Hacks and Hops: A Behind the Scenes Look

Unsecurity Podcast

Brad was quickly immersed in responses after returning from time off, so Evan and Brad discuss the projects he’s working on. The discussion also ties in two events FRSecure is a part of: Hacks and Hops and DEFCON. The guys give an update on the exciting FRSecure-run event on incident response in September and recount how the FRSecure team did at DEFCON warl0ck gam3z.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Brad Nigh: Good morning and welcome to episode 40 of the Unsecurity podcast. My name is brad and I and I’m your host this week. I’m back again a couple weeks off but I’m ready to go joining me this week as co host is Evan Francen. You can tell I had a couple of weeks off because we uh had to redo this intro.

[00:00:42] Evan Francen: Yeah. And you seem like you have a little more energy this morning.

[00:00:46] Brad Nigh: I’m feeling good. It was, it was weird to get up that early at the last, you know, The last two Mondays got to sleep in. Well, he’s been being relative.

[00:00:56] Evan Francen: It’s good to have you back because it’s not like the last two guys weren’t awesome. Right? That would be Ben uh in quotes. I was doing air quotes and uh, and john Herman, uh you know, security studio fr secure president. It was good to have them here. But you know, we started this back in november. Yeah, november, it’s good, it’s good to have you back man.

[00:01:18] Brad Nigh: Yeah, well, it was nice. I got to actually listen to the last two episodes because you know, I don’t listen to myself. I can’t do that. But so what do you think? It was good. Yeah, it’s really good. It’s fun. It was, it was different to listen to it.

[00:01:32] Evan Francen: Well this is episode 40 and so we’ve had 39 prior episodes. I think I’ve listened to a total of maybe two minutes because of the same reason. Yeah, I don’t I can’t stand listening to myself, I can’t stand looking at myself on tv.

[00:01:46] Brad Nigh: It’s pretty bad. But you think about it, it’s 40 episodes I’ve missed two

[00:01:55] Evan Francen: the last two.

[00:01:56] Brad Nigh: This is the only to know I missed one other one. I missed three. Okay. It was all Because I was out of the office and you missed two

[00:02:05] Evan Francen: one. I think I just missed one. And it’s because you kicked me

[00:02:08] Brad Nigh: because of her vacation. That’s pretty good though. Told me I couldn’t come. It’s not bad like that.

[00:02:14] Evan Francen: Right? And then there was the one when I was in uh oh yeah, you were in san Jose or something.

[00:02:19] Brad Nigh: No, you’re in uh Anaheim, you’re right, there was that one and then we did the ones from when you were writing in february.

[00:02:25] Evan Francen: Oh yeah, that was from the Cancun Star Starbucks and we couldn’t

[00:02:30] Brad Nigh: couldn’t get good audio because the kids were playing Fortnite or whatever.

[00:02:34] Evan Francen: All right, that was my favorite place to write. I love writing. I’ve been looking for the same sort of place here in Minnesota since then I can’t find it not finding it because it was such a cool place.

[00:02:46] Brad Nigh: We got up to Duluth and up north a little bit by the lakes. Right. I did, yeah, but I got not quite the same.

[00:02:52] Evan Francen: No. Well, because I got distracted people wanted other stuff done.

[00:02:56] Brad Nigh: You know, you gotta just completely unplugged. Yeah,

[00:03:00] Evan Francen: yeah, because yeah, there’s lots of stuff going on. Security studios going well, that’s good. Getting uh investor dex done and you know, stuff like that. I’ve never done any investor deck before. So seeking investors is not something I’m, you know, an expert at. So, but I’m learning.

[00:03:20] Brad Nigh: Yeah, Yeah. It’s gonna be a totally different like thing from what you normally do.

[00:03:27] Evan Francen: I know right well, and being a security guy, you know, that’s what I’ve, that’s what I do. We have our first board of directors meeting for security studio on friday and it’s like very cool. Well, sort of, but I don’t know. What, how do you do a board of directors meeting?

