.
Um, so when you look back, there are many, many things to be thankful for, and I'll choose that route. Um, and then look forward to, you know, some of the hope that's, uh, that's on the horizon. There's, that's another thing that if you look for it, you know, I believe you can find it, you can find hope. If you're having trouble finding hope, reach out to a friend that maybe can instill some hope, you know, you know, in you. Hope is one of those things that keeps you going sometimes. And I know we've got vaccines that are pretty close to, um, you know, being released that show, you know, great promise. I know that, uh, the doctor who, I don't know if he's a doctor or not, but he's the person who leads Operation Warp Speed, and I don't want to get political because I know Operation Warp Speed is a Trump thing. But, um, you know, I think it was a couple years ago on CNN that, uh, we should reach herd immunity when you couple with the infection, couple the infection or list the release of vaccines at their efficacy. We might reach, well, his prediction is that we would reach, uh, some level of herd immunity, 70%, by the end of May. So that's hopeful. You know, if that's true, well then we should be coming out of lockdowns. We should be getting back to some semblance of normal, you know, and I know there's miss among us who will say well but this about that, but you know, we'll hold on to that, especially, you know, this time of year. So those are things that I am grateful for, um, this Thanksgiving. Uh, lots of things, like I said, there are way different than they've ever been, and one of those things that will be different, and now I'd like to sort of transition into, you know, some holiday shopping, because holiday shopping is usually, you know, the day after Thanksgiving marks the official start of the holiday shopping season. Even though when you look at the statistics, 30... I'm going to find it too real quick.
38% of people actually start their holiday shopping before the end of October. 28% start, or, an additional 23% start before Thanksgiving. So 61% of us, according to the data from Statista, 61% of us start our holiday shopping before Thanksgiving, 22% start on or after Thanksgiving, 15% in December, and 2%, believe it or not, in January. Talk about, uh huh. Well they, what do they call it when you're pro, but why wouldn't you put things off for so long? I forgot the word. Um, yeah, whatever. 2% in January. Now if I did my holiday shopping in January, I think I'd catch enough grief. I'm a December guy. So that's when I'll start my holiday shopping. Uh, but the point here is, 61% of us have already started our holiday shopping. Um, so when we give holiday shopping tips, hopefully the 61% of them have been finished, or maybe they have finished, but hopefully they followed some of the good tips that I'm gonna give in the show today. Other things that are changing in terms of holiday shopping: even without Covid, the trend was very strong for shopping going from brick and mortar to online shopping. That's increased year after year for the last, well, since they started tracking it. Last year, the number, or last year, the retail sales for holiday shopping was $730 billion. So let that sink in a little bit. 730 billion. Now, uh, and I would have thought this next number would have been a little higher, of that $730 billion, 135.35 billion, again, 135 billion dollars, came through online sales or e-commerce. So 135 billion of the 730 billion last year, 2019, was online sales, so that's considerable. Uh, we also saw a significant increase last year in mobile retail sales. Last year, that number was $71.3 billion. So again, just to recap, $71.3 billion from mobile retail sales, $135 billion e-commerce, and $730 billion. What's going to be different this year? The scams. Most of the scams haven't changed. The scams are... we give attackers a lot of credit for being creative.
Yeah, I mean, if they need to be that. If there's a good return on investment with old attacks, i.e., phishing, they keep doing it as long as we keep making it easy for them, meaning we don't go to multifactor authentication or we don't take additional steps, create strong passwords, follow some of the basics. As long as we keep not doing that, they don't need to get creative. We don't need to make them get creative. They're getting a good return on their investment as is. So with Thanksgiving this year, lots of the things have changed and I'm going to go through some of that. Lots of things haven't. They're the same, the same tips. The same advice you got last year applies this year. Things haven't changed much there. So, things that have changed. We expect a significant increase in online sales. There's more factors for this; one is just the trend as it was, had the trend just continued without Covid, without shutting down retail, you know, brick and mortar, or at least making it, making that riskier. Uh, we expect the projected sales to increase. And again, this isn't my data, this is from Statista and other places that they cite. But we expected sales this year, online sales this holiday season, to increase by 35.8. Last year, just to put that into perspective, last year the increase was about 19%. So we're expecting a significant increase in online sales. And that just makes sense. Right? That's probably not a huge news flash or surprise to anybody. Um, so that's one thing. The second thing about this year that's different than years past is the human, the person making the sales. They're different this year. We're all different. Um, one, I guess, easier way to be successful in your attacks is to distract people. And I can't think of a time in my life, uh, where we've been more distracted during the holiday season than we are this holiday season. So we're paying less attention than we ever have.
