In this pre-holiday episode of the UNSECURITY podcast, Evan and Brad took a look back at the biggest cybersecurity vulnerabilities that impacted the information security industry this year, and broke down some of the current events that have presented themselves in the last few weeks of the year.
[00:00:22] Evan Francen: Alright, here we are. Me and you again, Brad. This is, it is Sunday, December 23, and this is episode seven of the UNSECURITY podcast. And joining me, as always, is Brad. How are you? Do you have your Christmas shopping done?
[00:00:48] Brad Nigh: Good, good. How are you? We actually went out today and picked up a couple of last-minute little things, where we realized that we both thought the other person had gotten it and neither of us got it. So, picking up the last few things. It wasn't too bad.
[00:01:04] Evan Francen: The last two podcasts we had guests. I didn't get a guest this week.
[00:01:10] Brad Nigh: I think that's okay. If we lean on guests too much, you know, we lose our edge.
[00:01:15] Evan Francen: That's true. Troy, actually, from the office, one of our customers, agreed to be a guest, but I just thought it was too close together to coordinate anything. So we'll just wait.
[00:01:31] Brad Nigh: Yeah, well you’re giving them the holidays off.
[00:01:35] Evan Francen: We don’t get holidays off,
[00:01:37] Brad Nigh: but our customers do. They probably want to talk to us over the holidays.
[00:01:43] Evan Francen: Yeah, probably not. They probably want some quiet, a break maybe. So, one of my highlights this week was you and I having lunch together with a big, big client. That was a lot of fun. I really enjoyed that.
[00:01:59] Brad Nigh: Yep. I agree. It is fun. I like, so part of the reason I think I get to go is to make sure you stay in check, because you like to just do everything. So, you know, we've got a rhythm a little bit, but it's always fun to listen and just nod along, and it's a little bit of, I feel like it's validation when I hear you saying the same things that I'm saying. It's always good to hear somebody else.
[00:02:26] Evan Francen: Yeah. It totally is, because sometimes it feels like, I don't know if you feel like this, but sometimes I feel like I'm kind of out on an island. Yes. Yeah. And so when you hear somebody validate what you're saying, it's like, okay, I'm not crazy, I really am doing this right. Even after 25 years, I still occasionally question myself, question the methodology, make sure. Yeah, it's just weird.
[00:02:53] Brad Nigh: Yep. No, I'm totally in the same boat. It's always, yeah, I say things that I feel like are just so common sense, and people are like, whoa, whoa, mind-blowing to them. I'm like, am I crazy? Like, no, no, it's okay. People just don't think this way. All right, that makes sense.
[00:03:17] Evan Francen: Yeah. Well, sometimes you have people, I think even within our industry, who, you know, I don't know, they just don't agree. They go about things differently, and I think, and me being me, I think incorrectly, you know, taking shortcuts, um, you know, looking for technology solutions to people and process solutions. And so, you know, occasionally you'll get in this debate and you're like, man, maybe they're right. But then you, um, you know, you do your research, you talk to others, and then, like, oh no, no, I was right, you know. Yeah, I get into that sometimes.
[00:04:06] Brad Nigh: Yeah. No. Yeah, exactly. It's like, oh, we can use this technology and not have to worry about all this other stuff. Wait a minute. So how are you going to ensure that technology is used correctly, that it is configured properly? How are you checking on it? All of that foundational stuff that they're trying to avoid by using the technology still applies.
[00:04:29] Evan Francen: Mhm. Right. So this last week, what other sort of cool things, exciting things, uh, you know, were on your calendar this week?
[00:04:40] Brad Nigh: I think the biggest thing right now, um, kind of the new thing, is the NIST CSF maturity gap assessment. So it's a little bit different than our FISASCORE assessment. It still covers the same things, but it just looks at it from a little bit different angle. Uh, I think it's something we'll be able to integrate into the tool here at some point once we get this configured, but we had a couple of larger customers that wanted something a little different, or had something that they had been doing along those lines, that weren't sure if the FISASCORE would satisfy, which I think it will, because they do get the, um, you know, maturity ratings on all the different areas and stuff. But it's been kind of fun to dig back in and work on some of that with mapping, and how we do the methodology behind it, and scoring and weighting things, and just kind of getting to geek out on it a little bit.
[00:05:43] Evan Francen: Yeah, geeking out is fun. I got to do a little of that this week. So, maturity. Uh, so tell me, one of the things that I've always thought about maturity, because I know that's so popular, especially in big organizations, they like to measure things in terms of maturity, and one of the issues I have with that is information security is about managing risk. It's not about managing maturity. So you still have to translate the maturity into risk at some level. Right?
[00:06:14] Brad Nigh: Yeah. Yeah. And I think that's going to be the challenge, you know. One of the things that specifically got called out was, you know, looking at, um, I'll try to think of the example now, uh, if a technology has the ability to do work versus the actual implementation of it. So to say, like, oh yeah, we've got this great IDS in place, but it's only installed on the core systems of the data center. It's not applied to endpoints or any of the remote locations. So it's got the ability to do all this stuff, so maybe it's like a five on a 1 to 5 scale, so it's got that capacity to do it, but the actual implementation of it is maybe a one.
[00:07:03] Evan Francen: So one of the things, check my, this is just my logic, and I'm asking not because I'm trying to convince anybody, but I want to see if you think the same way I do. Um, you know, risk is likelihood and impact, right? And so if you break that down, uh, they're really functions of vulnerabilities and threats. Right. Right. And so I've always thought of, uh, maturity as being the thoroughness of the implementation of a control or something, right? So if you had a maturity level of five, I would assume then that that control is fully implemented, fully optimized, and, uh, there really isn't weakness in that control, right? So no vulnerability. Yeah. And so then it doesn't matter what the threats are, because no vulnerability, no weakness, no risk. Whereas, so I've just always viewed, uh, maturity as being a measurement of vulnerability or weakness. Okay. And so, you know, when I've looked at maturity, maturity is one part of the equation of risk. The other part of the equation we have to take into account is threats. And then from that we can determine likelihoods and impacts, and thus risk. Does that make sense? No, I agree. Okay. So do you think the same way?