[00:03:44] Brad Nigh: Well, that’s funny because I know you’ve been, you’ve presented to board of directors so many times. Like it’s, that’s second nature to you. But this is different.

[00:03:53] Evan Francen: Right? Well, now I’m like one of, yeah,

[00:03:56] Brad Nigh: we’ll figure it out. You’re one of them.

[00:03:59] Evan Francen: Yeah, I’m like chairman of the board. Funny to even say that.

[00:04:06] Brad Nigh: Yeah, I want to make some sort of a smart ass snarky comment on that, but right.

[00:04:12] Evan Francen: Well, the board meeting is here in our boardroom. So uh, nine o’clock friday morning if you want to just stop in and say something stupid,

[00:04:21] Brad Nigh: just like, is he like drawing cartoons or something? Like, does he have pants on? I

[00:04:27] Evan Francen: haven’t got a quick question for you. Yeah, brad, I’m in a board meeting chill. I’m like a real business guy here. Come on. I

[00:04:40] Brad Nigh: tried to come up with something. Okay, uh,

[00:04:44] Evan Francen: busy business ng business,

[00:04:45] Brad Nigh: the lego movie. The business business business. Is this working? Yeah, that would be Evan. That’s what I’ll just, I’ll hijack your presentation and slide that. Right? And

[00:04:56] Evan Francen: well, are all these boards, all these board members have been on boards of directors. They are on board. Okay, So they’re going to come in and and here’s this guy, you know, chairman of the board and be like, who the hell,

[00:05:08] Brad Nigh: shorts and a t shirt? Yeah, I

[00:05:11] Evan Francen: think the sandals, we’ll get, we’ll get good, good work done. I’m excited. It’ll

[00:05:15] Brad Nigh: be different more than what they’re used to.

[00:05:18] Evan Francen: Yeah, but that’s that’s us. Right? Yeah, I mean, everything we do is is sort of different.

[00:05:23] Brad Nigh: Oh, yeah, people like it, yep, I agree. All right, so we’ll jump back in here. Um, you know, I was off two weeks ago last week, I was in the office, uh, did some training. Uh, did the easy, I did, I went through the ec. Council’s certified incident handler. You know, expanding our uh, our program here. So, you know, we’ve had our standard emergency response services forever, but we’re trying to expand on that. We’ve just seen the demand. So I kind of thought is we’ll go through easy Councils and we know what the sands training is but it’s God awful expensive. Um So I went through the first one in uh Oscar who will be talking to here in a little bit.

[00:06:08] Evan Francen: Yeah he’ll be our guest

[00:06:10] Brad Nigh: next week. Uh He’s going to do there uh certified forensic investigator one and we’ll talk and see if it’s worth,

[00:06:18] Evan Francen: well he’s going to do the CF H.

[00:06:21] Brad Nigh: Yeah yeah whatever that. No the no no no the Ec council they have a certified incident handler and it’s a certified forensic investigator. So it’s kind of like a two tier for that. So it’s going to do that, we’re testing to see you know, does it make sense to anybody on our I. R. Team that’s just something we put them through the first month. They go through it and gets on that or is it worth it to pay the extra it’s three times as much to the sands is to do both of those. So it was it was interesting to read

[00:06:56] Evan Francen: It, read it on a scale 1-10, 10 being the best training you’ve ever taken. One being the

[00:07:01] Brad Nigh: worst. So here’s where I’m struggling. It was very foundational And so I 1 to 10 man. Honestly I’d probably give it a four or five but I don’t know if that’s because of I’ve been doing this so long, right?

[00:07:17] Evan Francen: And you’re such a nice guy. So it’s funny to it’s fun to sit here across from you and what you struggle like

[00:07:23] Brad Nigh: like there, Well, they had really they had good things in there, right? Like, you know how to look for stuff using, you know, the assist internals tools for potential malware. What I’ve done that or how to look through log files on exchange or how to look through the event logs, how to find which is really important stuff to know. But I’ve done it for so long. I’m like, yeah, I know, I know how to do this.