People are distracted by 1000 different things that are going on. You've got the normal busyness of the holiday season. Couple that with the anxiety of not being able to be with family and friends, worrying potentially about their health. So Covid-19 has wreaked havoc here with our attention, what we're watching, what we're not watching. Uh, we have the election controversies. You know, I know that the election itself, we've already voted here in the United States, but there's still this ongoing, lingering whatever, and I'm not going to get political and I'm not going to take sides. But it's distracting. That's the point. We've also got the social justice issues that are still running rampant throughout the country and even throughout the world. And I'm not gonna, this is another thing I'm not going to take sides on. The point I'm making is it's distracting. It's another thing to distract you from other things. You've only got so much attention, you know, that you can pay to things. Couple that with online schooling, working from home, uh, and the list goes on and on. So here's the math. The simple math, right? Uh, if there's more opportunity plus, um, essentially your attention span, uh, of protection, I must say, opportunity plus distraction equals success for the attacker. So more opportunity, and if the distraction is the same, that should equal more success. Same amount of opportunity and more distraction, again, you'd expect more success. If both of those go up, if you've got more opportunity and more distraction, well then you just compound the issue. So we would expect more success. So sadly, among this, the things that we, that are changed this year, we would expect more scams. We would expect more success in the scams. And so it's up to us what we're gonna do, right? What we don't want any joy that remains.
Uh, hopefully, like I said, go look for it, it's there, the way that you have in your life today. Don't let the scammers steal any of it. That's the, that's the ultimate goal. Um, I can't swear here, otherwise I'd say some swear words, because scammers really tick me off. Anybody who takes advantage of somebody else ticks me off, that activity. Uh, that's a big reason why I do security to begin with. So anyway, that's the point. Hopefully that's making sense. Uh, and the fact that we're a little bit late to the game, if we know that 61% of holiday shoppers have either already begun their holiday shopping and some probably have already completed their holiday shopping, um, we're a little late to the game in terms of the advice we're giving. Um, some of them may have already been scammed. You know, I don't, I don't really know that. I don't know anybody personally who's been hit, but I hang out with a bunch of security people all the time, so, and they're being a little more disappointed, I think, in that. So we would expect that this be the most scam-filled holiday season ever. So here's some tips for you. Uh, number one, and I think the thing that, if you were to boil everything down to one thing, it'd be: maintain situational awareness. So let me say that again, maintain situational awareness. And what that means is be in this situation you're in. Slow down a little bit before you start clicking and clicking and thinking of all the things that you need to go out and buy and all the things you need to install and all that and everything else. Slow down. Think about where you're at right now. You're about ready to buy something, okay, take your time, be aware of the situation, be aware of clicking the links, be aware of "that took a little longer than I thought it would" or "something popped up that I didn't expect to see." Maintain that situational awareness. If something seems out of place, it's probably out of place, right?
We can really reduce the distraction factor just by maintaining situational awareness, right? And I'll take this to like the physical world, you see it all happen all the time. People have their heads down on their phone while they're walking down the street. That's not situational awareness. You're not aware of your surroundings, you're not aware of the situation you're in. That's why you see people, I mean, you've seen the videos of people walking into, um, traffic, people walking into, uh, you know, big fountains, things like that. Um, so maintain your situational awareness. If that was, if I had one thing to give you, it would be that, and that same thing you can take everywhere with you. You always maintain situational awareness. It's something that you can learn. So if you think that this is, well, some people, you know, they're just helpless in this area, that it's not true. You can teach and you can learn situational awareness. Alright, so that's number one. Number two, when you buy things online, ship the things to a secure location. Uh, we expect, and you've seen it happen, that people are stealing packages off of doorsteps. They're stealing packages, um, you know, all over the place, so ship to a secure location. Uh, number one, and these aren't in any particular order, these are just things, and you can make a checklist. Actually, maybe I'll do that. I'll create a checklist of these things, that when you buy something, follow this list. Uh, so if you follow up later, we'll probably publish that at, on my blog, evanfrancen.com. We'll probably publish it to FRSecure and SecurityStudio as well. I'll try to get that done today. So ship to a secure location. Two, use official retailer apps to shop. So, uh, there are so many apps on the App Store, especially, you know, and Google Play. I think Google Play is up to, or Google's app store's up to, 2.5 million apps. I think Apple's App Store's one point... probably about half of that. Uh, the ecosystems are different.
