Archive for category: Podcast

In this episode, Evan and Brad conduct a mental health check-in and have a candid discussion about their own struggles. They also discuss the first foundational steps in building a cybersecurity program including less “what to do”, and more “how to do”. In the news this week, a cryptocurrency hacker returns $260 million in stolen funds, and the State Department is hit by a cyberattack amid Afghan evacuation.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:23] Evan Francen: All right. Welcome listeners. Welcome to episode 144 of the unsecurity podcast. The date is August 24, 2021. And joining me as usual is my awesome friend, Brad Nigh. Hi Brad.

[00:00:36] Brad Nigh: Yeah. What’s uh does this sound like the background behind you? Yeah, it doesn’t

[00:00:43] Evan Francen: suck. Uh, I’m down, I’m down here in Mexico again. Uh Marlys came down here to do work on the house uh, to get it ready for rental and she was going to come by herself and I didn’t feel comfortable about that at the beginning. And then I was like, I didn’t make the decision until like two days before she was leaving that I’m gonna go with because I found tickets for $250.

[00:01:08] Brad Nigh: Yeah, it’s better there than here. We’ve got we had like three bad thunderstorms since the last five or six hours now. That’s different

[00:01:17] Evan Francen: when it’s rainy season here. So it rained almost all day yesterday. But I I told marla said I’m coming down for like support and I’m going to work. So I have zero. Uh, the interest me and her. I don’t have any distractions. So you know, no dogs, no cats. All right. I don’t have cats and no kids.

[00:01:38] Brad Nigh: And I mean, well, kind of a nice a way, but good for you to get away. Even if you’re still working just to change up that environment.

[00:01:47] Evan Francen: All right. And that that is a good segue because you’re going on PTO tomorrow. Yes. Much needed. Much deserved. Ah I think a lot of times my PTO is like you said it’s working in different locations. It almost doesn’t even feel like I’m working because the scenery is different,

[00:02:07] Brad Nigh: right? Yeah. You know, and and tomorrow it will be the first time I’m leaving the house since like more and more than like two nights Since April of 19 because we had our vacation are big vacation last year scheduled for the first week of April. And obviously that didn’t happen. So I tried a couple of like one night tonight, Prince, that’s it. Other than that I haven’t left the house and it definitely wears on you.

[00:02:38] Evan Francen: I’m glad you’re getting that time away. One of the things we were talking about because we all struggle with stuff and you know, we’re very pro mental health at fr secure and that security studio. Uh you’re minding, right? I mean, it’s it’s it’s not right. It can be tortured for somebody who’s suffering through those things. You’re not going to get good work done anyway. So

[00:03:01] Brad Nigh: yeah, remind first.

[00:03:03] Evan Francen: Always.

[00:03:04] Brad Nigh: Well and you know, we talked about it and I personally had an experience last week where ah Oh, so that’s not just talking to talk right. It’s it’s not going to walk Tuesday morning. Uh I was trying to work and all of a sudden just like how like an anxiety attack which I’ve never had before. So it was really really weird for me uh just hold sweat, my palms were sweating and not my stomach. I felt I was good for what like jittery. It was really really

[00:03:35] Evan Francen: bizarre.

[00:03:36] Brad Nigh: Especially I’ve never uh you know with the first time you go through something like that it is off unsettling. So I just messaged Renee and said hey I just don’t have it, I can’t do it today, I’m sorry, no client meetings, there’s no client impact. I just have to take, I have to be with. So um I went out to the living room thinking you know maybe 15 in the office and work and it was just it was too much just with the kids and the dogs and I just couldn’t handle it. So I ended up going up into our bedroom and closed all the doors and turn off the lights. So it’s kind of a blackout um situation and funny enough so my son loves the cartoon Phineas and so we’ll have that on and it’s a really funny, it’s a good wholesome cartoon um and has like adult jokes and stuff that the kids don’t get. So we have that on a lot so it’s kind of like a calming background so I put that on the road very quietly so you can just barely hear it and just Basically from about 9 30 till 4 30 stayed up there and you know, just a lot of like thinking and self reflection, which you don’t do and it kind of came to the realization that, you know, hey, I recharged by being my climate itself, right? But that when she was a time in the car, that transition, I haven’t had that for a year and a half. Um You know, it’s basically been 24/7 with somebody here with you and don’t get me wrong, I love my family, but right, kind of, it just hit me, I was like, oh wow, okay. And you know, you, you gave me a call to make sure I was okay and I really appreciate that um, a couple’s kind of issues throughout the week and I kind of realized it was they were being triggered by a being having a video call. Like I could feel yeah building throughout the fall and I had to go up and like lay down and turn everything off for our or two afterwards, like it is back down to a normal level. So it was uh you know, I thought I had been thinking pretty good care of myself mentally and you are until you realize you’re not, so you know something, I’m going to make a very concerted effort, was talking with a couple other people and uh Megan actually gave me a uh okay, relaxation privacy retreat. So you can just go and in a couple of days and all inclusive the food and everything and have activities where you can just do nothing. So uh no, my wife is very supportive and it’s like I’m gonna do this when I need to do it good for you. You know how to do it. I can’t I don’t want to go through this. I have a whole new level of respect for people that deal with that anxiety on a daily basis because it’s Exactly,

[00:06:41] Evan Francen: well, I don’t think. And it just seems like it gets worse because I don’t our minds our bodies weren’t built for constant stimulation. Like constant, right? It seems like you’re getting bombarded all the time because I can relate to two things that you said. One is Uh huh. Not being able to find place by yourself. All right, I’m the same way I’m an introvert. I’m good with people, but they exhaust me and I need to have my recharge. Yeah. And if I don’t get that recharge, I am a mess. And so where I’ve run into that problem even here somewhat Because I came here and I’ve got no dog to distract me. I’ve got my my 16 year old daughter isn’t here. It’s just me and my wife and then she’s having contractors come in. But even then it’s like she’ll walk in the room and it’s like damn it. I had, you know, I had had some alone time and it’s not that I don’t love her and I don’t want to spend time with her. I do, I do. But I also got to just find a place to get away.

[00:07:46] Brad Nigh: Well, yeah, and even if they don’t say anything, like uh it was asking you, she’s like, hey, can I come in? I’m like, is you? And I was like, no thanks. It’s not even if you don’t say anything, it’s your there, it’s not you personally, but it’s I truly need insulation at this point, right? You know, and it really worked and and it’s good to kind of, you know, do that self reflection and take care of yourself because that I mean, especially with everything that’s been going on the last year and a half, I know I’m not alone. No, you’re not. I

[00:08:26] Evan Francen: am anxiety to it’s a it’s a it’s not an unhealthy amount. I think of anxiety, I think it’s because there’s healthy and unhealthy, right? Unhealthy is when it paralyzes you, when you have those panic attacks can’t manage it and there’s nothing there’s there’s obviously something wrong with it. There’s nothing wrong with you, right? I mean, that’s you have to get help for it because that’s why we’re all here, that’s why we’re on this planet, man. But I do have small, I have anxiety turning every time I turn on my video on a video call because I see myself, But I hide self view. That helps. But my daughter, I was telling you before we started the show, my 16 year old daughter, uh you know it was remote schooling, right? So schooling from home and she would be up in her room and her and new classes. And then we got a call from the principal saying, you know, we filed essentially and there was, I’m shortening this essentially the county is being brought in for troops. My daughter my true and see what the hell’s she talked to her all the time. She says school’s going well and she says that she’s in class every day and and all this stuff. Well it turns out that she would, she wasn’t classic day, but she wouldn’t turn on her video and in class if you didn’t turn on your video, you got mark this absence. And so I went out. So I talked to her. Why why don’t you turn on your video? It was complete, I mean it was sob. She was sobbing. She’s like, I can’t, it’s so much anxiety and so uh we have to work through that. We have to work through that with the school. You know, like don’t mark her as absent when she’s actually there or you see her name, the attendee list. She’s got anxiety about this and combine that with all the crap going on in the world. She used to go to school and see her friends in person every day, and now she doesn’t get to do that. She’s isolated in her own room, scared as hell about video. Mhm.

[00:10:29] Brad Nigh: Yeah. Well, and you know, it sounds like the school is willing to work with you guys on that, which is good. You wish you would have been a moment, may be more proactive talking to you versus like, oh, by the way, right, we’ve done this, But yeah, yeah, it’s us. Well, I uh I couldn’t I don’t know if I I don’t know how people do it. It’s I’ve been it’s been exhausting last week, like you said, it builds on itself because now, like looking at my calendar or like it starts getting in your head because then you’re like, oh well, this is going to happen again if I do you know what, what’s causing it? So it’s uh you got to talk about it, you can’t hold it in, it’s not healthy.

[00:11:15] Evan Francen: Exactly. And I think that’s the first, that’s the first step right in dealing with anything is to recognize that it’s there not don’t go with this denial thing and think, you know, don’t go with the stigma, The stigma kills man stigma such bullshit. It pisses me off because people don’t talk about, you know, suicidal thoughts. So they don’t talk about depression or they don’t talk about anxiety because they’re afraid of what other people are going to think of them, or uh you know, it’s taboo. It’s like, no, it’s not. We all got we all got minds,

[00:11:51] Brad Nigh: hey, you’re I mean it doesn’t matter what you’re feeling. There’s somebody else out there that can relate and understand what you’re going through. Like you’re not alone,

[00:12:02] Evan Francen: right? I think it’s important to remember. So we’re security people and this is a security podcast. I think it’s important for us to remember as security leaders as c so that the people that were talking to maybe suffering people on our teams might be suffering. And when you think about and we said it so many times that information, security is not about information or security as much as it’s about people, people are the ones who suffer. People are the ones who, you know, typically cause a lot of our, you know, security incidents. Well, don’t you think you’re going to have more incidents if when people are suffering, when people aren’t thinking clearly there just clicking links or they’re like, what’s the use anyway? I don’t give a shit. Yes.

[00:12:46] Brad Nigh: Well, and you know, everybody, if you look at there’s advice, you know, watch for changes in employee behavior bobo. I don’t think I had any, it just hit me out of the book. I wasn’t even aware, you know, of what was going on until because you kind of the dam bro. So you know, the only thing I can say is be supportive if somebody goes through that, you know, Well you can do it. Yeah, don’t don’t eyes it even further like that’s gonna be, that’s only gonna make it worse and you’re gonna lose loyalty

[00:13:22] Evan Francen: 100% man. And you know, the fertile ground, the actual work happens well before somebody suffers or has an episode. Right? Because you’re right. A lot of times we won’t be able to tell in our interaction that you’re suffering. But if we have a culture here where we do love each other, we do care about each other. But you feel safe sharing those things, then then you will be more likely to say something when you do have an episode and not, you know what I mean? You’ll feel safe.

[00:13:53] Brad Nigh: Yeah. Yeah. And 100% support. Like there was no, no issues from sales or marketing or operations because I had to cancel meetings with internally with all those departments and didn’t really tell them why at the time. But it did go back and talk to him after the fact when I was functionally right. You know, they’re yeah, they all were like,

[00:14:21] Evan Francen: yeah, when I was grateful that Oscar X, I think you and Oscar are very close and Oscar had mentioned something to me and sometimes, you know, you’re like, well, you know, I don’t want to call him like yeah, of course I want to call because that’s part of the, as part of the Bs two is well I call that might be offended or I might make them angry with me or you know, like no call and then if they’re angry with you deal with that later because if you if you’re truly going through mental health things, you don’t wait. You

[00:14:56] Brad Nigh: know? Well, you know, you think about it from uh, and I would not say this with me. I was never like suicidal. I never had any of those sides. But my thing has always been Yeah. You might regret reaching out if they get upset with you, but that’ll in if you don’t reach out and they do kill themselves, you’ll never how do you ever forgive yourself for that? So I’d rather have than pissed and worked like you said that didn’t deal with him. Like I should have done something

[00:15:25] Evan Francen: right? So for the for the listeners, one of the things that we did as a company as a leadership team was mental health First aid. But Google Mental Health 1st aid. It was a fantastic course. I think we had we had a full class so we had to turn some people away in our own. But then I think we have another one later for others. Um what it talks about all these things, it was about four hours, was it?

[00:15:50] Brad Nigh: Yeah, like half a day. So it’s

[00:15:51] Evan Francen: Only four or 5 hours.

[00:15:54] Brad Nigh: Yeah, it was really working

[00:15:56] Evan Francen: every second.

[00:15:57] Brad Nigh: Yes, fully agree. And yeah, everyone else out there, like, like I said, mm really, really self aware. You know, I do focus on that stuff and I’ve opened up to you about some other, you know in the past. And man, they just caught me off guard so you know, going to happen.

[00:16:22] Evan Francen: Yeah, it’s caught me off guard too man when I last year when I went to Sturgis in the middle of the pandemic and so you had to deal with all the people who were judging on that regardless of whatever precautions you took, you know, because everybody seems to know whether you’re good or bad or not even knowing whether you’re good or bad. But the well it was when I came, my wife had been warning me that I just didn’t seem right and I got back jim Sturgess and I sat there, I was like, oh my God, I didn’t realize how far I had slipped mentally. I was angry, I was depressed. Uh huh. Yeah. Yeah. Getting away. I’m excited to hear you know, after you get back from, from your long weekend, how things went and how you’re feeling.

[00:17:10] Brad Nigh: Yeah, yeah, we’re going up and up north, found a Having on 40 acres cabin itself as a mile and a half off the road. So about getting away, we’re you’re getting away.

[00:17:24] Evan Francen: I love it man. All right. So the next thing uh and yeah, so and you can reach out to me and brad about these things if you feel comfortable, we can certainly play in the right resources because this is, this does apply to us, superhero security people. We have mental health issues, just like everybody else does. So get, get the help you need. The next thing is I want to talk about is you know, in our industry as security people, we do a lot of telling people what to do, lot of it do this, do that, do this. I mean that’s why we have so many damn standards. So you have so many damn frameworks, we have so many damn compliance things, Do this, do this, do this. What we don’t do a very good job in is how great I know I need an asset inventory. Tell me how Uh huh. I know I need to deal with uh roles and responsibilities. I know I need to get the ceo on board were more involved. Tell me how. So I figured we’d spend a good part of today’s show talking through some of the tips and tricks that worked for us and then and some of things that worked out. Not so good maybe.

[00:18:38] Brad Nigh: Mhm. It’s funny that you mentioned that I was shadowing on a an assessment for one of the new people just kind of being there to provide support and they came up to the you know, do you have any sort of centralized asset management and I’m like no like I don’t know. We don’t know what do we have? I don’t know what like yours. And so you know uh mentioned it and it’s a product that I’ve used to spice works right? And that’s actually, and then I was like, hey, you know, this is free, you know, depending on what information you have. There’s a cloud based on or they used to have a on prem that did cost a little bit, but nominal amount. Um, and it will centralize your hardware and software assets for you. It will go out and scan your subnets and tell you here’s what, here’s what I found. Here’s what’s on it. And they’re like, oh, okay, I’ll check that out. So, you know, I think not just saying, well you should have it, but you know, it’s like always come with a solution to the problem approach. Uh, you know, being able to not just tell them, hey, you should be doing this, but like you said, here’s how here here are some options. Look into these things. It’s not as simple as you think it probably are. You probably think it is

[00:20:01] Evan Francen: right. Yeah. But people don’t realize there’s oftentimes they’ll, because you can, you can do it manually to, I think, you know, it depends on how you want to go about like what other benefits can I get from doing asset inventories right? Let’s say I want to. Um, in terms and say maybe I’ll get interns, we want to entertain interns because interns are a great way to get staff later because you’ve already got that introduction to them. So even as something as simple and rudimentary as having an intern, you know, run around to every computer, you know what I mean? Write it down on a spreadsheet.

[00:20:42] Brad Nigh: That was my first job in I. T. Was literally going around a college campus and writing down a room and the uh serial number of the computers in that room.

[00:20:54] Evan Francen: It seems because you know, we’re so advanced that you know, bar but the but that’s one thing and nothing is you’ll find a lot of times people will have tools in their environment already that they can leverage to do asset inventories. You know, if you’re doing vulnerability standing say witnesses for instance, well all those outputs right, if you export a dot nesa smile, it’s an xml file and you can easily parse that xml file because if you’re doing an authenticated scan, I will see every single thing you’ve got running on that computer.

[00:21:27] Brad Nigh: Yeah. Yeah. And yeah, but you know, again we had an issue with an ss file that it was a scam that their firewall had been set to reply on any type which is make uh I guess odds, odds okay, easy for you to say. Uh huh. So they only had like 250 300 devices and we didn’t catch it because it didn’t throw an error And it came out with like 2300 devices and so you can’t go back and re scan it and oh my gosh clearing that out, is that you just can’t do it. So there’s a really nice PERL script that forces that necessary. I’ll into a phenomenal spreadsheet with exactly that post named software installation. Just a ton of wealth of information.

[00:22:20] Evan Francen: Did you send me that process? Crypt? Yeah. Because I think we should make that available to anybody if you’re struggling with acid inventory and you’re doing NESA scans here, run this PERL script and put it in a nice format for you. And I think another thing that people run into because I’ve heard this as excuses from other security because you do just have, I mean there are people who just don’t like to work. There’s always that right. I don’t want to asset inventory. Why and I’ll make a bunch of excuses and then we get down to the bottom of the bottom of it. You find out that you just don’t like work. You like a paycheck. You like paycheck. But my God, I didn’t know I’d have to actually do stuff.

[00:23:00] Brad Nigh: It’s hard work and they want to share the easy stuff. Yeah.

[00:23:05] Evan Francen: But you know one of the, and it’s not, sometimes it’s not an excuse it’s legitimately, I don’t know, is well as soon as I do the asset inventory, it’s changed. Yeah. And so okay, that’s fine. You’re not going to get a perfect out of the gate. You don’t go from having no asset inventory. You’re having a live updated asset inventory that’s always, you know, accurate. No, that’s a hell of a long time. Start with doing a basic asset inventory. Either manually using something like spice works using something like messes with a PERL script that will pull it out whatever you need to get that first asset inventory, right? And if you can get it into a spreadsheet, you can get it into a database, right? I mean it’s that’s another step in the maturity and start quarterly. Yeah. And then reconcile these inventories. Right? So last quarter it said I had these things, why do I have 47 new devices on my network when we haven’t hired anybody knew we haven’t made any purchases. You know, that’s an indicator. Maybe we got something bad happening Uh and vice versa, what happened to these 23 years of somebody walking out the back door with the systems? We don’t, I just don’t need because we would notice it. But that’s the beginning and you have to do that. And it’s frustrating because I don’t know how many people are trying to secure things. They don’t know they have it. Just logically that is a fallacy. You cannot protect things unless it’s by luck coincidence just, you know, I mean, you won’t be effective at protecting things. You don’t know. You have.

[00:24:45] Brad Nigh: Yeah. Yeah. And you know the me the next step or another easy win is and after the count, Right? So you know that that’s a big risk. Do you have accounts, you know, you’re expanding your exposure in your active directory that haven’t logged in and you know, same thing quarterly. I would run a our shell script that pulled the name. Ou because the user was in their departmental. Ou. And the last log in time, if it had to be greater than 90 days and every quarter started off and would send it because we tried to do it with management and never got really any buy in. So what I did is I sent it to the head of the business unit and said, can you confirm if these accounts are still needed? And you know, it was like The first time I ran it was like, I remember over 100 accounts because they hadn’t followed the process or HR hadn’t followed the process to alert. Mhm. You know, is to disable. And then to leave. And so kind of a happy compromise was, yeah. I would have preferred it if they hadn’t logged in in 30 days. But That’s the business is risk. Appetite was 90. Okay. And then we disable to put it in a ou that script all permissions for six months and then deleted it. And they were happy with that. And I was at least happy that yeah, we got that taken care of it. But it took Yeah, Probably 3/4. And then we got it. What happening? It would be one or 2 maybe. Is they got tired of being asked why they weren’t following the process.

[00:26:31] Evan Francen: Right. And so, well, so many times you see people, you know uh you know when you do assessments or you do something they want remediation immediately. Right? So you go from, let’s say you you know, An easy quantification that we use obviously is the S two square with security studio. Uh let’s see your 500. You know, you immediately want to go to 660. Okay? If that were possible, it would be cost prohibitive and it wouldn’t stick. Right? You’d be back here again very soon because it’s a maturing process and no two companies mature at the same speed. And I just got I just got a call um on sunday from one of our large very good customers and I think they called me directly because we just have um you know, I guess that kind of relationship. But she called and said you know they’re under litigation. They had a breach a while back and opposing counsel is stuck on this thing about them having to disable ssl internally on all systems and it needs to be done within the next six months. This is a very large complex environment. And so you know, they wanted my opinion so they can go back to opposing counsel to talk about it. Number one is that we could pick anything. Right. Why did you pick ssl internal? Right. I mean I get it. It’s a risk but man, you got a lot more risks that are a lot more impactful than this one. You know, what are you thinking that there’s going to be a man in the middle because somebody compromise something internally? Well there’s your problem. How do they compromise? Whatever? And number two, how can you go in this environment? You have to basically drop everything. Which means it’s always give and take right. If I take my attention off of this thing and put it onto this thing will no longer paying attention to that thing. So if I if I drop everything and say all right, we’re gonna disable or eliminate ssl in the entire environment in the next six months. It’s unreasonable. Why not show progress? Why not go first? We have an inventory of all the places SsL is running in this environment. Do we even know what the scope of this is?

