The UNSECURITY podcast is back with episode 134. There’s so much going on in the world around us, so Evan and Brad thought it would be good to focus on six news articles and discuss them. The topics of discussion include a CMMC review, the FBI sharing pwnd passwords, a Walmart phishing attack, JBS Foods cyberattack, a Nobelium attack on U.S government agencies, and the Army telling remote workers to switch off IoT devices. Give this episode a listen and send comments, questions, and feedback to unsecurity@protonmail.com.
Protect Your Organization from Cybersecurity Threats
SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.
Podcast Transcription:
[00:00:22] Evan Francen: All right. Welcome listeners. Thanks for tuning in to this episode of un security podcast. This is episode 134 and the date is may know crap. It’s June
[00:00:34] Brad Nigh: I know
[00:00:35] Evan Francen: All rights June two June 1 was the day after memorial day. So today is during second. We didn’t do it yesterday, but anyway, you heard this? You heard his voice joining me is my good friend Brad Nigh. Hi Brad.
[00:00:55] Brad Nigh: Hey Evan. Here we are back at work. Yeah, I’m excited. Actually. Today is my Day 14 after the second shot. So I’m clear after today or really? Well you see Claire, I’m gonna actually go into the office tomorrow. It’s gonna be weird.
[00:01:11] Evan Francen: That is going to be weird. You know, Ryan texted me yesterday speaking of like diseases and things he said yesterday. Uh, he’s bored me. Something from NPR News. Don’t kiss your chickens. The CDC says in a salmonella warning case you were wondering? I have not been kissing my chickens.
[00:01:33] Brad Nigh: I tend to not do that anyway. I’m not sure why.
[00:01:39] Evan Francen: Okay, it’s a news thing. So some somebody somewhere must be kissing their checks in getting sick.
[00:01:45] Brad Nigh: I mean, good advice.
[00:01:49] Evan Francen: I’m telling you man, I’ve been spending time, you know, on twitter and social media? Just kind of checking out things and and just the lack of like right sense like where is your logic in any of your things that you passed.
[00:02:09] Brad Nigh: Yeah, there’s a lack of critical thinking,
[00:02:14] Evan Francen: right? And if you spend too much time, I’m sorry. You know, I realized that you spend too much time on social media. I think it makes you dumb.
[00:02:21] Brad Nigh: Yeah. Then honestly I you’ve seen my activity. I have a have accountant, just don’t really do anything with them. Right?
[00:02:34] Evan Francen: Uh we’re taking a break from uh guest again this week. So we had 956 some guests. We had Roger Grimes on 420. That’s hard to believe. Sorry. April Tyronne Warner was on 4 27 john strand an episode 1 35 4 chris roberts on episode 1 31 and 5 11. We had last week we had Gabe Freelander from Wiser on Episode 1 33. Today. It’s me and you.
[00:03:07] Brad Nigh: Yeah. Yeah. It was funny with we actually had, I didn’t one of our customers asking for exactly what they were do it like a guess what?
[00:03:21] Evan Francen: Right. When Gabe mentioned on our show to that he was grateful for all the, I guess bigger players that they abandoned the small mid size market so that he can play there and expected a great solution there.
[00:03:36] Brad Nigh: Yeah. Yeah, I mean it was they were they were asking for exactly what he’s doing. I was like, well that’s convenient.
[00:03:44] Evan Francen: Exactly. Well, I’ve got six now. I had five I figured today what we do is we talk about some news articles, we’re talking about some things that I picked out over the last week that you know, we’re hey worthy of discussion with you and then uh
[00:04:00] Brad Nigh: big things going on.
[00:04:01] Evan Francen: Oh yeah, every every day man every day. Then I also found another one last night. Somebody forwarded to me. I get people forward news meat, weird places and want to know, you know, hey, what’s your opinion on this yesterday from Merritt Talk will add sixth news thing. D. O. D. Completes. See MMC review. Senator says significant changes are coming, which is sort of interesting. So that’s uh coming from Senator Manchin out of yes Virginia. So I think hasn’t even been like fully rolled out now. They’re talking about making some significant changes. And I think one of the, we’ll start with this news article. So again, it’s a, it’s merit talk dot com. M E R I T A L K dot com. D O D complete C M C C M M C review and the senator says significant changes are coming. So for people that don’t know what’s the MMC is, it’s the cybersecurity maturity model certification. It’s issued as a Department of Defense and essentially you have to meet these security requirements. You certified by a third party that you met these security requirements before you can do business. The Department of Defense. Yeah, that sort of sums it up. Yeah. yeah, you you went through the training and you are what uh see MMC certified, what do you call yourself,
[00:05:31] Brad Nigh: registered practitioner?
[00:05:33] Evan Francen: Those practitioners, you one of the people that can help people actually get to the certification, correct? Okay. Whereas the other ones are the assessors and they can’t really help you get there. They can just assess you.
[00:05:45] Brad Nigh: Uh well they can help but they can’t help and assess. You can only do one of those two pieces. Neither help someone get there or you can assess where they’re at, but you can’t do it.
[00:05:56] Evan Francen: So this is a big deal and you know, it’s uh I kind of like the way they were going about it, you know, they put this thing out for review, you know, comment and review and you know, a couple of times before they’re finalized it and then Bill, kind of a structure, you know, to um and then and they’re not rushing into it, right? They’re sort of taking the
[00:06:23] Brad Nigh: time, only 15 contracts this year, they will have any sort of even see requirement and I just sent you another one? Uh because I hadn’t seen this, Some not sure I missed it, but it looks like because when you said, when you said that over, I was like, what? Yeah, how are they gonna, what changes are you gonna make one through three? Like level one is just not even all the fundamentals that we look at. Um But it looks like they’re going to focus on levels four and 5, which I think is there were a couple of things that I’m going, how are they gonna do this? Who’s gonna be level four and five? It’s going to have to be your Lockheed’s and Boeing’s and yeah, you know the big ones because they have requirements for uh a sock 24 7 c cert team and all kinds of stuff and there’s there’s no way that unless you’re a big company you’re going to have that stuff. Right. Right. The number, you know, of level 4s and fives or probably going to be, you know, it’s just gonna be a small fraction but we’ll see what this will be interesting to see what happens.