It's a little easier to get apps in, into Google. But the point here is, if you're going to purchase something, use the app, use an official retailer app first. And use, like, there's a Black Friday application that I have on my phone. Rather than buying something through that Black Friday application or another application like it, you know, say for instance Target, right? If I go to this Black Friday application and it shows me all the Black Friday ads and all the Black Friday sales, and so I can click on Target and see, oh right, Target's got this ad and that ad, rather than, and I see something I'm interested in, I'm going through the app, the Black Friday app. I would close that app and go to the Target app. Let's spur to what I'm saying. Um, use those official retailer apps. Don't save your credit card information on your accounts. So a lot of times when you're going through the shopping cart online you have the option to save your credit card information, and it's a nice convenience, but fight that, don't do it. Um, yeah. You know, when you save your credit card information online, you're hoping that the retailer has good security and is following proper security best practices. Amazon actually is pretty good with, you know, if you save your card information there. Uh, but beyond Amazon, I wouldn't, personally I wouldn't share my credit, or save my credit card information on any accounts. Um, it's convenient, but how hard is it to pull my wallet out, uh, you know, put my credit card information in again? Uh, which leads to the next one. Consider using Apple Pay or Google Pay, uh, instead of credit cards, uh, which is more secure because what's actually being transferred between you and the retailer isn't credit card information, it's, you know, tokenized credit card information. So if the retailer gets breached and you paid with Apple Pay, your account is probably not also compromised. So using Apple Pay or Google Pay is a, is a good thing.
And I know that app, version 14.2, which I think is the latest version of, uh, my, on my phone, uh, you really, it will keep bugging you if you haven't set up Apple Pay, which is sort of a nuisance, but, um, for online shopping use Apple Pay or Google Pay. So, so far: ship to a secure location, use only official retailer apps, don't save your credit card information on your accounts, use Apple Pay or Google Pay if you know how to use them and your retailer supports that. Most of them probably do. Mhm. The next one is don't buy from unfamiliar retailers without confirming that the retailer is legitimate. Um, you know, going to Amazon, you know, some of the big box stores, Amazon, Walmart, Best Buy, uh, Target, you know, we know those retailers, right? We're familiar with them, but there's a ton of different places online. I mean, there are millions and millions of shopping carts in online retailers. Some of those are scammers, some of those don't have good security best practices, you know, implemented. So if you're not familiar with the retailer, before going and purchasing anything, before typing anything like your credit card information or even your name, do some, uh, investigation about it. Uh, you know, your search engine, use Google to look up things about the retailer, try to find out where they're physically located. Do they have, uh, contact information? Um, most legitimate retailers will have contact information, including a phone number, somebody that you can maybe even talk to. Uh, those things would all make me more comfortable with a retailer I've never done business with. Um, yeah, so do that. Don't buy from unfamiliar retailers without confirming it's legit. I don't want to say don't buy from unfamiliar retailers altogether because, you know, you're kind of hurting small business and there are some good deals out there, but just confirm it's legit.