[00:28:41] Brad Nigh: Yeah. Well you know already, you know, figuring that out. I’m working on a road map and I was just looking that. So when I do these roadmaps, I do like a short term, this is your immediate things. Focus on these things first. A mid term. Like hey start planning for these. There’s probably gonna be software purchases that are gonna be needed and then long term is like okay, it’s down the road, but just be aware, you know, keep that in mind as you’re moving forward. Um and so I didn’t, I just drag and drop and then exported to Excel to give them. And I have 67 items in their short term that were 41 total of 41 points. And then there a midterm was 91 items six point you’ve seen there’s a lot more, but you know, it’s maybe not going to gain them as much. I mean the long term was 108 for like 37 points. But what you’ll see because, and I didn’t do it on purpose but short term has the shortest list and the cascades out which I like to do and not pay attention to because it’s kind of a sanity check for me say, Hey, they have, I put 200 things in their short term. Well that’s not

[00:30:06] Evan Francen: right.

[00:30:07] Brad Nigh: So what are the most important things?

[00:30:11] Evan Francen: Yeah. People lose track of that a lot and then Once you figure out what those are, then how to do them. So we we talked about one his asset management, asset inventory, the keys to that are you probably already have tools in your environment to at least get you started right to get your first asset inventory two. Um And when I’m talking assets harbor software and data start with hardware and software, right? Data, we’re going to get there. It’s a maturity process, you know, but if I don’t know your your your data is running or controlled by the hardware and software. You don’t get that stuff figured out first. The data things just bigger message. So get those things going. Look for tools in your own environment mentioned Spice Works. We mentioned, uh, nexus can do the same thing with rapid seven, same thing with open vast same thing with lots of different cleaners.

[00:31:08] Brad Nigh: Yeah, there’s a ton of options. It’s just those are the ones personally that I’ve used. Right? So that’s, well, that’s what people do exactly. Well for you.

[00:31:18] Evan Francen: Right. And, and don’t worry about all the things that happened and the fact that your environment so damn dynamic and all that other stuff do it once do it again another month of the quarter if you have, you know, spare, you know, manpower, you can do more often. But eventually you build this thing where you will script it and it will be on all automatic and you will get just a report in your in box that says, hey, these five things are appeared yesterday that weren’t there before.

[00:31:49] Brad Nigh: Yeah, wow. I mean, yeah, it takes some skill to put that together and so there’s gonna be some trial and error. I mean, I know it didn’t work right the first few times that I did it or okay. It didn’t provide the information I was expecting right? You have to tweak it to get what you want. Um, yeah, it’s free. That’s the other thing. It’s not like this stuff costs you money, you can script power Shell to run daily, any new assets, any new user accounts, any new computer accounts, any changes to group membership like it, you can do these things fairly easy. Oh there are tools out there as well that you know, are inexpensive. I’ve used several of them, you know, uh managing unit has some fantastic pool, especially management, you know, it’s not terribly expensive.

[00:32:48] Evan Francen: Well I think and one of the things we lose out on two because people like this instant gratification thing, so let’s go out and buy this cool new tool. It costs us, you know, $100,000 a year to do asset inventory when you could have done it all for free. And I understand it’s more work but there’s so much value, so much training value in so much of this work that you miss out on. When you go through these steps of scripting yourself. When you actually review the asset inventory yourself, when you troubleshoot, why certain things are showing up and other things are not showing up. When you go through all these processes, you make yourself so much of a better security person. If you just bought the damn commercial tool, plugged it in and push go,

[00:33:31] Brad Nigh: well it’s along the same concepts of why we don’t right policies for people we coach then through it. If you if you do that work and you write this, you’re going to be intimately familiar with your environment, you own that environment, you just plug in a tool and let it do its thing. You don’t have that same sense of ownership. There’s not that same an activity I guess, uh, with what’s going on.

[00:33:57] Evan Francen: Well that becomes so, I mean nothing. I think people are so excited because when I have that intimate knowledge of my environment or at least a more intimate knowledge of my environment, it plays out so much better in detection. I can detect when things are off. I can detect when there’s an anomaly in the system. Computers only do what you tell them to do. Why is there more bandwidth today than yesterday? Because something is happening. Don’t just write it off, you know? So when, you know your environment more intimately you’re better protection, you’re better detection and you’re a lot better at response to because I can’t tell you how many times we do instant response and they’re like, oh, I didn’t even know I had that system. I didn’t, what does that do? I’m like, I don’t know. It’s your damn environment.

[00:34:42] Brad Nigh: Yeah. All the time. Like yeah, responses from this. I p what’s on it? I don’t know. Maybe you should go find out.

[00:34:55] Evan Francen: It’s your environment. It’s like, it’s like things in your own house, right? Like there’s this weird noise coming from the corner, you know, of this bedroom in my house, what is it? I don’t know. No, I guess it’s just the way the houses where, you know, open the door and find out what the hell is in

[00:35:13] Brad Nigh: there, right? You know, and your example of the band with you personally gone through that our network guys identified a a spike in band with, and it turned out one of the healthiest staff and it’s one of the retired computers and was running a uh like pirate Bay torrent on it and downloading stuff and we’re like, what, what, what, what is wrong with you? Um, right. You know, so, but if they hadn’t been paying attention, if they didn’t know that stuff, how long would that have gone? You know, and we think they caught it within like a week of him putting it on, which is really is pretty, pretty good.

[00:35:56] Evan Francen: Right? Well, in part of your post mortem right? That’s why we do post mortems on things, is it took a week, is a week is adequate or should we narrow that down? And if you decide again, you decide, Well, I think a lot of times you look for security people help me? How quickly should I know, you know, should I become aware of that thing? It depends. I mean, in some cases, if you have a really high security environment where you have a very low risk tolerance and you know, it’s not gonna get in the way of the business making money. Well, maybe it’s instantaneous another case is maybe it’s a monk one of the things you never one of the things you never want to be. And and again, I can’t tell you how many instant responses I’ve been in where I get notified by somebody who’s not even part of our organization that somebody external, whether it be the secret service of the F. B. I. Or law enforcement or God forbid a customer. Tell me, hey, I think you’ve got a breach going on. How freaking embarrassing is that? Right?

[00:36:57] Brad Nigh: Yeah. You know, you don’t want that.

[00:36:59] Evan Francen: It’s like my mother coming into my house and you know, telling me how to no

[00:37:04] Brad Nigh: sorry. My house. Yeah. Yeah. You know, right. And that’s going back to what we were talking about with the CSOS role. What is the organization’s risk tolerance? Do you want a daily report? You want instantaneous? You want weekly, you know what? And you know, it’s been a long time since this happened. But I think it would be caught it on a weekly report and that was, that was what the business was okay with. Okay. Also if anything happened in the past week, do you see in an all night,

[00:37:37] Evan Francen: one another, you just brought up is risk tolerance. We use that all the time. You got to figure out the businesses risked on. So let’s go there because we tell people that all the time and I think unfortunately few people actually know how to do that. So I’m gonna just go with what I do and then you can ask whatever part you want onto it. Because number one, if I’m ever going to figure out the businesses risk tolerance, I have to get the Ceo on board with me. I’ve gotten to the point where uh, if anybody were to come and ask me to be there Bc. So if I’m not reporting to the Ceo, I’m not interested. I’m not willing to play a game that I can’t win. You want me to play the game? I can win. I will report to the CEO because that’s the person who makes decisions, that’s the person who is ultimately responsible for information security in this organization. And I think one of the things we end up doing when you talk about trying to figure out risk tolerance is we don’t have these just hard truthful discussions with other executives. I’m not asking the Ceo to be in a weekly meeting with me. I’m not asking the Ceo to invest hours and hours and hours and hours with me? What I’m asking the Ceo is this is how we’re going to do security. Are you okay with this? Would you like to be communicated in a different way? So ideally what I want to and I’m going to come just like you said with a suggestion already laid out, I’m not asking them solve this problem for me. But I’m gonna say I want to give you a quantification where you’re at, where you’re going when you’re going to get there and how much it’s gonna cost you all around security risk manager and then and then we can delegate from there. Right? What’s the next layer? You know, are you going to delegate security risk decisions to me? Not a good answer. Who I want. Security risk decisions, delegated to our heads of business humans, the owners of these systems that we’re trying to secure together. The good thing is because a lot of times, oh that’s more work they don’t want to get. Well here’s the really, really cool awesome advantage is you get autonomy, you get to call the shots Mr mr or mrs head of business unit. You no longer have to hear from me telling you can or can’t do anything. You get to choose what you do. Right.

[00:40:01] Brad Nigh: Yeah. And the one I fully agree with that. And the the one thing I think I’ve run into the most is them going okay. So what does that mean? How do we determine? What is risk times? And I think the example I’ve had the best response to is uh hey happened because it was a question of like, hey how long should we how often should we have to change passwords if we have to and my response is how long are you willing to potentially have a breach if a user clicks something and gives access rest and they’re like, oh right. Some places it’s 90 days like normal others it’s like you know personally, maybe six months. Right? Yeah

[00:40:50] Evan Francen: it goes back to our job right As c so I consult you on how to make good risk decisions and give you good risk information for that and I implement those risk decisions. So your example that you just gave right there. I think it was awesome because they asked the question you consulted on the answer now if you want my opinion, How many you know I I would say 30 days 50 whatever.

[00:41:18] Brad Nigh: Yeah that’s my opinion. And the reality is to me this is going back to the consulting, what’s the sensitivity of the data? What are we talking about? Right. Even if if it’s an admin I still would 30 days. Even within FAA right. Whatever. Right? It’s somebody that has no physical or no access to sensitive information. Maybe it’s uh somebody who’s got email only. Well maybe then they can go longer.

[00:41:51] Evan Francen: Right. Well and so when you say risk tolerance. So first it starts with the ceo right? Or the board and order the board. You know, in some organizations you’ve got both, right, one holds the other accountable and all that other stuff. So but it starts there with a number, Right? That’s why we use the S two scores. All I want you to focus on is this number this is where it’s at, this is where we’re planning on making it go this is how much it’s gonna cost to make it go there. And this is when we’re going to get there. You just give them the four pieces of information right now they’re involved. And now when I come back the next quarter And I told you that by the end of this quarter we were going to be at 600. We’re only a 580. Now you can ask me and hold me accountable. Why didn’t you get to a 600? And now we can have a different discussion. Right? That’s the kind of interaction that happens. We want to happen with Ceo the business unit leader. They’ve got their own qualifications but now we get more into the details right? Give them more autonomy. The business unit leader might have their own I. T. Department they might have a business unit C. So that you work with. It takes them to the next levels, you know what I mean? It just all builds on top of itself. That’s how you figure out risk tolerance. Yeah.

[00:43:14] Brad Nigh: Uh huh. No argument from me. Right.

[00:43:18] Evan Francen: And so you can use constructs. One of the constructs we use and you can use others. You can develop your own. I’ll tell you how to develop your own. The one that we developed is you know we use what’s called nested entities. Programmatically it’s a little bit newer. Right? So we’re exploring this with for me personally in the state of Iowa state of North uh New Jersey and state of Minnesota for all. Working on how to use nested entities to distribute this risk tolerance throughout the entire state. Right? But the way it works is really, really simple, identify what units you have in an organization, give them their own assessments that are the same as or as close to the same as the same assessments. You’re using another place. So you can do apples to apples and do that. Roll up for the ceo or the governor of top.

[00:44:07] Brad Nigh: Yeah. I’m doing the same thing with an international customer. And you know, we didn’t start that way because we didn’t have that. That wasn’t really flushed out. So we’re migrating to it. But I’m gonna do, you know North America? We’re gonna do europe, we’re gonna do asia were due South America as each of those areas has different expectations different, you know, support. So let’s start at the top. Well all these different ones in there and then roll it up and Yeah. Yeah, exactly.

[00:44:44] Evan Francen: And then it also allows me to dig in deep so that the ceo his ceos are going some Ceos are going to be much more involved than others, right? They have a ton of things on their plate. They’re running an entire organization, right? So that’s why I wanted to give you four things to focus on where we’re at, where we’re going when we’re getting there and how much it’s gonna cost. That’s it. Maybe if there’s a little more time, I can tell you what the most significant risk is we’re working on right now or some significant event since last time we talked. That’s it. And then if they want to know why things are scored, if they ask and want to get more involved and now I’ve got a dashboard, I can roll it out. Here’s your 50 entities that make up our company. This is what their security looks like. And they can say, well, why is that one red? Well, let’s let’s go find out. So you know what I mean? Well, it’s red because they made these risk decisions. Okay. Do you agree or you don’t agree? Ultimately. I don’t, I do care, but I’m not going to get involved in that.

[00:45:42] Brad Nigh: Okay. Yeah. And you know, it’s like what you said, hey there, red because this is their risk tolerance. Well, maybe we have to or segment them off because there are other business units that can’t accept that level of risk and can’t be exposed to it

[00:45:59] Evan Francen: because there are

[00:46:00] Brad Nigh: consequences for those, but it is what it is.

[00:46:05] Evan Francen: Yeah. Yes Sir. In today’s podcast, we’ve already talked about the type of communication that happens with the Ceo how to get, not necessarily how to get the Ceos, there isn’t one way to get a Ceo’s attention and by in on security. Uh it depends on your relationship. In some cases you’ll have a relationship with the ceo of some in some cases you won’t have a relationship with the Ceo. I’d be very weary of any place where I didn’t have at least a relationship with the Ceo. Even if I report to the Ceo, which I wouldn’t because I just told you I won’t do that work because it’s a losing game. I’m gonna want to play it. But if if I am reporting to the Ceo that just happens to be the place I’m in. Ask for 15 minutes a month. You know ask your Ceo for 15 minutes a month. Meeting with the Ceo. Or maybe you have a relationship with the Ceo anyway. Even though you report to the C. I. O. Whatever it takes, get a relationship nice working relationship. You’ll learn what motivates them, what doesn’t motivate them. We’ll learn how bought in they are in the mission of the organization. You’ll get from them just in these conversations and then you can start using their language that will resonate and be like, hey remember that thing you talked about this is how we can help that happen with security. And they’ll be like hell yeah, I am

[00:47:37] Brad Nigh: right? And and don’t stop there, do the same thing. Business head heads of the different business units. Whoever is making those risk decisions, have a good relationship with them. Yeah. It could be in the no man could be in the know person. Yeah. We’ve talked about is the yes but approach

[00:48:00] Evan Francen: you know or I don’t know.

[00:48:02] Brad Nigh: Well, yeah. Yeah. I don’t know what we find out. Right? But get away from just saying no. This is never going to build a good relationship.

[00:48:13] Evan Francen: Well, it is funny how many times you and I because I’ve seen it happen all the time with security people that we get asked. What’s that? You know, what’s the top thing I should do? What’s the number one thing I should do? I don’t know. And I don’t know because we haven’t had that discussion. I don’t know your business. I don’t know what you do to make money. I don’t know what’s more important to you, your culture or making money out of your public company or a private company. I don’t know if you work in technology or you’re a bookstore. I mean how the hell would I know? Let’s have a talk. Oh my gosh.

[00:48:47] Brad Nigh: So many times in the pre sales process they get brought in because the customer wants to talk to an expert. Not a salesperson. Which I totally understand. And I can’t tell you how many times I’ve been asked. Okay. So what would be the first thing you would do recommend or nuts. And my I don’t know. Universe assessment. But if not let’s start there.

[00:49:09] Evan Francen: You know what we

[00:49:10] Brad Nigh: got. I don’t know what to tell you because I have no idea what you’re dealing with. Yeah.

[00:49:16] Evan Francen: And my and my answer now is that’s the first thing you would do I take out to lunch, you know, why would you take me out to lunch? I need to know you. I can’t consult you. I can’t tell you what’s good for you and what’s not good for you unless I have some time to diagnose what your problems are.

[00:49:33] Brad Nigh: Yeah. And that’s why we’ve kind of transitioned how we’re doing our B. C. So engagements right? We have been doing it where we did go into the full assessment, deliver it and then kind of really start kicking off the process. Well yeah but we’re, you know it’s it’s not, it’s not the best way. So now what we’ve done is we’re going to start with the estimated It’s what 60, 70 questions, something like that high level. Just, hey, let’s get to know each other, you know it and I’m gonna get to learn the company and then I just understand that. So that’s the first experience the customer now has is it is a two hour and a half, two hour meet and greet where I’m going to just ask you some questions, get to know how you work for the company works and then I can formulate and least put together some sort of a plan. Yeah it’s it’s kind of along those same lines because we can’t really take people out to lunch at this point. But especially when they’re, you know in different states. But it’s in concept,

[00:50:38] Evan Francen: right? And when we can take people out to lunch again or we can have that opportunity. It’s a with another thing I’ve been, I’ve been adding, which is kind of humorous, but it’s how I worked. It’s like, what’s the first thing you do? Well, thank you out to lunch and you’ll know whether I like you or not by whether I pay or not. Yeah. I mean if I bought your lunch, then I want to do more. Do you want to date? But if I I didn’t buy your lunch, I’m probably not interested in dating anymore. But just another thing too, I mean, it’s everybody, you know, when you were to compare security, like dating, everybody wants to go from like I just met you to, I want to have babies overnight versus like I want to date a little bit. I want to get to know you, I want to do some things. You know what I mean? We might get to a point where we are going to break up because, you know, maybe the business changed and whatever, but it’s a long term relationship. It’s not a transactional thanks. It’s frustrating. But anyway, it’s also good because hopefully some of our listeners got some good tidbits out of this and if you want more about this, reach out to us. You don’t work like lawyers, you’re not gonna get a bill.

[00:51:51] Brad Nigh: Yeah, that’s why we’re not allowed to be in the truly in the sales process. We really like to come in and talk about the methodology.

[00:51:59] Evan Francen: Yeah. Sometimes people skirt the process because they figured me out. And so uh uh what is it next? On Sunday? I start a three part training series uh or women’s cyber tutu. It’s 32-hour sessions and we’re going to hack ourselves. Very cool. Yes. New, new new people getting into the industry, helping them transition and learn some of the basics. I know networks. So we’re gonna start with networks. Uh huh. That’s good stuff. Right? So we got a couple of news things that I wanted to talk about quick and then we can wrap this sucker up and in about our days day one of the things I thought was interesting. So this comes from Cnet And the title is hacker returns all $610 million dollars in Cryptocurrency stolen in cyber attacks, interesting.

[00:52:57] Brad Nigh: Yeah, I saw that and I was just like, I don’t know what how,

[00:53:04] Evan Francen: Okay, right. I’m gonna go out and share the screen because I think if people actually watch uh watch this online or I think Don’t we have 800,000 people a month to listen or download, but I don’t know how many people actually watch it, but if you do watch it, I’m going to put it on the screen knocks. I always forget that we do that. We have people watching too. So I’m gonna share my whole screen. So if you want to see some security stuff maybe steal my identity or something. Feel free. But I’m on an ipad. So this is how we’re gonna roll. This is the uh the article After returns all $610 million dollars and cooper currency stolen in cyber attacks. The Attackers. Guy, the attacker’s name is mr white hat. Never heard of him. Have you? Oh

[00:53:56] Brad Nigh: but uh so weird.

[00:54:01] Evan Francen: Yeah it is weird. So this Cryptocurrency theft appeared or happens is you can see the poly network a decentralized finance platform sometimes called the defi 610 million or $600 million. Cryptocurrency stolen through a code vulnerability. So the attacker finds the vulnerability, steals Lots of money. 273 million. And the threat is real token tokens. 253 million in finance smart chain and 85 million U. S. D. C. Ah from the polygon network. Mr White hat then return them all. Almost immediately after he stole the money, he started returning the funds piecemeal. Uh Eventually all the funds were returned. I thought it was kind of his quote at the end. My actions which may be considered weird are my efforts to contribute to the security of the policy project in my personal style.

[00:55:06] Brad Nigh: Yeah I mean yes he got his message across and at the end of the day uh there was no you know lost for the the people right? The users So it works. Yeah. It is weird

[00:55:26] Evan Francen: quitting the show. He says he’s quitting the shower. I don’t know if he or she will Mr white hat I’m guessing to hear that. Ah Yeah I don’t know who this is I suppose you know you go about trying to figure out this may be but I think it’s interesting. I don’t have enough time to do that anyway. Um Yeah I don’t know would you do the same? I guess I wouldn’t I wouldn’t have taken the money to begin with because I can’t mess around with that. You know there’s just too many people that rely on me making better decisions than that.

[00:56:00] Brad Nigh: Yeah I agree. I can’t say that. I would because I wouldn’t have taken the money to start with. Yeah.

[00:56:10] Evan Francen: Yes. I think we would have never gone down this path to begin with. But in a way it’s kind of like I don’t know what to think either. I mean I don’t it’s definitely illegal, right? You don’t break into computer systems and do these things without permission regardless of whether you put it back to the fact that you were there makes it legal. Uh But it’s not really is it immoral maybe unethical? Yeah. Minutes.

[00:56:41] Brad Nigh: It’s kind of a conundrum. It’s a fine line.

[00:56:46] Evan Francen: So anyway I thought that was interesting and that just happened not that long ago in the last few days.