[00:07:42] Evan Francen: Well Senator Manchin is quoted in in the in this article and it says see MMC is intended to be financially self sustaining with companies paying for their assessments and certifications and those companies then recouping compliance costs as part of their cost estimates. The Department of Defense. And then he goes on to say that industrial based companies, especially smaller contractors are very concerned about the cost involved in regular on site assessments
[00:08:12] Brad Nigh: six. I mean, yeah, the complexity of complying with cyber security practices that companies have difficulty understanding. Look there’s like 17 controls for level one.
[00:08:26] Evan Francen: Yeah man I’m not Yeah but you know. Yeah and yeah, I don’t know and it’s like we’re going to take this seriously or not because when you start to compromise when we start to deviate what is deviate from what is good practice, you know? What are the consequences?
[00:08:47] Brad Nigh: Yeah I mean level three which is the first one that requires uh percy y for that was it uh Class? What does it shoot confidential and classified information? Yeah it’s like look you know limit information systems, access to authorized users provide privacy and security notices in the use of portable storage devices. I mean
[00:09:17] Evan Francen: well it’s probably not the practices themselves that are you know maybe cost is really smart cos it’s engaging with an assessor.
[00:09:24] Brad Nigh: Yeah. Well I mean uh and that’s the thing we haven’t seen is what that’s actually going to be because technically there’s no official assessors at this point, they’re all pending their own certification. So how are the I’ve been able to find anybody who can or can’t tell us what the cost of an assessment is going to be. You know we know that for us to help You both can be anywhere from like 3500 or so or a level one because it is really really just the basics uh you know 12 to 15 for Level three Where there you have a significant amount of requirements and I mean I mean yeah I don’t know I’m with you don’t compromise.
[00:10:19] Evan Francen: No it will be interesting to see but there’s also a lot of money drivers too. So if some of these smaller companies have been talking to, you know, some of the assessors and the assessors are charging them really large fees, you know, that’s not good either. Right? So this I think as soon as you saw, see MMC and this happens all the time in our industry. As soon as something new comes out, there’s this big huge rush by everybody in this industry, you got to do this because it’s a big money grab, right? I’m gonna make a ton of money, open up a whole new line of business when, you know, you kind of miss the point of the reason why we’re doing it
[00:10:57] Brad Nigh: right. It’s the fundamentals like we keep talking about. I mean, Yeah, level four and 5 for sure are definitely much going to be very much more difficult to get. But again, you’re looking at companies that should be doing that stuff anyway because of what they have access to
[00:11:19] Evan Francen: after making a billion dollar plane that you’re selling to the the federal government, you can probably afford some of those controls.
[00:11:27] Brad Nigh: Right? I mean, again, you’re probably looking at, you know, the Boeing’s and Lockheed’s, the Honeywell’s big. I mean, yeah, yeah, big big companies because yeah, they they have some subcontractors that they, you know that this this manufacturing company makes this part and this other one makes this part well, They’re gonna be level three, right? So those changes are gonna be smaller and then if you do, yeah, you’re looking at farmers and Others that have contract information, they’re going to level one. And we’ve already they’ve already said critical infrastructure, which is agriculture. So if they’re not doing basics and they can have their entire, you know, systems shut down. And that will be another one of the articles we kind of we talk about, but Mhm. Yeah.
[00:12:28] Evan Francen: Right. Well, when I was talking to somebody yesterday, because they wanted to know, you know, that somebody that I wrote about the executive
[00:12:34] Brad Nigh: order,
[00:12:36] Evan Francen: they wanted to know, you know about it. So I sent it to them and then we started talking about, you know why so much in such a short period of time. And really it’s because you got so far behind, Right? Yeah. The ball keeps getting further and further from your technology continues to go faster than your ability to secure it. And you didn’t do those fundamentals at the beginning. So now it seems like it’s so much work. Whereas if you’ve been doing it right from the beginning, it wouldn’t have been much work.
[00:13:06] Brad Nigh: Oh, absolutely.
[00:13:08] Evan Francen: Right. And so now you’re at this point where it’s like, oh my God, do I want to fight this off? Well, here’s the truth. It only gets harder. The longer you wait, the harder it gets. So the ball continues to get further from
[00:13:20] Brad Nigh: Well, and here’s the other thing, What is this thing about these companies that are going, oh, we can’t do this when they are technically should have been doing the fars You know 801 71 for how many years and their self certifying and now they’re going oh well we can’t have somebody come on site
[00:13:39] Evan Francen: again. It might be the cost of having somebody coming on who knows? But it’ll be interesting to see what comes out of it. You know I will be keeping an eye on it. That was news that was just released yesterday. So we’ll see. So the other five articles I have uh one is and I’ll let you choose which one you want to talk about. Next FBI will share compromised passwords with H. I. V. P pump passwords which is you know have I been phoned? That’s one another one is beware walmart phishing attack says your package was not delivered. You know how we like our packages so that will probably catch some people as soon the big news this week. FBI food giant JBs foods and now this kind of pisses me off because I’m a meat guy right And so now their production has been shut down after a ransomware attack to talk about the basics again. Mhm The next one is Russian hacker group, you know billy um attack us, government attacks us government agencies by targeting 3000 email accounts. This is related to not directly but certainly indirectly related to the solar winds attack.
[00:14:53] Brad Nigh: It’s the same group.
[00:14:54] Evan Francen: Yeah and then U. S. Army tells remote workers to switch off their IOT devices and then withdraws that advice. Yeah shut your IOT. Okay hold on. I mean troops go in order.
[00:15:11] Brad Nigh: Yes let’s do it.