If you don't know how to do that, reach out to somebody, ask. You can certainly ask me. Um, I don't know how, if I'll be able to respond or not, but ask a friend maybe who's in information security or knows how to, you know, look these things up. Which leads to the next one. Don't automatically just go after the lowest price, right? The lowest price, yeah, that seems awesome. But at what cost? There's always a cost. So you find something with the lowest price and, uh, you find out it's a scam site, or you find out that it is one of those retailers that doesn't have good security practices in place. So lowest price isn't always the best thing. And the key word here is jump. Don't jump. Slow down. Think about it. Plan out. If it feels uncomfortable, it feels uncomfortable. There's a reason for that. Listen to it. Think about it. Uh, the next piece of advice is never make purchases on public Wi-Fi. Uh, so I wouldn't go make purchases... well, now you probably are on lockdown, so you may not have access to public Wi-Fi like you did before, but you know, you see a lot of people buying things, at least in previous years, uh, sitting at a Starbucks or sitting at a coffee shop or in the airport on public Wi-Fi. That's dangerous. Public Wi-Fi is fairly easy in lots of cases to compromise. I mean, a simple ARP poisoning attack would replicate the traffic you're sending to the router to me as an attacker as well. Or you could always set up, uh, I mean, from an attacker's point of view, you can always set up an access point that looks like happened. Um, other times we don't, we don't even realize what Wi-Fi we're actually attached to. Uh, you know, uh, many of our computers have an automatic, uh, yeah, automatic association with Wi-Fi that it had seen before. Turn that off. So that's always a good idea. Uh, but the key here is don't make purchases on public Wi-Fi. Now if you have to make purchases on public Wi-Fi, meaning you forgot to buy stuff and you're at the airport or something.
If you have to make purchases on public Wi-Fi, use a VPN. There's lots and lots of good VPNs out there. The one, um, that I use, you know, myself, if you want to check it out, I don't endorse it or not endorse it, but I use ProtonVPN. Uh, but there's lots of good VPN, you know, um, apps out there that you can install on your iPad and install on your laptop. Yeah. Uh, so use a VPN. Now if you're more on the security side, you know, you maybe a little, uh, a lot of us security people are sort of paranoid. If you're that kind of person, use a VPN for all your purchasing, even at home, even when you're not on public Wi-Fi. Uh, you know, it's just an additional layer of security. So, so far, and I'll go, and I'll recap this whole list again. I'll recap it real quick afterwards. Another tip: use strong passwords. Have you ever heard that before? But like seriously, use strong passwords. Use a password manager. If you don't have a password manager, I can tell you the one that I use. I use LastPass. All pretty good, you know, plaice pass, Dashlane, there's a number of them out there. Uh, use a password manager, for crying out loud. If you're not using a password manager, I don't know how you're doing it. I'm guessing, well, I'm almost guaranteeing you're not doing it securely. But password managers make using strong passwords easier. Not easy, but easier. So use strong passwords and password management. Sure. Uh, if you've got the time, the thing you could do is check the policies, you know, on your retailers. So a lot of them should have, well, they're supposed to have privacy policies published on their website. No, I don't like reading policies necessarily. I like reading my policies, but I don't like reading other people's policies because they're long and wordy. But if you're into that, check it out. If they don't have a privacy policy on their site... usually if you scroll down to the bottom of the page, you'll see a privacy policy or a link to it. Something like that.
If it's not there, that should be a sign. So maybe even just checking that they have one, it would be a good idea. If they do have one and you like reading such things, you know, feel free to do that. Uh, important thing here is, another important thing: never will a retailer ask for your Social Security number. No retailer asks for Social Security numbers, so don't ever give out Social Security numbers. Retailers also don't take payments through gift... uh, they do take payments through gift cards, but they... trying to think what I was going to go on that one. Anyway, don't, you don't give out your Social Security number anywhere. Another tip: buy with credit cards versus buying with debit cards. Credit cards have additional protections in place. They have a different, additional, um, fraud reimbursement sort of protections in place, misuse protections in place. Plus you get your money back. Uh, it doesn't come right out of, like a debit, debit account comes right out of your checking account or your savings account, which, that's probably money you used to pay bills and live on and all that other good stuff. Tax money money. Whereas credit cards, there's, it's not money money. It will become money money, but there's that time in between. Um, banks are really variable on how long it takes to get debit funds back. Uh, so the key here is buy with credit cards. Uh, you can also purchase things with prepaid debit cards. What that does is limits your loss. So if I have, you know, $100 prepaid debit cards and, you know, one of those debit card numbers gets scammed, um, I'm limited in that loss to whatever that card held. So if it held 100 bucks, that's, that's my loss. Uh, the last one is after purchasing things, and get into the habit of doing this: check your accounts regularly. Detection is really important. No matter what you do, no matter what you do, you will not be able to prevent, uh, uh, all bad things.