[00:56:53] Brad Nigh: Yeah the news broke yesterday or at least that’s the first time I’ve seen it

[00:56:58] Evan Francen: show the State Department uh this is the next news thing. The State Department reportedly hit by a serious cyber attack. This happened a while back and um wasn’t reported. I don’t think anybody really even noticed that happened. Um And we don’t know anything about it. So it’s just we know that the State Department allegedly was hit by serious cyber attack. It doesn’t seem to have disrupted anything. It doesn’t seem as though they necessarily lost anything. But they’re also not there’s zero transparency on what actually took place and who’s affected. So we do know that the State department itself though in the A. B. C. D. Ratings that they do every so often that the last time they were A. D. Nothing. So I don’t know I don’t think the government is very good at protecting their stuff because it’s too damn complicated. They I think they got a big big big time ego problem. They’re still there man?

[00:58:12] Brad Nigh: You hear me? Yeah. Well sure sure it was gone.

[00:58:25] Evan Francen: I don’t know I’m going to keep talking and if you chime in you chime in

[00:58:33] Brad Nigh: is that better?

[00:58:34] Evan Francen: Little bit? Okay We’ll continue.

[00:58:37] Brad Nigh: Okay. Yeah I’ve been having issues with the technology issues with the new computer. So yeah.

[00:58:43] Evan Francen: Yeah technology. So did you have anything to say about the State Department attack?

[00:58:49] Brad Nigh: No just I mean not surprising. Yeah.

[00:58:53] Evan Francen: Yeah. Yeah And the thing that the government is on the kick that the government is on today which is I don’t know we will often do another podcast about it. Is the J. C. D. C. You know I had Swallow my vomit a little bit on that one. Um if you go with a C. D. C. Although Sort of what I’m talking about 10 minutes a partnership, a collaboration between Cisa which is the Department of Homeland Security. Uh and there there want to actually just even the the thinking that you can possibly secure everybody is so ludicrous. But that’s essentially what they’re trying to do and I don’t think that they’re trying to do it to actually secure anybody. I think they’re doing it to try to get control of things difference. You know there’s a difference there but I don’t trust the government to secure my stuff because the government can’t secure their own stuff. So. Yeah. Yeah mm. Get your house in order. The last one I thought was kind of cool because these deep fake things are going to become more and more and more uh common. So this is from Pc Mag Bruce Willis deepfake to star in Russian tv ads.

[01:00:16] Brad Nigh: That’s interesting. I saw something that val Kilmer did it uh in that jockeys memory because you has voice issues with after he had cancer I guess and he was okay with it. But yeah that’s it’s gonna be interesting to see how this ways out.

[01:00:35] Evan Francen: Yeah. But yeah I mean the pick has come so far that it’s almost, well to the naked eye. Even a trained eye it’s you can’t tell. No I mean you have to really break it down almost pixel by pixel to notice but they’ve got the ad actually there. I haven’t washed yet. Um Yeah pretty soon you’ll be your favorite celebrity. Well you know if you’re into pornography you’ll see them. I’m starring in porn films. You know when they’re not it’s not really them. We usually see all this plays out. It’s going to be weird. Yeah I agree. Once just once again you know it society adopts technology way faster than our ability to secure it and certainly way faster than our ability to use it responsibly. And this is another example of where this is heading. It’s going to get nasty. Yeah.

[01:01:36] Brad Nigh: Oh yeah. Yeah easily be weaponized.

[01:01:41] Evan Francen: Oh God and it will be for sure for human beings between a lot. All right man that’s all I got any shout outs.

[01:01:48] Brad Nigh: Yeah I’ll give a shout out to my wife for putting up with me the last week.

[01:01:52] Evan Francen: That’s gonna be a huge shout out. I mean it’s got to be like the biggest shot up shot out. Yeah

[01:01:58] Brad Nigh: and she started her new job today so that’s

[01:02:00] Evan Francen: excited about her. You do have a wonderful wife. She’s a true a true gem man. I mean she’s in the perfect job to you know being a nurse because she just yeah, she’s amazing. She’s yeah, I just do every time. Every time I see her it’s like I always feel welcome. Yeah.

[01:02:21] Brad Nigh: Yeah, just yeah, I’m not gonna argue

[01:02:25] Evan Francen: seriously man. We had, we had dinner, you know, a few weeks ago or at your place man, you walk in and it’s like, yeah, we’re like, we’re part of the family. It’s awesome. But we try. Yeah, I’m going to give a shout out to uh Kevin believe it or not, Kevin North. Uh which is weird. It almost pains me to do so. Uh but he’s been very supportive. Uh he’s been a huge help in us getting through the legal contract stuff in the state of New Jersey for security studio. And I had a really good attitude lately. All right, that’s it. So, we’ll see you next week, will you? You’ll be back what Tuesday

[01:03:05] Brad Nigh: ish.

[01:03:09] Evan Francen: Have the greatest time ever. Make memories, take your phone, crack it in half. I’ll buy your new only get back.

[01:03:16] Brad Nigh: Yeah, we’re gonna kind of lock him up and we got a bunch of board games and that some movies. It does look like it’s been a rain. So I sent super excited to watch baseball because he loves our wars and it’s one of my favorite movies. So he was wrapping up with the trailer. So we’re gonna spend some time together off electronics and yeah.

It’s finally here, the annual BlackHat and DefCon29 events are back again in Las Vegas, Nevada. What are these events? Evan & Brad unravel everything you need to know about BlackHat 2021 and DefCon 29 in this week’s UNSECURITY episode.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:20] Evan Francen: Okay. Welcome Listeners. This is the unsecurity podcast. Episode 142. That’s 42. More than 100 like 58. Less than 200. It’s a lot of podcasts. But that’s uh, that’s the number today. We’re in the middle of not in the middle sort of failure in the middle of this all this black hat defcon goody stuff happening in Vegas. We’ll talk a little bit about that. But before we do that, you know, Brad Nigh. He’s here, how you doing Brad?

[00:00:56] Brad Nigh: I’m doing well.

[00:00:59] Evan Francen: Yeah, telling you man. Good fun.

[00:01:06] Brad Nigh: We’ve had some, you know, some stuff going on with work is being, you know, it’s crazy. It’s good. It’s very busy. So that’s what you want.

[00:01:18] Evan Francen: Yeah, yeah. Yeah. There’s, there’s a good busy and they’re not so good busy, you know what I mean?

[00:01:25] Brad Nigh: Nothing good busy. Yeah.

[00:01:28] Evan Francen: Well, one of the things we talked about earlier this weekend and we won’t get into it here on the podcast is using resources I think too. Um, most appropriately, you know what I mean? Yeah. Well we all struggle with that uh, in management when you’ve got really high end resources and they’re using them maybe on tasks that they’re not best built for. So you’re kind of over engineering that and then you also go the other way, sometimes we’ve got, you know, people that just aren’t capable of doing some of the things that we asked them to do and that’s always a challenge trying to figure that stuff out and made to those waters. But you know, that happens all the time.

[00:02:12] Brad Nigh: Yeah. Well, you know, I will say that, you know, one of the nice things with my role is, you know, there when they said, hey, we’re gonna take away your HR responsibilities, but you get to keep all the security responsibilities and manage the programs. Oh yeah, Okay.

[00:02:29] Evan Francen: Right. Yeah. Well it’s always a double edged sword because you never know how one how people are communicating map, you know, like where they’re coming from, you know, because like we did that with Kevin Kevin’s, I wouldn’t have a listener so he’s going to hear this and probably getting a crap about it. But uh, we took that away from Kevin, not because we thought it was, I mean, after the same reason it happened with you for him because he sucks at managing people, I think, You know what I

[00:02:59] Brad Nigh: mean? Hi Kevin love you.

[00:03:06] Evan Francen: Right? Well, he knows, I mean, it’s not like it’s, he’s a fantastic ally is great to have on the team. I can’t imagine doing the stuff I do and us doing stuff we do without him because he does that stuff in the back end. People don’t really realize that he does. And then when you do hear him, when you guys popped his head up, you know, it’s like, oh shit, what is it now? You know

[00:03:33] Brad Nigh: you mean no go karts,

[00:03:34] Evan Francen: kevin? I know, right? Well, I would tell you about the, you know, there’s all these conversations that happen to have the scenes that I don’t think people, uh, you know, like there’s executive conversations that happen that people don’t know. And if you did, you’d be like, are you kidding me? Because that’s how I feel. You know, I get an email from Kevin and like, really? I mean, I got 10,000 things on my list. This isn’t even close to one of them. Uh, but you still gotta deal with it. Right?

[00:04:09] Brad Nigh: That’s funny.

[00:04:11] Evan Francen: Yeah. You gotta be careful for people that want to be executives and we’ve said this before for people that want to be Csos be careful what you’re asking for. Yeah, you might, you might just get it when you be like, oh, wish really? But I honestly, at the end of the day, man, I’m really grateful. I’m grateful to be, you can take a step back and look at things and you can be grateful content. You know, I mean, it’s just, I’ve been blessed. You’ve been blessed, We’ve been blessed with a lot of really good things and I think the blessings are only the beginning. There’s a lot of good stuff, a lot of good work left to do, man,

[00:04:50] Brad Nigh: uh you know, I was having a conversation with one of our newer, so uh what’s Today Tuesday? It was and she was like, we were talking about the job and she was, you know, there was an issue with one of us can from last year this year and I took care of it and we’re just talking, you know, she was on vacation. So it was like just to catch up and I just appreciate it. It’s amazing how, you know, everybody here supports each other and it doesn’t matter who you are. It was really awesome to hear because I think make good concerted effort to keep that as part of it. You know, it is who we are as an organization and it is top to bottom. So it’s always awesome to hear that, you know, new people are they recognize that they under that that is coming across, it’s still there, you know, it makes a huge difference.

[00:05:56] Evan Francen: Oh, man, totally. Well, today is dr smith and like we mentioned, kind of at the beginning of the show, you know, it uh today is the last day of black and so it’s thursday for people who have never been to black cat, you should go once. Uh I’ve been enough, I’ve been there enough times. I just have no interest in going anymore.

[00:06:20] Brad Nigh: You know, the problem is it’s gotten so marketing.

[00:06:24] Evan Francen: Oh my gosh, man, so

[00:06:27] Brad Nigh: copyright that, that market e

[00:06:30] Evan Francen: You’re right, man. I mean for people who have been, who are there, you know, in the earlier years, I mean, I don’t know how many numbers this is now. It’s gonna be 20 nine, Actually, 24 from black at its 20,

[00:06:45] Brad Nigh: 29.

[00:06:47] Evan Francen: But you know, the first black head I went to is nothing like the black hats today and teachers. All right. I’m not, I don’t want to be overly negative, but to me, black out is just too commercial, too, uh, too much foam. Oh, too much. Like, oh my God, you know, don’t miss out on this. Don’t miss out on that. And it’s like, you’re not missing out on crap because you still haven’t figured out the fundamental, so go back and work

[00:07:18] Brad Nigh: Well for us. It does. I will say. I think it still has its place. Yes, for sure. It’s not, Yeah, I’m not the target audience,

[00:07:31] Evan Francen: right? Well, the fact that it’s in Vegas for one, you know, it’s, that’s cool. You know, Vegas is cool for some people, but the, the fact that in Vegas, the fact that it’s become so commercialized, uh, the talks, you know, are nowhere near like the, what they used to be, the talks used to be much more. Um, I think it didn’t seem like there was a motive. I wish it

[00:07:59] Brad Nigh: went from like, hey, here’s what we, here’s what we’re finding here is what we’re doing to, hey, here’s why you should buy our product

[00:08:07] Evan Francen: pretty much. Yeah. So if people don’t know black at, uh, you know, this year was, you know, three days or four days of my saturday, sunday, monday, four days of training. So they call that the Black Hat trainings, which are the couple that I’ve been to in the past have been amazing. Some of the best training in the world happens. Blackout expensive as hell. But good training the, and then it’s two days of briefings. So Wednesday yesterday was the first day of the briefings and then, uh, today to wrap it up.

[00:08:43] Brad Nigh: Yeah. And to be clear yesterday today that we’re talking about, like you said, the training portion is very different.

[00:08:51] Evan Francen: Yeah, totally. So nothing. I mean there wasn’t really any breaking news yesterday. That was like, oh my God, that’s insane. Usually there’s a little bit of that, you know, but I haven’t, I haven’t seen anything that was like earth shattering, more of the

[00:09:08] Brad Nigh: same print nightmare supposed to be released during black hat and it got, yeah, so there you

[00:09:17] Evan Francen: go. Well, that’s one of things that’s frustrated me too, is, you know, people want to wait to disclose something at black hat when, why, why? No reason why you’d be waiting to disclose it and black at would be for the notoriety,

[00:09:35] Brad Nigh: Maybe 100%.

[00:09:37] Evan Francen: Yeah, so that’s a pretty selfish reason to be holding back, you know something. Um but it is what it is the sponsors, you know, they don’t know what they pay for sponsorship nowadays but holy ghost, I look at some of the sponsors and I’m like uh adam money, I’m gonna say something I shouldn’t so let’s move on man, Black black hat today ends and then we go to defcon death camp starts tomorrow. Death friends, you know if you again if you’ve never been it’s worth it’s worth a go. If I were to go to either one black hat and def con if I had if I could only go to one I would definitely go to def com.

[00:10:23] Brad Nigh: Absolutely

[00:10:25] Evan Francen: it’s more it’s more of the agriculture, it can kind of get yourself immersed into, you know what all these weird geeky people do.

[00:10:32] Brad Nigh: Oh yeah you can go on the, there’s got like the itinerary and some of the things it’s like wow.

[00:10:41] Evan Francen: Yeah

[00:10:42] Brad Nigh: and there’s like the various centric ones too, they have like a Tinfoil hat competition like they’ll give you 10 for you have to make the hat and they are gonna judge and declare a winner. It’s so funny.

[00:10:56] Evan Francen: Yeah, I think it’s a lot of it’s funny and it’s a lot of fun. I think one of the things that sometimes people do if you’re not in that culture is you may think that oh my God you may come away either being scared shitless or think oh you can do this Well then this must be happening everywhere kind of thing. No, this is a lot of one off kind of like stuff you probably will never encounter in your own business, but pretty damn cool stuff.

[00:11:29] Brad Nigh: Well, you know, it’s, I was talking with a couple of the uh my VC so clients and telling him like, hey, by the way, I’m gonna be Uh huh dan for out of pocket for the capture the flag and you know it for that for us to an incident response for the pen testers doing the red teaming stuff. It’s valuable experience.

[00:11:53] Evan Francen: Yeah, for

[00:11:55] Brad Nigh: Mhm. The people I’m working with your like that would be cool. I’ll never use it. Right? Yeah, it’s interesting to, you know. Yeah, that’s fun to do, but it’s a fairly narrow skill set or you know, that can well use it in any sort of regular wave,

[00:12:19] Evan Francen: Yep 1st. Sure, so def con 29 kicks off today, it will run through the safe. Sunday thursday sunday yeah, I can’t do the numbers, right? So it kicks off today. Today’s thursday the fifth. It will end on sunday the egg. That’s when they’ll do all their awards and give out the black badges and all that good stuff. We have a team. So you’re doing your own and we’ll talk about that, you’re doing your own like you’re going solo on the CTF to just see what the hell you can do.

[00:12:52] Brad Nigh: Uh

[00:12:53] Evan Francen: we have a team out there too. We have we have actually a team at black hat and at def con but the team is, how many, how many cts are they doing this year? Do you know?

[00:13:04] Brad Nigh: So officially we’re not disclosing what we’re doing. Well the problem is a lot of times you’ll start on some of these and be like, you know what, this is stupid and so you know, because marketing was asking like, hey, can we know because yeah, there’s a couple we’re gonna do, but what if we choker decide like, you know, a couple hours in like this is ridiculous, we’re not doing this. And so you know, so usually I’ll say this, how about this last year? Uh I know the red team did okay and they focused on one saying this is a blue team and then kind of work together on a couple like the bio hacking village and um So one other one, I

[00:13:57] Evan Francen: can’t remember the medical

[00:13:58] Brad Nigh: one. Yeah, that was bio hacking.

[00:14:00] Evan Francen: Oh yeah, yeah. What shoot, what was it was? I know an Iot

[00:14:07] Brad Nigh: yeah, it was something I don’t remember what it was, you know, so usually, but usually you don’t work, you know, the the open sock one this year is like I think it’s like noon to eight on Friday and then central and then the finals are on saturday, so there’s gonna be time to work on other stuff or you know, as you’re doing it. So it’s you know, never really just one thing you’re doing kind of doing a bunch of stuff. Yeah,

[00:14:40] Evan Francen: Yeah. The team last year, I think it was in four CTS, right?

[00:14:43] Brad Nigh: I’m like, yeah, that sounds about right.

[00:14:46] Evan Francen: I think the team

[00:14:47] Brad Nigh: final than all of them uh with I think so the command and control was I think second maybe okay, um Open sock, which last year was the first time we have done As a team and we had a bunch of relatively new people, we finished, I want to say 9th, It was like 10 minutes after the first place finisher. So are off and then we did like, we’re top 15 for the bio hacking which was a like literally like when we had time. Yeah, it wasn’t even a full time. Yeah, and I don’t remember what the other one was, but it was top 20 for sure.

[00:15:29] Evan Francen: Yeah, that’s cool. I’m excited to hear the updates from you and Oscar as you know, as things go on. I I actually stay out of the way until uh Yeah, I mean Oscar will paying me, I’m sure on sunday monday and you will, you know, hopefully you and I you and I are always kind of, you know discussing things. So

[00:15:52] Brad Nigh: it yeah, it’s fun. I’m interested because last year I was was part of the blue team piece because we’re still training up a bunch of people now and those guys have just come light years so we’re going to let them, I think Oscar is going to let them just how to do their thing. So you, how did you know? Yeah, so

[00:16:14] Evan Francen: goodbye. That’s so cool. When you talk about baby Bird, I mean true that blue team is, You know, I would say top 10 in the world and people don’t realize that because they’re in the back end and you never see them, you never really see what they’re doing, but their damn damn good man,

[00:16:38] Brad Nigh: We’ll see how they do this year. But I mean yeah, yeah, finish their last year. I mean realistically this is kind of the best way to the only real way to judge how some of these going and it’s an even playing field because you’re not using any of these customized tools or anything like that. You give you, hey, here’s, here’s the tools go. So it’s a and the

[00:17:08] Evan Francen: that’s cool man. Well I think and after maybe next week or the week after we’ll have you Oscar me, maybe pinky join us. You know, we can talk about how things went.

[00:17:21] Brad Nigh: Maybe eric just have a big party.

[00:17:23] Evan Francen: Yeah, right, because I’m excited to hear, I love, I’m like that, I’m like the dad, you know who watches his kids go out and play on the field. Holy crap, they’re so good.

[00:17:36] Brad Nigh: Oh yeah, yeah, those guys are well, we know are are renting is amazing, you know, they just, do you grow big blue is so new. Like if you think back two years ago it was like me and Oscar and we just hired

[00:17:57] Evan Francen: that I was doing crap then.

[00:17:59] Brad Nigh: Yeah, tom just two years. He was the first one. I think so. I mean, yeah, from where we were to where they’re at this guy’s man. Nothing but yeah, these for them.

[00:18:13] Evan Francen: Yeah, yeah, that’s cool man. So all right, so that’s kind of where we’re at their, I think next week we’ll have an update on, you know how things went down, you know, def con more so than black hat. I mean if you want to know what’s going on in black cat, just check the news because black, that’s a place where all the marketers are going to be spewing all this stuff, you know, that came from black hat. So it won’t be hard to find really good information on black It. I think it’s important, you know, at def con to see some of the inside stuff that happens. Our team, our team, is there not as tourists. I mean our teams are active participants that actually worked their ass off. Some of them like hardly even sleep for the entire, you know, 34 days

[00:18:59] Brad Nigh: here. It was The same thing. I started like noon on Friday. I think I went to sleep at three a.m. And was back up at eight and went so I don’t even, I don’t Yeah

[00:19:16] Evan Francen: crazy.

[00:19:16] Brad Nigh: Well into the night. Yeah. And then sunday as well I think. Gosh, we’d have to go back and work. It was like 6 40 hours over that three day window.

[00:19:32] Evan Francen: Yeah, that’s cool. All right, well let’s uh stay tuned for some updates there. Uh Other things going on around here. I’m doing a lot of work with states and local governments trying to crack that nut. That’s easier said than done. Uh I don’t know your you’ve been working here all over the place. You’re

[00:19:52] Brad Nigh: I mean my big focus is what we call program management. So taking we’ve got so much good information, but it’s all decentralized. So, you know, people don’t maybe just working to make it Standard, right? Just one voice. You know, everybody knows. Okay. I have a question about in response. Here’s where I go to find it from sales and marketing side. Or where the expectations for uh our case managers or the, you know, project manager, what are they expected to do? And where do I go to find that information? So it’s fun. It’s a lot of work.

[00:20:34] Evan Francen: But yeah, and you’re all over the place. It’s like herding cats.

[00:20:40] Brad Nigh: Yeah, it’s basically, I mean every single Mhm. Group, you know, outside of like some of the back end stuff. Yeah. Ignoring finance are about the only ones that I’m not working.

[00:20:57] Evan Francen: That’s cool man. I appreciate I appreciate all the good work. It uh it’s a big deal, otherwise you get chaos.