[00:08:42] Brad Nigh: Yeah, I think so. And I think the challenge that I have, and what I mean is what we have as an organization, but for this case, is they are looking for how they've done it. So how do we take what they've done and make it so that we can have it useful? That's not the right word. But I mean, it meets our definition, right? I think that's where that challenge is going to be, to say, okay, here's how you've done it, here's how we're going to do it, and what those differences are, and how it maps both to, you know, something that they're comfortable with, because that does play a big part of, um, their decision on moving forward or not. Is, does this meet what they understand?
[00:09:37] Evan Francen: Because if you have something like, let's say that on the other side I've got something that's a maturity level of one, right? So really weak. However, there's no threat. Again, no risk, right? And so why would I, because that's one of the challenges I have with organizations that only build their security programs or measure them on maturity.
[00:10:04] Brad Nigh: Yeah and
[00:10:06] Evan Francen: I might be building controls that don't matter. Who cares if you're a one at this, right? There's no threat.
[00:10:14] Brad Nigh: Right. Right. Well, that's, yeah, that's kind of a square mat, that's the challenge.
[00:10:23] Evan Francen: Yeah. Especially big companies are so caught up in, you know, the maturity. Everything's CMMI, everything is mature. Yeah.
[00:10:33] Brad Nigh: That was my exact, yeah, they're using, uh, this, uh, using COBIT 5. Mhm.
[00:10:41] Evan Francen: Which I agree, maturity certainly needs to be measured. It's one of those things, and I think that's where we try to go with FISASCORE: maturity is part of it, but we need to account for threats. We're missing some, you know, some threat data, because there are certain controls where there just isn't much there. Use your best opinion, I guess, in a lot of places. But anyway, good discussion, because that's fun.
[00:11:09] Brad Nigh: Yeah, I mean, I'm really excited to be working on it, and again, it's taking their input, their, how they've done it in the past, their methodology, and then trying to translate that and get them something that I think is going to be a more useful and actionable result.
[00:11:30] Evan Francen: Sounds good. Good. What else? Anything else cool and exciting, other than it was the week before Christmas? That's got to be cool.
[00:11:39] Brad Nigh: Yeah, that's nice. Um, no, I've just got some time blocked off to actually dig into that and manage that and the stuff that we're working on. Um, you know, it's just continuing to mature the virtual CISO product, and I mean, which is crazy, if you look at how far that's come in the last year, and some of the things that I've got from feedback that we've gotten from customers and from the analysts in the last year of doing it. Where is that now, and where is it going to be at the end of 2019? It's going to be crazy as well. So I'm just, yeah, we're training on all these different offerings and more formalizing the process and procedure, which most people probably wouldn't find exciting.
[00:12:29] Evan Francen: Well, yeah, probably not the normal people, probably. Yeah, I get it. Uh, we'll see what we're writing this week. Um, I had a meeting with, uh, Roger Grimes. Mhm. Ever heard of Roger Grimes?
[00:12:47] Brad Nigh: Yeah, well, the name sounded really familiar when you sent the, uh, the notes over, and I read the PDF that you sent over, and I was like, oh, okay. Once I started seeing some of the books and stuff, I was like, okay, yes, that's where I know him from.
[00:13:03] Evan Francen: So I never met him before. Uh, for those, you know, listeners, Roger Grimes is, uh, an executive at KnowBe4, but prior to that he has been, it seems, everywhere. Foundstone, if you remember Foundstone, that was a while ago. McAfee, Microsoft. He's written, he's written 10 books. Um, so very well respected, great following, just very wise. So I'd never met him before. Steve set up this meeting for us, you know, to talk on the phone. And, uh, man, it was just cool. It was, you know, we kind of started off this podcast a little bit talking about validation of our thoughts on how we do things. And, uh, so when I was talking to him, it was like, I mean, it was like kindred spirits. I mean, we're talking the same language. That's awesome. Yeah, I know, he was saying the same things. I was like, oh my gosh, this is a wonderful, uh, you know, experience. But anyway, longer story short, or shorter, or longer, I don't know what it is. Um, we had a good talk about, so I just finished, you know, my first book. This guy has written 10. So I was expecting, go, you know, when did you write your first one? He said, well, you know, I don't know, 1852 or so. No, it was a while back. And I said, you remember, you know, kind of the struggle, and, you know, we talked about that. I told him I was, you know, leaving in a few weeks to start the second book. Um, he just, he really likes it. Really liked our mission. Yeah. Uh, because that's one of the reasons he left Microsoft, was he wanted to make more of a difference, mm, in the industry. And since then he's done all this other stuff. So he's obviously making, you know, I think, great strides. But, um, you know, it's cool, because I think we're going to be able to work together, uh, yeah, to kind of further this thing we're trying to do. That was the highlight of my week last week. Other than having lunch with you. That was awesome.
I even stopped in your office on Friday and told you directly, man, I love working with you. It's just awesome. It's been really fun.
[00:15:33] Brad Nigh: Thank you. Yeah, it's been 2.5 years, I guess. Yeah, 2.5 years, and it still is crazy. I'm so happy that both sides took the risk, right? Like, I moved up here for this job on a couple of phone interviews. You guys took a risk on me on a couple of phone interviews, and yeah, here we are now. It's been, this has been fantastic.
[00:16:00] Evan Francen: Yeah. We're becoming, like, uh, grown-ups almost
[00:16:07] Brad Nigh: too
[00:16:07] Evan Francen: far. I know, we're not going to. Almost
[00:16:10] Brad Nigh: like, almost
[00:16:11] Evan Francen: right? Almost grown-ups, you know? But to see, you know, the strides, the great strides we've made on operations with Renee and you and, uh, Peter, and, you know, on the sales side, oh my God, what are they doing over there? They're killing it. Yeah, it's just been a really cool year.
