Government Information Security, Quora Data Breach, and More Security Mishaps

Unsecurity Podcast

Evan and Brad discuss the state of cybersecurity and state government information security with guest Jim Nash. They also break down the recent NRCC hack, the Quora data breach, and sextortion in the U.S. military.


Podcast Transcription:

[00:00:22] Evan Francen: Here we are, episode five, on the summer 9th, 2018. Brad, how are you doing?

[00:00:29] Brad Nigh: Good. Time flies.

[00:00:31] Evan Francen: What, what do you mean somebody?

[00:00:33] Brad Nigh: Episode five

[00:00:34] Evan Francen: Oh, I know. Right. Eventually we’ll get good at this I think. Uh

[00:00:40] Brad Nigh: huh. Yeah.

[00:00:44] Evan Francen: You’re totally speechless.

[00:00:45] Brad Nigh: Yeah, I am blown away by that.

[00:00:47] Evan Francen: There you go. Well, today we have a special guest. We have, uh, my state representative, Jim Nash. Jim, you want to say hi? Hello, everybody. All right. So Jim joins us. So we’re going to talk a little bit about... we’ll try to bring Jim into the conversation. Jim is our first ever guest. I had to beat... I know, right?

[00:01:12] Brad Nigh: I had the first announced guest. So there is that. Yeah, I booked one. You beat me to get him on.

[00:01:20] Evan Francen: So it’s like you took it to, like, first and goal, second and goal, and you never punched it in.

[00:01:26] Brad Nigh: Yeah, headed to the goal line and fumbled it and they just took it in the other way.

[00:01:30] Jim Nash: Like you were describing a Vikings game.

[00:01:36] Evan Francen: Oh God, let’s not go there. We’ll have that pain tomorrow. Mhm. All right. So, Jim, a little bit about you. Now you work at FRSecure, uh, you are our chief storyteller. Is that still your official title?

[00:01:54] Jim Nash: That, that is the title? Yes. Okay. That’s what happens when marketing people get too much rope.

[00:02:01] Evan Francen: Well, you know, just it’s not a bad title. I think it’s a pretty cool title.

[00:02:06] Jim Nash: No, I think it’s a good title, and you know, because every good cybersecurity story starts with a bad story of something that happened. So, um, I’ll take it.

[00:02:18] Evan Francen: Right. When you go... You and I go way back. You almost were, uh, Employee #2 at FRSecure. Uh, you took a path, you know, hydrogen company. And you know, since then, I think at that time you were the mayor of a small town in the western, uh, western metro of Minneapolis, of Waconia, at the time. And then, uh, now you’ve been elected, you’re in your second term at, uh, at the state house, is that correct?

[00:02:50] Jim Nash: Correct? 2nd term... was just elected to my third term.

[00:02:54] Evan Francen: This... Okay, so this is your third term. My

[00:02:57] Brad Nigh: Writing under the 3rd term. I was gonna say my writing of anyone, but jim please God didn’t work.

[00:03:04] Jim Nash: Um, yeah. Thanks. Thanks, constituent and coworker Brad. Warm, fuzzy feeling.

[00:03:13] Brad Nigh: as you think. Can you feel the love? Oh yeah. Oh yeah.

[00:03:17] Evan Francen: Now Brad, are you in Jim’s district too? Right. Yes, I am. Okay, can I ask you, did you vote for Jim? I did. Jim, you have 2, 3 votes right here. All right.

[00:03:33] Brad Nigh: Maybe I’d never hear the end of it if I didn’t write uh

[00:03:39] Jim Nash: Ballot boxes are private. So you can, you can vote for winning the pool and I would never know.

[00:03:44] Evan Francen: That’s true. Next year... our next... now I know, next election. Yeah. All right. So, uh, one of the reasons why I wanted to have you on, Jim, was certainly your work at FRSecure is very valuable. You write a lot of articles; we’ll talk about one of those articles today. Uh, but then also, um, you brought some really good kind of insight to me on what goes on in a state legislature around information security. So what kind of role do you play today in information security at the state?

[00:04:22] Jim Nash: Uh huh. Yeah, that’s a good question. So, the state of Minnesota legislature is a citizen legislature. So we’re not professional legislators and everybody comes from a different background. And as you had said, when, uh, when Evan invited me to join you at FRSecure about 10 years ago, I went a different path. I went down the path of the storage world, and then I woke up one day and realized the folly of my ways and joined FRSecure. But there’s only a handful of us down at the capitol that really understand both computer IT issues and then cybersecurity issues, and in that role that I serve at the capitol, I’m really sort of the chief proponent of information security. And for the last four years, I have advocated for a various number of things: more spending on InfoSec, more spending generally in IT across the state, more accountability. And as a result of that, I’ve been named to the National Association of State Legislatures Cyber Security Task Force. There’s 32 legislators from across the country and I’m one of them, uh, and then was appointed to the Metro State MN Cyber program. So I’ve been very fortunate to find some traction at the state level to push the message that we preach every day at FRSecure: that this is a big issue, that there are certified bad guys out there every day trying to get the data that we have and to compromise our networks. And, um, there have been a couple of successes and there’s been a couple of failures down at the state as well.

[00:06:13] Evan Francen: Yeah, I can imagine. And, uh, yeah, I’m not much of a political guy other than, I mean, you know me, but I’m not going to go there. Um, but Brad, I want to talk to you too, obviously. Uh, tell me about your week. How was your week? And then we’ll get back to Jim, and I want to know more about the task force and kind of some of the other cool things. But how was your week?

[00:06:35] Brad Nigh: It was good, uh, finalizing everything for next year. I’m really excited about what’s coming up next year and, uh, where we’re going as a company and what the plans are. There’s no shortage of work coming our way, so it’s always a good thing.

[00:06:54] Evan Francen: there’s no shortage of work today, it seems like,

[00:06:57] Brad Nigh: Yeah,

[00:06:58] Evan Francen: Okay, well, and so we had our Christmas party yesterday. What did both of you guys think? Both you guys were there with your spouses and

[00:07:07] Brad Nigh: Yeah, I mean this is my 3rd party and I just can’t believe how many more people there were. I mean, you know, you, Evan, you can see even more than I can, but you know, I started, my first one was in 2016. We had what, maybe 30-40 people at it, and this one was, I don’t even know, well over 100.

[00:07:32] Evan Francen: Yeah, it’s pretty humbling. I remember the very first one, we had six. It was me, Kevin, yeah, Steve and our wives. Yeah,

[00:07:44] Jim Nash: Yeah, I thought it was a great party. It was very clear that the culture at FRSecure is one where we value people, and that’s a really refreshing thing to see, um, in today’s times.