[00:07:48] Evan Francen: So it’s really the basics, it

[00:07:50] Brad Nigh: was really the basics. It was I was I will say this, I was disappointed. They didn’t have more around how to actually, you know, doing the recording of the stuff like the process. It was more like, yeah, here’s some how you can act launched this tool used like NJ rat for a remote access trojan. All right here, set it up, run it and then go over to the southern machine and here’s how you can find it. And here’s this indicators you can look for, which is really nice. Right? But it didn’t say anything about logging activity or any of those kind of fundamentals. Now I’m hoping that’s in that second piece with the forensic investigator. Yeah. You know, we’ll see what Oscar says, But,

[00:08:35] Evan Francen: but if you’re looking for like the base based training to just get on the team as a junior analyst, maybe it’s access for that.

[00:08:44] Brad Nigh: Well yeah we’ll see if we can do, you know, like I said we can do both those trainings, you know, at a fraction of the cost, right? At least it gets a foundation. It gives people a chance to get kind of ramped up and thinking that way because a lot of people we have coming in our I. T. Focused

[00:09:02] Evan Francen: So and there’s a pretest, right? And didn’t I heard something like tom took just 90

[00:09:08] Brad Nigh: seven. They had like an assessment on their team on their website. And I was yeah

[00:09:12] Evan Francen: it was like do I have to do the training and I just can’t get the

[00:09:15] Brad Nigh: shirt. I know I did it I was the grammar wasn’t very good on some of it. It was weird but

[00:09:23] Evan Francen: english thing is hard and

[00:09:24] Brad Nigh: it is yeah. But yeah

[00:09:27] Evan Francen: I’m an author so yeah I get it. Right.

[00:09:31] Brad Nigh: I mean you get to make things up. So I had like five editors. That’s funny. But yeah we did the 50 it was a 50 question assessment, like kind of a practice. Where are you at? Uh And yeah tom got a 96 and the other guys and we all everybody passed it would have been passing. I’m assuming the actual test will be a little bit more difficult but that’s a good sign from our team that were you know on top of this stuff. So but we did have The couple ir calls come in last week, 3, 3, 3, uh one of them, the guy, you know, they were like, yep, let’s let’s do it, said it over and then he filed a claim with his insurance and insurance said, yeah, we’ll handle all the stuff with the incident response. You just have to wait and we haven’t heard anything and he hasn’t heard any update. That was Wednesday.

[00:10:23] Evan Francen: What kind of incident was it?

[00:10:24] Brad Nigh: Uh They oh man, I’ve been trying to remember the details on that one. That’s a problem. You have three come in, They they were the ones,

[00:10:36] Evan Francen: is it ransomware or was it? Uh

[00:10:40] Brad Nigh: Yes, yes, yeah, yeah, so it was a managed service provider that had ransom where that came in. They got in, they found them, they think they got in through like the connectwise secure connect or whatever that exploit was. They think that’s how they got in, but they don’t know that was what they wanted us to help and figure out. But then, yeah, they were able to determine that the, the attacker got into their cloud backup appliance as the admin and uncheck the delete the cloud storage. They were able to catch it before the secondary cloud storage, so it’s backed up to the cloud and then replicated and they were able to catch it before the replication was deleted, so they were able to back up from secondary backups, but it was,

[00:11:34] Evan Francen: but if they had not have caught it, it would have gotten the secondary as well

[00:11:38] Brad Nigh: and they had at least 10 plus customers that would have been infected or that were affected plus their internal stuff. Oh my God. So it could have been really really bad. So he really wants to work with us but we’re waiting on insurance. So then, so

[00:11:54] Evan Francen: that’s been, how many days, what day was that? That was Wednesday

[00:11:56] Brad Nigh: Tuesday or Wednesday.

[00:11:58] Evan Francen: So here we are, five days later, six days later

[00:12:02] Brad Nigh: now they’re up. So it’s not as you know, necessarily critical. They were able to recover everything from backup but wow it is still

[00:12:12] Evan Francen: there. They want to file a claim

[00:12:14] Brad Nigh: because of the, well they were going to file one for the recovery and the cost for because their customers were impacted. So there’s damages and stuff and I guess that and then the cost for the investigation, it

[00:12:27] Evan Francen: sounds like the insurance company is probably not at all interested in attribution. You know, because walking all over whatever is there For the last 5, 6 days actually.