[00:16:31] Brad Nigh: Well, and I've got to say, I'll throw a little shout-out to Tyler, even in the project management. I mean, you talk about somebody who's just stepped it up in the last, you know, little bit, whenever, however long it's been, four or five months.
[00:16:45] Evan Francen: Well, he basically gave up a month of his life. Yeah. You know, sacrificed that for his team. Yeah. Okay. Yeah. Really, really cool. So, did you see the newsletter? The article I wrote for our newsletter that went out on Friday?
[00:17:01] Brad Nigh: Um, no, I should read
[00:17:05] Evan Francen: it. I should like the ceo man. I
[00:17:10] Brad Nigh: shoot I went out early enough. I totally should have.
[00:17:15] Evan Francen: It’s not like you don’t get a billion emails but read it because I think it’s, it’s important for, um, it’s truly every single thing that we did this year mattered. And it really made a big difference in the mission and couldn’t be more grateful. So I’m
[00:17:32] Brad Nigh: reading it right now.
[00:17:33] Evan Francen: Okay. Well. Better late than never. Okay,
[00:17:37] Brad Nigh: totally get got busted on the podcast.
[00:17:40] Evan Francen: Well, that’s okay. It’s just ask, man,
[00:17:43] Brad Nigh: what’s funny is a, as I got to ask if I would write a, an article for jean uh, In January for the next one. Just, yeah. Always said yes. When do you need to buy. Okay. Yeah, I can do that.
[00:17:58] Evan Francen: Okay.
[00:18:00] Brad Nigh: No, I would agree with the sentiment of what you said, like that.
[00:18:06] Evan Francen: Yeah, I was thinking about posting it on LinkedIn. Just, uh, make it known, you know, how awesome it's been this year. All right. Anything else this last week? Anything cool coming up this week?
[00:18:23] Brad Nigh: Um, no, it's going to be interesting. I'm not sure how this week will go, because it's going to be, you know, a short week, and either it will be quiet and we can focus on some stuff, or people will be calling and just panicking because they forgot something before the end of the year. So not sure how it's going to go.
[00:18:48] Evan Francen: Maybe a little bit of both. Yeah, it's a fairly quiet week for me too, in terms of there's white space on my calendar.
[00:19:00] Brad Nigh: Right? I blocked a bunch off to work on that, uh, this assessment stuff, so yeah, there isn't white space, but it's productive time that I'm happy to work on. Yeah.
[00:19:15] Evan Francen: Well, yeah, I think, um, this is the one Christmas, between Christmas and New Year's, I think this is the one, uh, where I've had maybe the least amount of rush on my own schedule, so I don't know what that means, but, um, I'm not not liking it.
[00:19:39] Brad Nigh: Yeah, I guess we're growing up as a company, kind of like, uh, we joke, or that's just a joke: you can tell how we're growing by what jobs Kevin doesn't have anymore. Yeah, the same thing is starting to happen for you here?
[00:19:57] Evan Francen: Yeah, well, I had a good talk, and then we'll get into the news, but I had a talk on, was it Thursday? Thursday, when I asked Renee, maybe it was Thursday and maybe it was Friday. But I was trying to get at, what do you guys want out of me? So, you know, what do you guys want out of your CEO in 2018? What would you like to see me do? What would you like to see me really focus on? And, uh, yeah, we were so busy focusing on budgets and all this other stuff. And then I got to thinking about, what am I doing next year?
[00:20:34] Brad Nigh: I can come up with stuff if you need it. If you’re bored,
[00:20:38] Evan Francen: We'll add it to the list. Yeah, let's see, because I think I'll spend a lot more time traveling. I think I'll spend a lot more time out, you know, trying to talk with people and, uh, probably a lot more time with the book, doing stuff. I don't know. It will be an interesting year. I've got to figure that out. Yeah. All right, well, how about some news? I've got five news stories that I picked for this week. Uh, hopefully you've had a chance to review them. I know you sent me a message earlier, before the podcast started, on, hey, here's another news source. Yeah, but the first one is about NASA. Uh, NASA was hacked. Yeah. And I thought one of the quotes that I thought was really funny from the story, so this is from, I have to cite, you know, I cited two sites. Uh, one is Fox News. The other one is the Daily Mail. Now, did you go to the Daily Mail site? Mhm. I cannot believe how many freaking ads are on that damn site.
[00:21:45] Brad Nigh: It was funny. I have, uh, Ghostery and uBlock Origin on my browser, and it blocked, uBlock Origin blocked 46 and Ghostery got another 15, so 61 different ad trackers. Oh my God. On there. So it was probably not as bad as what you experienced, but I was still going, good Lord.
[00:22:16] Evan Francen: Yeah. I mean, it's a legitimate news site, right? The Daily Mail, and, like, ad, ad, ad, ad, ad. I was like, holy buckets, I have never seen so many ads on a website before. Uh, right, anyway, after the ads there was some actual text. So you maybe don't want to go to the Daily Mail one. The Fox News one, don't worry if you're liberal or conservative, it's a news story. Yeah, that one has fewer ads. But anyway, it's NASA was hacked. It seems as though it may have happened in October, October 23. Some servers were targeted, and these servers specifically contain personally identifiable information for both current and former NASA employees. The data included Socials and other, uh, personally identifiable information. Yeah. What was, go ahead.
[00:23:13] Brad Nigh: The one thing that was on both of them, there's just not a whole lot of actual information about it yet.
[00:23:21] Evan Francen: I know. No, there's not. But some of the things I think are interesting about this breach: one is it affected employees hired at NASA between July 2006 and October 2018. So you're talking more than 12 years.
[00:23:41] Brad Nigh: Not just hired, but those that transferred between centers. So any new employee, or if you were transferred between any NASA, uh, centers, it affected you as well. Right.