[00:08:03] Brad Nigh: Good. Yeah, I got that from multiple of the new people. Um, and I knew, I mean I’ll even go like the last three months. Yeah, you know, I never got this, uh, I worked other places for 15 years and we never had a single party or anything even close to this, and yeah, a lot of really good feedback and it was really appreciated.

[00:08:30] Evan Francen: No, it’s cool. Yeah, well, the uh I mean it’s it’s so much fun hanging out with with uh with the team and in their spouses and I mean we all work so dang hard all the time and it’s, it’s really nice to just let loose a little bit and hang out and enjoy each other’s company. I I loved it. Mhm.

[00:08:51] Brad Nigh: It’s hard to say hi and talk to everyone. I feel like I was trying to say hi to as many people as I could just to chat them up. But man, we’re getting to the point where three hours isn’t enough time to do that.

[00:09:05] Evan Francen: I know, and I will have to figure out something. I was telling my wife that uh I don’t know where we do it next year, I mean, we’re gonna need a bigger place than at this year, yep, I guess it’s a good breaking stadium. Oh shit,

[00:09:24] Jim Nash: maybe King Stadium,

[00:09:26] Evan Francen: That’s not a bad idea. So we had a big announcement yesterday at the Christmas party. We announced that, uh, John Harmon is now the president of FRSecure. Uh, he had no idea that it was coming and I loved his reaction. What did you guys think?

[00:09:45] Brad Nigh: I think it’s a good call, but yeah, it was uh him being uncomfortable and caught off guard is rare, so you got to enjoy it when you can

[00:09:56] Evan Francen: well, we got it on, we got it on video.

[00:09:58] Brad Nigh: Yeah. I turned around, I saw Kevin taping, I’m like, what’s going on?

[00:10:04] Evan Francen: There are only a few of us that knew it was coming. Uh, but yeah, he’s more than ready when you think about the road that he’s taken at FRSecure, you know. He’s coming up on a six year anniversary. I mean, the company’s only 10 years old, right? Yeah. And there was a time where, yeah, he started in sales and, uh, just really struggled, I think, at the very beginning, just kind of figuring out how to sell, because he really wanted to be like an expert, and the way sales works in information security is, nobody buys from sales people. No, because you’re not credible, people don’t trust you. I mean, it’s kind of a good thing, but he wanted so bad to be an expert in information security and couldn’t understand why people wouldn’t buy from him. And we tried and we tried and we tried, and it was eight months, uh, into his tenure at FRSecure and it was like, man, he’s just not getting it. Um, so we were going to let him go. Uh, yeah, and so we had, uh, man, it was at the time, it was, you know, other leadership at FRSecure: myself, Kevin and another sales, uh, VP of sales at the time, and it was their call at the end of the day. I said I’ll support whatever we’re going to go with, I get it, you know? And so we had made the call on Friday that we’re going to do it on Monday. When John comes in on Monday morning, that’s when we’re going to let him go. And so Monday morning comes and I pull up in my truck, and Kevin and this VP of sales are sitting outside, uh, you know, in a couple of chairs, my god, kind of waiting for me there, and I get out of my truck and they said we’re having second thoughts. Like, alright, what are we doing? You know? And they decided, well, let’s give him one more shot. I’d like you to have just a heart-to-heart, kind of a come-to-Jesus meeting with him. And so, Kevin, so John and I went to Mocha Monkey and had a come-to-Jesus. Mhm.
And you know, you look back now and you’re like, thank God for not, I mean, thank you for not allowing me to make that mistake, you know, to not, you know, fire him at the time. But you know, it’s kind of a cool story, right? And then you see where we’re at today and now he’s the president of FRSecure. 100% fully capable, totally bought in, just a perfect fit.

[00:12:48] Brad Nigh: Yes, that’s crazy.

[00:12:50] Jim Nash: What’s it like... So that’s an awesome story.

[00:12:53] Evan Francen: Yeah. Yeah. Well, uh, yeah, I just love the guy and he’s so capable. Yeah. One of the things he was saying to me yesterday is, uh, you know, because I had kind of been grooming him for this, and he said, ah, he was sort of thinking it was going to happen a year from now. Yeah, well, you’re ready. Well, I hope so. Come on, dude, you’re completely ready for this. So hang on tight. He’s a great leader and he’s going to take us to new places, you know? And then, yeah, so hopefully, hopefully you like working for him, you guys, because... I do.

[00:13:35] Brad Nigh: Uh even if I didn’t, I was gonna say, I didn’t know uh

[00:13:39] Evan Francen: publicly right on a podcast.

[00:13:41] Brad Nigh: Right? No, I will say this. One of the things that I’ve always really liked about John is, he does take almost a hands-off approach to management, leadership. He expects you to come to him with not just problems, but also the expectation of solutions to those problems, the same way I am. So I really like that. But the really important thing is he admits when he’s, like, over his head and turns to the people that know, and trusts... he hires the right people and trusts them. So I mean, what more could you ask for from the top?

[00:14:16] Evan Francen: Yeah, I agree completely. Absolutely. Well, good, that was a good party, good announcement. What else is going on? Anything else we should cover before we get in, get into the news and then Well,

[00:14:32] Brad Nigh: I think I have one thing to just kind of twist the knife on uh James a little bit. I think I’ve sold more licenses for vin defense than they have. So I’m just just saying,

[00:14:44] Evan Francen: hey, yeah, make it public man,

[00:14:50] Brad Nigh: I’m giving them a rough time about that one until they were telling us, what’s that

[00:14:57] Jim Nash: start a tally board at the office. Right?

[00:15:00] Evan Francen: Yeah, well, last week it was a really good week for Ben defense. Mhm. Had I think we’re on boarded some new clients. Um Yeah, I think a lot of it is just get out, get out of our own way. Yeah, you know, it’s a it’s a simple cell. It uh it solves definitely solves the need so we go for it, yep.

[00:15:29] Brad Nigh: I think once it starts picking up steam it’ll go, I think that’s the pressure though. Is is everybody is feeling it, but once it starts my story is a little bit of uh momentum there, just get out of the way and let it do its thing.

[00:15:44] Evan Francen: Yeah, for sure. All right, so, Jim, tell me about your task force a little bit.

[00:15:54] Jim Nash: Sure. So it’s called NCSL, the National Coalition of State Legislators, and it is legislators from each body in each state. So, um, senators and state reps from across the country are invited to be on the task force, and really what that is is the legislative think tank, in a way, for cybersecurity. And I know you hate the word cybersecurity, but that’s what it’s called.