Um, sometimes you can follow all the good practices and do all the right things and still find yourself a victim. I was scared. Uh, so the next thing, the things you can't prevent, you need to be able to detect, right? And the best way to detect the bad things is by watching your accounts, reviewing your bank statement regularly. Um, in our household, we do this daily. My wife just, it's a daily habit for her. Uh, which is awesome because I know almost immediately when there's something on that account that shouldn't be, right, and then we can attend to it right away. Uh, yeah, limit the loss. Right? And also, you know, get our money back a little bit quicker. So that's, uh, those are my tips for safe, safer Thanksgiving shopping, and I'll go through them just real quick one more time. Number one is kind of an overarching umbrella for everything else, is to maintain situational awareness. That means slow down. Uh, number two, ship to a secure location. Number three, use only an official retail, uh, use only official retailer apps. Number four, don't save your credit card information on your accounts. Number five, use Apple Pay or Google Pay. Uh, it's just more secure. Number six, don't buy from unfamiliar retailers without confirmation. I can't remember the number I'm on now, but next one, don't jump at the lowest price. If you see the lowest price, that should be an indicator to do a little more research. Never make purchases on public Wi-Fi. Try shopping with a VPN. Use a VPN. If you don't have a VPN, uh, find one. VPNs are always good to have, especially, you know, when you're using public resources. The next is use strong passwords and a password manager. If you're so inclined, check the policies on your retailers, especially those ones maybe that are, they're unfamiliar retailers. A good tip would be, uh, to check their policies. You know, do they have a privacy policy? Is it look legit, does it look like something just can't?
Uh, no retailers, again, will ask for your Social Security numbers. So don't ever, ever give it out. Buy with credit cards versus buying with debit cards, and if you want to limit loss, use a prepaid debit card. Uh, and then the last is, you know, keep an eye on your accounts after purchasing anything. Actually, regularly just check your accounts. So again, I'll put that into, uh, into a list and make it available for people. It's just a good checklist. Maybe before you shop, you know, if you have a friend, you want to print this out for them, um, put it next to your computer, and before you shop just review the list. Okay, ship to a secure location. Use only retailer, you know, official retailer apps. Don't save my credit card, you know, just go through the list real quick before you shop, and maybe that will help you. Especially, uh, some of the people that are newer to online shopping, that they could probably use just a little bit more, a little bit more help in that area. All right. So I'm hoping that that helped some people out. I have no Brad to bounce things off of, so I just didn't you to keep talking. Now we'll get into the news. And again, from us, from me, and I think I speak for Brad too, and I speak for both of the companies that I represent, we really do want to wish you a safe, happy, healthy, um, Thanksgiving. So, it's very important. Right, on to the news. Uh, first one I thought that was kind of interesting was, you know, Tesla. Tesla got hacked. So the Tesla Model X was stolen. So yeah, I'll just tell you that the article title, this is from ZDNet, and the, the title of the article is "Tesla Model X hacked and stolen in minutes using new key fob hack." So Tesla has already responded to it and they are rolling out, uh, software updates to prevent the attack. So if you are driving a Tesla Model X, you may already be patched for this.
But I think what was important to note is everything is hackable, everything, and it doesn't, if you, especially if you have physical access to it. It's just a matter of time. Anything with code has errors, has mistakes. It was written by humans. Uh, so your Tesla Model X was, this came from a Belgian security researcher who actually overwrote the firmware on the Model X key fobs and that allowed him, or maybe it was a her, I don't even know, it allowed the researcher to steal any car that wasn't, it isn't running the latest software update. Now, I know some people try to disable, you know, software updates on automatic software updates. If you did that on the Model X, which I don't even know how to do, but if you, if it is possible and you did do that, turn that sucker back on again. Uh, and the attack is really not that. So, I was talking earlier about Raspberry Pi, the attacker. Uh, the hardware for doing this hack is a Raspberry Pi, a CAN shield, a modified key fob, an ECU, that's the controller unit from a salvaged vehicle, which you can find on eBay for 100 bucks, and a battery. So, you know, one of the cool things about Raspberry Pi is, it's actually can make it do just about anything. That's, uh, one of the things that was used here. So, anyway, Model X hacked, poor Model X drivers. He'll be okay. Next thing is, uh, which I thought was sort of interesting was, and we knew this already. So it's not really a newsflash, but it's neat to see somebody actually published something a little more substantial here. ZDNet again, the title is "Botnets have been silently mass-scanning the internet for unsecured ENV files." ENV files are environment files and they're used by, uh, frameworks like Docker, Node.js, Symfony, Django, whatever, and they store environment variables. So it's kind of a big deal. If you leave an ENV file, the wrong ENV file, in the wrong place, we haven't secured it.