[00:23:55] Evan Francen: And then what you'd expect, the ongoing excuse. This is a quote: the ongoing investigation is a top agency priority, with senior leadership, you know, actively involved. Yeah. But one of the quotes I thought was funny, he says, uh, I'm going to read the quote. It says, it's worrying that an agency capable of transporting humans into space and allowing them to live outside Earth's atmosphere for extended periods of time can't secure its own servers down on the ground.
[00:24:24] Brad Nigh: Yeah. And, I mean, yeah. I don't know, it's not good, but I don't, until we know more, like, what was it? How did they get in? Right. But yeah, I agree that that's not good.
[00:24:43] Evan Francen: No. And it reminds me, Tony Cole, you know Tony Cole? Have you heard of Tony Cole? Oh, he's the chief technology officer at Attivo.
[00:24:55] Brad Nigh: Oh yes, yeah. Why does that sound so familiar?
[00:25:00] Evan Francen: Well, he, uh, he was kind enough to write an endorsement for Unsecurity, the book. But he's also on the NASA Advisory Council. No, wow. I should shoot him an email. Maybe not. Like he's going to tell me. I think he's got so many things going on. Yeah. But anyway, yeah, I thought it was interesting, when it's NASA, it's like, man, it stinks, because I like NASA. Remember, you know, growing up, uh, you know, the space program was a lot more active, there were a lot more manned space missions and the shuttle. And even when I was, you know, a young child, uh, you know, I think some of the Apollo missions might have still been going on in the early '70s. It's
[00:25:52] Brad Nigh: a little before my time.
[00:25:52] Evan Francen: So, I know, you're still a young man.
[00:25:57] Brad Nigh: Not that much farther off, but I'll
[00:25:59] Evan Francen: take what I can get. NASA is such a cool organization with so many, you know, and it just, it sucks to see that they were hacked. I wonder, you know, that's a lot of details.
[00:26:11] Brad Nigh: This is one that I think, yeah, I always loved the space shuttles and watching the launches, and so the other plus is, I think, that they were saying no agency missions were jeopardized, it's employee data. So it sounds like they at least have some segmentation in place between the different, you know, areas. So that is a positive.
[00:26:38] Evan Francen: But the wording said "may", didn't it? Didn't it say, didn't
[00:26:43] Brad Nigh: uh, Gibbs confirmed no agency missions were jeopardized. Okay. Good. Purely a data breach or data problem. So okay, good.
[00:26:53] Evan Francen: Yeah, that was it. Yeah. When we're so targeted now, yeah, for espionage from nation-state actors, yeah, you know, that could be pretty devastating, I think, if, you know, some of that data was, right. All right. Well, the next news one I have is hackers beat two-factor protection with automated phishing attacks. And I thought this was very interesting, because we're preaching two-factor authentication all the time. The good point is, I mean, the good, I guess the moral of these stories is there is no silver bullet. Yeah. Right. You can't fully compensate for the lack of somebody's, uh, awareness, attention, clicking on links. People are still people. Yeah. Um, so this news comes from, uh, again, two sites that I put, uh, you know, as supporting for this story. One is mashable.com, hackers beat two-factor authentication. Uh, and then I think the source story is from PC Magazine. Yeah. So this is an interesting piece of news. I guess it's not surprising, and conceivable. Uh, anyway, I mean, we shouldn't be surprised by it. Yeah. And then I also sent, uh, you know, as a source for this story, Roger Grimes, uh, the person who I had alluded to earlier, uh, wrote that, or had that presentation, um, 11 Ways to Defeat Two-Factor Authentication. Yeah. And when I talked to him, so if you want that slide deck, it's on the KnowBe4 site. Um, 11 Ways to Defeat Two-Factor Authentication. And we were talking, and, uh, he's giving a talk at RSA this spring on 12 ways, or 12, 12 ways to defeat two-factor authentication. I was like, Roger, you said it was 11 in your previous slide, you know, your previous presentation, and now you're going to be talking about 12, because it's actually, it's like 23. My God. Crap. All right. But pretty good research that he's doing on all that stuff.
[00:29:19] Brad Nigh: I thought the interesting thing on that one is it does seem like the majority of this was targeted against two-factor using SMS, uh, for that one-time code, which hasn't been recommended for, what, two or three years at this point? When did that come out? Don't use it anymore.
[00:29:44] Evan Francen: Well, yeah, but that was for a different reason. I think this same attack, this attack that they talked about, would work with any two-factor. Even a token.
[00:29:54] Brad Nigh: Mm. Right? But I think they're saying it's harder with the token, right? Because of the time frame of it, right? It's going to change every minute. So it does make it more difficult. They're targeting both, but the SMS was primary.
[00:30:14] Evan Francen: Yeah. Did you read the report? So both of these articles, you know, I think the original was from Amnesty International, which, I've never actually seen a security bulletin or anything from Amnesty International. So it was like, what?
[00:30:30] Brad Nigh: Yeah, that’s the exact same response I had. I had no idea. Yeah.
[00:30:36] Evan Francen: So in their original report that both of these news sites, uh, used as a source, um, there are two campaigns in particular that they brought to light. One was a campaign attacking, uh, Tutanota and ProtonMail. I've heard of ProtonMail, but not Tutanota. Have you heard of, you
[00:30:59] Brad Nigh: know, just ProtonMail?