[00:16:24] Evan Francen: Um

[00:16:26] Jim Nash: And what we do is we come together and we will talk about best practices that are currently in the private sector and how do we get them into the public sector? And we’ll talk about what happened in, take a state, and how can we model that so that other people in different states can take advantage of that. So, some of what we’ll do is we’ll bring model legislation that we’ve passed and we’ll bring it to share with others, and we’ll talk about what’s going on in the industry and what are things that we need to be cognizant of. So, you know, I expect to bring a lot of the stuff that we do at FRSecure to bear in various meetings as we begin having them in calendar ’19, to talk about what are some of the things that states need to be thinking about. Mhm. I was speaking on our behalf at a government IT symposium this past week and we talked about vendor risk management, and that was something that I believe will be very important as we head into the next task force meeting, because think about it, a state has millions of vendors, quite possibly. So that’s a great carryover from private sector experience for me to public sector experience for me. But the role in my seat will be to go there, offer up information, but then also to bring things back to the state of Minnesota and try to make our InfoSec better, because it’s not that great. It’s no different than a lot of other states, that there is political infighting that gets in the way of funding InfoSec, period. And then once it’s funded, how does the legislature have a view into it? Because so much of it is, um, not able to be viewed by people who don’t have a clearance, because we have some very sensitive data at the state. So those will be something that we get into tackling and it’s going to be a difficult situation to figure out. Oh

[00:18:43] Evan Francen: Sure. So Brad, have you worked much with states?

[00:18:48] Brad Nigh: Uh, I’ve had conversations with a couple of states around some services. More where I’m seeing a lot of movement is with, like, cities and counties all over the US. We’re seeing a lot more interest. Um, and really the vCISO and the assessment section, uh, being there, they’re going, yeah, we got to do something and we can’t keep anybody employed, so we need help somewhere. Right.

[00:19:19] Jim Nash: Yeah. And that’s been fun to be a part of since I got to FRSecure. We wrote a couple of articles early and created some really good leads, that folks are admitting that, yeah, we don’t have budget but we recognize that we need this. How do we do this? And that should be a pretty exciting thing to tackle in 2019.

[00:19:40] Brad Nigh: Yeah, we had one, a pretty large, well known city that had gone through I think three CSOs in four years and basically they were just staying there to get the title for a year and then moving to private sector because they could get double or triple the salary. Yeah. And we have people to do the work. We just don’t have anybody to lead it and provide that guidance and expertise.

[00:20:07] Evan Francen: Well, there’s a lot of challenges with state stuff, you know, because I always see, and you mentioned it too, uh, Jim, water... You know, we’re trying to get funding, trying to get budget, you know, and I’ve never been as concerned about getting budget as I have been with, are we spending those dollars wisely? So when you say, you know, trying to, uh, you have to have the right clearance to know where those dollars are being appropriated. Um, us normal people, citizens, I don’t think we have any clue where the money gets spent, do we? I mean, it doesn’t seem like I do, anyway.

[00:20:45] Jim Nash: Well you can, you can look at a department and look at what things were spent on, but to know truly what money was spent on what problem requires a significant amount of clearances. Um, but no, an everyday citizen can say, hey, I’d like to see what the state budget for our IT department here in the state is. It’s called MN.IT. And you could say, I’d like to see what that is, and they would deliver this 50 page book to you. Uh, and you could look generally where things are spent, but you would never know specifically where things were spent, because that’s a little more difficult. You might have to file a couple of data requests. But even if you peel back that onion there would be another level of obfuscation that would be tough to get through. And as a legislator, I find that frustrating.

[00:21:43] Evan Francen: Yeah. As

[00:21:44] Jim Nash: I said it as a citizen, I would find it maddening to know that I’m taxed out the wazoo to not be able to see what things are happening.

[00:21:54] Evan Francen: Right? Yeah. I think a lot of times people, well, sometimes equate a dollar amount to good security. So if I’m spending $10 million in information security, well then I must have pretty good information security versus the guy who’s only spending 100,000, right? But I can spend $10 million and just piss it away on terrible controls, you know, and still have worse security, and even worse than that, have a false sense of security.

[00:22:25] Jim Nash: Right? And I believe that that happens in a lot of large organizations. Yeah, that have a tremendous amount of data that they need to protect. And maybe $10 million to a small organization is more than enough, but to a massive organization that has, you know, petabytes upon petabytes of data spread around the state, they have poor controls. And that’s not scratching the surface, right?

[00:22:54] Evan Francen: Yeah. I think people, a lot of people struggle with information security. Yeah. Budgets. Um, I know that before, my last real job before, you know, FRSecure, I always had to establish a budget, you know, every year. Um, and I always based it on risks as much as I could, right, because I knew that I had to defend my budget. But I wonder how, I mean, I don’t really have a lot of insight into how other people maybe do their information security budgeting.

[00:23:27] Jim Nash: Yeah. Well, the state of Minnesota, they come before the committee that I’m the current vice chair of, the State Government Finance Committee, and we ask a lot of tough questions, but when you’ve got a budget that’s hundreds of millions of dollars, um, there’s just not enough time to go into great and nauseating detail to fully comprehend. And I will tell you, even if we did, many of my colleagues would get up and leave the room, because, you know, they’re looking for a building to jump off of when you start talking about InfoSec and/or IT in general. I make a joke that many of my colleagues down there can barely spell IT, let alone care enough to sit around and listen. And it’s true.

[00:24:12] Brad Nigh: Yeah. It’s kind of funny how many similarities there are between government and even the private sector, because it’s the same when you look at a C-level or the board of directors, they just glaze over immediately. Same concept, like how do you get this across? So obviously different mechanisms to get there. But at the end of the day it’s the same. Mhm. Problems.

[00:24:39] Evan Francen: Well, that’s the thing, right? I mean security is security. Mm It’s just where you apply it and the constraints that you need to operate within. I think uh because we play politics too much different. I mean it’s a different flavor but you know, certainly in larger companies you have to play these games is give and take this. We don’t necessarily always do the right thing. But well there’s just compromises everywhere, right? It’s hard. But that’s why we get down.

[00:25:11] Jim Nash: That happens a lot at the capitol. You know, last year I had a bill that I got to the governor’s desk that would have provided an additional 3.5% of total IT spend dedicated towards InfoSec. I thought it was a great bill, and ultimately, um, outgoing Governor Dayton vetoed it because of partisan issues. And you know, there’s a blog on our web page, and it’s actually the topic of the talk I gave this past week, called navigating the politics of cybersecurity. And politics isn’t just about elected people like myself, it’s about inter-office politics. And in the public sector, um, politics is settled down at the capitol, but in the private sector, politics could be, um, somebody in the boardroom doesn’t like the person bringing the proposal, so they just find a way to take the legs out from underneath it. Or it could be, you know, they have other spending priorities for a limited amount of money and they decide to use their influence or tear someone down to chip away at their proposal to fund more InfoSec, and, uh, you know, put more into marketing or whatever. It’s a very real issue in both public and private sector, um, InfoSec efforts.