[00:21:07] Brad Nigh: You know, it’s fun. It’s good to do too. It’s a good sanity check for us as an organization because you do find I did I R last quarter and we, we found some like we’re like, oh wait we’ve updated that. We need to fix that in the statement of work to make sure that it reflects the current status because I mean, let’s be honest, we’re as fast as we’re moving. It’s very easy to miss and it was, yeah. Oh yeah, no, we should change that language is, it’s not how we refer to it anymore. Yeah

[00:21:46] Evan Francen: yeah accurate, very cool. Well I have three news pieces today. Nothing, it sort of has seemed a little quieter out in the world. Yeah. Uh huh. That’s not uncommon either around this time of year. Um, All right. So first one is from bleeping computer, it’s locked bit ransomware recruiting insiders to breach corporate networks. Not the first time we’ve heard of criminal gangs using insider, so trying to find somebody on the inside who is maybe money motivated, maybe hard up on cash. They were going through a divorce, whatever. I mean there is, there is a, there is a profile of the ideal person to approach and how to essentially convince them to help you. There is a profile that Attackers used to do that and it’s all those things that people are going through life changes because if you think about it as a human being, I may not have a criminal record. So if you do the background check, you won’t see the fact that there’s nothing right because I wasn’t motivated to, but now with Covid and I’m going through some mental issues going through a divorce, my wife is gonna want a bunch of money that the lawyers are going to cost a whole bunch. Yeah.

[00:23:10] Brad Nigh: Yeah, there’s, it’s, well, you know, it’s funny when I saw this, I was like, I had to look at the date. I was like, did he send one from like did he look at the date wrong? No, that’s okay. That’s yeah, interesting. Yeah. Like you said it is not, it’s common, sadly

[00:23:29] Evan Francen: it is. Um, and and there is the ideal person. I mean they have automated this, they’ve gotten so good at this. It used to be almost spray and pray. Right? You just make all bunch of phone calls, how much of emails, who’s gonna respond. Okay? There we go. I got somebody on the hook, they still do a little bit of that. But the really good ones, they will, they will create a profile or they have a profile of who the ideal target is when they will use search engines and you know their own ascent to identify who those people are and then keep it quiet because if I do this frame pray method, you might be tipping off somebody else.

[00:24:06] Brad Nigh: Yeah. Well you know, it’s funny because in that article at the very very last sentences in august 2020 the FBI arrested in Russian national for attempting to recruit Tesla employee. So I was like, okay, I read that. It’s like, all right, okay. That’s why it felt like wait, didn’t we? Uh huh.

[00:24:26] Evan Francen: You are always people are always the best, you know, right? The best method of getting what you want so locked at 2.0, they promised millions of dollars to insider. So you come help us. You know, we will pay you through the nose. Uh, it’s locked it, you know, two dot org is a ransom as a service for people who don’t know what that is, essentially. It’s you know, we want, you know, here’s here’s what the email says. I’ll quote it. Would you like to earn millions of dollars? You know, if I’m hard up on money man and you know, you might have piqued my interest something I you know when I sit here in my normal frame of mind, when I sit here and I’m not, I’m not going through life events that require me, you know that that doesn’t pique my interest. But if you can put your put the shoes on of somebody who is, they’re desperate, they’re down on their luck there like things that they normally wouldn’t do. They do. Yeah. And if you talk about, you know, a company with 1000 employees, couple 1000 employees, you’ll find somebody who’s going through some desperate times and they haven’t told anybody either. That’s nothing at work, you know, with the culture of some organizations the way they work, you’ll never know the person who’s going through this desperate hard time, especially at home now and now we’re working at home.

[00:25:49] Brad Nigh: Yeah. Yeah. I saw it just kind of a little bit of a non sequitur bit. I saw comic like, yeah, it was like why don’t men talk about things? And it was like inside the box, I’m going through some stuff comes out was like, hey, I need some help and gets the stomach punch and then goes back in and like, nope, never doing that again. And I mean, unfortunately that is far too common.

[00:26:14] Evan Francen: Oh yeah, my son, you know, who’s a police officer in Lenexa Kansas, you know with all the things going on in law enforcement and he’s a good cop man, he’s out there to serve. I know him deeply, you know, I mean just I know he’s a good kid and uh so I was talking about, you know, what kind of support do they have for you guys in terms of mental health, you know, I mean it’s got to be hard, you know? And he’s like, well there’s a, you know, we do have a mental health, you know, doctor and everything. I’m like, have you gone to see them? He’s like, no, like why not? Is nobody goes to see them that goes on your record.

[00:26:52] Brad Nigh: Yeah, I mean how does that help?

[00:26:57] Evan Francen: Doesn’t but I know that I was talking to somebody last week. I think he was a former state patrol person but he has a lot of inside information on just different police departments and the procedures they are changing that. So there is a wave of like encouraging officers to get mental health and not holding it against them right almost in giving them awards for doing it right for stepping out

[00:27:25] Brad Nigh: definitely that like sigma Yeah, getting help. Does not mean you’re weak. Doesn’t either. Something wrong. Everybody needs it at some point.

[00:27:35] Evan Francen: 100% man. I mean show me the person who can get through this life without any help from somebody else that doesn’t exist. All right. So anyway, would you like to earn millions of dollars are company acquired good english. Yeah. Our company acquire access to networks of various companies as well as insider information that can help you steal the most valuable data of any company. We can provide us you can provide us accounting data for the access to any company. For example log in and password to rdP VPN corporate email et cetera. Are open our letter at your email launch the provided virus on any computer in your company companies pay for the for us companies pay us the foreclosure for the decryption of files and prevention of data leak. You can communicate with us through the tor messenger https slash slash talks to chat slash download dot html using talks messenger. You will never know, we will never know your real name. It means your privacy is guaranteed if you want to contact us news tour I. D. And then whatever you can trust us, your privacy is safe with us Attackers who are trying to convince you to steal millions of dollars from your company.

[00:28:58] Brad Nigh: Oh and by the way, open our letter at your email that we don’t know who you are.

[00:29:04] Evan Francen: Yeah. Yeah. Yeah just funny. Uh but it works obviously if it didn’t work then they wouldn’t do it.

[00:29:12] Brad Nigh: Which yeah it’s sad unfortunate.

[00:29:17] Evan Francen: Yeah so I think you know one of the things that as the sea so right, understanding that information security is more about people than it is about information or security keeping focused on that if you try to create an environment where people feel safe coming to you, you know they’re not going to feel judged letting you know about these things. Uh Yeah so it’s not just technology you’re not you’re not gonna stop you know these types of attacks with technology because the Attackers just finding a way around your technology.

[00:29:54] Brad Nigh: I mean how many, how long have you been saying? I’d rather go through the receptionist than your firewall. I mean

[00:30:02] Evan Francen: it’s the same man,

[00:30:04] Brad Nigh: well you look at the incidents outside of like these the last couple big like the solar winds and half the um and say where there is a major technical flaw. I would say 90 plus percent, maybe 95 plus r you know, somebody clicking something or doing something. They shouldn’t, it’s, they’re targeting people. It’s and I don’t blame

[00:30:30] Evan Francen: Yes. Right. They’re

[00:30:32] Brad Nigh: not trained and they don’t understand it. Okay.

[00:30:36] Evan Francen: And let’s either that or it’s the fundamental stuff like, oh, I didn’t even know we had that system. I didn’t know we had already p opened the internet. I didn’t know we had single factor authentication on our email.

[00:30:48] Brad Nigh: All that is open unencrypted to the internet.

[00:30:51] Evan Francen: Right? I mean it’s like those two things, Right? The people thing and the basics thing. All the other blinky light things are all just just, you know, so much distraction. Uh Yeah, but we’ll keep preaching that man. So speaking of solar wind, you mentioned solo against uh they made a motion to dismiss yesterday. I believe. Uh this is from the register. So the, the title of the article is solar winds urges us judge to toss out crap inco sex symbol. We got coned by actual Russia. Give us a break. Company says it didn’t skimp on security before everything went wrong thing. We’re gonna have two sides of this, aren’t you? Who?

[00:31:42] Brad Nigh: Yeah, I don’t man,

[00:31:46] Evan Francen: Well here’s the thing, you know, a flaw regardless of whether you should have seen it or not a flow and there are accidents too and there’s going to be interesting to see how all this gets argued out. But if your stuff purposely are an accident causes me harm. At what point do you like hold you accountable for the harm that you’ve caused me?

[00:32:17] Brad Nigh: Yeah, it’ll be, it’ll be interesting to see how this plays out because I mean mhm I’m not, I can see both sides. I don’t know. I’m not sure where to focus. Like how do you fault them for a nation state attack? We know that, that you can’t stop. Those are going to happen. We know that. But yeah, at the same time, like how do you recover as a client if you’ve been impacted And so this is, I don’t, I honestly don’t know. I think in the suit it sucks

[00:32:57] Evan Francen: just All right, well it’s important to stay. Yes. You know, keep one of the things that, that it seems like people do is they have a short memory span. So the solar winds thing happened and oh yeah, I remember something about that, you know, years down the road. Mhm. What I encourage people to do is things like this things that are impactful like solar winds continue to watch the story unfold. It’s not the end yet there’s a lot more to this, the because there’s also a case to be made that yes, this was a nation state attack, but solar winds, this was like your golden gold gold bucket of gold. This is your thing and they could have had you had it been, you know, done. They could have prevented it. Not now, I mean not them, but now,

[00:33:51] Brad Nigh: you know. Yeah. Well, and I mean it’s, this is what makes it so hard and why were, you know, being a C. So it’s, it’s kind of a, you know, sometimes it’s like a losing proposition. This was a never before seen attack. Right? So yes, could you have caught it? Absolutely. But would you have been, you never would have been looking for it right. It could have been caught if you had had stuff in the right place, but it doesn’t mean, Yeah, yeah, it’s, yeah, I want to go with everything sucks about this.

[00:34:32] Evan Francen: Well, so, and so this is the shareholders aggrieved shareholders. So this is not unlike the target breach, you know, special litigation committee stuff that I was on. I’ll read more about it. Um, but correct Yes. It will be interesting because here’s the thing that happens over and over and over again. So, you know, as a matter of Damage is done or accountability, solar winds their share price crashed, you know, from $24.93 to $14.95 shortly after the attack. Now it’s rebounded back to over $22, a share. So materially intolerance, you know, are, you know, the value of the company or whatever didn’t really change

[00:35:27] Brad Nigh: well And you know what’s interesting is have we seen anything or heard anything towards Microsoft because they’ve had a string of really like half the on the print nightmare. You have a pet a podium, the NTL n relay attack. I mean those are as bad or worse.

[00:35:47] Evan Francen: That’s the crappy thing about all this is, you know, this big powerful tech companies, nobody can really hold them accountable. So you’re like, yeah, whatever you don’t like it. You know, I stopped using windows. I can’t, everybody uses freaking windows,

[00:36:06] Brad Nigh: right? And we already know people are struggling with that. Can you imagine throwing? I mean, there are some very user friendly versions, you know, a boon to it. It’s probably the most well known. Right?

[00:36:22] Evan Francen: I mean you personally can go to something else, but if you’re

[00:36:27] Brad Nigh: an organization, Oh my gosh, that gives me like cold sweats. Thinking about it from the night. He perspective trying to deal with that.

[00:36:36] Evan Francen: Right? And so even if you went to go to Lenox or some other form, yes, I’m secure operating system. You still have to interact at some point with windows because anybody that you’re talking to. I mean there’s going to be a document, you need to open up, you know, something

[00:36:54] Brad Nigh: companies that work all on apple devices still have to do it. We’ve seen those, right? Doesn’t matter. You still have to interface at some point.

[00:37:06] Evan Francen: Yeah. So you know, I’m torn man because uh, I’m, I’m of the belief that I’ll just take my neighbor, right. If my neighbor created something I bought it and it hurt me or hurt my family. You know, there needs to be some reckoning, right? Rather than having my neighbor continued to sell that same thing to my other neighbors and it just caused me a bunch of harm. Should I step in and say, hey, uh, produced you just told me this thing and it just like burn my house down,

[00:37:42] Brad Nigh: make changes or he’s still saying that selling the same exact thing. Yeah.

[00:37:47] Evan Francen: And maybe you should pay for my house.

[00:37:50] Brad Nigh: You know what I mean? And that’s, that’s where it gets so tricky because uh, you know, do you, is there intent? Right? Or was it? And I mean we all know people make accidents, There’s bugs. There’s a, there’s a reason it’s there,

[00:38:08] Evan Francen: right. You know, I’m excited to see what the end of this is because there is, mm, we have swung for the longest time. We have swung way too far to the enable people to do reckless things and not hold them accountable for it and we’re all suffering. So the pendulum needs to swing back to, you know what? We are going to hold you accountable if you don’t do these things, these 5 10, basically whatever you need to start, if you’re not going to do these things, you are going to be held accountable and up until including, you know, jail time or something because people shouldn’t have to suffer anymore for things that we should be able to fix as an industry.

[00:38:51] Brad Nigh: Yeah, yeah, yeah. It’s gonna be tough because nobody’s gonna do anything unless you can prove negligence and that’s what is better. And they’re gonna, are you? Well, how do you? Yeah,

[00:39:07] Evan Francen: well, even the negligence piece, right? I mean, it’s a negligee, is it? Well, negligence is such a, you know, it’s the preponderance of evidence, right? It’s, you know, which way does the scale lean and uh is it reckless to not have an asset inventory?

[00:39:27] Brad Nigh: I uh Yeah, I would say so, but that doesn’t mean right right now, it’s tough.

[00:39:40] Evan Francen: Yes, Well, I sort of sometimes I sort of wish I was, I’d love to be in some of those conversations, be like, seriously, are you kidding

[00:39:50] Brad Nigh: me? Well, that’s why you would never be a lawyer because

[00:39:54] Evan Francen: I’d say that exactly get disbarred. Well, I started I’ve got and then we can go about our day because you know, I’m guessing everybody’s got a bunch of work to do. Uh Silicon angle, this is an article, it’s a bipartisan Senate report finds federal agencies continue to suffer cyber security shortcomings when I read this. I was like, no,

[00:40:16] Brad Nigh: what?

[00:40:18] Evan Francen: The federal government can’t secure their shit, I can’t believe it, you gotta be nuts. That’s true. Uh But here’s the thing, the report was released. What? Not that long ago, but it’s a follow up to an investigation and report that was done two years ago And it only includes eight federal agencies. I don’t know if you know how many federal agencies are. I don’t even know. I have no idea. I know the state of Minnesota has 87 to state agencies. I can only imagine how

[00:40:49] Brad Nigh: many. Well my question how many? Well the ones that were there? Those are pretty big. So I would assume that there’s a lot of agencies that fall under the purview of those major ones.

[00:41:03] Evan Francen: So of the eight only the Department of Homeland Security had managed to employ an effective cybersecurity regime in that time was a regime. It’s like I don’t like that word at all. I’ve never built a cybersecurity regime before built a program but not a not a regime. Uh The other seven agencies were found to still be lacking those agencies. Department of State. Yeah. Uh Department of Transportation, Housing and Urban Development, Agriculture, Health and Human Services. boy finally we haven’t had a law that we wrote in 1996 for that Education and Social Security Administration. So they’re all blacking now. I don’t know. I haven’t read this entire article so I don’t know all of the details. I will be reading it because I think it’s interesting.

[00:42:04] Brad Nigh: Yeah it was not good. The one thing I don’t like is on this article from some silicon angle is. Yeah. The chief research officer identity platform provider of iridium.

[00:42:18] Evan Francen: Right.

[00:42:19] Brad Nigh: Cannon should adopt password authentication. Gosh, guess what his company sells.

[00:42:26] Evan Francen: I yeah that stuff hit if this is me off so much because it’s like that’s the password less authentication is like that’s a little bit down the road brother. I mean what about roles and responsibilities? What about asset management? What about what the hell do you know?

[00:42:44] Brad Nigh: Well if you look at one of them shoot I just closed accidentally uh pull back up. It was the wrong window. Uh huh. Or is it Department of Transportation found 14,935 I. T. Assets belonging to the department of which there was no record. How the hell are you gonna do password list if you have 15,000 devices you didn’t know about?

[00:43:12] Evan Francen: I know. Well that’s right. You remember biden’s executive order right talking you know town and zero trust. Zero trust. Zero trust. Okay. You better understand what these 14,935 IT assets are you better put a system in place or a program in place to make sure that that doesn’t happen anymore or it happens a lot less often. Okay that’s a lot of I. T. Assets they’re like which one do I want to attack?

[00:43:39] Brad Nigh: Yeah

[00:43:40] Evan Francen: because if you don’t if there’s no record of that that probably means it’s not some of those are not in your patch cycles. Some of those are not

[00:43:51] Brad Nigh: if you don’t know about you, Do you have any sort of patch management, you would have known about them. So I’m guessing those are do they have endpoint protection? I would say no if they don’t know about them, they’re not getting patched. Yeah. Mhm.

[00:44:08] Evan Francen: Well and the reason why this continues to happen is because there’s no accountability for it. Oh yeah, it sucked two years ago. It still sucks today,

[00:44:19] Brad Nigh: let’s be honest. It’s not just the government. I mean yes, this makes a big deal but we’ve seen that in private sector where they’re like we do a scan or like what about these things and they’re like what? Okay. It’s universal now it is scary from a governmental perspective because of what they have and do and just the nature of how they operate. But

[00:44:47] Evan Francen: yeah, I love that Pimp wasn’t pip pip lasker so rajiv pin plaster from verity um says this is his, this is what was quoted as his advice right? There may be a God, I hope there was other advice along and they just picked this one but federal agencies can and should adopt password less authentication, utilizing phone as a token or Fido to security keys. Pimpin blaster added such solutions reduce the attack surface of credentials that can be exploited in a data breach making an environment impervious to such attacks further such solutions also reduce friction enabling a better user experience. Okay. Yes, that’s like step 48 yeah,

[00:45:38] Brad Nigh: yeah.

[00:45:39] Evan Francen: You know, we stopped, you know, steps 1 to 47, which are gonna take probably five years, 10 years to get to.

[00:45:46] Brad Nigh: Right? I mean, is that a bad thing to to, you know, multi factor doing this? Is that a bad thing? Absolutely not. But do when it’s approved. Yeah. How are you going to implement, you know, password, password less authentication across the board when you don’t know what you have, like? Uh

[00:46:08] Evan Francen: Okay, I hear you. I’m 100% behind. I’m not yeah, I’m just this is this is the state of the union, right? This is what our industry looks like. It’s so much pimping products, so much pimping solution so that you can make more money.

[00:46:28] Brad Nigh: Easy button.

[00:46:29] Evan Francen: Yeah. And everybody’s gonna scramble the only ones who sleep with the other ones that I think have earned the right to sleep all at night and do for those who understood did the work? Did the fundamentals enjoy your good night’s sleep? Those of you who are, you know, just buying these easy buttons and throwing this stuff in, you know, enjoy the sleep now because you’re gonna lose it later.

[00:46:56] Brad Nigh: Yeah,

[00:46:59] Evan Francen: the chicken’s do come home to roost,

[00:47:01] Brad Nigh: yep.

[00:47:04] Evan Francen: All right, so that’s that uh I got nothing else bread, getting shout outs.

[00:47:10] Brad Nigh: You know, I’m gonna give one to my wife, uh you know, just putting up with me, but also uh she’s gone through some sort of stuff as well, you know professional, but she’s uh looking like she’ll be a school nurse which is she’s so excited about and she’s gonna be amazing. So those kids will be lucky to have to and staff will be lucky to work with her.

[00:47:32] Evan Francen: Yeah. Yeah, she’s perfect for that man. Oh she’s got that, you know, calm motherly demeanor. I mean it’s awesome,

[00:47:43] Brad Nigh: nursing perspective, Nothing fazes her.

[00:47:46] Evan Francen: No, that’s cool. Well you don’t along those same lines. I’m going to give a shout out to my wife too because I asked you first, so then you’re like oh yeah I should do that because earlier this week I forgot you know uh my work as hard as we work, you know, we have to switch sometimes from work mode to personal mode and then back to work mode and personal mode, right? So we do this all day and there was a day I think it was Tuesday where I didn’t switch, so I was still in work mode and she was telling me about something and I was like so what do you want me to do about that? I was like oh I can’t believe I just said yeah shout out to her for putting up with that and giving me grace because yeah, I mean she could have kicked me right right between them. Yeah,

[00:48:43] Brad Nigh: as soon as you said that I’m like oh

[00:48:45] Evan Francen: yep, I deserved it too, but she didn’t, she showed me grace and and understood and she sets the uh huh she said to me and your wife is the same way as I’ve seen it. It uh they set the tone for how to love in the house, you know?

[00:49:04] Brad Nigh: Well, and I mean let’s be honest, they they’re the even hell dealing with article going from side to side keeping everything in track. So

[00:49:14] Evan Francen: Yeah, very true. Mhm. All right, well that’s that. Uh well, join us next week, we’ll have uh we’ll try to arrange getting some of these def con superstars yourself included brad in the show and talk about that stuff if you want to socialize with us. Don’t Well, okay, maybe I’m @EvanFrancen and Brad’s @BradNigh the companies we work FR Secure and Security Studio. You can find those @StudioSecurity if you’re on twitter folks are @FRSecure, otherwise we’re on linkedin and everywhere else you can find us.

Recently, Amazon made changes to their terms of service. This sparked a conversation between Evan and Brad about terms and conditions, privacy, and what we tend to blindly agree to. Together Evan and Brad discuss Amazon’s Conditions of Use and what happens when you are blindly agreeing to terms.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: All right. Welcome listeners. It’s good to have you join us on this funny Tuesday something. Hey, Thanks for Tuning in to this episode of the Unsecurity Podcast. This is episode 140. The date is July 20, 2021. Running is my good friend Brad Nigh. Hey, Brad

[00:00:40] Brad Nigh:  Good to see you have a picture of what’s actually happening outdoors right now.