[00:31:03] Evan Francen: Then the other campaign was targeting, in their estimation, hundreds of Google and Yahoo accounts, and in both cases successfully bypassing two-factor authentication. So it looks like a simple proxy. You know, as I read the report, it looks like a simple, they set up a site that looked exactly like, and they were, you know, using, uh, you know, instead of tutanota.com, they used tutanota.org, sort of. ProtonMail, they put on protonemail.com, and they created these duplicate sites, and then on the back end it's communicating with the real Tutanota, and then when you type in your two-factor authentication, it's doing the same thing, and then it's requesting that you change your password. Yeah. So they're just serving as a proxy, so when you enter your two-factor authentication, your token or your code, they're just forwarding that on to the real site and intercepting the traffic
[00:32:10] Brad Nigh: back, grabbing it. Yeah. Which is interesting. I sent that other article to you because I was like, whoa, I hadn't seen this. So I just basically googled the two-factor, uh, and I found that, now where did it go, I lost my, uh, from certfa.com. So, and they're saying it's the same thing, right? And they were saying it's the Charming Kitten attacks out of Iran, state-backed hackers, and it's the same, like, reading through, Iranian nationals, and then searched for a site, like, yeah, it's the same attack. Very similar approach on those two.
[00:32:58] Evan Francen: Well, in the Amnesty International one, they mention it appears to have Middle Eastern origin. So Iran, Iran you think? Is that what yours said?
[00:33:10] Brad Nigh: That's what this one specifically said. They were seen, and it was going after Yahoo and Gmail. So it sounds like it's very, um, very similar. Okay, what they're seeing here, or maybe they are reporting the same thing. I didn't actually look at the screenshots side by side.
[00:33:37] Evan Francen: So it, uh, yeah, in the Amnesty International report, they do mention, you know, um, okay. Yeah, I mean, the same attack would work with software tokens, man, hardware, hardware security keys. I mean, because you're basically just serving as that proxy, and you're right, the timing would have to be a little bit, maybe, more prompt.
[00:33:59] Brad Nigh: It's just a matter of time for that, though, right? If they realize that that's the case.
[00:34:07] Evan Francen: Right. I was really kind of impressed with the detail in the Amnesty International one. If they commissioned somebody to write this report, or if they did it themselves, I don't know. It's a good report.
[00:34:20] Brad Nigh: Yeah, I was really impressed with the technical details of that. That kind of is what made me go look for other things, because, like you said, I wasn't prepared for that out of Amnesty International, but it's really good.
[00:34:38] Evan Francen: So for the listeners, it's amnesty.org, and the title is, it's sort of a long title, "When Best Practice Isn't Good Enough: Large Campaigns of Phishing Attacks in Middle East and North Africa Target Privacy-Conscious Users." Um, and it's very well, I mean, these are very sophisticated phishing attacks. They're serving as a proxy, for one. They're registering these domains and getting certificates. So if you're relying on the padlock on the top left of your browser, that's not going to save you. The domain names look very close. You really have to pay attention any time, and if you follow the rule of thumb, I mean, my rule of thumb is never click on a link that goes to a login page and log in. And so if you click on the link and it goes to a login page, don't log in. I mean, it's that simple. Ideally, you wouldn't click on the link at all. If you knew, so you just keep going at home, right? Drill it at home. This is the easiest way to get into anything.
[00:35:47] Brad Nigh: Alright. And we’ve seen, you know, we’ve seen where multi factor was implemented and bypass because users just said yeah, prove when it wasn’t them logging in,
[00:36:00] Evan Francen: right? And I think there’s a tendency for some organizations that they put in two factor authentication or if they adopt that for the remote access users or outlook, web access or whatever. I don’t think that that’s it. I don’t think that since I’ve implemented two factor authentication, I don’t need to train the users, I don’t need to make them aware uh because it’s not a silver bullet, don’t take this as a false sense of security. Yes, two factor authentication is, you know, it should be a requirement, it’s not it you start to work. Yeah. So yeah, anyway, it should be part of your strategy. It’s not a silver bullet. Uh Yeah, that’s I think it’s a good it’s a good story to refer to when you’re talking to clients about Yeah, that’s great. You put in two factor authentication, but don’t let up on, you know, trying to get the best awareness campaigns you can for your users.
[00:36:58] Brad Nigh: Right? Yeah, means technology doesn’t solve it all. You have to do other things around it.
[00:37:04] Evan Francen: My job. Yes, we do. We have people right. You’re gonna have to keep working on people. All right. So next news, uh that’s interesting. I think the next news is uh just picked this one. I thought it was interesting. It was the five biggest security vulnerabilities of 2018 and this is written on Tech Republic. And I don’t know if Tech Republic is a real news site, but I just thought it was interesting when I when I see the five biggest vulnerabilities in 2018 and like I’m interested in that, what are they this whole, I’ll just read them off the top five and then we’ll kind of talk about each one if you want. So the number one was spectre and meltdown dominated security decisions all year. Number two, record, record breaking DDOS attacks with mm Cashed, number three Drew Apple CMS vulnerability allows Attackers to commandeer your site. Number four bdP attacks, intercept DNS servers for address hijacking, which we talked about once before. And then five, which you brought up last week Australia’s assistance and access bill undermines security. So that those are the five chosen by this author, first of all, what do you think of those five? Can you think of other vulnerabilities that might be,
[00:38:28] Brad Nigh: You know, I think overall they’re really not bad. The only one that I kind of went “really?” at was the DDoS attack one, just because... I don’t know, I guess it’s bad, right? Yeah, that was the only one where I was really kind of going, I don’t necessarily agree with that being in the top five, but overall it wasn’t a bad list. No,
[00:39:02] Evan Francen: So the first one, Spectre and Meltdown. That was almost a year ago; it was January 4 when we kind of learned of that. Otherwise, most of the year, at least in dealing with normal people, nobody talked about it anymore. “Dominated”? Maybe the first few weeks, maybe a month. “Dominated security decisions all year,” I’m not sure that’s true everywhere. Maybe in some places.
[00:39:35] Brad Nigh: Maybe. Well, I guess that would be the question: where were they dominated? Because I guarantee you, from an IT perspective, for people dealing with Spectre and Meltdown, that’s been an ongoing discussion. Right. So I read this, and the first thing I thought was, Spectre and Meltdown, has there been any actual report that either of those were actually exploited? Now there’s lots of proof of concept; there’s like 20-something variants between the two of them or something. I couldn’t find any stories where the cause of a breach or anything was either of these, which surprised me considering how much press that got in January, February, and it kind of died off in March.