[00:26:39] Brad Nigh: Uh huh. I think what you see is, you know, IT and security, it’s not something that people want to see. It’s a cost center, right? They don’t want to think about it until they need it. And then typically it’s too late. Right? So, well, you know,

[00:26:55] Jim Nash: It’s generally not sexy. It’s not sexy. No one has a ribbon cutting for cybersecurity.

[00:27:03] Brad Nigh: Now. No. You know, I always joked, you know, especially IT, everybody’s like, what are you guys doing back there, just playing games, because it’s not a problem? Or hey, what are you guys doing back there? Because there’s a problem. But you can’t win. It’s the same thing with security. Why are we spending all this money? We haven’t had any incidents.

[00:27:23] Evan Francen: True. Yeah. Like I wish we should start doing ribbon cuttings. Yeah,

[00:27:29] Jim Nash: I’m in,

[00:27:29] Evan Francen: I’m in too.

[00:27:32] Brad Nigh: If you’re comically large pair of

[00:27:33] Evan Francen: scissors, right? Every new vCISO client, every new, uh, every new FISASCORE that reaches, you know, 660 or 700 or higher. We’ll do a ribbon cutting, something. Try to make this, uh, a little more fun, a little more exciting, because you can make information security a non cost center. Mm. You can use information security to be a differentiator, to be, you know, a competitive advantage. I don’t know how much so, you know, in government, but certainly in private business. Um, and you can always, you know, I always, we always have a saying that, uh, complexity is the enemy of security. So simplifying things, when you simplify processes and make them more secure, mm, oftentimes saves people a ton of money too, because you’re no longer wasting time or steps to accomplish, you know, whatever tasks you’re trying to accomplish. Yeah.

[00:28:35] Brad Nigh: So I’m going to mention that, that’s a good segue. I’m going to throw this out there. You didn’t... So full disclosure, Evan has no idea about this, but on the 13th, I’m going to be on a video meetup with Spiceworks talking about when not to invest more on cybersecurity, and it comes to exactly that: we’re spending more, not seeing outcomes. How are you showing ROI? What’s a risk management approach? How do you do it? You know, all that. So this is something we’re seeing out there, a lot more people struggling with it, outside of even just the security realm.

[00:29:10] Evan Francen: Right? So the 13th, so you’ll be covering that in the next podcast, episode six. I’ll

[00:29:16] Brad Nigh: talk about that and I think it’ll be good.

[00:29:18] Evan Francen: Oh yeah. Yeah. Well, yeah. This is not your first time talking at this Spiceworks.

[00:29:28] Brad Nigh: No, I did. They actually flew down there for one in 2000... last year. It was last year. This one is just a video one, but it’s fun. This will be with, uh, um, somebody from AT&T with their security. So it’s kind of a large AT&T and, you know, a smaller company with FRSecure, but it’ll be interesting to see the similarities and differences in approaches there.

[00:29:55] Evan Francen: Oh, from AT&T to how FRSecure handles things. Yeah, it will be interesting. Mhm. All right, well, let’s get into some news and then, you know, if we’ve got time at the end, we’ll circle back and talk some more about stuff. I know that yesterday, I see, I mean we’re always talking work at the holiday party. I know we’re at the holiday party and Brad comes up to me, I got something else for us to talk about tomorrow. I’m like, all right, what do we got? Sure, about the new Australia, you know, encryption law. And I was like, I don’t think I’ve seen anything. And then you bring it up. I mean, but we’re still talking about work even when we’re not working.

[00:30:33] Brad Nigh: All right fred you and me can you just rolled her eyes and uh she just accepts it.

[00:30:43] Evan Francen: Yeah. Well, we’re passionate about our jobs, obviously. Mhm. All right, so the first news item. So I’ve seen that a lot, uh, today or this week, actually. I was just following a lot of things that were going on. One of those things was the House Republican Campaign Committee, the National Republican Congressional Committee, to be more exact, the NRCC, was hacked during the 2018 election cycle. It sounds like it happened 8-9 months ago. They waited till after the election cycle to announce anything about it. Um, so on CNN the title of the article was “House Republican campaign committee hacked during the 2018 election.” Uh, interesting, there’s not a lot of detail about this. It sounds like it was only maybe four people

[00:31:42] Jim Nash: And I’ll be getting some details. Um, actually all of, well, Evan and I have a congressman named Tom Emmer. He is the incoming chair of the NRCC. And he’ll be looking into that once he takes office in that new capacity, in addition to his congressional role. So I’ll be, uh, asking him a lot of questions and I’ve already made FRSecure available to him. So, surprise, we’re going to go help them out if they need it.

[00:32:12] Evan Francen: Excellent. Yeah, Tom Emmer. So he’s he’s kind of taking a charge, taking charge of the Republican, I don’t know, what do you call it, the Republican

[00:32:22] Jim Nash: election wing.

[00:32:24] Evan Francen: There you go. So he’s gonna be stepping into the role. I was not aware of that. That will be uh that would be good because I think you and you and he have a really good working relationship together.

[00:32:35] Jim Nash: We sure do. We sure do.

[00:32:39] Evan Francen: Cool. So you’ll know a lot more about what took place who is affected and all those things as much as he can share, I’m sure um, you know, in the coming weeks and months.

[00:32:49] Jim Nash: Yeah, I’m looking forward to that.

[00:32:51] Brad Nigh: The only thing that surprised me that they were able to keep it under wraps for eight months. Right?

[00:32:58] Evan Francen: Yeah, that’s pretty surprising, right? And we see that CrowdStrike, you know, is in on this, um, because CrowdStrike also led the investigation of the Democratic National Committee hack in 2016. Now we’ve got this one with the NRCC. Um, and it’s funny how they always, we always just jump so quickly to, it was so super sophisticated, or it must be nation state. It’s like, why do we go there so quickly all the time without any evidence, without any

[00:33:38] Brad Nigh: right,

[00:33:40] Evan Francen: you know, because there’s nothing to indicate that that I can see in anything I’ve read.

[00:33:46] Brad Nigh: Yeah, well there’s no yeah, no evidence at all,

[00:33:52] Evan Francen: At least what we know, right? I mean, somebody, CrowdStrike, I’m sure if they’re involved in the investigation, they certainly know a lot more about this attack than we do, but just to go there that quickly. Yeah, I’m always very skeptical.

[00:34:09] Jim Nash: I think that the 2016 election issues certainly lead us to believe that, you know, when the state of Illinois was pretty much owned, um, the state of Minnesota was actually probed, not breached, and we’re sort of acculturated to think, oh, it must be the Russians or the Romanians or the certified bad people in pick-a-place, when it could actually just be your political enemy very easily.