[00:12:40] Brad Nigh: Uh No, I know it’s it’s gonna be not necessarily good. Now they did. They were, he did say that they were able to uh pull a bunch of the logs and and do have those stored off but interesting we’ll see what we could happen there. Uh Another one. Insurance again, we had an incident that we worked on in april may ended in kind of early june Because the guy wanted to go through insurance. We finally heard back from insurance last week, two months. Oh my gosh, it was June 13 was the last communication we had because he was going through insurance and the lawyer for the insurance called us last week. Mm It’s 16. What? Really? Uh, that one was active

[00:13:32] Evan Francen: is the law firm, We don’t have to say the name, but do you know, do you remember the name of the law firm? Is it a big national?

[00:13:38] Brad Nigh: You know what, I’ll be honest, I didn’t didn’t even look it up because I was, because the middle of about 10 different things I’ve worked with,

[00:13:45] Evan Francen: I don’t know, a dozen or so lawyers from different law firms that get that work with insurance companies and, but you know, this is a good topic and maybe it’s a good thing to write about or it’s a good thing to have in a future podcast is, I don’t think people understand how insurance works with what we call it. Cyber insurance. I hate that name. But um because the way you think that the insurance company works for you, I know the insurance company works for the insurance company and they don’t want to pay a claim if they don’t have to and if they can drag it out, they’ll drag it out. They don’t want answers like you do you know? So like they may not want to identify how this thing happened. Right. Right. They just want to, how do we remediate as quickly as possible and pay as little as possible. Right.

[00:14:42] Brad Nigh: And the answer, I don’t know how to remediate because I don’t know the full extent yet. You cut us off at the knees, Right?

[00:14:50] Evan Francen: So that, that’s why, you know, even if you have cyber insurance, that doesn’t mean you shouldn’t still have an incident response capability and be and there’s a time when to contact insurance companies and there’s a time when not to. And I think, you know, there’s so many things to talk about with insurance because I think the number one thing that invalidates claims is timeliness of reporting once you find out the clock doesn’t start ticking where you’re going to have to make that decision on. Do I file an insurance claim or not? So knowing that? But then also what investigation can you do before insurance maybe gets involved?

[00:15:29] Brad Nigh: Let’s actually validate that it was in fact. Right.

[00:15:34] Evan Francen: And in some cases, do you have to wait for the insurance company to call back? I mean, is it going to invalidate the claim if you do your own incident investigation waiting for insurance to come because I haven’t seen that invalidate insurance claims. I’ve seen insurance still pay out on those instances,

[00:15:57] Brad Nigh: we’ve definitely had them where they called and we got started. Now, I think it’s that third party, right. I think if you were doing it yourself, they might have some issues. But if you bring in a firm,

[00:16:10] Evan Francen: well, insurance companies have all negotiated to write preferred rates with insurance are with the incident handlers. And even then if you, if you’ve negotiated a preferred rate, which means you’re going to pay less the incident handling company um, has margins to make as well. Right. So think about what level of insurance incident handler you’re going to get assigned to your case Because you’re probably not going to get their 18.

[00:16:39] Brad Nigh: No. Well, and, and you’ve been through it where there they want you to basically find how to, how do we invalidate or not have to pay out? Right. They want to find the mistakes, not the

[00:16:52] Evan Francen: problem. Yeah. There’s, there’s many clients of ours that yes, you have a cyber insurance and yes, they have an incident handling capability but still get an incident handling capability yourself. Whether you get a third party like fr secure or get, you know, somebody else because they will work for you. We will work for you as opposed to the insurance companies working for the insurance company.