[00:40:34] Evan Francen: Yeah, and there’s sort of an undercurrent of some weirdness happening. You know, how do you say... I can’t even say the name correctly, but the Chinese computer manufacturer Huawei, “highway.”
[00:40:51] Brad Nigh: Yeah, yeah, I don’t know, I messed it up too, I’m sure.
[00:40:55] Evan Francen: Okay, we’re just going to call it “highway.” There you go, because that’s the word I can say easily. But the CFO was arrested in Canada and is awaiting extradition to the United States. And since then there’s been a lot of backlash and a lot of stories written about how Huawei is really just a spy organization or an intelligence-gathering organization for the Chinese government, and just some interesting things. So when you look at Spectre and Meltdown and all the hardware hacks and other things that are kind of happening, I was just thinking this morning, man, I certainly kind of feel like a conspiracy theorist.
[00:41:41] Brad Nigh: Yeah, that was my thought. I couldn’t find any news on any of this being exploited, and it would have had to be nation-state if it was, because otherwise you’d hear about it.
[00:41:54] Evan Francen: Right? And even this morning, the president of FRSecure, who you know, sent me a text this morning about an article from businessinsider.com. He sent me a text with a quote: “It’s a matter of time because it’s really easy.” It’s talking about entire countries being taken offline. Interesting story. But then, you know, you start reading more and more of these things. Maybe it’s not a bad idea to be a prepper. Maybe I should get a bunker in the backyard, you know what I mean? So when I think of Spectre and Meltdown and the things that are happening at this higher level with the Russians and Chinese, and you’ve got this CFO from Huawei being arrested and being extradited to the United States, and you’ve got these Iranian attacks... I don’t know, man, maybe I’m just weak right now, but it just seems like a lot of weird things.
[00:42:52] Brad Nigh: So I will say, so that we don’t get yelled at, I looked it up and it says it’s pronounced “wah-way,” W-A-H W-A-
[00:43:00] Evan Francen: Y. Wah-way, wah-way.
[00:43:04] Brad Nigh: That’s what Kids Moto says. So if I got it wrong, I’m going to blame Cagnotto.
[00:43:10] Evan Francen: Well, thank you, Mr. Moto. All right. So anyway, I don’t even know if most people know how to check their systems to see if they’re protected from Meltdown and Spectre. But there’s one place that has some good tools once in a while, and sometimes I don’t like their tools, but Gibson Research Corporation’s InSpectre tool, it’s I-N-S-P-E-C-T-R-E. It’s a small 126K download that will tell you if you’re protected. Yeah, I think it’s pretty legit. I ran it.
[00:43:48] Brad Nigh: What’s interesting was that, for all of the grief that Google gets about, you know, kind of changing things, they actually had and released the tool that’s, from what I could tell, one of the better techniques out there to prevent Spectre: Retpoline. But yeah, they just released it and deployed it in Linux. So that’s pretty nice of them. Yeah, it’s good
[00:44:20] Evan Francen: to see that. We need more things that we can pronounce. I know, because the second one, the amplification attacks, which were the record-breaking DDoS attacks with memcached... but it’s spelled m-e-m-c-a-c-h-e-d. How do you say it? Mem-cash? Mem-cast?
[00:44:40] Brad Nigh: It was how it’s spelled, uh...
[00:44:43] Evan Francen: Mem-cash. We’re security guys and we’re like, I don’t know.
[00:44:49] Brad Nigh: I see that and think memory, so mem-
[00:44:51] Evan Francen: cached. All right. We’re going to go with “mem-cashed” because I think you’re smarter than I am. Anyway, we’re going with it. All right. So these attacks were amplification attacks using flaws in memcached, so memcached is an application, with peaks of 1.7 terabytes per second.
[00:45:15] Brad Nigh: It’s a lot of data.
[00:45:18] Evan Francen: That’s a lot of bits. Yeah. Anyway, there’s good information about that attack, but to your point, I don’t know if it was the biggest vulnerability of... you know, I don’t know. It would have made my list of the top five biggest vulnerabilities for 2018.
[00:45:40] Brad Nigh: Yeah. Well, and it says right there, it’s possible to stop them right there: turn UDP off. Okay.
[00:45:52] Evan Francen: Yeah. So I don’t know if it’s... yeah. Anyway, it made this list of the top five. Number three was the Drupal CMS vulnerability allowing attackers to commandeer your site. Obviously this isn’t a big deal if you’re not running Drupal. If you are running Drupal, then I’m assuming you probably patched.
[00:46:14] Brad Nigh: Well, it says on there, though, that as of June there were still 115,000 sites vulnerable. That’s all... Hey? Yeah, who knows what those are actually doing, but you’ve still got them out there.
[00:46:30] Evan Francen: Right. And I wonder how many of those 115,000 Drupal sites that are still vulnerable are really not all that significant sites, you know what I mean? I mean, maybe a sole proprietor, or even test sites, blog sites, other things like that. Even when you take 115,000, it seems like a really big number, but how many computers and how many websites are on the internet? I mean, when you take it into context... yeah, it probably doesn’t make my top... I would just make my top five.
[00:47:11] Brad Nigh: Yeah. Yeah. The biggest thing is, they’re saying that you’ve got a botnet using that vulnerability for cryptojacking malware. So you now have another 115,000 sites that are infected sites, and then, you know, it just increases the footprint. Yeah.
[00:47:34] Evan Francen: Anyway, more on the story: don’t run Drupal, or patch.
[00:47:38] Brad Nigh: I would say just patch. I don’t care what you run. Patch. Patch.
[00:47:43] Evan Francen: Yeah. And do vulnerability scanning on a regular basis, and web application testing every time you make a change. Do that regularly, and maybe, what the heck, do a pen test once in a while.