[00:34:42] Evan Francen: Oh, sure. I mean, especially in today’s climate, I mean, everything is so polarized today, you know, between the left and the right and everybody’s, you know, we’re just fighting themselves so much.

[00:34:53] Brad Nigh: Yeah, I think well, and the the issue is that I have a, it goes against what we look at for an instant response. Everybody is already making assumptions without knowing any of the information where it leads you to have make mistakes and miss things, right?

[00:35:11] Evan Francen: Mhm. Well, in the new york times and their article about the same attack. Um these are some of the things they call out email accounts of several of its senior officials had been hacked and then analysts later concluded it was a foreign entity but just calling it. So it doesn’t make it. So

[00:35:35] Brad Nigh: yeah, I will say the one thing I saw in that New York Times article was that they’re saying it’s not as sophisticated as the GMT1 where there was actually malware implemented on the systems. This one just looks like it was strictly an email. So it’s interesting that you would think they would have done the same or tried to do the same if it was the same actors. Right? Why would they go completely female only versus only in the system?

[00:36:05] Evan Francen: Right. And if we’re going to speculate, what do we speculate? Yeah, I mean, if you were to guess, what would you guess? How would you guess this attack took place?

[00:36:21] Brad Nigh: They totally got phished.

[00:36:23] Evan Francen: Right.

[00:36:26] Brad Nigh: And so they, and then they allowed, like, oh, multifactor is trying to log in. Yes, go away.

[00:36:34] Evan Francen: Right. And so how sophisticated is that? Okay.

[00:36:42] Brad Nigh: So far more sophisticated than others. But it’s not the most sophisticated attack out there by any means.

[00:36:49] Evan Francen: Well and that’s the that’s the thing. So it’s

[00:36:52] Brad Nigh: all relative, right. It’s not the Nigerian prince offering you money level, but it’s not implanting malware that goes undetected for months at a time with complete control. So it’s kind of on the lower end of the sophistication of the breach.

[00:37:13] Evan Francen: But isn’t

[00:37:14] Jim Nash: that sort of, isn’t that an interesting commentary that, uh, it still can be the least sophisticated attack methodology that, you know, wins the day. I find that fascinating. Mhm.

[00:37:31] Evan Francen: Yeah, I mean, it’s been that way from the very beginning, you know. I mean, we give attackers so much credit, and there are sophisticated attacks out there, right, but 99.9% of all the attacks that take place are super non-sophisticated. And just because I don’t understand something, I don’t understand how an attack maybe takes place, doesn’t make it sophisticated. It just means I’m ignorant. Right? If I don’t know how a phishing attack works, we’ll claim, well, jeez, that sounds really sophisticated, but a high schooler, you know, with a couple of hours of boredom, can do the same thing. Yeah. Yeah. There’s no sophistication to a phishing attack, and I don’t know at what point we, I mean, I don’t know how it happens, but when do we no longer accept single-factor authentication on anything external?

[00:38:32] Brad Nigh: I mean, we talk about that in assessments now, that it’s starting to be like, hey, how are you going to justify this? There’s free services, you know, that Google, that Microsoft, there’s really cheap ones, Duo and YubiKey, and there’s just so many options now that it’s almost to the point where you start asking, how do you justify not doing multifactor? Right.

[00:38:59] Evan Francen: I mean, it’s so easy anyway. So we’ll learn more about this attack, I think, um, in time, and it will be interesting, you know, Jim, as you work closer with Tom Emmer as he takes on his new role of leading that committee, to see, I mean, and you’ll share whatever you can share. You know, obviously you play by the rules, but, uh, it will be interesting to see more about this one when we can. But it’s funny how I didn’t even finish that, “how do you think this took place,” before I even finished that, Bradley, like, phishing?

[00:39:39] Brad Nigh: Uh, it’s the path of least resistance, right? It’s a lot easier to get somebody to click on an email than to hack a firewall. That’s just the reality of it. Or hack a website to get in. Uh huh.

[00:39:55] Evan Francen: Much better. Much better return on your investment, yep. All right. Well, the next, uh, news article I chose, and you know, nowadays you can choose so many, but was the Google CEO Sundar Pichai. He’ll testify in Congress on Tuesday, which I think is kind of interesting because he seems like he sort of stood up Congress when they asked for him to appear. You had Dorsey, the CEO of Twitter, who was there, Facebook was there, but the one who was absent and really just sort of ignored, it seemed like, um, the invitation to speak to Congress was Google’s CEO. Um, and so now he’s going to be testifying, and what they’re testifying about, and this will get political just like anything else, but, um, about how maybe Google and other social media and other tech companies, um, are biased against, uh, you know, conservative groups, and how maybe they’re suppressing or filtering out, you know, certain things that were being said, you know, from the right. Um, so I think that’s what he’s going to talk about, but the one thing that just makes me so nervous about Google is just how much data they have, how much they know. There’s no privacy. If they decide to do whatever the hell they’re going to do, they’re going to do it, right? And it’s the same thing with, you know, he decides to show up, I mean, what are we going to do if he wasn’t gonna show up? He didn’t show up the last time. So it’s just like this, what do you call that, uh, bravado, nah, not bravado, what’s the word when I just kind of don’t care what you think?

[00:41:42] Brad Nigh: A bit of arrogance.

[00:41:43] Evan Francen: Arrogance, that’s exactly the word. So it’s

[00:41:48] Jim Nash: well, I would say that I would not be surprised if Congress would remind him of their subpoena power, which they have. Mhm. So that might have motivated him to come.

[00:42:02] Brad Nigh: Mhm. Yeah, I mean, we’ve seen it, how many breaches, and you’ve got companies that don’t face any real consequences, right? I know that they’ve talked about it with, um, some of the different, uh, Congress people, you know, for either the Senate or the House. They’re going to put some bills there, now drafting some bills, but until there’s some actual teeth and there’s an incentive to actually protect the data, they’re not going to do anything. They’re gonna pay lip service. Go ahead.

[00:42:37] Evan Francen: Well, on something like, I agree. And tell me, like Google, it’s just, you know, if you’ve followed Google over the years, they’ve just become so, yeah, powerful and overbearing, and, uh, you know, how do you ever get your stuff out of Google?

[00:42:53] Brad Nigh: They’ve lost that “do no evil” approach they started with

[00:42:57] Evan Francen: a long time ago. Yeah,

[00:42:59] Brad Nigh: they’re wide.

[00:43:01] Evan Francen: Yeah, I think so, yeah. So I just got

[00:43:04] Jim Nash: to your initial point, though, Evan, you know, the suppression of opinions or articles or whatever that don’t quite meet their own political paradigm. It is a concern, and full disclosure for the listeners, I’m a Republican legislator, and it is something that is really a tangible thing. When you post something, either online or to Facebook or Twitter or whatever, if it doesn’t meet their personal warm, fuzzy paradigm, it may not make it all the way through. And it is something that I find troubling, and I think others probably do as well, but the question becomes, how do you legislate, how do you dictate that? Um, and that, I will tell you, if we did that at the state of Minnesota, that could eat up an entire legislative session and still not get it right.