[00:15:13] Evan Francen: The first one is when I first saw this I was like okay and I was grateful that it was I found I found what I was looking for in this article because at first I was thinking have I been polling is going to be getting compromised passwords. So the FBI is going to be sharing compromised passwords that they find during their investigations with. Have I been phoned or H. I. V. P. Mhm At first I was okay but you’re going to shut up other people to or is it just going to be this exclusive sharing between the FBI and have I been poem because that’s not it’s not the way the federal government’s supposed to work. Right you don’t so a favor to to the private sector. Then I saw you know in the article. So Troy Hunt if you remember Troy Hunt is the guy who started each how I’ve been bombed. He’s here sense sold it. I believe he’s still involved but I think somebody else owns it now but he he said that he’ll be um opening the source code so that you know and an api so that people can get those same passwords so that’s kind of neat so the FBI. So this comes from if you’re looking for the article yourself the listeners security affairs and the title is FBI will share compromise passwords with H. I. V. P. Poem passwords. Poem being P W M E D. Yeah. All right. It’s kind of it’s kind of newsworthy because I don’t recall another place where this has happened before.
[00:16:57] Brad Nigh: No it yeah. Yeah a billion requests a month. But that’s nuts.
[00:17:11] Evan Francen: Yeah. Yeah. The quote is feeding these passwords into HIV. P gives the FBI the opportunity to do this almost one billion times per month. It’s good leverage leverage for what?
[00:17:26] Brad Nigh: Well against hopefully protecting people. Yeah.
[00:17:31] Evan Francen: Yeah. Yeah hopefully. So they’re going to provide passwords as shot one and Nt LM hash pairs ah Yeah we’ll see. In fact I think new like this is I mean I’m skeptical.
[00:17:53] Brad Nigh: Yeah, I don’t know I think mhm. You know, opening the source code and he announced that the source code thing like in august right. So that’s just you know, it’s not like it’s well they’re going to do this so I have to do it. You know, that was already in the works which makes me feel a little bit better. Okay. I mean personally I think it will be a positive. All right. We know that the FBI is getting this stuff take advantage of this information that’s out there and use a service that that is and has been very good and make it better. So I’m I’m excited I think and I like the fact that he’s working on a P. S. To make it available and we can do integrations that’s going to be as we talked about it for an industry that quote data driven. We have crap data won’t let’s get better data out there. And this is a good way to start.
[00:18:56] Evan Francen: No, I agree. And it yeah I just look forward to the day when you know people will choose stronger passwords. It’ll never happen.
[00:19:08] Brad Nigh: I was I was reading a uh doing a vendor review for a customer and ah they have in there I’m gonna copy this into the chat for you so you can chuckle at it that they have a funny example of a pass phrase in their policy. Mhm. And it’s like you know it’s a good example are good like definition and it’s like for example use the traffic on the 101 was explicit this morning.
[00:19:43] Evan Francen: Yes. Yeah.
[00:19:46] Brad Nigh: Yeah. Anyway it just reminded me of that. I want to tell you about that. But uh yeah. Yeah it’s a good start
[00:19:57] Evan Francen: what is and I don’t know and I’m not I’m not against it by any means. I like when the federal government shares things with the private sector and actually vice versa but I don’t like is how people abuse it. You know now I don’t think have I been Poland is going to abuse it. But this does start to set a precedent. So you’re going to see other companies that you abuse things like this approach from the federal government and saying, well you do it with, have I been poem? Why don’t you do with us?
[00:20:26] Brad Nigh: Yeah. I think if there are opening the source code with, you know, the dot net, which is a 51 sees a nonprofit, you know, there there’s that does take a little bit of that.
[00:20:39] Evan Francen: I don’t know, nonprofits make a profit. Yeah,
[00:20:43] Brad Nigh: true. But
[00:20:47] Evan Francen: I don’t know. And yeah, I think this one minute since it’s it’s definitely good, you know, and it’s sad that we’re at this state of Affairs with our industry that I think actually within our industry, there are more destructive forces than there are outside of our industry, meaning the Attackers that come that come from wherever they come from, I think are sometimes not as bad as the people inside our industry who are taking advantage of other people. Oh,
[00:21:19] Brad Nigh: I mean the difference is when you come across as saying, we’re helping you and you’re actually taking advantage, that’s what is the problem. You know, the Attackers are even cause all kinds of problems. We’ve seen a financial estimates of what it costs for these attacks. But I mean, you look at how much has been on the second day in a year, is it what is like a trillion or something like that or how much of that is actually necessary?
[00:21:52] Evan Francen: Well, exactly. And so yesterday it’s funny I was writing an article about last week the C. S. A. R. C. Sisa, C. S. A actually Department of Homeland Security and the Transportation Security Administration T. S. A initial uh issued a new directive and if you saw it last week and in that directive it was aimed at pipeline owners and operators, critical pipeline owners and operators really. The things that were I think three things really that were there one was you need to report all suspected and confirmed cybersecurity incidents or events to the federal bench to caesar. Right, alright. Seems legit, don’t know why it took us until now to figure out that that was a good idea but Okay. And the second thing is you need to need to need to appoint um I can’t remember the exact name but basically a cyber incident manager who’s available 24-7365. You know, again legit The 3rd 1 which was sort of nebulous, which I think is going to lead to some confusion unless there’s additional direction is you need to do basically I think a risk assessment. Uh huh. You know, they’re not clear about the scope. I mean you’ve seen this happen so many times in our industry. We have the letter of the law and the intent of the law, the intent might be great but the letter is like all kinds of wiggle room on this one. Yeah. Well so in doing research for that article, I was like I figured out 3006 days that’s the number of days between when President Obama issued executive order 13636 which was but eventually led to the N. I. S. T C. S. F. Critical infrastructure, yep. And it’s funny how when you read the quotes in there about why we’re doing this And then 3006 days later we’ve got this directive that comes out and it’s like nothing really changed. At least not enough. It’s crazy how this is critical infrastructure to mind you. It’s not like
[00:24:16] Brad Nigh: oh yeah
[00:24:17] Evan Francen: well it’s not like retail. I mean this is critical infrastructure and
[00:24:23] Brad Nigh: yeah when you look at the colonial thing that like a lot of it was they were like uh shut down, we don’t know what to do what yeah. They shut down the pipeline because the building system was impacted by the I. T. System.
[00:24:40] Evan Francen: Yeah. And and and that’s a pipeline and you mentioned you just mentioned, you know earlier in this podcast about you know, agriculture also being a critical infrastructure, which it is and what kind of shape do you think that you
[00:24:55] Brad Nigh: oh it’s not good. I can tell you that for a fact
[00:25:00] Evan Francen: right then you read about, you know like it wasn’t all that long ago when they had the water treatment facility attack Oldsmar florida.