[00:17:17] Brad Nigh: Yeah. Have, have, you know that managed service have that capacity to have that incident handler involved on those calls to, you know,

[00:17:27] Evan Francen: right. Because it’s not all cut and dry. It’s not like I just call the insurance company like I do in a car, they send out an adjuster, yep, there’s a dent in the car. So

[00:17:37] Brad Nigh: funny story on that actually was talking to somebody else and they said that they had somebody call in and their insurance company when they call them file a claim said okay we’ll have an adjuster come out in a couple of days for for a cyber incident,

[00:17:54] Evan Francen: take some pictures

[00:17:55] Brad Nigh: and he was like, what are they gonna do? Right yeah, you’ve got computers to take a picture of the lock screen. I don’t yeah, I don’t know. Yeah, I was anyway,

[00:18:08] Evan Francen: so be warned to so those two, both insurance held both of those up, one for a couple of months

[00:18:14] Brad Nigh: and the other for a week at this point and then the other one was another kind of a smaller MSP and You know, I hope somebody got into the email and there’s a $75,000 wire transfer. But he had changed the passwords and didn’t really see the need to and they investigate further because you didn’t see any any rules that I was like, well That’s your call. If you can defend that to your customers after you know, they got in and got away with $75,000 and it’s lost.

[00:18:51] Evan Francen: That’s your call on the fact is they had an account. Mm. Yeah, I mean ow a might be one way in but you have a VPN with single factor authentication,

[00:19:01] Brad Nigh: Nobody, I don’t know, I didn’t really go into that detail, but it’s like that’s probably not okay. It’s done good luck.

[00:19:10] Evan Francen: Yeah yeah unfortunate.

[00:19:12] Brad Nigh: So uh and then we had another one before

[00:19:16] Evan Francen: what happened

[00:19:17] Brad Nigh: now uh we had some U. S. B. S. For malware threat

[00:19:22] Evan Francen: analysis. Did they sign

[00:19:25] Brad Nigh: uh have not signed yet? But I do have the we have the other I have the evidence

[00:19:30] Evan Francen: that is there a chain of custody? Okay?

[00:19:32] Brad Nigh: Yeah yeah chain of custody pictures and locked up and yes he was hanging tight

[00:19:38] Evan Francen: when I did. Uh So my first incident response job was at US Bank and it was back in 2000 ISH. They didn’t have an incident response capability. They even incident believe grant back then. So we started from scratch and I was like you know and I guess it’s a good quality to have but to be like ultra anal in forensic investigations. So whenever I got called to capture evidence it was I took a picture of the office. I took a picture of the you know everything exactly the way I found it because you just never know what opposing counsel is going to bring up what you have to defend.

[00:20:17] Brad Nigh: So the surface was fantastic because they’re just into my one note for the investigation. Just took the pictures of the front in the back of the bag. Perfect. And then it came in unsigned. And then we signed it and took a picture of it signed. And so it’s I know you know there’s no question about what came in or anything. But yeah, so that one that will probably be hope. I haven’t I don’t think they signed yet. But obviously there that’ll be one that will leave kind of fun to you. Play with your test out the new uh the new forensics computer we got set up. So it’ll be fun. That will be

[00:21:00] Evan Francen: fun. The uh it’s funny, I mean incident, it’s in response, you know, for somebody who’s done it for as long as we have um it just seems so second nature. But it’s amazing how when you see other people, you know make the decisions, they make that it’s just not

[00:21:19] Brad Nigh: right. They

[00:21:19] Evan Francen: don’t speak that language, man.

[00:21:21] Brad Nigh: It’s so easy, I’ll be honest. I catch myself going, oh wait, document document the times like because you just know I’m like, oh I got to do this, I gotta do this and start, you know, even if it’s just pulling logs, okay at this time I pulled these logs from this and uploaded on here, did this, that’s how I got it off of their servers to mine and you know, it’s a copy of it and all that stuff. It because yeah, you just know what to do what you’re looking for.