[00:44:14] Evan Francen: No, I agree. Well, and it doesn’t matter if you’re a Republican or Democrat, which side, I mean, you wouldn’t want your voice suppressed, right? Uh, no matter who you are, you know.

[00:44:28] Jim Nash: and I wouldn’t want my opponent’s voice suppressed either.

[00:44:31] Evan Francen: No, no, I agree. Yeah. Anyway, so I just thought it was interesting. We could talk, you know, I think an entire podcast about Google too, because there’s just a lot of things that, you know, for me as a security guy, I don’t feel comfortable with. You know, but what can I do? I can’t get away from Google, they’re everywhere.

[00:44:52] Brad Nigh: You know, I think the other ones listed in there, Facebook and Twitter. I don’t have a Facebook account, I never have. There’s a guarantee, like, they have a profile on me because I’ve showed up in other people’s pictures and those things. That’s a bigger concern than if I choose to use the service and they collect that info. But yes, we could go on and on. Yeah, that could be a multi-hour discussion easily.

[00:45:19] Evan Francen: Maybe you know go ahead.

[00:45:23] Jim Nash: Oh, and even if you were to produce it and publish it, would it actually get listed? Yeah, what would it be? Would they allow you to search on being derogatory towards Google? That was supposed to be a lot funnier. But, you know.

[00:45:37] Evan Francen: We’ll see, now you’ve picked up security humor, so Jim, the only people that are thinking that’s funny are maybe some security people. But, uh, yeah, so maybe, you know, he’s testifying on Tuesday, it will be live streamed. It will be interesting to see what comes out of that, and maybe it’s some good fodder for next week’s podcast, if there’s anything cool that comes out of it.

[00:46:03] Brad Nigh: Yeah, it’ll be interesting to read on

[00:46:05] Evan Francen: because, I mean, other things that, just off the top of my head, uh, I know Google is being accused of GDPR violations by at least seven countries right now. Um, they’re all kind of in the whole China thing, the secret China project they’re working on. I mean, there’s a lot going on with Google. We’ll come back to that one. There was a breach last week. What? Yeah, it happens once in a while.

[00:46:31] Jim Nash: Another one

[00:46:32] Evan Francen: Right? People I know, who would ever be shocked? So Quora, they had a breach, I think it was last week, they announced it about a week ago. 100 million users, so only 100 million this time, not Marriott 500 million size. I mean, it’s just a petty one, right?

[00:46:52] Brad Nigh: It’s barely worth reporting on at this point.

[00:46:55] Evan Francen: I know, I don’t even know why I’m wasting a blip on the radar, I don’t even know why I’m wasting our time right now. Mhm. Uh, but anyway, this one I thought, uh, was sort of an interesting one. Again, it’s 100 million, uh, users. I didn’t realize that Quora was founded, you know, as I was doing some kind of research, you know, about this, I didn’t realize that Quora was actually founded by former Facebook people. I didn’t know, for whatever that’s worth. Um, but exposed in the breach, uh, so this is from CBS News, it’s just, you know, if you want to go look for it, “Data breach exposes 100 million users’ personal information,” uh, at risk or lost or stolen: names, email addresses, encrypted passwords. Funny thing about “encrypted passwords” here is, normally, if I’ve used bcrypt, for instance, I would probably have announced that. Uh, the fact that they didn’t makes you wonder what hashing algorithm they are using. Um, some hashing algorithms are much more susceptible to collisions or cracking passwords, so, yeah, I don’t know.

[00:48:06] Brad Nigh: So they did post, I read on Ars Technica that they did finally come out and say it was bcrypt.

[00:48:15] Evan Francen: It was?

[00:48:16] Brad Nigh: But they did it in a Twitter announcement, so

[00:48:21] Evan Francen: well, then why the hell wouldn’t you say that out front? That would put a lot of our security guys a little bit more at ease.

[00:48:26] Brad Nigh: But yeah, it took over 24 hours, but they said they use bcrypt with a salt that varies with each user. So that does help. But, exactly, why wouldn’t you immediately say that? At some point companies will learn to start talking about, hey, we’ve done this, rather than get beat up for a day.

[00:48:52] Evan Francen: Well, so we have 100 million encrypted, so hashed, passwords with bcrypt and some salt. Um, that helps. That helps a little bit. Now, how would I actually get those passwords? Because the collisions would be kind of messed up with the salt. So even if you chose easy passwords, and I also, in my attempt to get your password, um, loading dictionary files or rainbow tables, whatever, uh, it’s going to be harder, right, with the salt and bcrypt. So, yeah, maybe the passwords are

[00:49:36] Brad Nigh: Yeah, it sounds, well, again, I think it really comes back to, and you know, this goes into the Australian encryption law and security, it keeps tying itself together and coming back in loops, but it’s all about implementation too, right? You know, it sounds like they’ve implemented it correctly, but I think saying, hey, best practice, if you use this password anywhere else, you should change it and change it here, is probably good advice.

[00:50:04] Evan Francen: Right. Well, we’ve already talked about phishing and how easy those attacks are. In this particular attack, I’ve got a correlation now. You know, even if the attacker can’t get passwords, I’ve got a correlation between the company you did business with, in this case Quora, I’ve got your email address and I’ve got your name, so I can send an email looking like it came from Quora, address you directly by your name, um, and those

[00:50:34] Brad Nigh: questions and answers you posted.

[00:50:36] Evan Francen: Right. It makes it a lot easier for the phisher.

[00:50:40] Brad Nigh: Yeah, that’s a trove of information, you

[00:50:45] Evan Francen: So even if I can’t crack your passwords, I can’t get, you know, bcrypt, or, you can’t decrypt hash functions anyway, but if I can’t find the collision or I can’t get your password that way, well, then I just ask people for it. Yeah. Yeah. You know, and if we know people the way we know people, 15, 20, 30% of the people that the attacker might phish, so 30 million accounts you can get passwords for, probably.

[00:51:13] Brad Nigh: Yeah, yeah, we’ve seen 25-30% click rates.

[00:51:18] Evan Francen: So there you go. I thought there were some good tips on Lifehacker. I don’t know if you ever go to Lifehacker much, but I like some of their tips about this breach. Uh, you know, it’s stuff that we’ve said, you know, many, many times before: using different passwords at different sites is always a good practice, using a password management tool. I know that we use password management tools pretty extensively, you know, LastPass being one that, you know, is sort of my favorite. Um, two-factor authentication, you know, right in the middle of that article, uh, any account where they offer two-factor authentication, use it, turn it on. Yeah. And even on accounts that don’t have that option, if it’s important enough to you, maybe consider not using that service, finding a different service that does offer it. Yeah. Mm. Um, and then, you know, dormant accounts. I wonder how many accounts, how do you find your dormant accounts? Mhm. I must have 1000 accounts that I have no idea I even have anymore. I know.