[00:00:45] Evan Francen: Oh, all right. Yeah. Well I’m wearing a tank top. They, you know, working from home like you are and in downstairs my wife is like, why are you wearing tank tops and everywhere? Tank tops? It’s hot outside. Oh my gosh.

[00:01:02] Brad Nigh: Yeah, ridiculous. That’s me. Even hotter next week. You see next Tuesday, the forecast is like 105.

[00:01:08] Evan Francen: Yeah. That’s nuts, man. I don’t know. I don’t even know what to do outside. We are. Yeah, we came back from Mexico yesterday. That was kind of fun. Um, I’m kind of excited to get you down there and your family. It will be fr secure south headquarters. Here we are. Yeah, yeah, you’re fine. I’ll show you. I’ll hear some pictures with you. Awesome christian and we saw get lunch together dinner because I’d like to see it.

[00:01:42] Brad Nigh: Yeah, absolutely. They were like that in a while. That was asking about his ah we need to see his girlfriend again and we’re like uh like, you know, we we went and had ice cream with her and I sat with, so you remember your daughter? It was funny.

[00:02:01] Evan Francen: That’s awesome. That’s great, Libya. By the way, my daughter, she uh got her job today. So I’m excited because that should be last dollars out of my pocket. Pay for weird things that 15 year old girls by. Yeah, tell me about it. She comes home with like uh I’m gonna go down around the whole

[00:02:23] Brad Nigh: uh

[00:02:25] Evan Francen: All right, well things are good. A couple of things, so we have a packed show today. You can easily talk all day about, you know, some of the things I’ve got, we’ve got in store, the first one is um I’ll just go through the topics. The first one I just called it, you agreed to what layman’s you about all these uh the terms of service privacy notices on and on and on. I don’t think anybody ever reads these things

[00:02:54] Brad Nigh: very, very rarely well,

[00:02:56] Evan Francen: and I did, I decided to because there’s a couple of companies that I’m just kind of shut up with in terms of what I feel like is overstepping trying to do everything for everybody. Um We’re doing a whole bunch of things. Well, but not great.

[00:03:15] Brad Nigh: Yeah, well, and and if you read through them, they’re not written in a way that’s easy to understand their, it’s pretty intentional to, you know, make this confusing. You just, you know, very complex language. Uh Oh

[00:03:32] Evan Francen: yeah, totally. So we’ll go into that and you, you identified a really cool cool website that will bring to bear here in a little bit. And then um, kind of big news I guess not surprising, but big news is Pegasus. Yeah, that cyber surveillance weapon,

[00:03:55] Brad Nigh: we knew it was out there. And yeah, we’ll talk about that when I got some good thoughts on that.

[00:04:01] Evan Francen: Yeah, not cool, not cool. And then the other uh, three topics, the layman’s view into, you know, terms of use and all that, legally legal stuff. I’m not a lawyer. You’re not a lawyer. Thank God because yeah, well yes, I’m not a lawyer. Uh, and then we’ll go into the Pegasus thing and then we’ll talk, you know, last is we’ll bring up this chinese backed hacking group, a pt 40 you’ve been in that response for a while you’ve seen that come up here and there chinese and the US indicted some of their members for whatever that’s worth.

[00:04:42] Brad Nigh: You know, at least something’s happened.

[00:04:46] Evan Francen: That’s cool. They called him up my name. I think it sends a message, the chinese like we know exactly who this is,

[00:04:53] Brad Nigh: right. Yeah, it’s, you know, are realistically if you look at it, that’s a pretty big deal to do to another country, but we’re going to that one later.

[00:05:03] Evan Francen: Yeah. You don’t see the chinese announcing our guys by name, right?

[00:05:10] Brad Nigh: Yeah, it’s fine to talk about you.

[00:05:12] Evan Francen: Yeah. So first we’ll talk with this uh sort of this legal stuff. So what kind of spread this for me was, you know, someday maybe I got an email from amazon saying, hey, our terms have changed. Mhm. Yeah. For some reason they just caught me at just the right time. I’m like, well what? Yeah. So then I clicked on there link which led me to amazon’s conditions of use. I was like, oh my God, this is a lot of stuff.

[00:05:43] Brad Nigh: So I sent you another link that will back up what I’m about to say. So here’s the thing the is it the literacy project? The average reading level of the US Is a 7th or 8th grader. And then Take that. And when you look at uh studies are showing that people skin web pages and read about 18%. So you’re writing documentation at a, you know, graduate level. How the hell you read it? Are they going to understand it?

[00:06:18] Evan Francen: Right. And even if I understand uh the sentences of the words or maybe even a paragraph, the way they write these things, it’s like one paragraph weaves into another paragraph which then we’ve back into another paragraph previously stated, we’ve got another paragraph and then click link to another document. I can understand. What I’m reading. What I can’t understand is all the lakes here, there everywhere. A

[00:06:46] Brad Nigh: Section three, Paragraph 4. I’m what that was like I’m on subsection 20 what the heck is going on?

[00:06:54] Evan Francen: Well, exactly. So you know I, so I started reading these conditions of use and it was last updated on but they isn’t, there are terms have changed and so I was thinking that was click the link brings me to the conditions of use which says it was last updated on May 3rd. And I got the email mm july 18th. Don’t know if that’s the thing that changed or not.

[00:07:21] Brad Nigh: I don’t know.

[00:07:23] Evan Francen: But it brings you to this help and customer service web page. And on the left side there’s a, you know, heading is legal policies and then you’ve got conditions of huge privacy notice, amazon group companies, non exhaustive list of applicable amazon patents, the applicable placements, patents. You’ve got non exhaustive list of which non exhausted means it’s not everything. Yeah, I know what those words mean. I was like, well where’s the list of everything? Right? You know, and that leads to all this legal mumbo jumbo. Two words may may not. Yeah, this but not limited to. Right the hell. Right. Uh, and then the last one is amazon dot com gift card, an electronic message, customization service terms. That’s what you get in this page. So I started to read it and I don’t, you know, once I started doing something stupid like that I just keep going. So um, for starts off welcome to amazon dot com. Amazon dot com services LLC and or its affiliates amazon provide amazon in quotes, provide website features and other products and services to you when you visit or shop at amazon dot com. Use amazon products or services. Use amazon applications for mobile or use software provided by amazon in conjunction or connection with any of the foregoing collectively amazon services in quotes by using the amazon services you agree on so called and all members of your household. So that means if I’m using amazon stuff, the way I read this is I’m agreeing to the same things for my wife. Mhm. My kids. Yeah, I was in my household grandma’s living with me grandma. Just bring these terms too. Right. And it doesn’t say head of household either. It just says you and all members of your household. Yeah. God,

[00:09:37] Brad Nigh: the best. Well, not the best, but the thing I like is at the end or hidden in there in addition to other limitation and exclusion conditions of use our total liability, whether in contract warranty, tort, including negligence or otherwise, will not exceed the last membership fee you paid. So there’s the same, you know what we’ll refund you your membership fee regardless of what we did to you. Right.

[00:10:05] Evan Francen: Well, and that’s that’s the opening paragraph of these conditions of use and then in a big hole. Mhm. Writing please read these conditions carefully. Mhm. Yeah,

[00:10:17] Brad Nigh: I’m looking at the other side that we’re going to talk about here in a second. It was

[00:10:21] Evan Francen: out at the bottom. Yeah, I’m excited about that one. What I think what I want to do first is just paint how using this stuff can be. And then what what’s a simple place where I can go as a consumer to break this down. And that’s the link that you’re we’re gonna talk about after we get through this. But so it says please read these conditions carefully. And then it’s a whole bunch of blah blah blah blah blah. And then you’ve got headings of privacy, electronic communications, copyright, trademarks, patents, licensing likes us, your account, reviews, comments, communications and other content, intellectual property complaints, risk of loss returns, refunds entitled product descriptions, pricing, app permissions, sanctions and export policy, other businesses. And then you have the disclaimer of warranties and limitation of liability disputes, applicable law, site policies, modification, severability. Their address, which is a P. O. Box, so not really. Right. An additional software amazon software terms because we didn’t put it in somewhere else. Mhm. How to serve a subpoena or other legal process. Okay. And then notice, notice a procedure for making claims of intellectual property regiment. That’s all in this one document. Yeah. And it doesn’t get any easier. Right if you read the doctor any of the stuff under any of these um headings, man. It’s atomic crap. Yeah. So quicken their non exhaustive list of amazon trademarks. Look at that page,

[00:12:13] Brad Nigh: is it? Let’s see, yeah. Where, Where is that 1?

[00:12:19] Evan Francen: Okay, so if you go

[00:12:21] Brad Nigh: on this is exactly it. Right,

[00:12:23] Evan Francen: right. On the conditions of use page, if you scroll down to trademarks, there’s click here to see the non exhaustive list of amazon trademarks.

[00:12:34] Brad Nigh: All right. I’m on the wrong flight. God, that

[00:12:39] Evan Francen: one way I can so I can shut down here. I feel it.

[00:12:43] Brad Nigh: Yeah, because I’m

[00:12:44] Evan Francen: much on people’s face, which is good. Nobody wants to see my face anyway, so let’s go into here.

[00:12:51] Brad Nigh: Yeah. Right. Uh Yeah, so I real quick I just through their terms of service into readable calm. And is it a D. With a great level of 12.5,

[00:13:07] Evan Francen: I think you got the big 12.5. I know Lots of high schoolers that, but not understand any of this. I don’t understand it. I’m 50

[00:13:18] Brad Nigh: that education just being able to read it. Not not understand it there. That would be the difference there.

[00:13:24] Evan Francen: Yeah, I suppose after you read it. Yeah, I get the word I c I can pronounce pronounce the words you see

[00:13:32] Brad Nigh: with them. Uh huh.

[00:13:37] Evan Francen: Mm measure

[00:13:39] Brad Nigh: correctly and I’ll see it.

[00:13:42] Evan Francen: That’s probably not using zooms terms of condition correctly. Uh huh. No, I gotta click start broadcast. That’s why. Alright, here we go. You know, sharing your screen. All right. She

[00:14:00] Brad Nigh: Okay, yep,

[00:14:02] Evan Francen: there’s our conditions of use and then. Right here trademarks. Right, so you see the non existent with a list of amazon trademarks like oh my gosh, on and on and on and on. That’s why I’m going to ace yet. There’s bees. She’s the trademark F. B. A boost Felix fox film finder’s find treated french deluxe. The trademark french locks I think coffee ab camp happy belly hawk traitor. And they don’t. No way are they trademarks? They’re used on their site somewhere. It says in addition, graphics logos, pete headers, button icon scripts and service names included in made available through any amazon service are trademarks or trade dress of amazon in the US. So these are their trademark. Well, the trademark leather architect list of bests will a Macy mad dogs nectar the trademark Neo. Yeah, they trademarked prime red wagon.

[00:15:27] Brad Nigh: The conditions. Yeah, I pulled up their conditions of use and threw it in there and in the flesh, concave grade level, it’s college level. Yeah, at least.

[00:15:40] Evan Francen: Alright, so that’s their list of three marks. Let’s go back to ah patents. Oh my god, website will look like, let’s check, check it out. Oh it’s on a page. That’s not bad. I don’t know. It looks like maybe probably at 12345, 10, maybe 90 patents they’re listed.

[00:16:08] Brad Nigh: Uh That feels seems about right.

[00:16:11] Evan Francen: Yeah, we’re not looking at amateur uh mike uh IBM List of of pens.

[00:16:17] Brad Nigh: Yeah,

[00:16:19] Evan Francen: the patent freaking everything uh that’s your account. Mhm. So that’s that if you understand any of that, right? That and that’s okay fine. It’s more like uh you know whatever you stuff, this stuff doesn’t really bother me that much. Just had a baffling how big they actually are. It’s not, I mean I know they’re a huge company but also like you must have a legal team the size of like when the population of South Dakota.

[00:16:55] Brad Nigh: Right by the way, your your ads are still

[00:16:58] Evan Francen: broadcasting. That’s all mike I don’t care about either. So you can see that I was on United Airlines. Yeah. I get it. I want to go to uh go back here or here go here. I want to go to this other one to privacy notices. This is the part that that was really interesting film. The privacy notice. And they say if I didn’t read any any of these, I guess, you know, reading the conditions of use is sort of cool I guess. Mhm. But the privacy stuff, you know like what types of information do they collect about me? Where do they use? Where do they get it? You know, they don’t go into any real detail. They just give you like general stuff. Yeah. I think they’re so big that who’s going to fight him? Right? You can the state of say the state of California says that you’re in violation of C. C. P. A. In these sections or whatever, they’ll never get through it. Right what I mean? Yeah. Oh my gosh. What personal information about customers does amazon collect? Well they’ve got information you give us automatically and this goes back, remember when we did that uh podcast about this privacy? Do you have a right to privacy? And people debate? Yeah I have a right to privacy. It’s like okay you may have it. You actually have it because saying you have it and legally you know right right. Are you you know did somebody just take it from you and you look at this stuff you know and just in amazon and I can’t imagine you know if you look at amazon Microsoft twitter facebook, you looked at linked in all these places where you’re sharing information. You realize you have no privacy. No.

[00:18:57] Brad Nigh: Yeah. Yeah. And same thing with their privacy notice college level reading You know averages seven areas grades I think 12 13 14 year olds.

[00:19:09] Evan Francen: So who who would ever do you think that’s like um let’s say the F. D. C. Do you think they could force amazon to write this in a way that the average. Right. So you mean that the average reading level of amazon customers which you know maybe it’s ninth grade for eighth grade? Yeah. How how did you possibly hold them accountable? There’s something that they don’t understand?

[00:19:40] Brad Nigh: Ah I agree but honestly we preach this with uh security policies as well. You read some of those and it’s the exact convenience college level document and that. How are people going to understand it? And I have to double check but we made our acceptable use template at late. I think it was 9th or 10th grade.

[00:20:04] Evan Francen: What? That’s the side you’re referring to if our listeners wanted to take their own policies, run them through, Is there a site that you’re

[00:20:14] Brad Nigh: uh Yeah, you can do you see, I’ll throw it in the chat and you can include it in the notes. Okay, readability formulas dot com. And then you can drop grab it in there and it shows all the different reading the score and then all the different versions of our region. And

[00:20:40] Evan Francen: next I think that’s really important like because if I am writing a policy, it’s not that and the way I’ve always used policies in my own work is I don’t expect anybody to ever read them. But what I do is people to reference them. The reference documents. Right. Mm. And so if amazon was going the same way about this policy stuff, it’s obvious that they’re not, maybe they’re writing it as a reference document because they do have headings, you know, and I can find stuff. But um yeah, I don’t I don’t understand what they’re actually seeing here.

[00:21:15] Brad Nigh: Well and there’s a huge difference in these terms of service and a security policy because with the security policy you still have a resource to go to to explain it, right? That there should be somebody who understands it. So if you look at it and don’t understand it, you you have a resource amazon, you’re just agreeing to it with no way of understanding it.

[00:21:38] Evan Francen: Right? And what about like, let’s say Microsoft or amazon? You know, they’re almost so big that you can’t avoid not using them, right? Yeah. There’s no there’s no way I cannot use a Microsoft product somewhere in my like. Mhm. Apple is playing. Yeah. You’re almost forcing me when you are forcing me. I have no option. I must have this which whatever you put in here. I don’t know. Um I guess I’m glad the lawyers fight it out. I mean, if you have an opposing counsel that wants to stand up to the team of amazon hell, I should go back and see if you know, because amazon does have their list of group of companies. I wonder if they have a group that’s called amazon? No, they don’t. I don’t have their subsidiaries listed. They did. I wonder if there’s like an amazon legal incorporated? They’ve got their own, you know, law firm.

[00:22:44] Brad Nigh: Yeah. I don’t know

[00:22:48] Evan Francen: charlie. What’s that?

[00:22:50] Brad Nigh: It’s a subsidiary that doesn’t actually have any. If you lose, that doesn’t hurt company profits,

[00:22:58] Evan Francen: man. Yeah. I mean they’re so insulated from anything that you and I could ever do. I mean your power, this is a consumer, I think unless you can somehow lobby, you know, a government entity to stand up to them. But amazon’s got lobbyists, right? Yeah. So it’s you against the lobbyists? Yeah. Forget about it. Uh And it’s not just amazon we’re picking on amazon right now because this is the email I got. But I think the same thing would apply to just about any large tech company today.

[00:23:33] Brad Nigh: I would say anything that you click the terms of service that you have to agree to. I would assume that this is the case. Yeah. And you’re probably gonna be safe one of the few times you can safely assume something.

[00:23:45] Evan Francen: Yeah. The information that amazon what what personal information about customers does? Amazon collects four types 3 types information you give us willingly or unwillingly or knowingly or unknowingly Automatic information which is stuff they get from their 3rd parties and interaction with their stuff and things. And then actually automatic information like their cookies stuff like when I track you and where you’re going and how are using product everywhere and information from other sources. So that’s where they get the information. Uh For what purposes. Well this is what they say purpose and delivery of products and services provides troubleshooting to improve amazon services, recommendations and personalization. Which is basically so you’re more crab provide voice always crap. You don’t need to by the way provide voice image and camera services comply with legal obligations, communicate with you advertising which seems a lot like recommendations and personalization and fraud prevention and credit risks. So that’s why for those purposes you know. Okay what about cookies and other identified a whole bunch of stuff there does amazon share your personal information. They do. Uh huh. Mhm. Yeah they should transactions involving third parties third party service providers, business transfers which seems kind of funky and protection the amazon and others. That’s when they release information or share information with others. So amazon. Yeah. And then we’ll collect your information. But if they need to share your information to protect amazon they really do that. Mhm yep. So anything to protect amazons behind how secure is information about me? This is a part that sort of talk to me because I’m more concerned about amazon the name about an attacker with my information. Truthful.

[00:25:57] Brad Nigh: I mean we’ve seen it with some of these recent attacks. Where is the most value? Where’s the data? Right. You want to attack 500,000 individuals or one place that has that information? Well right.

[00:26:13] Evan Francen: Yeah. So we protect it. So this is what they say. We work to protect the security of your personal information during transmission by using encryption protocols and software. We follow the payment card industry data security standard when handling credit card data to maintain physical electronic and procedural safeguards in connection with the collection storage and disclosure of customer personal information. Our security procedures mean. And we may ask you to verify your identity before we disclose personal information to. You may ask better. Damn well asked

[00:26:47] Brad Nigh: I don’t like encryption protocols. What are they using? Like triple days Like what protocol?

[00:26:54] Evan Francen: Well they probably have good stuff but yeah but they leave it open ended. Yeah

[00:26:58] Brad Nigh: at least but industry accepted at least then I have a good feeling of what what they’re using

[00:27:05] Evan Francen: you think well there’s no that stuff come on they copied in pieces with somebody else you know? Yeah. Oh

[00:27:13] Brad Nigh: it does happen. Yeah

[00:27:16] Evan Francen: our devices offer security features protect them against unauthorized access and loss of data. He can control these features and figure them based on your needs click here for more information on how to manage the security settings of your device I. E. Sidewalk when it’s enabled by default. Mhm.

[00:27:34] Brad Nigh: And you get like seven days to disable it. Right?

[00:27:39] Evan Francen: Yeah. Now last Ballpoint under house security information is important for you to protect against unauthorized access to your password and to your computers devices and applications. We recommend using a unique password for your amazon account that is not used for other online accounts. Be sure to sign off when finished using a shared computer, click here for more information of how to sign off. That’s all you get for how security information about me in this privacy. Uh huh. Notice that risk. Yeah.

[00:28:13] Brad Nigh: So I can’t wait for you to go to the other site

[00:28:16] Evan Francen: and you know

[00:28:17] Brad Nigh: it’s like whoa okay

[00:28:20] Evan Francen: well this is some of the other I’ll go through the rest of this pretty quickly and then we’ll jump over to that. So what about advertising? A whole bunch of stuff listed there about advertising, What information can I access, ideally you’d be able to access every bit of information and you sort of can. But here there’s only limited number of things that you can access, I think probably through their front end. Mhm. What choices do I have? And they give you a list of choices? But essentially if you want to use amazon services, you don’t have any of this. Just take all those words. I’m just say you don’t have any. Yeah. Are Children allowed to use amazon services such as amazon does not sell products or purchased by Children. We sell Children’s products were purchased by adults. You’re under 18, you may use Amazon services only with the involvement of a parent or Guardian. We do not knowingly collect Knowingly being the key word, collect personal personal information from Children under the age of 13 of the consent of the child’s parent or guardian. So this is the way you work that knowingly is a keyword. And the second piece there is without the consent. The child’s parent or guardian hidden in somewhere and all these agreements and various other things.

[00:29:38] Brad Nigh: Right, Well, you we mentioned it, I agreed to, this includes your family.