[00:25:07] Brad Nigh: Well there have been multiple too.
[00:25:09] Evan Francen: Yeah exactly. So in the interactive this was from the President of the United States, essentially the ceo of the country. Yeah. Hey, do the 2013 issued this corrective that said, Hey, we have these intrusions into our critical infrastructure. We need to get our crap together. And where are
[00:25:31] Brad Nigh: And well in the water one, you know, you’ve got uh was it the American water ah shoot, hang on. A W. W. A. And it was or is there is the american Water Works Association which helps with? Oh shoot, there’s a, there’s a, there’s a law for, you know, anybody, any water Treatment facility that serves over 3500 people has to do these things. And the, you know, the A W. W. A. Put it out a a free school to do it. They’re like self assess. And obviously I start being used
[00:26:17] Evan Francen: well. And so if you look for a common thread in all of this, which you have, I think in my opinion is a lack of accountability. Well, I mean, even the N I S. T. C S. F. Right? When that came out, were again, I’m talking critical infrastructure, right? Look at the meaning of the word critical. And you made it and you made it volunteers,
[00:26:39] Brad Nigh: right? And then you try to make it, hey, we’re gonna do this with C. M. M. C. You have to do this and everybody freaks out. It’s gonna be too expensive. We can’t do this. Um I can tell you right now it’s a hell of a lot cheaper to do this now and deal with a ransomware attack,
[00:26:57] Evan Francen: right? And you know that where this leads, right? Use logic And we opened up talking about social media now, it seems like there’s a lack of logic. If you use logic, where does this lead? Right? Eventually it’s gonna be a matter of survival of your organization or you’re going to be forced to do it. We’re eventually going to have to bite the bullet now or later. It gets harder the longer it goes, yep. You know, and here we are. You know, 3,006 days later and we’re talking about the same crap we were talking about 3006 days ago.
[00:27:33] Brad Nigh: Yeah, yeah. And you know, it’s not just government, right? Like if you’re company, I’m working with somebody right now, mm had a huge contract suspended until they get talked to and to their credit. They are, they really did. Do you want to do the right thing and are, you know, busting their butts? But This is like a six figure a month contract that is suspended until they get talk to and it was a lot of, you know, hey, yeah, we’re doing it, we’re not documenting or you know, it’s not formalized for the majority of it. There were some things they weren’t doing. But yeah, they were doing a lot of good things, but if you don’t do it right, you’re is painful.
[00:28:24] Evan Francen: Well, that’s another frustrating thing too, is you have people say we need to get a sock too, like that’s some sort of rubber stamp that you’re doing the right things to protect information, right?
[00:28:34] Brad Nigh: You know, they were asking about it. It’s like, do we have to do this? This is No, no. Here’s the thing with the site to you’re going to tell them what you’re doing. They don’t they’re not gonna judge.
[00:28:48] Evan Francen: But that’s the right thing, right?
[00:28:50] Brad Nigh: Yeah. They’re going to look and say, okay. You say you’re doing X, Y and Z. Show me you’re doing X, Y and Z. His excellency the right thing to do. Mhm.
[00:29:00] Evan Francen: Yeah. They don’t
[00:29:01] Brad Nigh: care. They’re just playing and that Oh,
[00:29:05] Evan Francen: I’ve seen so many abuse. I’ve seen so many abuses of sac to. It’s not even funny.
[00:29:10] Brad Nigh: Yeah. Well, I mean, yeah,
[00:29:14] Evan Francen: I mean flock to and then and then it’s like, okay, well, did you read a sock too? No, No. Why would I do that? Right. Because that’s like the thing that you’re okay. Forget it. Yeah. All right, let’s go to the next uh article. It’s um this one is from Bleeping Computer. And the article title is beware walmart. Machine attacks says your package was not delivered. Ain’t nobody messing with my packages. Dog.
[00:29:44] Brad Nigh: You know what’s crazy? Is this isn’t new by any means, right? Just now instead of it being amazon it’s walmart, right, like we’ve seen that. I mean, I know I’ve used the amazon fishing since At least 2017 that earlier in our training where it says hey your order of the X. Y. Z. T. V. For $500 is in stock and ready to ship. You will be billed on this date. Look here if you have you know to view the order it’s it’s the same thing. Oh yeah
[00:30:28] Evan Francen: I am for sure. So in this one it’s uh yeah the same thing. It’s essentially the campaign pretends to be from walmart subject line is your package delivery problem notification I. D. Number. And then essentially unfortunately we’re not able to deliver your postal package in time because your address is not correct. Please reply us. Please reply us with the correct fishing or shipping address and then you know obviously you click on the update address button and then yeah type in your information and where you go. So the same truth has always been the same truth in any in any communication that you did not originate yourself be leery of it. Right. Never click on a link in an email or text or anything else that takes you to a log in page in them again. Yeah.
[00:31:28] Brad Nigh: Yeah. Yeah. Now I will say I did. I did. Yeah unfortunate but amusing if you look at the related articles there’s one at walmart apologized for offensive racist registration emails and they said what looks like somebody it is. They took a list of email addresses and created fraudulent accounts with racist user names. There was like no sort of checks in place. And so all these people got this. It’s offensive. Hey, I’m saying, hey, you’re registered, Which I mean, come on. But
[00:32:15] Evan Francen: now
[00:32:15] Brad Nigh: it’s kind of, it is amusing that, that not the racist is obviously that just that, that was something that could be done. Right, okay. Do you not have checks? Why are you allowing thousands of user has to be created from the same ip
[00:32:38] Evan Francen: a six brother.