[00:52:31] Brad Nigh: Yeah, probably. Yeah, geez, I

[00:52:37] Evan Francen: can find those.

[00:52:40] Brad Nigh: Your old Myspace account is no longer active, is what I’m hearing.

[00:52:45] Evan Francen: Oh God, what? I hope No. Yeah, I’m sure there’s some accounts out there that yeah, I don’t know

[00:52:55] Jim Nash: all those pictures of Evan and a mullet are gone.

[00:52:59] Evan Francen: Oh no, I got those. Oh, okay. Yeah, I had all those digitized. I got them on my phone. I can send them to you.

[00:53:07] Brad Nigh: It’s on the digital picture frame on his desk at work. It cycles.

[00:53:13] Evan Francen: Glory

[00:53:14] Brad Nigh: days.

[00:53:17] Evan Francen: All right, well, we had some fallout this last week, which we would expect, you know, from the Marriott breach. That one, you know, it’s good to see that, I guess, uh, people have such short-term memories, you know? Um, but there’s a lot of stuff, so Marriott, one of the things is, I know, uh, there’s a push for new privacy laws. Uh, Senator John Kennedy of Louisiana told The Hill, that’s the name of the website, if you’ve never been there before, it’s a political website called The Hill, um, that he’s crafting some privacy legislation to address these kinds of attacks, meaning the Marriott breach. Um, okay, and I get it, but the one problem I have with people trying to legislate information security is people will take the shortest path. They will only do the letter of the law and they won’t do the intent of the law.

[00:54:25] Jim Nash: You know, and that’s every day, Evan. We pass laws all the time down in the Capitol and people will abide by the letter of the law, or they may not even do that. I just think it’s interesting, we can’t legislate laziness or, you know, poor quality. You know, so you can have a new law and everyone will think that’s great and they’ll say, oh, it’s marvellous, we love it, so visionary. Um, if you don’t practice this, if you don’t carry it out, it doesn’t mean anything, right? And

[00:55:05] Brad Nigh: how many of these laws, especially on cybersecurity, are being written by people that have no idea what they’re actually talking about?

[00:55:15] Jim Nash: Almost all of them.

[00:55:17] Brad Nigh: Uh huh. We stayed from the general. So here

[00:55:21] Jim Nash: here’s how a law is created by somebody who doesn’t really know what they’re talking about. They’ll hear about something that piques their interest, and let’s say it’s cybersecurity, and you go to whatever body that you happen to represent in, so a congressman or, in this case, the senator, Senator Kennedy, um, says, oh, I’d like to do the following, blah blah blah. And then they have a policy analyst and a lawyer look at what could be done, without consulting people who are truly experts. Now, many people do consult experts and get a better law, but it still comes down to, will the new law actually force change if there is no enforcement activity on the back end? So if someone has to make an investment of X number of dollars to become compliant with whatever the new law is, but the penalty is much less than the investment, why do it?

[00:56:30] Evan Francen: No. Yeah, exactly. Well, and it’s funny, not funny, but in the same article, uh, from The Hill, it’s bipartisan, not necessarily a single bill, because God forbid we agree on that, uh, but both sides of the aisle are calling for, you know, stricter penalties, you know? And at the end of the day, I mean, I think these things help to win votes. Let’s show that we’re tough and we’re in it for the consumer, and, you know, I mean, that’s good stuff. Um, but I’m just not all that impressed with whatever law, you know, is going to come out, because if I’m doing security, I think, the right way, which is managing risk well, whatever law you come up with is just, I may have to change a few more things, I may have some more added expenses to just check a few more boxes, but I’m still running a good security program. I’m not the target for that bill, necessarily. Um, but we also have to be reasonable here. Um, the way risk works, no matter what I do, I cannot prevent all bad things from happening. So there will be a breach at any organization of any size that has anything that’s of any value. Uh, it’s just a function of time. That’s just how it works. You know, and that’s how risk is, right? It’s likelihood and impact. So to bash Marriott for this, okay, maybe. I mean, were they negligent? I don’t know. Uh, that will come out in civil lawsuits and everything like that, but I get a little fearful when we jump to, we’ve got to create more legislation, we gotta be tougher. Um, yeah. And some people,

[00:58:22] Brad Nigh: but I think it’s that adding complexity fortune, right? So we now have additional things that we have to follow to make sure, it’s like we talked about last week, where people are saying, well, GDPR can lead to more breaches because it’s more complex and there would be more mistakes made, and people are worried about it. It’s the same thing here, right?

[00:58:45] Evan Francen: Right. It would be nice if you could just legislate somehow “just do the right thing.” You just have one law and then it just takes care of everything.

[00:58:57] Brad Nigh: Quit being lazy and do the right thing.

[00:58:59] Evan Francen: Right? But wow, that’s Nirvana. All right. Well, anyway, also from Marriott, so we expect something, you know, going on on Capitol Hill, and, you know, they’ll figure out some whatever and then we’ll deal with it. Uh, the Marriott breach also has some multibillion-dollar lawsuits. It’s always funny, it’s like as soon as one of these, you know, big breaches is announced, I’m sure that there’s this big rush to be the first one to get a lawsuit filed, right? So they have this class action, and if you do win the case, who makes all the money?

[00:59:38] Brad Nigh: Look, it’s not the people that get a year of credit monitoring and, like, $3.17.

[00:59:44] Evan Francen: right? Yeah.

[00:59:47] Jim Nash: You won’t even get a free stay out of this whole deal.

[00:59:50] Evan Francen: I know, man, and it’s so frustrating, because on the one hand, if in fact, I mean, I have a lot of faith, you know, whether I should or not, in our court system, in our system of justice, that in a civil suit, you know, it’s the preponderance of evidence, right? It’s tipping the scale one way more than the other way. And if you can show that Marriott was negligent in this breach, well then, fine, there should be some penalties they should pay. So part of me wants to see that happen if in fact they were negligent. But the other part of me is like, I don’t want you, because who gets all the money? The lawyers. Mhm. Not the people who actually suffered, assuming anybody did suffer. I mean, who knows? But

[01:00:38] Brad Nigh: right, uh, I think that’s gonna be the tough part, is how do you show that there was harm, yeah, that they suffered a loss? Most of us, I guess, the passport information, those people probably have a pretty good standing, but

[01:00:56] Evan Francen: well, there’s different types of penalties too in civil law, I think. I’m not a lawyer, I’ve just, you know, as you know, been around enough of them through enough of these cases. Um, you know, there’s punitive damages as well, right? So I don’t have to show, I don’t think I have to show any harm, because punitive damages are to punish the company. So it’s not compensatory-type damages, where you’re actually going to compensate me for losses that are incurred. It’s, um, I’m gonna punish you because you were negligent and, you know, whatever. But, uh, yeah, I don’t know, I don’t know what’s gonna happen. You know, most of these cases, uh, end up not, uh, what’s the right way to say it, the plaintiff, meaning the class action, typically doesn’t win, I think, in a lot of these breaches.