[00:47:55] Brad Nigh: Now, that’s crazy.
[00:47:57] Evan Francen: Talk, right? I don’t know, if you’re going to put something out there on the internet, maybe you would just make
[00:48:03] Brad Nigh: that part of a minimum: vulnerability scanning against the web application and your deployment, just check for the blatant things.
[00:48:15] Evan Francen: Just do it. Yeah. The fourth one was BGP attacks intercept DNS servers for address hijacking. Very interesting, I think. This one is sort of scary. You can take over autonomous systems and move traffic.
[00:48:39] Brad Nigh: Yep, that one I definitely agree with being on this list. I mean, we talked, shoot, since we started this, there was Google that was down and had all their stuff routed through Nigeria to China.
[00:48:56] Evan Francen: Yeah, and Amazon too, I think.
[00:48:58] Brad Nigh: It was Amazon, maybe both, I think.
[00:49:02] Evan Francen: That’s a big deal, because BGP is... you know, even for you and I, it’s out of our hands; we don’t run BGP. For listeners, BGP is the routing protocol for the internet, right? It gets traffic from autonomous system to autonomous system, and inside those autonomous systems are bunches and bunches of routers that, at the end of the day, get your traffic from here to there, maybe across the world. But that routing protocol, BGP, if you control that, if you can find vulnerabilities in it or in the implementation of it, you can move traffic where you want to. Yeah, it’s bad.
[00:49:46] Brad Nigh: I did like that they put in that NIST is working on secure inter-domain routing as a replacement for BGP. BGP is great. It’s fast, it works well, but it’s very vulnerable, right? So yes, and it’s
[00:50:07] Evan Francen: super old, man. It’s like TCP/IP version 4. Anyway, I mean, yeah, security was never built into it, so we’ve been trying and trying and trying to secure it ever since. And at some point we just need to go to IP version 6, where at least security is built into the protocol.
[00:50:24] Brad Nigh: So here’s the question. So that NIST... well, here’s... how do you pronounce S-I-D-R? Because, well, then you have CIDR, C-I-D-R. So now we’ve got confusion there.
[00:50:39] Evan Francen: Yeah, that’s the cider that I drink, where I dropped the E.
[00:50:42] Brad Nigh: Right? There you go. But it’s NIST SP 1800-14, and public comment closed October 15 of this year. So how long before anything that comes from that is actually... it’s going to be at least another year, right?
[00:50:58] Evan Francen: Yeah. I don’t know that at all. Yeah, probably.
[00:51:04] Brad Nigh: So there are things in the works, but yeah, I mean, a year for it to get released officially, and then what, two to three years minimum before it starts getting adopted? We’re stuck with BGP for probably another five years.
[00:51:19] Evan Francen: Right? But hopefully, you know, they can manage BGP enough, because it’s like all routing: it’s built on trust, right? Built on trusting my peers in the routing. And so you can control some of that in the propagation of routes and things. So I am where I think too.
[00:51:47] Brad Nigh: Well, again, it mentions in there the government abuse where BGP has been... and I don’t think that will stop until there’s something more secure in place, right? You have rogue nations
[00:52:02] Evan Francen: that just wouldn’t trust anything from anyone. We’re not China and Russia, probably. I mean, we don’t have any business interests there anyway, so. All right. The fifth one was Australia’s Assistance and Access Bill undermines security. We talked about this last week, and we don’t need to beat this one up anymore. No. So if you want to know more about what we said on that one, listen to episode six. All right, so we’re coming up on time. I’m going to do the next story, then I’ll just mention the last one. We don’t even have to comment much on it, I don’t think. But this story is from Forbes, written by a contributor to Forbes: “Breaking down 5 2018 breaches and what they mean for security in 2019.” So, the breaches the author talked about in this... a couple of things are interesting. One, the comments made about the breaches, but two is just that I forgot some of these. I mean, there’s so many things going on. Oh my gosh, yeah, it’s like, oh yeah, that did happen this year. So the one was the Facebook breach with 50 billion users compromised. This was a weakness in some of Facebook’s code at the end of the day. Anyway, that was one of them. The other one was Marriott, which just happened, you know, not that long ago. Hopefully we haven’t forgotten about that one yet: 500 million customers. One that hasn’t gained a lot of press lately: Quora. So Quora sort of happened about the same time, or at least around the same time, as Marriott. So I’m not sure many people talked about the Quora breach, but that was 100 million users. We talked about it, I think, in episode five or four. Another breach he brought up was the British Airways breach, and that’s one I’d forgotten about, even though I work with a big travel company.
[00:54:08] Brad Nigh: I know we haven’t talked about this... well, we talked about this one at the office before we started the podcast, because I remember talking about it.
[00:54:17] Evan Francen: Yeah, there’s a credit card skimming campaign. More
[00:54:23] Brad Nigh: customers worried about this one.
[00:54:24] Evan Francen: Which is weird, because it appears as though it only affected less than 400,000 transactions. Not even people or customer accounts per se. It was 400... 380,000 booking transactions. Yeah, I mean, it seems like a lot, and I think it is a lot, but it’s not like a lot a lot. Plus, British Airways, you know, not many of us here in this neck of the woods... True. Yeah,
[00:54:56] Brad Nigh: No, I thought the interesting part on that one was just 22 lines of code. Yeah, no disruption, and they got all the information. That’s crazy.
[00:55:06] Evan Francen: Yeah, the simple things, man. Yeah, the Ticketmaster attack, and this one, I thought, you know, I don’t even know if I heard of that.
[00:55:18] Brad Nigh: I didn’t. I could not remember seeing this one.
[00:56:44] Brad Nigh: Yeah, I think we talked about that a little bit when we were talking about the Australian bill two weeks ago, three weeks ago, when it first came out. That was kind of... you’re seeing GDPR and some of the concerns around it is exactly what he’s saying too. So it’s interesting to see multiple people talk about exactly that.