[00:32:41] Brad Nigh: But
[00:32:42] Evan Francen: again, I think it’s a lot of it comes down to accountability, right? I mean if you’re not going to hold me accountable for it, it’s like raising kids. Yeah. Any of these people raised kids before because like you don’t hold your kids accountable, they become little hellions. Sometimes they still become little hellions, but you hold them accountable. You know, why did you break your toy? You’re not getting another toy,
[00:33:08] Brad Nigh: right? Yeah. You had a temper tantrum. You broke it and now you want to replace it. No,
[00:33:14] Evan Francen: there are consequences. Yeah, you hit your sister. You are now going to be punished. You know what? It’s like fundamental things. But then when, when we apply it to one more, when we’re adults, maybe like, oh, another breach there. All right. Move on. Yeah. Yeah. So this one, the next one is also from bleeping computer and this one actually does talk me because I’m a big meat eater. I love me too. And the cost of bacon is probably going to go up, which does not make me happy. I can try. I guess I’ll buy from a local butcher and maybe save myself a little bit. But this one is from bleeding computer food giant JBs foods shuts down production after cyberattack. Yeah. Now I hate Russians, Russians that Russians, I hate the Russian government. Are these Attackers?
[00:34:11] Brad Nigh: Well, I mean, yeah, yeah, that’s such as they weren’t walking such a fine line where you’re not officially sponsoring them. So it’s not a state, but they cut, you know, they look the other way as long as they don’t do anything to them, right? Like do whatever. But if you mess with us, your, that’s it,
[00:34:37] Evan Francen: Right? And I wonder like I was thinking about this last night, you know, I wonder what kind of communications go on behind the scenes. You know what I mean? Like if if I was the President of the United States and this happened, I’d be on the phone to well, Putin Putin and saying like, hey, stop messing with her shit.
[00:34:59] Brad Nigh: Yeah. Well, and, and they did confirm Russia’s Deputy Foreign Minister told local media biden administration had been in contact with Moscow to discuss the attack. So what, Yeah, I’m with you there, definitely reaching out to them. I would love to hear at least. Yeah. Right. Hey, here’s a summary of what was discussed
[00:35:23] Evan Francen: because it goes back to the accountability. If you’re not going to do something about it, then just what I mean, you just continue to accept it. Mhm. I mean, we have the solar winds attack. We have and these are just ones that, you know, it was top of mind that we heard about that came from foreign adversaries. You know, ie Russia, you know, you have the solar events attack. That was a big, big deal. And then you had, you know, colonial pipeline and I have GPS foods and then all the things in between. At what point do you put a stop to it and say, hey, stop messing around? Yeah, I mean, or do or do we not have the capabilities? I mean, I suppose there’s that too. If we’re like crap Russia would pretty much kick our ass online. So I
[00:36:09] Brad Nigh: thought, I mean, I think the it goes back to what we were talking about with the mm sees these people, companies haven’t done anything and now it’s like, oh, hey, that’s gonna, you know, take down your business. Well, that’s too much work. It doesn’t happen to us yet.
[00:36:31] Evan Francen: On the thing that tipped towards me too, is like, ok, he took down the business, but like with the pipeline and with this actually I have no other alternative. Me as a consumer, as a citizen. I now pay more for gas because of your mistake.
[00:36:49] Brad Nigh: Well, yeah, and it’s not just cyberattacks to it’s it’s the business continuity planning, disaster recovery. Look at what happened to texas when they had that, you know, old weather. The prices here in Minnesota went up. But I mean hello, we’ve for cold weather. Why are we paying more your failure to plan? It’s costing me more.
[00:37:16] Evan Francen: Exactly. And it’s not like I won’t may I will survive with I don’t have to drive as much as I do and I don’t need to eat as much meat as I do. But I mean some people are in a position either to afford things like I can afford things right? I get paid more than you know the base, you know, average pay in America. You know, I’m not living in poverty, right? But what about the people that are affected like that? The people who are in poverty, the people who do struggle to put anything on their plate, What’s this going to do to them?
[00:37:55] Brad Nigh: Right. Well yeah, it comes back to yo with these companies that are using them. What are their options? That’s the problem
[00:38:07] Evan Francen: when GPS is like the world’s largest I think right meat supplier, who who where else can I go
[00:38:16] Brad Nigh: right, that’s not, you know, it’s going to take, you know, they they look here that they’re saying that swift pilgrims fried here in my part chemo. And You know, 190 customers for 180 countries on six continents. Uh huh these customers should probably start, you know, they need to put some pressure on them.
[00:38:41] Evan Francen: The
[00:38:41] Brad Nigh: problem is like you said there was BBS going to say, well good luck go somewhere else.
[00:38:49] Evan Francen: That’s what I’m saying man. I mean that’s the part that frustrates me so much because if you’re crappy business decisions because you made poor choices, it goes back to the accountability thing to. I’ve always taught my kids, I’m talking about kids at least like kids. It’s like you make poor choices. There are consequences for your poor choices. If you don’t like it and quit making poor choices.
[00:39:17] Brad Nigh: Yeah. I mean I think it’s gonna come down to at some point the government’s going to have to step in and say hey, you know, and start issuing fines or doing something because
[00:39:30] Evan Francen: that’s what I think you need to go right because yeah, we’re not stop going down the route of like creating another standard, creating more best practices. We’ve got all the best practices I could regurgitate in a lifetime. What you need to do is start enforcing some of this crap, right? Yeah. Here is a here are the basic baseline security controls that every company in the United States must have in place by X date
[00:39:59] Brad Nigh: well and going back to the first thing we were talking about. I think what we’ll see is well what I thought we’ll see what happens with the changes but I think CMC will become adopted across the entire U. S. Government. I wouldn’t be surprised in any way, especially when you start seeing this type of thing.
[00:40:18] Evan Francen: Yeah, maybe. But you know what about companies that are working in with the federal government? You know, they don’t have those contracts.
[00:40:26] Brad Nigh: True, but I mean if you can take out, you know, and get 40% of the companies that are somehow related, you know, because, but I guarantee JBs has some federal contracts, the minimum they would be a C. M. M. C. Level one,
[00:40:45] Evan Francen: you know, So I think a lot of things that we do to like you take, you know, I keep going back and thinking about the old smart attack and another attack on critical other attacks on critical infrastructure, you know, and Obama in 2013, you know, it was a fantastic executive order. You come up with the stc SF, which I think is a fairly good. I like the way they went about it regardless of whether I like the actual framework itself and then what you do is you say, hey, you know, a water treatment plant manager person, you got to do the NST CSF thing. We actually don’t have to, it’s voluntary. But here I want you to get security, take this man, take this manual and you know, and you know, this is a water treatment, they fixed water pumps and things, things that I could never do be like giving me a manual for a water pump. It So here build a water pump, I don’t know how to do that, the same sort of thing we give them rather than saying, hey, here’s like two things just do these two things You have to do. The 200 things here are the two most critical things I want you to take care of right now.