[01:01:54] Jim Nash: Mhm.

[01:01:56] Brad Nigh: It’s hard to show, you know, negligence on that too.

[01:02:00] Evan Francen: Well, yeah, it really is.

[01:02:03] Brad Nigh: It’s tricky

[01:02:04] Evan Francen: When I always think, like, is it negligence? Because for negligence there’s that reasonable or prudent man rule, I think is what they call it. And so if somebody with the same information, would they have made a similar decision or similar decisions? And if not, well then, you know, it’s the prudent man thing, and if I didn’t do what a prudent man does, then, uh, you know, I could potentially be found negligent. Well, how much of the herd plays a role in that, right? If everybody else is sucking at security and I suck at security too, well then I’m not negligent, right? Uh huh. I don’t know, it will be interesting to see. But it’s also, uh, in that article, this is an article from MoneyWatch, uh, you know, “Marriott breach sparks multibillion-dollar suits with more to come,” um, supposedly under GDPR they could go up to $912 million in fines for the breach.

[01:03:03] Jim Nash: Good luck collecting that.

[01:03:05] Evan Francen: Yeah. Right. I’m not sure what I’ll, yeah, I’m not sure. There’s also the suit, one of the lawsuits seeks $12.5 billion in damages.

[01:03:15] Brad Nigh: That sounds like, uh, an attention-grabbing headline suit there.

[01:03:21] Evan Francen: Well, they came up with that number for each customer who was affected. Uh

[01:03:27] Brad Nigh: huh. That’s all. Yeah.

[01:03:30] Evan Francen: Well, so you’re gonna give me $25.

[01:03:32] Brad Nigh: Well, that’s before the attorneys get their part.

[01:03:35] Evan Francen: Right. Right. The attorneys get their many millions, and then here’s your $25. Thank you very much. All right, so we’ll see what happens from that. I just think it’s, you know, we’ll keep an eye on what’s happening with Marriott. The last news article I had was, this will be a short one, I just think it’s interesting. Um, I don’t know where I came across it either, but this article is from Military Times and it’s, um, sextortion, sex store, sextortion. That’s what I said. “The U.S. Military’s Dirty Little Secret Is a Growing National Security Concern.” And then the same story is also on, or similar stories are on, CNET, um, troops who thought that they were talking with women online. Instead, it was prison inmates looking to make a quick buck. Yeah.

[01:04:33] Jim Nash: Well, they got the fucking into that lollipop,

[01:04:36] Evan Francen: Right? So the way this works is, and the concern here, there’s a lot of military folks have, um, well, one, there are strict rules, right? So if I’m, uh, you know, sharing nude pictures or, you know, whatever, um, online, um, with somebody else, and then that somebody else says, hey, I’m going to share this, I’m going to post it, you know, I’m going to let all your friends, let your employer know, which would be the government, and all these things, unless you pay me money, uh, the military person, right, would be more likely to probably pay that ransom as opposed to facing whatever sanctions they’re going to have. Yeah, that’s one thing. But then another thing is some of these military personnel have clearance, they have access to really sensitive information. So this is a good way for, you think foreign, uh, our enemies, to potentially get secrets.

[01:05:43] Jim Nash: Well, this goes back to the 1950s-style spycraft that the Russians and the Americans would utilize, by finding compromising information or compromising pictures in order to turn somebody to become an agent of a foreign government, to spy against your own government. Yeah, just a new application.

[01:06:06] Evan Francen: Yeah. But yeah, I think the application here is it could be much more widespread too, right? Because I don’t have to leave, I don’t have to be physically near you or with you in order to do this type of direct attack. So I think it’s interesting. So the Army Criminal Investigation Command says it’s seen a handful of these cases, according to what the Military Times reporter, um, said, but they didn’t have precise figures. All three agencies, NCIS, Army CID and Air Force OSI, they’re all crafting a bigger, broader strategy for the Defense Department to deal with this sextortion problem. So I thought it was interesting. I don’t know, we’ll probably see more about that in the future. Mhm. That’s all. I mean, I’ve got more news too, but we’re running out of time.

[01:07:03] Jim Nash: Did you see the link I sent you on Dunkin’ Donuts?

[01:07:06] Evan Francen: I did

[01:07:07] Jim Nash: Yeah, and I’ll keep this quick for the listeners, but it’s a Dunkin’ Donuts reward program, DD Perks, was breached. Um, and it came through a password stuffing approach. So they were breached because somebody uses the same password and email for other sites and they just were able to get in, and they haven’t shared how much or how many accounts were impacted. But, you know, I just thought it was kind of humorous, and there’s a blog on our web page about this talking about how important it is, as I think Brad you said earlier, to make sure that you’re not utilizing the same password and email for multiple sites. But we know, because we hear it from clients all the time, that they do, and it’s laziness on behalf of the user. Um, but it’s an easy way to get into something for the bad actor. Uh huh.

[01:08:14] Evan Francen: Yeah, absolutely. Yeah. And that blog post, written by Jim, I have to say yours truly, but it is yours truly, not me, yours truly, but you, yours truly. Uh, that’s why I got stuck with what I was going to say. Anyway, “Common Passwords Can Defy Your Security.” It’s a good article written by Jim, just posted last week, if you’re interested, on the FRSecure site. Do we want to mention anything quickly about the Australian encryption law, Brad, that we talked about yesterday at the Christmas party, or

[01:08:49] Brad Nigh: Uh, we can focus on that maybe next week. Although we’ll have another guest.

[01:08:56] Evan Francen: Yeah. I’m guessing you’re gonna raise my ire

[01:09:00] Brad Nigh: a little bit. That’s not going to be a quick one. Uh

[01:09:03] Evan Francen: huh. All right, well then that’s it for episode five. Thank you, Jim, for coming and joining us. Hopefully you had a pretty good time.

[01:09:13] Jim Nash: Absolutely. I’d love to come back anytime. Cool.

[01:09:16] Evan Francen: And Brad, as always, it’s always good, you know, having you, uh, talking security together.

[01:09:23] Brad Nigh: Thank you. Yeah, these are fun to do.

[01:09:26] Evan Francen: Cool. Have a great week and we’ll talk next week.