[00:57:10] Evan Francen: GDPR bounty hunting, which we’ve seen in other types of attacks not around GDPR, but it’s essentially the attacker says, hey, I’ve got your protected data, pay me or I’m going to release it. And so this just happens to be, you know, maybe targeting GDPR. So I don’t necessarily think it’s a new form of attack; it’s a new name for an attack that we’ve seen before, maybe focused on GDPR. But yeah, protect your data, maybe. Yeah. All right, then the last one I’ve got comes from Holyrood. Have you ever been to holyrood.com before?
[00:57:52] Brad Nigh: No. I was like, do I need to run this through a malware checker? With... oh yeah, you do that. I’m kidding.
[00:57:59] Evan Francen: Every link I give you, you should do one of those. So Holyrood, H-O-L-Y-R-O-O-D. This is Scotland’s award-winning current affairs magazine, Brad. So if you ever want to know about current affairs in Scotland, you go to holyrood.com.
[00:58:21] Brad Nigh: And the more you know. Wa-la. Yeah.
[00:58:26] Evan Francen: All right. So the title of this article is “New cybersecurity standards for manufacturers of self-driving cars.” And there are other news outlets I could have chosen for this, but I wanted to choose Holyrood. So there you go.
[00:58:43] Brad Nigh: I appreciate it.
[00:58:44] Evan Francen: Right. Well, one of the predictions I had made at the beginning of this year was the concern I have about physical safety more than ever, because you’ve got planes, you’ve got cars, you’ve got pacemakers, you’ve got everything, it seems, connected to something else, connecting to the internet or something. And so conceivably, you would think it’s not all that outlandish to think that an attacker can drive a car into a brick wall.
[00:59:21] Brad Nigh: Well, I mean, there have been stories about it for a couple of years at least. There was one around Jeeps where they could take over and kill the Jeep. Yeah, it was three or four years ago.
[00:59:35] Evan Francen: Kill switch. You’re talking about that IT guy that got fired from the dealership? That one
[00:59:41] Brad Nigh: I don’t remember the Jeep... yeah, it might have been
[00:59:44] Evan Francen: so he left a back door into their computer systems and turned off all their cars.
[00:59:51] Brad Nigh: No, this was a different one. This is when the car was actually driving; they were able to drive along and shut it down, like using the Bluetooth. And there’s one from a couple of years ago where, with the Model S from Tesla, they were able to remotely get into it, getting into the controller area network bus.
[01:00:18] Evan Francen: So do you have a... well, I mean, we’re getting to the point now where it’s difficult to get a car that isn’t smart in some way, right? Yep. They all have controllers now. Even my F-250, which is a base model, you know, I’m a pickup truck guy, I don’t want all the bells and whistles, I don’t want everything, just a straight truck, right? Yeah, they’ve all got computer systems in them. You have a choice. Yeah.
[01:00:48] Brad Nigh: I mean, my cars are a little older, an ’09 and a 2013, but they still have Bluetooth and all that stuff in them. Right.
[01:01:00] Evan Francen: Well, anyway, there’s something from the National Cyber Security Centre and a range of automotive industry firms, sorry, including Ford, Bentley, Jaguar Land Rover, funding a project by the Department of Transportation: a 56-page document intended to set a benchmark for security requirements. Good. Yeah, hopefully. Hopefully the manufacturers will go by the intent of these requirements instead of the letter. Right.
[01:01:42] Brad Nigh: Yeah. Well, you’d think it reduces their exposure if they can show that they’re, you know, protecting things, and your car isn’t going to suddenly shut down on the highway because they didn’t implement security.
[01:01:57] Evan Francen: Well, so somebody doesn’t die, right? Right. Because now what we’re getting into is... okay, so I sell a car. Car manufacturers are held liable now for safety things in their vehicles, like seatbelts or airbags or whatever. If something malfunctions in the car, they get held liable, oftentimes, for that, and have to do the recall and all that other stuff. Okay? So at what point... because the things that make these things work, it’s software written by developers, the same types. I mean, software is software. We run software on our computer systems: I run a word processor, I run a browser, I run all these different applications. I think we’re starting to get to the point where, at some point, we’re going to hold all software developers liable, which kind of... I mean, it sort of sucks, because from an innovation standpoint, and being a capitalist guy like I am, you don’t want to see things get stifled, getting new things to market. But you also don’t want people to suffer because you didn’t do it right. Right. So I think if you see cars start going off the road and everything, people are going to be held maybe even criminally liable.
[01:03:19] Brad Nigh: Well, and I think, right, exactly. And it’s going to take a couple... from what I’ve seen, you know, I don’t have a Tesla, but they have a way to actually push out updates. I’ve never gotten any sort of update on my car. It’s, you know, six years old. If there was a vulnerability, how in the world are they going to address it? So I think you’re going to see a couple of car companies actually take the lead on this and tout it from a marketing standpoint and force the issue.
[01:03:50] Evan Francen: Yeah, I agree. And I wonder if it will bleed over into other parts of, yes, smartness, you know, whether it be IoT devices or whatever. So I sort of do too, but I’m a little nervous about it, because, I mean, does that mean I’m going to have to pay a bunch more? I mean, what kind of disruption is it going to create for the economy and for doing business in general? I don’t know, it’s going to be interesting to see how that plays
[01:04:22] Brad Nigh: out. There is definitely a balance
[01:04:24] Evan Francen: there. Yeah. All right. Well, that’s all I had for news this week. I mean, I could have chosen another 100 stories, but we’re already past an hour.
[01:04:33] Brad Nigh: Yeah, it’s so easy to... we keep watching the clock and it’s like, oh, holy cow. I know.
[01:04:39] Evan Francen: Well, like every week though, man, I really, really like talking to you. That was one of the big reasons for doing the podcast: to give you and I a chance to visit once a week. Yeah. So you have yourself a very merry Christmas, all the listeners have a great Christmas, and we’ll catch you next week.