[00:41:56] Brad Nigh: Yeah, well, and, and You know, that’s one of the things I do like about seeing them see like level one, it’s like 17 things. I have an asset inventory, have packed management, you know, how important protection it’s
[00:42:12] Evan Francen: basics, man,
[00:42:12] Brad Nigh: basics. Yeah, I’m
[00:42:15] Evan Francen: with you. So anyway, JBs it really talks me because You think a company of this size, 245,000 employees around the world, you would think a company of this size would have their stuff together a little bit better. It says that the backup servers were not affected and it’s actively working on an incident response with an incident response firm to restore it systems as soon as possible. I would love to have seen that preparation work ahead of time in terms of what their incident response plan look like, what their disaster recovery plan looks like all of those things. Because I think if you were to do a thorough investigation here or even if it’s not in this one, but Take the top 10 attacks and your to do an investigation and table, you weren’t following these best practices, they can find it almost every one of them. And then what are you gonna do about it? But yeah, because otherwise it’s just if you’re not gonna enforce, if you’re not going to have accountability, then just Yeah, buckle up. It’s just the beginning
[00:43:26] Brad Nigh: and what, you know, if you look, there’s uh, PC I for example, were credit cards, like the government is going to happen. If we don’t do something, we’re going to do something that I don’t think you’ll see that here because it’s so there’s not a single thread, right? Like with, with BC. I Yeah. Mm. Parts. There’s a very definitive scope. Spirits just all over the place. I mean, that is going to take government intervention and enforcement. Like, you know, we’ve got the requirements and let’s enforce it.
[00:44:01] Evan Francen: Yeah. It’s sad because I really feel like our industry failed. Well, you have to have the federal government step in to do the things that you should have been doing from the beginning. You know, it’s just irresponsibility on the part of so many people that play in our industry, so many people that work in our industry and so many people that we serve, right? It’s just like, yeah, whatever. Shut up. It’s always more painful to when somebody has to tell you what to do versus you are forcing you to do something you should have been doing to begin with. Yeah. Right. Well, that’s that JBs expect to pay more for your meat, which just not happy bob at all. Now if you did this to my energy drink some coffee too. Oh quick, yep. Even retires. The next one is from G. B. Hackers, G. B. Hackers on security. Uh Russian hacker group. No belly um attack us government agencies by targeting 3000 email accounts. Now that may not seem like a big deal. 3000 email accounts. But yeah, these are targeted accounts. These aren’t like public, you know, just like anybody. You’re right. It took like my neighbors if you got his password, it’s not that big a deal. But if you’re some of these accounts it’s a big deal.
[00:45:29] Brad Nigh: Yeah. Well and you’re looking at 150 organizations, so you’re looking at roughly 28 counts or organization on average. Right? That’s a targeted attack. And they use constant contact. Yo so they got uh use the constant contact account of the U. S. Agency for International Development or US Aid. So they’re using a legitimate account, real legitimate service.
[00:46:01] Evan Francen: Yeah. Yeah. So this was, you know, Microsoft cyber threat detection team, Mystic. Which when you talk about, gosh, I’m gonna Okay, I was gonna well, you know, problem players, their industry Microsoft I think is one of them, you know, it’s all about money. Money. Money for some of the big players in our industry, you got to wonder how much these big players in our industry actually contribute to the problems in our industry, right? We make things so damn complex the enemy. I mean, of security which keep having more. Um, yeah, but anyway, they claim that large scale malicious email campaign operated by Nobel liam. The same hacker group behind solar winds, yep. Like to Russia.
[00:46:57] Brad Nigh: Yeah, you’re having some in with issues here breaking
[00:47:01] Evan Francen: out great. Am I again
[00:47:03] Brad Nigh: okay there? You’re back. Okay. Um, yeah, I’m torn with, you know, with Microsoft is they do their threat intelligence center? They do a lot of good stuff right? At the same time, it’s like, well, yeah, but you needed, so like you said complex, like I’m torn and I think you almost feel like It’s almost like two different, How do you separate those out? Right? There’s Microsoft operating system and you know, office and stuff and then you’ve got their threat intelligence center which has done a lot of really good stuff. But yeah,
[00:47:50] Evan Francen: yeah, it’s frustrating man. Ah so this is no bellion someone’s behind the solar winds attack linked to Russia. Again, uh, large scale malicious email campaign, four tools, the infection chain and the scout boombox Native zone and paper age. Have you seen any of those in our instant responses?
[00:48:15] Brad Nigh: I haven’t,
[00:48:18] Evan Francen: speaking of the incident response yesterday, ah, you might know about this. Um, Oscar called me yesterday afternoon about, I don’t know how to put it without because we’re gonna have to go the responsible, responsible disclosure out. but it was essentially vulnerable. I was mm Okay do you know anything about that?
[00:48:47] Brad Nigh: I haven’t I was okay
[00:48:51] Evan Francen: about it and get it straight. Okay.
[00:48:56] Brad Nigh: Oh no you broke up again.
[00:48:59] Evan Francen: Am I sleeping bag? Records shoes.
[00:49:01] Brad Nigh: Yeah a little bit. Yeah.
[00:49:05] Evan Francen: Are you you take you take it on from here while I figure out my band with issues.
[00:49:10] Brad Nigh: Yeah it might be good to just maybe we stop the video.
[00:49:16] Evan Francen: Stop video. Yeah it was not that that’s
[00:49:18] Brad Nigh: that that’s better unfortunately people people don’t get to look at us now.
[00:49:25] Evan Francen: That’s a good thing man. Well I’ve been having bad with issues uh me because I look. Yeah yeah options.
[00:49:40] Brad Nigh: Yeah it’s still breaking up a little bit. So I guess I’ll go and take and well I’ll go through the last article and then wrap it up here.