[00:29:44] Evan Francen: There you go. So higher household. Yeah. Alright, California. Consumer privacy actually haven’t section here, but all they have is a sentence and then click on the link to read about disclosures required there. EU and swiss us privacy shield remarks are listed here. No G D P R uh practices and information a whole bunch of stuff there. But this is where I thought was information. So I’m gonna read through this quick and then we’ll get to the thing because I think when you realize how much information they actually collect about you, it’s what what did they miss? Right? So here here’s what we got information you give to us. You give us when you use amazon services, uh you provide information to us when you search or shop for products or services in our stores. When you add or remove an item from your cart or place an order through uh or use amazon services when you download stream view or use content on the device or through a service or application on a device. When you provide information in your account, you might have more than one if you’ve used more than one email address from mobile number when shopping with us or your profile when you talk to or otherwise interact with our Alexa voice service when you upload your context. Uh Configure your settings on provide data access permissions or we’re interact with an amazon device for service. When you provide information in your seller account. Kindle direct publishing account, developer or any other account we make available that allows you develop or offer software goods or services damage on customers when you offer your products and services on or through amazon services when you communicate with us by phone, email or otherwise. When you complete a questionnaire, you support again contest entry form when you upload our screen images, videos or other files to prime photos, amazon drive or other amazon services when you use our services such as prime video. When you compile playlist, watch those wish lists or other gift registries when you participate in discussion boards. Other community features when you provide and rape reviews, when you specify a special occasion reminder or new employer employee product availability alerts such as available to order notifications. That’s how we get information from you.

[00:32:22] Brad Nigh: Right to be clear. This isn’t just amazon, this is going to be anywhere and you’ll see that you know like you said we’re not taking on amazon. It just happened to be the one that popped up. This is

[00:32:35] Evan Francen: she entered No. This is what goes back to my point when I say you have no privacy. Yeah. So then it says as a result of those actions, you might supply us with such information as name at identifying information such as your name, address and phone numbers. Amen information, your age, your location information, your I. P address, people addresses and phone numbers listed in your addresses, email addresses of your friends and other people, content or reviews and emails to us, personal description and photograph in your profile meaning, pictures of you and things such as that voice recordings when you speak to Alexis. Now you’ve got voice patterns about me, images and videos collected or stored in connection with amazon services information and documents regarding identity including social security and driver’s license numbers, corporate and financial information, credit history information and vice log files and configurations including credentials. You choose to you automatically synchronize them with your other amazon devices. That is the information amazon has. Yeah. Out of you essentially. What did you miss? D. N. A. Is that in there yet?

[00:33:58] Brad Nigh: Yeah. What did they collect? Yes, exactly. Yeah.

[00:34:03] Evan Francen: So they haven’t got my D. N. A. Happened. Trust me they’re working on it. Uh an automatic information. So this is examples. So that’s just information you gave them. Right are they you as you giving them information that they collect and analyze automatically meaning using their things where they get it in a protocol address used to connect your computer to the internet, log in email address and password. The location of your device or computer content interaction information such as content, download, streams, playback details including duration and number of simultaneous streams and downloads and network details for streaming and download quality. Including information about your internet service provider device metrics such as when it devices and use application usage, connectivity data in many years or event failures amazon services metrics. Examples the currencies of technical errors, your interactions and features and content. You’re selling settings, preferences and backup information, location of your device running an application information about uploaded images and files such as file named dates, times and location of your images version and time zone settings purchasing content use history which we sometimes aggregate a similar information from other customers to create features like top sellers. The full U. R. L. Extreme to through and from our websites including date and time products and content reviewed or search for page response times, download errors, length of visits to certain pages and page interaction information. So just going clicks and mouse overs. Phone numbers used to call our customer service number and images or videos when you shop in our stores or stores using amazon services.

[00:35:54] Brad Nigh: Yeah. Yes.

[00:35:56] Evan Francen: Right. And that’s only two ways. Right. We’ve also got the information from other sources. Um I mean it’s all there right now. People people probably yeah thought this anyway. But when you actually read through the list of all these things, it really starts to hit home like oh my God you have everything. Mhm. You own you. Basic amazon basically owns me owns you. No. So crazy. Crazy man. All right. So I just want to bring that out. I don’t know what we do about it. Be honest. I think we’re so deep in this whole right now. Yeah. I don’t really know how to get out of it, but here’s I’m going to bring up very for our listeners. Right. So basically I mean, I think we just kind of painted the picture that you’re screwed. I don’t know, did we?

[00:36:59] Brad Nigh: I think, yeah, I think so. Right. There’s a way you can make it a little easier,

[00:37:06] Evan Francen: a little easier to understand how you’re being scooped. Right? So, uh, yeah, here’s a page now. Uh, people that are that listen or see it on youtube, you can see what I’m showing on the screen. But um, there’s a cool website that brad brought to bear its https Poland slash slash p O S D R dot org. Yeah.

[00:37:32] Brad Nigh: For, for terms of service didn’t read. Yeah,

[00:37:36] Evan Francen: this is really, really cool. This person I saw it, you know, when you bring it up to me. Yes. You money with them in the search and breaks it down nicely for us

[00:37:48] Brad Nigh: and it shows the different services to and so great. A best terms of service treat you fairly. The terms of service are fair, but user could be our towards the user but could be improved. Red Sea is, they’re okay. But some issues you need to consider brady terms of service are very uneven or they’re important issues that need your attention and a great E is in terms of service raise very serious concerns

[00:38:12] Evan Francen: help. So amazon itself gets a grade e amazon AWS E and amazon prime video gets a D. So nothing in amazon is created force the consumer. It’s all like,

[00:38:26] Brad Nigh: which if you click on amazon uh there like the logo. It will take you to the page and then if you hover over it. I mean it brings it down into uh, you know, human understandable language, but if you click over it it’ll actually show you the, the exact language within the terms of service

[00:38:47] Evan Francen: which when I do it on an ipad,

[00:38:49] Brad Nigh: it took me.

[00:38:51] Evan Francen: But it uh yeah, I mean this is a great, I’m going to spend time here. I think it’s really interesting now. Uh it’s kind of, this is an unbiased sort of review of the documentation without me having to read the entire documentation, yep.

[00:39:10] Brad Nigh: Yeah. And you know, it’s funny if you put in, put in, you know the major browsers. So we’ve got chrome and idiot dogs are

[00:39:19] Evan Francen: amazing.

[00:39:20] Brad Nigh: They’re protecting me from that. Horribly mean ups draft. Um Right. Uh I’ve been in like Chrome and Firefox and Brave and yeah. Mm Yeah, I took that first secured to but uh oh internet work though. Yeah, the the big ones score poorly. Firefox and Brave. Both score A B. No, yeah, things to keep in mind within your browsing.

[00:39:56] Evan Francen: Yeah, zooms courses. Yeah. What about twitter? Yeah, he still read uh I’ll link in Lincoln’s on my maximum now. Right.

[00:40:12] Brad Nigh: Uh Exactly. I would stop their own terms.

[00:40:15] Evan Francen: Any of the big tech, Not great any what’s that does any of the big tech not grade and eat

[00:40:23] Brad Nigh: what? Oh I believe. Well

[00:40:27] Evan Francen: IBM doesn’t have agreed

[00:40:31] Brad Nigh: Mozilla dot org. It has A B.

[00:40:36] Evan Francen: Subscribe to D.

[00:40:39] Brad Nigh: So let me why don’t I share my screen second show what I was talking about with the click over. All right. Yes. All right.

[00:40:54] Evan Francen: Yeah. And find my zoom.

[00:41:02] Brad Nigh: So here we go. So when you look at it, you know your day that whether you have an account or not so are over it and it actually shows and explains exactly what they’re doing. Yeah, deleted content. Not really deleted it is here and I’m not proud. You can review off facebook activities, but facebook can view your browser history.

[00:41:33] Evan Francen: Yeah,

[00:41:34] Brad Nigh: but your identity is used in ads that are shown to other users.

[00:41:40] Evan Francen: Oh, this this place in terms of service didn’t read. Yeah. I love the, love their mission for their quote at the top. I have read the I’ve read and agree to the terms. End quote. It’s the biggest is the biggest eye on the web. Yeah, we fix that

[00:41:58] Brad Nigh: this here. So it lays out differently on my screen than your I’ve had did. But uh, if you look there are a couple here Wikipedia gets to be that’s pretty good Doctor to say. That’s fantastic. Um Start page is A B and that’s about it. Everything else is pretty much an e interest. Apol Blizzard Khan Academy which surprised

[00:42:25] Evan Francen: even have porn hub on here.

[00:42:27] Brad Nigh: Youtube talking credit. You know, if nothing else. Maybe it’s a good thing. Good idea to kind of understand what services you’re using and what then then what services are out there. What are the options? And when does it work? Like they said, I use either uh, these duck duck go or start page and then Firefox or Brave Now does that at the end of the day. Does it matter if they’re doing all this other stuff? Maybe? Maybe not. But you know it do what you can,

[00:43:04] Evan Francen: you know when there’s so much. Well, I think a lot of people don’t realize how much power there is an information.

[00:43:10] Brad Nigh: Oh, that’s where they make their money.

[00:43:13] Evan Francen: How much? Yeah. But it’s a, I mean as a consumer is just like an everyday person like they give you this drug, right? The blinky light game, the, the interaction, the video, whatever they give you that really resonates with you. And then they just, I mean my God, it feels like we’re being rape.

[00:43:42] Brad Nigh: Well, and that’s why you know, the other thing is install something like privacy badger, right? It’s gonna block whose tracking pixels that are all over the place and at least give you a little bit of control over your privacy again.

[00:43:58] Evan Francen: Yeah. Mom and a bookmark this page for sure. Use it often. I quickly about us. Really interesting people I think, you know, you can follow him maybe interact with its got time. Um, you know we’re doing, I was talking earlier today with a friend of mine Can be starting a nonprofit and I told you about the Great Matter society will start that one in earnest. Right? It’s, it’s moving, it’s moving slowly. Nobody’s got enough time because everybody’s busy as hell. But whenever They retire, which is now, uh, 700 move on there 707 days it will probably be devoting most of my time to that. Hopefully we can bring these things together. You know, these pieces like what, what these guys in terms of service didn’t read what they’re doing and some of the other really cool nonprofit like take cybercrime support network, you know, christian josh, he’s doing over there and it’s gonna bring these things together because I think if you get these things together, maybe we can affect some change. Yeah. The only way we’re ever gonna get your privacy back is to change it, meaning you have to change whatever characteristics about you that you can change right. You won’t be able to change your DNA will change your facial structure without, you know, serious money, your fingerprints, stuff like that. But we can change things like social security numbers, Travis license numbers, uh, you know, and the lake. So pain in the butt man. Yeah. Again, if you missed it, listeners pos D R dot org someplace to go. It’s really interesting stuff. We also have some additional links that were put in the show notes. People can hopefully find some useful stuff. They’re kind of an eye opener. Yes. Well, being that we spend so much time there was going to go through these other two, Like pretty quickly, you’ve got probably more to share on the Pegasus stuff. But you gotta, I’ll bring up one article in particular, won’t bring it up on the, on the screen here. But I first thought in the Guardian and it was because what’s his face, who’s uh Snowden? Snowden posted on week then are not linked in on twitter sunday. This is gonna be the biggest news story of the year. And it was a link to the Guardian. The title is revealed, colon leak, undercover leak uncovers global abuse of cyber surveillance weapon is called Pegasus. Not surprising, but I’m definitely troubling, man. Well, I mean, yeah, privacy, right? No privacy with all this stuff. And then you get your own government. Well,

[00:46:51] Brad Nigh: if you don’t know if you saw that, there was some updates that I was reading earlier today that uh let me see, there was like Prime ministers, ah was 14 Heads of State. So three presidents and prime ministers and a king. So you’ve got the President of France Iraq and South Africa. And then the Prime Minister’s that our current of Pakistan Egypt and Morocco. And then the king of Morocco and easier. I mean, if you are that Guardian article as a thing about the freelance mexican reporter 60 leo in yet. Uh so I apologize if I watch that. Right?

[00:47:39] Evan Francen: I mean it’s

[00:47:40] Brad Nigh: terrifying, right? Yeah, he’s dead. He apparently was of interest to a mexican client in the weeks leading up to his murder. And the killers were able to locate him at a car wash coincidence. Maybe not like me. You know the amount of was the other thing that I think that this close up is the whole encryption backdoor. They don’t they clearly don’t need it. All it’s doing is weakening again our privacy and our security. So they already clearly already have the ability they got android and IOS what what else do you need? Like you’ve got the software just you don’t get to weaken my protections already ruin. That’s over.

[00:48:32] Evan Francen: Right. And so this is hacking essentially hacking software sold by the company called the NSO group. Right? Which is an Israeli company. They claim that they only sell to legitimate mara vetted government bodies. But how the hell? Who is that?

[00:48:51] Brad Nigh: Well and none of it, but users agreed to not only use it for specific purposes. Uh Great wink wink.

[00:49:00] Evan Francen: It’s insane man. So who they sell it to 51% the intelligence agencies, 38% of law enforcement agencies and 11% of the military. Ah yeah, this is just the expanse of it. And you’re right man that the mexican mexican client. Well who runs Mexico? The cartels run Mexico. Mhm. You know, maybe you could say, well the president. Okay. Sure. Right. But it’s crazy man. The attack vectors. Sms. WhatsApp. I message any number of God knows how many unknown vulnerabilities those the attack vectors. Once it gets there, things that can read malls. What type WhatsApp chats. If you thought that was a secure app, photos and videos, activate the microphone remotely. So while you’re not you don’t even know it’s being turned on and they’re listening to everything you’re saying, activating the camera, recording phone calls. Gps, data, calendar, context book, you name it right? It’s rooted.

[00:50:08] Brad Nigh: You know what bananas is? A factory reset doesn’t appear to get rid of it on at least some android phones. But the recommendation is until we know more. If you find out you’ve been affected. Get a new phone.

[00:50:26] Evan Francen: Yeah. Yeah. one. And how long was that 1? You know like the true right. Just being targeted that get you right, there was just only do anyway. But when it’s like right in front of you like this.

[00:50:44] Brad Nigh: Yeah. There was a Oh I’m trying to find it now. That was really cool. Think you could actually install to see if it was affected.

[00:50:56] Evan Francen: Mm. Uh We’ll work around it.

[00:51:01] Brad Nigh: Yeah. Yeah. I’ll put this in there. Well it’s not the analysis. You can if you are concerned, you can actually at least find out.

[00:51:15] Evan Francen: Yeah. Find out if you’re going to die next week. Yeah. Give credit to, Does it? I think 16 is a 16 journalists. They’re working on exposing this more 16. Okay, Uh investigation. My Guardian and 16 other media organizations. Yeah. You gotta have some serious uh gumption. Yeah, be going here because you’re talking about some pretty shady, very powerful people,

[00:51:50] Brad Nigh: yep. Yeah. You know, it’s always I just uh a link on how to uh well if your phone is affected but it’s amnesty international that’s putting out these indicators of compromise and kind of running this, which is, makes me feel at least a little bit better about, you know, is calling and testing to a lot of stuff.

[00:52:11] Evan Francen: Well, it’s good there. Yeah, I mean, I’m not, I’m not like a I’m not like tighten any, I always healthy uh skepticism I think about everybody, you know. But this speaks very highly of amnesty ah

[00:52:30] Brad Nigh: which they got to be on usd are so there you

[00:52:36] Evan Francen: go. He’s not been true. So really interesting. It will be interesting to follow that as it continues and see what the reaction is going to be, what’s going to happen.

[00:52:48] Brad Nigh: Yeah. All out on this.

[00:52:52] Evan Francen: Why? Because you know that the United States is multiple, you know, agencies and or multiple agencies prefer and the military, our customers.

[00:53:04] Brad Nigh: Mhm. Oh, 100%.

[00:53:06] Evan Francen: So the crackdown on themselves.

[00:53:10] Brad Nigh: I know it’s nuts.

[00:53:15] Evan Francen: So that’s gonna be uh yeah, will be a movie for sure and some other things, but it’s sad to that. And then the only way to really protect yourself at all your text and even then you know, whatever. But you can’t really get away from tech anywhere. Get away from my home. I can’t get away from it on the streets. There’s camera surveillance everywhere. There’s God knows I’m an electronic signals doing what, you know when I set up just a simple um, hello wireless. Uh, the band isn’t working today. It is man, I set up a set up a simple kid on a, on a raspberry pi. I live in a small town main street. I caught like 30,000 signals but then like week just different communications going on, whether it be weakening or what have you crazy. Alright. So that’s that keep keep a look out for that. We could cover that for days. But that’s uh, interesting. The other one, the last one that we’re at this thing up us invites members of the chinese backed hacking group MPT 40. I quoted that one from bleeping computer dot com but it’s all over the news essentially. Uh, we’ve indicted some hackers from china for their chinese. Everything is chinese government. So you think that there’s a private company and private entity in china? Mm No, no. And a man you say their names but interesting pictures that I have a picture of king green men that have a picture of him but they are being usually italian and wolf the wrong and zoo in men.

[00:55:11] Brad Nigh: Yeah. What, what I think is

[00:55:13] Evan Francen: looking folks

[00:55:14] Brad Nigh: big about this is the fact that they named him right like there. This is definitely an escalation in cybersecurity.

[00:55:26] Evan Francen: Yeah, for sure. And yeah, because you don’t I don’t recall. I’m sure not nothing. I thought my head uh resonates when china has called out a U. S. Analysts by the name of it that they may do things now. They do do things quite a bit different. Ah Yeah, you should see what comes with that too. And I wonder if china you talk about the customers of you know the NSO group. I want to china is also a customer. No, I’m sure. Well, but Nso is an Israeli company. Mhm mm. Yeah, that I would think that enemies of Israel made, there’s anything that comes out of Israel to is pretty tightly controlled.

[00:56:20] Brad Nigh: Yeah. Really interesting because if you the Guardian is gonna send it, if you read it that they’re going to start uh linking and naming the people and they started naming some of them. So and and it shows who the country of interest was. So that’s going to get that’ll be fun.

[00:56:43] Evan Francen: We’ll be your son. All right. Well, good stuff uh will turn out yet, but I’ll get them hopefully I can’t do it tomorrow tonight because I got have to talks to give tomorrow and I haven’t even started yet. Uh Yeah, but we’ll post the show notes here, Evan francine dot com will be an episode 1 40 show notes when I get those things. Family posted. We’ll talk, we’ll outline. We’ll have all the links to the things that we talked about in today’s show. Uh And if you have things that you’d like to add, like if you found a good resources, do you think other people would benefit from related to any of the stuff we talked about? Ah you know, today in today’s show? You know, send it our way 5%. Are you ready? Um

[00:57:33] Brad Nigh: You know, I’m gonna give a shout out to the exact because he’s been going on and stuff and he’s still man. He makes me smile. Just such a great attitude. It’s very, it’s nice to yeah, it makes you feel better as a parent.

[00:57:48] Evan Francen: That’s cool. That’s cool. I’m gonna get, this is a person who is never going to listen to podcast. Probably. I’m gonna get a shout out to Rudy. Rudy was our house, our house manager down in Mexico this week and we had a really good conversation. I’m one of those guys where I don’t, I’d like to know everybody, you know, there’s not like this. Uh I’m better than you think so. Getting to know Rudy was a lot of fun this week. He’s a hell of a worker works two jobs. Mm I got to give it to every mexican that I met down there has a really incredible work ethic. You know, there’s no, there’s no welfare, anything down there.

[00:58:34] Brad Nigh: So it’s if you want to eat you work. That was cool.

[00:58:37] Evan Francen: So I like Rudy and I’m looking forward to getting to know him more remedios now. Mhm. All right, well thank you to our listeners. Thank you brad again man. Good conversation to see your face. It’s good to see your health yet. Didn’t catch any drama out of your yeah, this past week. So knock on wood. Let’s keep that going

[00:58:57] Brad Nigh: brother.

[00:58:59] Evan Francen: Uh, if you have something you’d like to tell us. This is for the listeners. Feel free to email the show at un security. Pro com mail dot com. Your social social people twitter. I’m @EvanFrancen. It’s just my name and that is @BradNigh, it’s just his name. The companies we work for. If you want to learn more@FRSecure. Got a brand new website, check it out @StudioSecurity is uh, the other place. So that’s it. Have a great week. Talk to you later.

Kaseya VSA, a remote management software, experienced a breach over the holiday weekend that is already impacting a number of clients. It appears that this Kaseya VSA ransomware attack is connected to the Russian hacker gang known as REvil—but it has not been determined whether or not it is the work of REvil itself or an affiliate in their Ransomware as a Service (RaaS) program (and yes, that’s a thing). Evan and Brad break down the attack on this week’s UNSECURITY episode. Additionally, and flying under the radar because of Kaseya, news broke on June 30th about an impressive and potentially very damaging vulnerability in the Microsoft Print Spooler service. This has actually impacted a larger number of customers than Kaseya (millions of servers) and likely would have been bigger news had it not been for Kaseya.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: All right. Welcome listeners. It’s good to have you join us. Thanks for tuning in to this episode of the Unsecurity podcast. This is episode 138 and the date is July six 2021. Joining me is my good friend. Mr Brad Nigh. Good morning Brad.

[00:00:38] Brad Nigh: Good morning Evan.

[00:00:40] Evan Francen: You have did we have yesterday off? We did, yeah. Yeah. So Independence Day, Happy Birthday America 245 years old. Yeah, lot of years old. Yeah. Mhm Good. Yeah, it’s good. I think it was nice to see people out this year. You know celebrating after last year. Yeah.

[00:01:01] Brad Nigh: Yeah. It was the only unfortunate part. It was so freaking hot here.