Well, the thing here is attackers have assembled their botnets and have been sort of silently, that's the keyword, silently scanning the entire internet looking for unsecured ENV files. Um, and when it's silent, it means that they're not aggressively scanning, so it's not a huge, you know, huge influx of traffic, you know, to tip people off. And it's, and it also means that they haven't used a lot of them yet, probably, uh, because that would also be another tip-off. So this is more of an information gathering exercise, you know, I think, for attackers who are using these botnets. Um, so I would expect results from the attackers at some point, results meaning they, they actually used them. I think I thought was interesting this week, and, uh, and I won't spend too much time on it, but last week, November 19. Yeah, that was last week, the Senate passed an IoT Cybersecurity Improvement Act, so that's sort of cool. Maybe, I haven't actually read the act yet, but it's neat to see that our government is starting to be a little more active in helping us secure stuff. So here's IoT Cybersecurity Improvement Act. It really just is about IoT, so internet of things. Um, it was approved by the House of Representatives in September, mid-September, passed the Senate, now it needs a signature, uh, before it becomes law. So if you are part of IoT or, you know, an IoT manufacturer, whatever, you're probably already aware. If you're not already aware, uh, go become aware of it. Just one of the, I think, the key players, or at least somebody who's influential in this area, is Brad Ree. Brad works at the ioXt Alliance, which SecurityStudio is a partner of. Uh, and he was quoted in the article, it's pretty cool to see. His quote was it was great to see American leadership in IoT security as the largest economy in the world. We cannot be passive in securing our networks. So it's cool that he was involved because, um, it's probably a better law for it. So good stuff.
Last one, which, you know, kind of took everybody. Oh, a lot of people were ticked off, maybe, in our industry, was, it comes from Wired magazine and the title is "Firing Christopher Krebs crosses the line, even for Trump." So Christopher Krebs, no relation to Brian Krebs, but Christopher Krebs led the, led CISA, uh, cybersecurity agency that's part of the Department of Homeland Security, and through, you know, to Krebs's credit, I think he did a really good job. Anything you're doing in the federal government, um, that's a, it's a pain in the butt. So the fact that he was able to get done as much as he got done I think is a testament to his abilities and skills. Um, and nobody's without faults. So, and anybody who claims to know the whole story doesn't. Uh, but he was, he was fired. Now don't feel bad for Chris because he will definitely find another job. And I don't know what it means necessarily for our government either. Uh, we have a new administration coming in, uh, eventually, to see what happens. But I'm guessing Krebs can probably find a better paying job with more influence with less headache in the private sector. So I don't feel so bad for him. Um, I don't know what to feel for the country yet. You know what you have to see, you know, what happened since. But anyway, that was big news last week. That's, and that's all the news I've got. I think, uh, now we'll transition into just kind of closing out the show. We'll wrap up with some shout outs. I'm gonna give a shout out to Brad. You know, I know he's, uh, you know, struggling and, uh, not probably as much today. That's tough. You know, when you go through some health issues, especially with everything else, and he's still keeping things together. So shout out to him. Shout out also to, uh, FRSecure leadership team there. They're pretty damn amazing. Led by, uh, John Harmon, the president of FRSecure, uh, just so bought into the mission, serving what's in the best interests of customers over us, which is great.
And then, uh, his two leaders, uh, Renee Rudder and DNA Pearson. Just awesome. So, shout outs to those guys too. All right, thank you to our listeners. Send things to us by email. We sort of think that meeting, email, uh, whatever, we'll get to, get to it eventually. Our email address is unsecurity@protonmail.com. Uh, if you're the social type and you like to socialize, I'm a little more active than Brad is. Uh, but I'm @EvanFrancen on Twitter, Brad's @BradNigh, uh, the companies we represent, which are pretty cool companies because we're cool people, uh, SecurityStudio is @StudioSecurity and FRSecure @FRSecure. Uh, let us know what we can do for you. Uh, yeah, well, the good stuff. That's it. Happy Thanksgiving. And we'll talk to you all next week.