[00:49:49] Evan Francen: Yeah I’ll try to figure out my band with this year.
[00:49:52] Brad Nigh: So the last one is the U. S. Army tells remote workers to switch off their IOT devices and then takes it back. So uh you know are the army issued a new policy requiring uh military civilian and contractors who were approved to telework to remove or cut off all IOT devices in their workplaces. Ah I mean yeah anytime smart IOT devices are powered on and constantly listen and collect data by recording audio transcripts or even video. My better now hey there we go.
[00:50:30] Evan Francen: I better now I just switched to another. Yeah, I’m still in my neighbors now.
[00:50:36] Brad Nigh: The,
[00:50:38] Evan Francen: I mean, if there’s no accountability, what the hell? No, I’m saying. I didn’t,
[00:50:43] Brad Nigh: Well, I mean, hey, I am not, I don’t know like, yeah, okay. Dannell Iot Well, I mean maybe we should have some security at home, have it on a separate network. You know, I don’t, I don’t, yeah. Go well that’s not doable. Well, yeah, it is just, it’s going to be work be bad. Right.
[00:51:18] Evan Francen: Well that’s so, it’s just trying to find a more creative solution to rather than Okay. First of all, why would I not want IOT in some of these conversations? Well, but I will not not want ot around my office. Well, it’s because they’re listening, right? It’s because they’re traditionally not very secure and you know, a number of other things. So it’s easier to eavesdrop into a conversation. Some of these conversations are probably, oh, really sensitive.
[00:51:47] Brad Nigh: Right. Right. For sure. Yeah.
[00:51:49] Evan Francen: And so if, if an attacker were to get some of these communications and probably, I mean it could lead to loss of life. Right. Right. And so because of, because of the fact that it’s inconvenient because you know, my phone might be listening to me that I might have my phone in another room while I work in this room when I was, when I was like Wells Fargo, we couldn’t work from home unless we had a dedicated physically secure office. Uh,
[00:52:21] Brad Nigh: you know, obviously that’s kind of changed here in the last year, but at the same time, like I think maybe the, I think maybe the issue is you can’t have anything at home, right? Maybe it should have been, you cannot work in an area that has smart device. So if you’re going to work, you have to unplug your smart tv because you’re in the living room or you know, like I have a luckily, you know, have an office, I don’t have any IOT in here.
[00:52:57] Evan Francen: So maybe it was that just, it was, it was crappy and not clear guidance because I don’t think you’d see like you wouldn’t get nearly as much pushback if you were clear. Uh, this is the reason why right? The same thing again with kids, right? It’s like when my kids understand why I’m telling you to do something, I get much better compliance than if I just order them around, Right? So if the reason is because I don’t want any eavesdropping into the communications that we’re having online and like you said, just say no, all of that and within listening distance or something.
[00:53:36] Brad Nigh: Well actually, you know, I’m looking at it now and it does say remove all IOT devices with listening functions from the work area, turn off personal mobile devices in your work area. So I mean is I don’t know,
[00:53:57] Evan Francen: maybe maybe there’s a misinterpretation then in the news article itself because in the news article, it says, wow, no IOT devices, question mark, presumably that goes beyond smart speakers and TVs and smartphones that would include fitness trackers, fridges, gaming councils, and internet enabled home security systems.
[00:54:17] Brad Nigh: Right? I mean it’s saying uh yeah, I think the with listening function,
[00:54:26] Evan Francen: but that’s the truth. Well then it’s maybe not the best reporting on this article because this article is going the other way. It’s like, well now you’re telling me I can’t have any our devices at home at all. And if that’s not what the guidance said, Well then what are we complaining about?
[00:54:42] Brad Nigh: Yeah. And what’s surprising this is from the defender to it’s not like it’s some unknown. Mhm The source, it’s been years pretty well known,
[00:54:54] Evan Francen: but when Graham and Graham Cluley wrote the articles so he knows, you know, you’re all cited. So yeah, I don’t know. And the guidance now, I mean, well there’s a copy of the google cache optical review this a little bit more.
[00:55:09] Brad Nigh: Yeah, I think his, I think, you know, reading it and looking at the google cache mhm It’s I mean, the title of it was requirements for cybersecurity requirements for teleworkers in the vicinity of smart internet of things, applications and devices. So I think he took it from all you edict banning this is from Graham clearly edict banning all IOT devices from the homes working utterly are working remotely sounds utterly unrealistic Well, but that’s not what they said.
[00:55:44] Evan Francen: Yeah, there’s definitely a disconnect here.
[00:55:46] Brad Nigh: Yeah. How much? I don’t know honestly I don’t I don’t have a problem with mm with that requirement. Just because of the like you said what what kind of information is being?
[00:56:03] Evan Francen: Right. Yeah I don’t have a I don’t have a problem in my own office having no IOT devices with listening functions and it doesn’t mean I can’t have my phone either. Right? It just means turn off Siri right. I mean and he asks you could say well there’s still be you know it still could be listening. Well okay that’s it. What we’re going for is like what’s the most significant risk here? Not the nuances and the you know
[00:56:33] Brad Nigh: you don’t have a left that don’t have I don’t have the google if this dinner whatever enabled.
[00:56:40] Evan Francen: Right? And this is mind you like army and these are like the people that fight worse for us. Yeah Canada want them being eavesdropped on. Yeah. And then you know I think it’s a funny thing too because you hear people complain it’s like again it’s like a I would tell my kids they can complain about their job. It’s like well then get another job. Yeah.
[00:57:08] Brad Nigh: Well you know again there’s three things that army said and this is straight off of the new cat remove all IOT devices with listening functions from the work area. Okay. Turned off or removed all personal mobile devices smart phones and tablets in the work area. Okay. That I can see that, you know a pain but not unrealistic
[00:57:33] Evan Francen: because these are personal mobile devices. So a lot of times there’s government issued ones for these types of communications,
[00:57:41] Brad Nigh: yep. And then disable audio access functions on personal assistant applications and devices. Yes, that’s what they said. Here’s my question. If you’re complaining about that at home. Right, were you allowed to do any of that when you had to go in? Most likely know you probably, you know, you’ve seen it, you have to check your personal advice when you get to work. You can’t bring it into the, you know, highly classified area. Well, you know what you’re still doing the same work.