[00:01:06] Evan Francen: Oh God, yeah. Yeah, there was a ton of, lot of fireworks in our neighborhood and then around here and it was probably until was later. I mean more fireworks than usual and later than usual I think.

[00:01:21] Brad Nigh: Yeah. What school is? We can see our house faces the back of the house faces almost due south And we’re kind of on top of the hill. So we can see, we could watch the fireworks go from east to west, across the horizon over the like the tree line. So we got to watch fireworks from about 945 till 1030 just across the back of the house was kind of cool.

[00:01:44] Evan Francen: It is cool. That’s very cool. Also, another thing happened this weekend. It was friday I think second and news broke about casa. So I I don’t think there’s, you know, we can talk about a lot of things, but I mean it’s hard to not talk about cassia with, you know, kind of everything that’s been going on the last few days. Yeah. So you were mentioning before we got on line uh ri our team at fr secure is gotten hit as well, right? With incident response calls? Yeah,

[00:02:16] Brad Nigh: looks like there’s a, there’s been a couple there that have come in there looks like donkey, they’ll be busy here for a little bit.

[00:02:25] Evan Francen: Yeah. What’s good to keep them busy. It’s bad that here we are again talking about something really impactful I think across the globe. But then, you know, as your reports start to come in more and you start to dissect what actually took place, you know, it is a big deal, but I’m not sure it’s as big a deal as maybe we’re making it out to be. Yeah, I mean, I hate to minimize stuff that affects people personally, but when you look at the numbers, it’s

[00:02:56] Brad Nigh: like it could have been way worse, right

[00:03:01] Evan Francen: one. And when you first heard about it, did you think, Oh my God, here we are, another solo rents.

[00:03:06] Brad Nigh: Yeah, I was like, well I was like my, my initial thought was, oh this is going to be worse.

[00:03:13] Evan Francen: Yeah. Yeah, because that’s what I thought, you know, at first when I heard about it on friday was probably mid day and uh, you know, my first thought was I hope it’s not another solar winds attack. And thankfully it’s not right. This isn’t your traditional supply chain type, not like that, right? Because he has code based wasn’t affected.

[00:03:36] Brad Nigh: No, this was more that traditional attack, the zero day that out of law. And it just so happens that the software they found the flying is used by MSP s and is in installed in, you know, hundreds of thousands of businesses. So it wasn’t like, yeah, they they got the source code and compromise that it was what I would consider a more traditional attack.

[00:04:09] Evan Francen: Yeah, exactly. So the attack, you know, for listeners this was, you know, the essay servers and these were on premise, the essay servers, right, allegedly cassius still holding to the story that, you know, their cloud based servers were not affected by this. And there’s really no indication to questionnaire right now. But the B. S. A. Servers, these are things, you know, traditionally used well in mostly used by M. S. P. S. Managed service providers. And yesterday I was on the Here 11 News and I didn’t realize that uh, even in the news guy was talking to didn’t know what MSP stood for.

[00:04:51] Brad Nigh: I think that’s crazy because we just take so much of this for granted, we’ve talked about that how many times, you know? So wow.

[00:05:01] Evan Francen: Yeah, she was like well what’s an MSP? And I’m like, okay, if you’re, you know, usually a smaller company or you know, maybe a larger company that needs help with managing it, you know, you might engage with a managed service provider so they just provide these services that maybe you can’t afford or they don’t make sense for you to buy. Okay, so in this case the servers are used to remotely manage other systems to do patching to do monitoring, you know, do all that kind of stuff. And these Vanessa servers were on premise at MSP. S and they were also accessible from the internet. That’s not like you don’t want to rush to judgment and say, well how dare you make these servers accessible from the internet? It was

[00:05:51] Brad Nigh: common really. And I’ll be honest, is I don’t know enough about the software, Is was that necessary? Right? Like I don’t know when I don’t think we shouldn’t have it, but

[00:06:07] Evan Francen: yeah, I don’t think it was. I don’t think it was. I mean, I think you could have put this probably behind a VPN, you know, with multifactor. Maybe that’s where MSP s are going to go next with this. But I have done a lot of work with M. S. P. S. And you know, from an I. T perspective, keeping systems running, maintaining systems, you know from an I. T. Perspective they’re pretty good at that but honestly most MSP. S. Oh are not going to security at all.

[00:06:36] Brad Nigh: Uh Yeah are from experiencing some of the stuff we’ve seen. Uh No

[00:06:45] Evan Francen: but you know I know I think they want to and I think they want to get better. I was down at connectwise conference and Orlando I think a week before last on a panel and and and it’s all in this piece right connectwise is all MSP. S. Two. And we were talking about security stuff and the impression I got was there’s an admission that they don’t no lot about security but they want to they’re committed to it.

[00:07:15] Brad Nigh: I’ll say this there we worked with several bits. Oh yeah the one I think that’s the big thing is is if you don’t know don’t pretend right it’s okay to say I don’t know I’m not the expert in that right? And we worked with several that have said okay let’s do this. How can we do this? Right. And and honestly I’ve been really impressed with those and we get asked all the time for you know hey do you have any recommendations? Well I’m going to recommend the ones that we know are working to do things correctly and care right like there’s plenty that are not that way we’ll just believe it at that.

[00:07:58] Evan Francen: Well yeah and I sort of get it to write it. You see the same thing play out when you got your own internal IT department and you have security reporting up to I. T. All right yep this isn’t an I. T. Issue and sometimes I. T. And security are at odds with each other. So then it’s just another case for breaking that thing out. Breaking it out another group.

[00:08:20] Brad Nigh: Yeah and then and that’s a good point. No you know trying to put anybody down right? You know it’s not their thing but don’t pretend that it is because we do see that that’s those are the ones that bother me

[00:08:35] Evan Francen: when they’re dangerous. Right? I mean those MSP. S who think they’re more capable of more capable than they are or they’re trying to do kind of everything.

[00:08:45] Brad Nigh: Uh

[00:08:46] Evan Francen: You know you see a lot of these issues right now uh that are happening I think in our industry with companies who want to do everything right? I mean Cosio wants to do everything right? So you put all this trust into this Bs a. Server or this you know or something else right? And then when there’s a compromise on that thing that controls so many other things it becomes a really really big issue.

[00:09:13] Brad Nigh: Yeah. Yeah. Uh huh. Yeah it’s like I know how many how often do we have to if he feels like we just keep talking about the same things.

[00:09:27] Evan Francen: Oh yeah man for 25 30 years.

[00:09:30] Brad Nigh: Nice like uh

[00:09:32] Evan Francen: Well it’s funny like you know you’re you’re wise grandfather, grandmother or whatever on the farm. You know and they said don’t put all your eggs in one basket. I mean there was wisdom there and I think we’re just like whatever I can do that. The software and well maybe I mean you do you do run this risk right? You do gain some efficiencies by only having to pay one bill and everything in one place. And it’s really nice convenient. But it also comes with this other side of risk. And I don’t think we often think all the way through. Right. Right. Tell something like this happens. Yeah. So the thing that this happened. So this wasn’t a Solomon cyberattack. Nobody broke into the CIA in this attack. I’m not going to say nobody’s broken into cassia. But um This was a zero day uh C. B. E. 2021-30116. Is the vulnerability is given by an SD three. And in this case uh the the company that was actually found it was I think a company

[00:10:38] Brad Nigh: from

[00:10:43] Evan Francen: touch right? D. I. D. D. I believe is the researcher victor givers. I’m not mistaking uh

[00:10:53] Brad Nigh: her vulnerability disclosure.

[00:10:56] Evan Francen: Yeah. So D. I. V. D. Researcher uh week I must say it wrong wheat. See Boonstra. So W. I. E. T. S. E Boonstra. Um They are the ones who discovered the vulnerability. And then they reported it as you know as good citizens to cassia it seems like our sounds like cassia according to, you know, dived very amenable to patching with very responsive work. Yeah.

[00:11:27] Brad Nigh: Yeah. It’s just bad luck.

[00:11:31] Evan Francen: Well, you know, and it will be used to see what else comes out about that because it was really, they already had the patch. They were testing it. I think I’m ready getting really close to the appointment and then you know, our level are evil or an affiliate. We don’t even know if it’s our evil directly. It might be an affiliate. They run a whole ransomware as a service operation. Right?

[00:11:53] Brad Nigh: Yeah, nuts.

[00:11:55] Evan Francen: Yeah. You know, Prior to that, you know July two right? That that nation and you wonder part of me that’s not clear yet. Is did they have inside knowledge that this patch was coming or was it truly coincidence or luck Because I don’t think it was. I actually think they have some inside information that this was coming?

[00:12:22] Brad Nigh: Yeah. It’ll be interesting to see. I wonder they yeah, that’ll be an interesting thing, you know, where were they testing it? Did they push it out to like a beta group and they whatever the packers ended up being. I saw that when I’m to execute right like there’s there, it’s interesting this will be interesting to see the details

[00:12:41] Evan Francen: right? Or was there or is there an actual actual leak or an attacker within cassia Yeah. You know, sharing information or you know, they’re monitoring communications. But anyway, that’s that’s all speculation. So the attack vector and it wasn’t until I would say maybe 24 hours later when you know, I became aware that this wasn’t a solar winds attack. That this was an attack directly at the esa servers that are accessible from the internet and D I P D D. I think that a great job, you know, they scanned for the servers And prior to the announcement there were about 2200 the servers that were accessible from the internet. Yeah. And within, I don’t know, a day or two, it was down to 140. I don’t know what, I don’t know what the current number is. So it was good to see such a quick reaction, especially over a holiday weekend.

[00:13:42] Brad Nigh: Oh my gosh. Yeah. Yeah. Well, and you know that me that act is part of why I’m like, maybe it was just timing because you do have a holiday here in the US Now, Brandon this was a worldwide, you know, there’s companies all over the the world that got hit by this. But was that part of it? Hey, it’s the whole it’s the holiday weekend. People aren’t paying attention with, they’ve been cooped up for a year.

[00:14:15] Evan Francen: All right. Well, and so that makes me think of another thing too. We are, we’ve kind of, I don’t know if in our industry we’ve we’ve blown things out of proportion. I think sometimes where, you know we use here to sell more stuff. So so far, you know what we know in terms of numbers of organizations that were affected and this is worldwide 60 MSP s And 1500 downstream businesses. So we put that into context, I mean, how put that in the context of the number of cassia customers and you know, obviously that’s pretty significant, but but in the context of like the world, You’re more, you know, 1500 downstream businesses, how many businesses are there just in the United States alone? Mhm. So kind of know, it’s a big deal. Yes, it’s something that needs to be accounted for and address, but I don’t think it’s, you know, because I’ve heard some people say, well this is the biggest attack ever. Mm I don’t know,

[00:15:21] Brad Nigh: it could have been, but I think we got lucky.

[00:15:26] Evan Francen: Well there’s that too, we may have gotten lucky. So it was a direct attack against the V. S. A. Servers and then once you exploited the zero day and there’s a bunch of good IOC data out there.

[00:15:38] Brad Nigh: Oh, and and I’ll say this say, did you see they put out a tool that you can run like all things considered, it looks like they’re handling this correctly, you know, being very open, Their communication has been fantastic. Um yeah, putting out tools, but yes, so forth, I think you had it in the length has a really good write up of technical write up of what exactly it does, which, you know, from an incident response standpoint. It makes life a lot easier.

[00:16:13] Evan Francen: No, for sure. Yeah, that was good to see to it. You know how our community, you really got at it. And I think we had good IOC s like almost immediate. Seems like yeah,

[00:16:28] Brad Nigh: you know, and so just kind of going off topic a little bit. What’s funny is this has been so dominating that the whole thing, I was thinking we were gonna talk Windows principle or for remote code

[00:16:39] Evan Francen: execution too.

[00:16:41] Brad Nigh: That is like not even on anybody’s radar at this point. And I saw that last week on when that came out, Wednesday said that over the team and we were like, uh huh. So you can not friend or uh that this could be ugly. And then to see it happen, it’s just like good wars.

[00:17:02] Evan Francen: Well maybe we’ll talk about that too briefly, you know, in today’s show because that is really important and we can kind of, you know, we always go off topic anyway, so that’s easy enough for us to address that it’s

[00:17:15] Brad Nigh: still in the same vein. Right?

[00:17:17] Evan Francen: Right, for sure. For sure. So it’s funny that so they this hits and really, you know, one of the first thing that happened, it drops, you know, through a power Shell script, you know, drops the script and defense. Uh sorry disables Excellent defender for endpoint protection, which is so common, uh, uses certain util to decode malicious. You know, it’s malicious execute herbal uh, agent dot E x E. That’s a legitimate binary. Uh, M S M P E N G dot T X C, which is an older version of Microsoft defender and a malicious library and sort of sort of goes, you know, from there. The the attack vector is similar. We’ve seen this before. It’s not.

[00:18:13] Brad Nigh: Oh yeah,

[00:18:14] Evan Francen: that was another thing that I heard, you know, at the very beginning, I think we rush to judgment. Too many people rush to judgment because we heard from the very beginning. Oh, this was ultra super sophisticated. Mm No,

[00:18:25] Brad Nigh: no. This is almost like when you look at the attacks, we think we see they’re running encoded power shell that Exactly. Well, I mean not exactly this, but basically this is what you see. This is a fairly standard attack, which, you know, I don’t want to set downplayed or this time defensive, but it’s what you see.

[00:18:53] Evan Francen: Right? Well, that’s what makes me think too because we haven’t, you know, we haven’t determined whether it was art evil themselves or where there was, you know, a an affiliate because like I said, are evil runs a ransomware as a service. Yeah. You know, I can go rent right now. Yeah. Go ransom somebody because it doesn’t look, but I’m not, you know, I’m not in the weeds with authority incident response team or the incident response team, you know, fire I or anybody else. But it doesn’t seem all that ultra sophisticated I think especially if you had insider information on this vulnerability, ah, you know, if you knew this vulnerability was there or you know,

[00:19:37] Brad Nigh: well and the researchers that found it said it wasn’t hard to find, it was pretty easy to, to just attacked and yeah, okay. Not surprising that

[00:19:50] Evan Francen: Right. Well, yeah, because that was one of the questions I think posted on twitter was the question is how are evil got their hands on it or perhaps more accurately how the affiliate did That was from July three and then victor givers, You know, the researchers have found it and if I show you the PLC, you would know how and why instantly. I mean, I guess it’s like

[00:20:18] Brad Nigh: sounds pretty, it’s pretty obvious. So I’m gonna throw this in the chat. I don’t know if you’ve seen it, but this is why we preach turn on power Shell logging. We’ve been, I’ve been saying that everybody for a long time and Uh, actually if you just turn off, if you just Google power shell logging, there’s a fire I blog from 2016.

[00:20:40] Evan Francen: Also that’s not new. No,

[00:20:42] Brad Nigh: it’s been out for five years, 5.5 years. Turn it on because that’s what they’re using for a cat. And if you want to know what happened, you need to have that logging turned on. If you don’t have it turned on, it’s you’re going to be blind, you’re just not going to see what happens.

[00:21:02] Evan Francen: Well it’s it’s you know, and it’s easy to play Monday morning quarterback. It’s speculated all kinds of things, you know, like because as I’m sitting here, I’m thinking, you know, if these Visa servers, I don’t know, like I said, I don’t want to say a Visa either. But if these things are accessible from the internet, you know, how hardened are they? You know, would you have things like, you know, as part of the standard deployment to turn on power, shell script, you know, logging uh do these things have to be accessible from the internet or is it possible to put them behind a Bpm with multifactor authentication? So I’m guessing if the nature of the V. S. A. Server is for remote administration and all those other things. The only reason why I have it accessible from the internet and was so my technicians could potentially log into it and conduct, you know, some of their tasks which

[00:21:51] Brad Nigh: Okay, VPN.

[00:21:53] Evan Francen: Exactly. So yeah, and I don’t want to, like I said, it’s easy to play uh you know, monday morning quarterback, but I wonder and because I saw the guide institute that came from, you know, C. S. A. I’m sorry Sisa. And in the FBI. And as I was reading and I was like, okay, here’s what they recommend for MSP s enable and enforce multifactor authentication on every single account that is under the control of the organization. Okay it seems I mean enabling enforcing MFA for every single account that’s going to be hard that kind of exceed it’s a best practice and I’m for it but it sort of exceeds what we would normally suggest as a best practice because it is very destructive to do that.

[00:22:41] Brad Nigh: Yeah. Yeah so I just while you were talking about google to see and he says uh process server requires access to the internet for the following functions. Patch management reaches out to Microsoft, it’s patch information and then reaches out to cassia to get ancillary tiles and then hot fixes for the casino server. So downloading those so from a yeah sounds like from like a day to day perspective no it just needs to be able to reach out to Microsoft and cassia for the most part

[00:23:14] Evan Francen: and thats egress right? So yeah I need anything ingress.

[00:23:18] Brad Nigh: No that doesn’t sound like it because the question was I’m setting it up in an environment that doesn’t have internet connectivity. Well here’s what you need so worry that it no it doesn’t.

[00:23:30] Evan Francen: Huh interesting that was one of my big beats about solar mens says you know it was so super uh sophisticated and it was sophisticated that there was no way to mitigate it that’s like okay there’s always a way to mitigate things, right?

[00:23:47] Brad Nigh: So we saw it the I. R. S. Didn’t have their solar winds and they didn’t get hit, you know, they didn’t have it accessible from the internet. I mean, it kind of proves the concept, like it’s our that’s seriously Yes.

[00:24:03] Evan Francen: Yeah, it’s interesting the this is kind of for somebody reminded me of a talk I’m giving in Israel at cyber week on, I don’t know With its six today, uh 21st I think, but this is what it’s about, right? This is what the talk is and this is a worldwide audience really. The talk is it’s titled they’re winning, right? And the reason why they’re winning, if you look at like sports, you and I both played sports right? If there’s one thing I noticed about the best players, it was how hard they practiced and mastered the fundamentals

[00:24:47] Brad Nigh: 100%

[00:24:49] Evan Francen: right, whether it be footwork, whether it be uh you know, positioning uh head, whatever it was, you, it got drilled into every practice after, you know, it’s like I’ve done this same drill 250 billion times and here I am doing it again, and the reason why it’s business, the fundamentals, that’s what makes you, I mean there’s gifts and all those other things, but if you don’t have the fundamentals of your crap, if you’re in a position, if your footwork sucks, if your body position ain’t right? Yeah, forget about it. And so when you talk about their winning and the reason why they’re winning because we’re not doing the fundamental stuff. We’re going too damn fast. We’re um adopting technology much faster than we can secure it. And uh

[00:25:38] Brad Nigh: mm hmm. Yeah. So yeah, I agree. I mean, and we’ve been, This is what episode 138 I think we said fundamentals probably every single episode like it’s not going away. And you know, I, I would say the companies that make me feel good. Like I just had a call last week with somebody who’s going from exchange on prim oh 3 65 and they were migrating and they said, but the whole thing was, can you guys help us secure that as we move so that it’s done properly. We want to make sure because we don’t know. And a little yes, thank you. Yeah. That’s awesome to hear.

[00:26:23] Evan Francen: Well it is, man. I mean, I think, yeah, and you can see where we’re suffering in so many different places because we’re not doing the fundamental. So when you look at like President biden’s executive order, the reason why that’s so much stuff in there so fast so soon is because it’s almost like you got to start over a lot of places right? Because you didn’t do it right from the beginning and sometimes you do need to do a rip and replace we do that an incident response sometimes.

[00:26:49] Brad Nigh: Yeah. Well you mean, yeah, you see it. People, how many times have you seen or heard from the software company like you go in why is this this service account running is administrator. Well that’s how we could get it to work or the company the software company the vendor says well it just needs to be no explaining why because we couldn’t get it to work the other way or it was too much work. It was slowing things down. Well okay I guess that’s your risk tolerance and you’re willing to take that as long as you know. But this is stupid

[00:27:32] Evan Francen: this shit. Well that’s the thing with you know like you know when you plot one it’s I. T. Right? So I. T. Folks they are motivated to get things working once you know book I may not put in the extra effort to secure it. I just need to get to work

[00:27:49] Brad Nigh: well and I mean I’ve been in I. T. Like I totally get it. Your ideas is almost usually a thankless job right? You’re typically thought of as a cost center if you don’t if the company doesn’t see you doing anything you know that things are working. They’re like well what are they what are those guys doing? And then if something goes wrong it’s we’ll get it fixed right. It’s a very not like no win situation a lot of times. So yeah

[00:28:17] Evan Francen: there that’s for I. T. It’s even worse for security people

[00:28:20] Brad Nigh: for sure. Yeah I went from I. T. Security. So that says a lot about

[00:28:26] Evan Francen: you like paying

[00:28:28] Brad Nigh: right? Uh I like the challenge but yeah I mean I totally understand it because that’s the bit their job is to keep things up and running for the business. And that sometimes means you know not doing things securely but that’s again that’s not that shouldn’t be its job necessarily. It’s a mess. We’re at least we got we don’t have to worry about not having work.

[00:28:59] Evan Francen: Right one. And so like to see a, right I mean when you set up the CIA you allow listed right or white listed as the traditional you know so that it can talk to everything or you know you at least certain directories because it’s going to act like malware. Right. Yeah and that’s what happens when you install this system and that’s when you look at the technical details and so forth. That’s exactly what you know how you install it. And so that’s naturally where the attacker is going to go. Right going after systems like the esa. Perfect. Right Because under the esa promise or you know replace binaries whatever I’m doing uh I have free reign.

[00:29:42] Brad Nigh: Oh yeah I mean well it’s yeah and again this is what we see right the Attackers will take a valid process and inject the power shell into it and then it’s running under a valid process. Well in this case it was even worse because it’s not just like caliper note pad or whatever it is, which you wouldn’t traditionally like exclude from scans. Right. Right. Right. This is a software that you would tip me to exclude or because of its actual behavior and yeah, it’s not, yeah, it’s a mess.

[00:30:25] Evan Francen: Yeah, one in this case. So it hit on Tuesday. I’m sorry friday. Ah This the expanse of the attack 60, 60 casa well, they are aware of You were than 60 cassia customers have been affected. They were all Visa on premise servers. So there’s probably, I’m guessing well today some people get back to work today. Right. Some people had the fifth off because you know it was a holiday because the fourth, so sunday uh so that number might go up a little bit, you know, some people believe it or not won’t know until they come into the office like, hey My stuff is not working. Um but fewer than 60 casino customers known so far, all of whom, all of them were using psA on premise products. Um they were directly compromised by the attack. Right? So all those things had to be true. The customers downstream that were affected. You were then 1500 and this is all according to Cassia in one of their last updates. Right? When they have done a good job, I think in communicating uh when you put that into perspective, we’ve had much bigger attacks before. Yeah,

[00:31:45] Brad Nigh: I think the issue is the the number of companies. Right. Yeah, I think uh, are evil put out a million individual in points have been affected, which is a lot overall, but we’ve seen bigger impact. But it’s the number of companies that got it.

[00:32:09] Evan Francen: Well, they’re motivated, they’re motivated to inflate that number because they’re seeking a $70 million, You know, ransom. And I think they dropped that out of 50 million and basically stated they’re willing to uh, negotiate. Which is like, it’s always awesome when you have people that these guys are good coders and all that other stuff, but they’re not very good at negotiation because dropped from 70 to 50 you named to higher price probably at the beginning and now you’ve dropped it to 50 and then said you were willing to negotiate. Well that shows you’re desperate because you’re probably not going to get anywhere near that because we have our hands around it and you know that.

[00:32:49] Brad Nigh: Yeah. Yeah. It’ll be interesting. I don’t, yeah, it’ll be interesting to see what happens. I saw one article that was saying that they put out that one price for the universal unlock her because they were banking on insurance companies to say, well, it will be cheaper to just pay once and well, let’s all just split the cost. Right? Right. You know, we’re seeing more and more where insurance isn’t willing to pay that and they’re getting a little bit, I think they’re finally realizing. Oh,

[00:33:24] Evan Francen: right. When I wonder if, you know, yeah, Insurance eventually may not cover these at all anymore. And if you haven’t done certain things,

[00:33:32] Brad Nigh: we’re definitely seeing that we’re, I’m actually working on putting together a list of requirements. And you know, we’re seeing if you don’t have an M. F. A. On everything external. A lot of times they’re just not, I’m not going to cover you

[00:33:45] Evan Francen: period. Thank God. I mean we’ve been yelling and screaming that. Seriously. It is, it is absolutely. It’s negligence you to have something sitting on the internet without multifactor authentication.

[00:34:00] Brad Nigh: Yeah. Yeah. And you know, the other thing we’re seeing is uh, mm hmm. Critical systems internally, uh, will lower premiums. And then we had one customer that was going through the process and they said, okay. So they filled out the questionnaire and it’s one of them was, you know, around the incident response and playbooks and they came back and said, okay. You have, you say you have them show this one right now like immediate. Like you’ve got to produce this

[00:34:31] Evan Francen: nice yeah. People and lives because I don’t want that. There’s nothing that irritates the crap out of me, man. When people don’t tell the truth. Uh, there’s two different kinds of lies next. So there’s so many times. This is our number one core value at first you’re right. Tell the truth. Two different types. There’s omission and commission the old mission ones are things I didn’t tell you that I should have told you. And then the Commissioner when I the commission ones are the ones where I straight out tell you something. That’s not true. Yeah. And they’re both eyes and torch me, man. Because you know, we’re talking about doing business together, becoming partners, right? Use these big, you know, we’re going to be a partner and you tell me the truth, right?

[00:35:15] Brad Nigh: I can’t. Yeah. And that’s, you know, when we do the risk assessment, it’s, hey look, don’t try to make yourself look better. Just let’s, let’s be honest, I know what’s going on. So if we can help you, like if you’re going to tell us, you know, Oh yeah, we’ve got that. You don’t, you’re not helping yourself.

[00:35:38] Evan Francen: I don’t think anybody.

[00:35:39] Brad Nigh: Right? So yeah.

[00:35:43] Evan Francen: Yeah. People people have lots of reasons they do that, I suppose. Um Alright. So no other casino products were compromised. Yeah. Which is good. Which also is another indicator that this was a direct attack at the affected B. S. A. Servers themselves and not the code. So that just reinforces that Uh cassia has developed the patch for customers running VSE on their own servers. A patch should be available within 24 hours. I thought

[00:36:13] Brad Nigh: that their afternoon, the online version will be available today and the on their side bringing the on prim tomorrow.

[00:36:25] Evan Francen: Yeah, Customers should have the patches between two and 5 eastern today maybe.

[00:36:32] Brad Nigh: Yeah. Well, you know, we’ll see how that goes. But I think the fact that You’re looking at less than what four or 5 days. And they had the patch, they were they were on top of it. In terms of like already working through this, you can tell that they had been doing something. You don’t just turns out around that fast. Right?

[00:36:54] Evan Francen: Exactly. Yeah. They well, they like they said, you know, it reinforces what they were saying to that they already had a patch.

[00:37:02] Brad Nigh: Yeah.

[00:37:02] Evan Francen: Yeah. They were still testing it before they released it when this thing went down. Yeah, interesting, interesting story. I think we will survive. We will move forward. You know, I’m looking forward to the lessons learned. I’m guessing uh the lessons learned aren’t going to be all that different than the best practices we’ve been preaching from the get go. I don’t I don’t want to rush to judgment and start condemning people on this because I don’t have enough details. But believe me, when we do have enough details, if there’s something to condemn all condemn it.

[00:37:38] Brad Nigh: Mhm. Yeah. He said at this point, we know, I mean, what is the a lot of the number of bugs per, you know how many lines of code you have per bug or whatever it is. It’s going to happen, right? But it will be interesting to see what it was and truly have been something that was caught in the test QA process. How did it get this, But how they responded. I mean, I’m like the sandy, it’s textbook correct way to respond, right, controlling the communication being open and you know, not trying to hide behind, you know, like you said was omission type. You know, hey, this is what happened here, is what you need to do. Thank you sir, robert. Hey, turn them off or get them off line, right, get them off the internet.

[00:38:35] Evan Francen: And my bigger concern is, you know, the MSP s and the MSP deployments, you know, I’m not right. How do you, like if I was working at an MSP, you know, being a security guy and you told me you were going to bring this server thing online and it was going to do these things, would I have secured it different? I don’t know, you know what I put it behind a VPN, could it operate behind a VPN with multifactor authentication versus just let it kind of dangle. Could I harden this server or does it have to be a default sort of installation the way it is. You know, those are the questions that I’m looking at. Two because there are so many MSP s and there are so many customers who trust these MSP s and the third Timpson things we can do to improve their service ultimately, you know, protecting their customers because that’s the part that pisses me off, I think the most right now is you have small to mid sized businesses, you know, dentist’s office and you know, small retailers who Won’t recover, they will be put out of business out of that 1500 customers downstream that were affected, some percentage of those will be out of business. You destroyed their business. Either the MSP or Kazan, it doesn’t really matter who you want to blame. The fact of the matter is they’re out of business. So, you know, it, if the MSP can do things better to make sure that that happens less often, that’s kind of the stuff I’m looking for, you know?

[00:40:05] Brad Nigh: Yeah. Yeah, it’ll be yeah,

[00:40:09] Evan Francen: that’ll be interesting because I think because he is not going to suffer from this to say I will hardly suffer and and neither will probably the MSP and if I’m that small business and I’m like sitting there going, oh, great amount of business or recourse do you have, you know what I mean?

[00:40:26] Brad Nigh: Yeah, Yeah. And that’s what, and a lot of times that’s who gets hit, right? That’s who’s using these NSPS are those small mid sized companies that don’t have their own IT staff and yeah, that’s what sucks. Right?

[00:40:44] Evan Francen: So we’ll see what comes of it, you know, once things kind of settle down a little bit and we get started getting more details about, maybe I’ll do some research and find out more details about the NSA server product and how MSP s might be able to deploy that better.

[00:40:57] Brad Nigh: Yeah. Just reading more and more, it’s really interesting to see uh it was really looking at Hunter’s has a right up and it looks like there was a screenshot dot jpeg that was part of the attack chain that’s actually execute. Herbal does a bunch of cleanup, but looks like it may maybe a simple injection as a final vector for code execution, not strictly, but another form. So and they’ve got the actual code that is run, so yeah, it could have been just getting in and that’s how they they got in. Yeah, it’ll be interesting to read.

[00:41:39] Evan Francen: It will be, yeah. And I think my conclusion at this point is it’s not it’s a big deal. I’m not going to minimize it that much, but it’s not a big as big a deal as we made it out to be at the beginning. I think we jumped to a lot of conclusions just in the,

[00:41:55] Brad Nigh: well, I mean, like I said, it could have been a really big deal if I M S P s hadn’t responded and taken all those servers offline that quickly. Right. You know, this could have been exponentially worse. Yeah,

[00:42:13] Evan Francen: acquisition If the IDD 2200 servers And only and we only know about 60 that got hit. Yeah, it could have been much worse, yep.

[00:42:27] Brad Nigh: Yeah,

[00:42:27] Evan Francen: but I’m also not sure about the timing of their scans, these scans, that

[00:42:32] Brad Nigh: will be, I’m not I don’t have enough detail on that to know either. But

[00:42:37] Evan Francen: I wonder if they did these scans, you know when they were working on the patch and before any kind of detonation or anything or if this was after that. Yeah, we’ll figure that out too. Yeah, there’s a lot. There’s

[00:42:53] Brad Nigh: a lot that I mean this is still so new. Right? We still I mean you said it it typically takes, you know, a couple weeks to fully understand what do you do all the forensics and understand what exactly what happened. So

[00:43:13] Evan Francen: And and according to the governor’s quote in his tweet, the last, he said during the last 48 hours Number of the ece instances that are reachable from the Internet has dropped from 200 to less than 140. So that would have been Till June July two. Would have been the 48 hours. So yeah, would have been really close to the time that the ransomware hit. So it went from 2200 or less than 140. That’s quick. Yeah, that’s good.

[00:43:44] Brad Nigh: Yeah. I think the yeah. Yeah. I feel bad. The biggest one that I’ve seen is that the Swedish grocery grocery chain That most 800 stores will be closed for a second day because the cash register software supplier was crippled.

[00:44:02] Evan Francen: So the Swedes are resilient there. Was that where the Vikings come from.

[00:44:05] Brad Nigh: I think so up in that area. But I mean the dad shows right that here’s a grocery store. It has 800 locations closed because their supplier got hit by this. So it’s not just like that, that down stream impact is going to be, you know, that’s going to take a while to understand as well. Yeah.

[00:44:29] Evan Francen: Mhm. Yeah. That’s the part that ticks me off more than anything is the the people who suffer, you know, I mean, that’s what motivates me every day is trying to help people not suffer right to say it’s big enough that they’re not going to suffer too much. Actually. They’ll probably come out well in the end because of their good response. They did do a good job responding. And that’s that shows the importance of having a good incident response plan, strategy and getting ahead of the communications so that you can control and craft the message. They did, they did a wonderful job on that.

[00:45:06] Brad Nigh: Yeah. And again, it’s not just, it doesn’t seem to be just lip service either. Right. They’ve they’ve actually given tools and and you know, similar what we were seeing with with solar winds in terms of the communication and being open and you know, it’s what we need. Yeah, true.

[00:45:30] Evan Francen: All right. Well, good. I think we’re going to live through that most of us, um, and we’ll provide an update next maybe next week if there’s something to update. Otherwise we probably won’t talk much about CAssie anymore.

[00:45:43] Brad Nigh: Yeah. Just whenever we hear more like it’ll be probably a couple months from now when we finally get that report and see what happened.

[00:45:54] Evan Francen: Yeah, yeah, certainly there’s a Senate Intelligence Committee meeting. I’ll definitely tune into that. I love watching those. I’m weird like that. Yeah. All right. So the other one, yeah, that you mentioned and then this was this, you mentioned it it was Wednesday ish of last week. Uh, Microsoft had an pretty neat announcement about zero. Really is your day? It was, but it’s a vulnerability in the Prince cooler remote, what’s called? Windows permit, Windows Print Schooler, remote code execution vulnerability. Cbe 2021 345-7 released July one. That would have been Thursday. We might have heard about it on Wednesday.

[00:46:41] Brad Nigh: What’s what’s interesting on this one is they actually uh, put a release out in june and it apparently didn’t fix the issue.

[00:46:54] Evan Francen: Right groups.

[00:46:55] Brad Nigh: And then this was uh, what I’ve seen, it was accidentally disclosed to because the researchers that disclosed that we’re planning on doing a presentation at Black Hat and it got out or I’m not sure exactly what they did, but it was not intended to be released. But yeah, the biggest thing is, you know, there’s a whole list of uh, Bruce that basically would allow anyone in the domain if to exploit the domain controller. Right? And I mean, it’s a big list of recruits, uh, you know, admin, domain controller read only. Domain controller enterprises read only Domain controllers. Third admin schema. Admins group policy, admin power user system operator, print operator, Eco operator. Ah yeah, it’s that’s and uh yeah, I’m surprised we haven’t heard of this actually because there’s proof of concept that we’re out on Wednesday,

[00:48:04] Evan Francen: right? Oh, somebody’s been hit multiple people, I’m sure have been hit because it’s explainable from the network, right? I don’t so that’s fairly easy. The complexity is very low. Mhm. I don’t really need, I just need basic user privileges in order to run this. So how hard is it to get a user account? You just need to authenticate? You don’t need to have privileged authentication or to exploit. So

[00:48:32] Brad Nigh: I will say that the name of this was that on print, Nightmare. Yeah, I read that and I was like, oh, this is gonna be a nightmare. Oh, it’s pretty nightmare. Cool.

[00:48:42] Evan Francen: Alright. Yeah, totally.

[00:48:45] Brad Nigh: Yeah. All Windows versions.

[00:48:48] Evan Francen: Yeah. And when I had friends last week, I was talking to somebody and yeah, I was like, oh man, how you doing, what’s going on? He’s like, I got my whole team right now disabled principle or you know, throughout the entire environment. I’m like, oh because I hadn’t heard about it yet. I’m like, oh well it’s good to disable principle or if you’re not printing. So that’s that’s a good thing. He’s like, no, there’s a bad vulnerability. And like, again,

[00:49:13] Brad Nigh: Exactly.

[00:49:15] Evan Francen: But then you said, yeah, this is the one from, you know before, I’m like, oh, okay.

[00:49:20] Brad Nigh: Yeah. Yeah. Again, you know it sucks. We know in software there’s gonna be bugs. It just happens. It just seems like we’ve had some pretty high profile on our abilities lately.

[00:49:39] Evan Francen: Yeah. Yeah, for sure. We’ll put the post, I’ll put the post in the in the show notes for the, you know, Microsoft security update guide which labels this vulnerability and kind of tells you more about, you know how it operates. But if you google print nightmare, you’ll you’ll find plenty of good stuff about it. The sad thing is right now there is no patch and it’s not clear when Microsoft will have a patch. So for now it’s just disabled principle or that’s your isolate isolate the systems that actually need to have printing but Well who prints anymore?

[00:50:15] Brad Nigh: The nice thing is that they did put out a work around where you can disable the inbound remote printing through group policy. Right? So yeah, the server is no longer a print server but you can see that would allow people to still print locally if needed. Yeah, there are some don’t work around but yeah, I’m glad I’m not 90 right now.

[00:50:42] Evan Francen: Right. Especially in a company that is heavy print like like law offices, legal firms uh others but thanks health care. Oh my God. Yeah.

[00:50:56] Brad Nigh: Mhm.

[00:50:56] Evan Francen: Alright. Well there you go. So as soon as the patch was released and I haven’t heard when Microsoft we’ll be issuing a patch.

[00:51:06] Brad Nigh: Uh as far as I know, see I’m looking at their actual I don’t know. I don’t think I haven’t seen a date. Yeah, no dates at this point. It says they just say apply the security updates released uni and review the work around sections for how to protect.

[00:51:29] Evan Francen: That’s how you get.

[00:51:32] Brad Nigh: Yeah. Yeah. They don’t have an export yet.

[00:51:36] Evan Francen: There are exploits in the wild. Yeah. Yeah. Okay. Right. Well there’s that uh this was always going to farming go, you know, it seems well that’s that’s wrong. Probably more rewarding and probably more healthy.

[00:51:58] Brad Nigh: Yeah, that’s probably the last one. For sure.

[00:52:02] Evan Francen: Yeah.

[00:52:02] Brad Nigh: A lot more moving. I wouldn’t be sitting at my desk for and realizing that I haven’t moved for six hours.

[00:52:10] Evan Francen: Yeah. Exactly. All right, so just summarize today’s show uh you say uh that attack at not gonna die?

[00:52:23] Brad Nigh: Probably. No, it could have been much worse

[00:52:26] Evan Francen: have been much worse. Yeah. And I think lots of good things came of it and I’m excited, you know that you can do a little bit more and find out what else we can learn from it. It’s not like most most attacks, you know, you look at them and you’re like I’m really angry because you missed this. That and the other thing at this point I think I’m not angry with me. Say I think I’m probably going to have some anger about M. S. P. S. When we started digging in on that a little bit. Mhm. Uh But even then so far, I mean the way they responded quickly if they did indeed shut down that many servers that quickly. That’s pretty damn cool.

[00:53:02] Brad Nigh: Yeah, maybe this is the wake up call for MSP s who haven’t been taking it seriously because you know this again, this could have been really bad. And those ones that got hit, what do you what happens when you have that have you know, affect you. Every one of your competitors is going to be calling your customers and saying didn’t happen to us.

[00:53:23] Evan Francen: Yeah. We were running the same software. Funny.

[00:53:26] Brad Nigh: Yeah, our customers weren’t ransom.

[00:53:29] Evan Francen: Yeah, exactly. So there’s that. And then the other summary is just uh Yeah, they have the next soft principal. Er We’ll put the link in a if you google it, print nightmare, you’ll find it. But we’ll put the link in the show notes. Not much you can do about it other than uh mitigate the risk. You can’t catch it yet. Both the one make soft issues something. Yeah. Alright, that’s that’s all I got the shout out for you.

[00:53:58] Brad Nigh: Ah you know it’s funny. I know we’re gonna do this every week and I never think about it but I don’t right now um shout out to my family for putting up with me hobbling around all weekend on a broken toe and complaining.

[00:54:15] Evan Francen: There you go. I’m gonna give a shout out to a sales guy, believe or not. But it’s a safe. Yeah, I’m going to give a shout out to juve. Okay. Uh I got the sit in for uh john harmon Last week on some sales calls for three days and was fun to hang out with them. And I love the fact that our, our sales people do it right. They don’t compromise our mission or value. They believe it, it was amazing. So shout out to him and the whole sales, you know.

[00:54:49] Brad Nigh: I will say I’ve said that before too. But uh yeah, brought me in on calls where they’re, they’re like, hey, the customer just wants to clarify or understand this better. Can you, can you jump on a call with them? I love it there. They do that vs just tell the customer what they want to hear, right? Like, and it’s not always in the best interests of the sale necessarily, but it’s the right thing to do.

[00:55:17] Evan Francen: That’s it. I mean they take it to heart man and it’s so rare to find that with salesman because they do get held to of accountable to a number, just like anybody else in sales. You have to sell a quota and all that other stuff. But they do it right.

[00:55:34] Brad Nigh: Well, and honestly that the fact that they do it right is why they’re doing so well. I mean, you get a reputation and that’s good thing. People talk, Yeah, totally. These guys did the right thing.

[00:55:49] Evan Francen: So totally yeah, gives me a lot of trust in the management team, you know, all the way down to you and to Drew and Oscar it’s just it’s really cool. They have so many people with real integrity, you know, working beside you.

[00:56:07] Brad Nigh: It’s the no a horrible and it it is from top to bottom.

[00:56:13] Evan Francen: Yeah, that’s cool. I love it. All right, thank you to our listeners. Thank you brad. It’s good to see you man. And we’ll catch up some more. Uh if you have something like to tell us if you email us at the show on security of proton mail dot com. I think this might be the last time I announced that because nobody really emails us because wants to talk to us.

[00:56:33] Brad Nigh: I mean they just reach out directly. Yeah. You don’t go to the

[00:56:37] Evan Francen: podcast. If you have a social type socialize with us on twitter, I’m working on some cool projects so you’ll see some stuff coming eventually from that. But I’m @EvanFrancen Brad you’re @BradNigh twitter handles handles that. Don’t really matter. But they do matter, but you don’t have to follow them insecurity is @UnsecurityP security studios @StudioSecurity and that FRSecure @FRSecure. There’s a lot of good stuff there. But that’s also like I just gave you five twitter handles. I’m like two minutes. So that’s a lot of all right. That’s it, man. We’ll talk to you next week.