[00:58:14] Evan Francen: It’s just funny to how easy we make it for the Attackers, right? You know, and then we complain about being a victim. It’s like, mm, okay. I don’t know where I know what you’re expecting. Well, I also in the government, you know, the the army’s uh website. I thought this was an interesting, I don’t know where they got their data. Yes, I agree. Those three things seem fully reasonable to me. I would not have any issue at all. And these aren’t just like uh, you know, these are sensitive communications And then they go on to say on average a typical home may have 70 Iot devices,
[00:58:57] Brad Nigh: you know, if I was I saw that I was like what if you think about it, you know how many TVs that are smart TVs that are
[00:59:05] Evan Francen: his on average.
[00:59:07] Brad Nigh: Well yeah no well I think that’s probably high but you know I’ve got and I guess and that would be the question is what’s the what’s the definition? Right is a Fitbit that doesn’t have any sort of listening device is that considered? You know I o t. Well you might have five of those right four of
[00:59:26] Evan Francen: Those in the 70’s
[00:59:28] Brad Nigh: I’m just trying to think through
[00:59:30] Evan Francen: it I’m trying to figure
[00:59:32] Brad Nigh: Out how they came up with it so let’s say you have a family of four You have four fitbits or whatever you’ve got four phones you got four tablet you know 16 you’ve got
[00:59:48] Evan Francen: The Type of Man 70 is like hell of a lot. What?
[00:59:52] Brad Nigh: I don’t know how they can do it I’m just trying to figure out I would say 20. Oh for sure that wouldn’t work. Yeah. Yeah I was just trying to figure out how they came up with that. Don’t know.
[01:00:05] Evan Francen: Well like it’s funny how you know going back to the logical thinking thing you know they were talking about you know social media like average, do people know what on average means? It means like if you had seven homes in the population and total of 490 IOT devices in those seven homes on average that would be 70 right I wonder how much people even understand what average means or they just taking like yeah, I don’t know but Yeah, no that’s 70, 70 Iot devices I’m trying to think of if I know anybody And if I know anybody with 70 Iot devices
[01:00:47] Brad Nigh: 16, so maybe you have word five TVs Your dishwasher, Washington, uh you know, washer and dryer clothes, washer dryer Yeah.
[01:01:01] Evan Francen: Your nest. I
[01:01:03] Brad Nigh: don’t know how they can.
[01:01:06] Evan Francen: Yeah. 70s a lot. There’s no doubt that there are. I mean I think in my own house, you know, and this is the thing that people don’t do, which I wish they would do is you know, we say all the time, you know, you can’t protect the things you don’t know you have, you know taking those inventories. Um I do an inventory of my home network constantly. Right, I’ve got active. Mhm. But then I also do a kind of a And I’m not weird, I mean it takes like less than five minutes. Ah Yeah I’ll do a reconciliation of my inventory at home, right? And I have a total of eight. Not out of I mean they’re sort of IOT devices. I’m a dish network guy. So I got this stupid Joey’s all over the place.
[01:01:57] Brad Nigh: Yeah, well and I have my own IOT network And I’ve got three or so. I put my rock you on that? Yeah, there’s four.
[01:02:11] Evan Francen: Yeah protect people supposedly.
[01:02:14] Brad Nigh: Yeah, now again that’s not counting, you know the kids ipads and things like that, but those are all on their own networks anyway.
[01:02:25] Evan Francen: Yeah exactly. You’re talking about viruses. Those kids are little walking viruses with their things that they do on computers. I don’t know how they get infected like they do. Yeah. Mhm. No. All right. So that’s our news articles. Just to recap it’ll quick we have the C. M. M. C. Expect an update of some sort. I don’t know what that updates going to look like and you know, we’ll just have to wait and see. I guess the FBI is sharing our you know, sharing compromised passwords with have I been phoned? So that was the second article, walmart phishing attacks stopped clicking. Thanks,
[01:03:03] Brad Nigh: yep.
[01:03:04] Evan Francen: If you didn’t order anything from walmart getting a message saying that your walmart package is delayed in shipment, obviously that should be a red flag for you. Yeah, if you do if you did order something from walmart and the package already arrived, the nationals will be a radar.
[01:03:23] Brad Nigh: I’m not I’m not we’ve got to wrap up that you have a meeting here coming up. But yeah, we could go down a rabbit hole on that
[01:03:31] Evan Francen: for sure. Alright. Food giant JBs going to pay more for your meat. Russian hackers are still very very busy in the know Valium attack. So that comes from solar winds and the army says uh you know I have devices and says okay go ahead and do it anyway. Uh He shot us for this week.
[01:03:47] Brad Nigh: Patrick. Yeah, I’m going to give a shout out to my middle daughter of the seventh grader. She got nominated or a awarded middle school by a teacher for like a, basically like she did a really good job and a special acknowledgement. So always cool to see your kids do way better than you ever did.
[01:04:09] Evan Francen: You honestly brother as a friend and I’m not blowing smoke. I mean as a friend, I watched the way you raise your kids, you’re an amazing father. Your wife is an amazing mother. Just seeing the kids, you know, flourish in your house is amazing.
[01:04:25] Brad Nigh: It blows my mind. My the ninth grader took a E. P spanish exam. What thanks please. You know, like the youngest is yeah, they, there’s so much, they luckily got my wife study habits because I was very much wing it and wait to the last minute and they are not like that thankfully.
[01:04:46] Evan Francen: Yeah, good parenting though, man, that’s good parenting usually usually produces good results. So good for you. I’m gonna give a shout out to eric blake. He’s a guy that works um in banking and just a guy who regularly kind of text me and tells me, hey, I’m listening to, you know the podcast. I’m loving this, Loving that. Just a really good guy who has his heart in the right place and I’m gonna make a difference in the world. So shout out to eric like all right, if you have something to tell us something I like to share with us. You can email the show at Unsecurity@protonmail.com. To the social type. You can socialize with us on twitter. Uh, we might troll you, but whatever. I’m @EvanFrancen and Brad’s @BradNigh That’s it. We’ll talk to you again next week, enjoy the safe.