[00:21:49] Evan Francen: It’s better to over document. I mean that’s the rule, right? If you’re going too fast to document everything, you’re going too fast and I mean then there’s so many other pieces to it. Too many of our incident investigators investigations don’t include legal counsel but sometimes they do, right and having the discernment as an incident handler to know, you know what we might want to get legal counsel involved and you might want to work under privilege here. Um You know, novice without having experience. You just a lot of novice investigators don’t have

[00:22:27] Brad Nigh: that. We had a call three weeks ago and maybe yeah about three weeks. And they were explaining what happened and it was unauthorized access into the E. H. R. EMR system like uh contact your lawyer and then call us back because we got potential, we don’t know the scope of it. We don’t know what this is going to mean. But you probably want legal involved on this one because of hip hop and the ramifications

[00:22:58] Evan Francen: and there might be a criminal

[00:22:59] Brad Nigh: matter, right? We don’t know what’s going on here. But well I’m happy to work with them, we can do that. Uh Now when it turned out their legal counsel wanted them to check some stuff first and before they went with us but I haven’t heard anything so but I’d rather I’m okay to not get one and have it go through legal and let the lawyers defend that decision then right, go through it and then go to time out. We got a problem.

[00:23:28] Evan Francen: Yeah. Right. Yeah. Yeah. It’s yeah I like being cautious but also not I mean that’s that’s the cool thing about you know I think you and I is we’re very methodical uh you know you think things through before you do things right? It’s like Can I see five steps down the road if I do too? If I make this decision, what’s the other branches and the logic here that might lead me down to like crap, I should have done this and maybe I’ll just do that now.

[00:23:59] Brad Nigh: And like in that one they identified it and disabled to access for those accounts, there was no ongoing threat. They knew exactly kind of what the background was.

[00:24:08] Evan Francen: So you’ve taken the urgency out of

[00:24:10] Brad Nigh: it, right? Let’s let’s slow down. Let’s talk with legal and then we’re happy to help if they want to get involved.

[00:24:18] Evan Francen: Yeah, you can tell, you know, some incident investigators just go way too damn fast and they panic and they don’t bring any sense of just calm to the situation. Just slow down.

[00:24:31] Brad Nigh: It’s always get through. It’s always been one of my kind of strength is to like when it’s chaos, it’s just like all right, I got this and just slowing everything down. I can disaster recovery or incident response. So I like

[00:24:46] Evan Francen: well chances are pretty good, nobody’s gonna die. But now we’re talking defibrillators and cars and everything else being hacked. So

[00:24:54] Brad Nigh: yeah that could be able to hold true and that could be a problem. Well so that’s a you know a good segue um

[00:25:05] Evan Francen: all those things, you’re right, right. Yeah, so still different.

[00:25:10] Brad Nigh: Yeah. Uh Into the hacks and hops coming up here in september so in september 19th at the U. S. Bank Stadium at one of their big rooms and there, I don’t remember which one. Uh we’ll talk about that. So uh you know, you want to talk a little bit about the panel since you are the moderator? The

[00:25:32] Evan Francen: moderator. What does the moderator to just ask moderates? Right. That’s the easy job because you don’t have to actually like answer the questions. It’s a great ask them. Yeah.

[00:25:42] Brad Nigh: Get to make snarky comments and jokes. It’s

[00:25:45] Evan Francen: like it’s a dumb answer. Well, let’s go to the next Panelist. No, I wouldn’t do that. Yeah, so hacks and hops. This is what our fourth hacks and hops uh These are events that fr secure puts on. I think there awesome events because people can come and learn and network and drink beer and do all that stuff. And if you don’t drink beer, like I don’t drink beer, I don’t drink, but I can drink iced tea. You know, it’s cool. Can you imagine if I was drinking beer up there, what that would be like as a moderator?

[00:26:19] Brad Nigh: I would say it be more entertained, but I don’t know, you’re pretty entertaining as it is. I

[00:26:23] Evan Francen: don’t know. Yeah, but I’m really excited about the panelists and the three panelists. Uh you know, I know them two of them. I know very well. The other one I I don’t know really well I know of her but I haven’t had a great opportunity to collaborate much but JD Hansen is one of our panelists. She’s the sea. So for code 42 which is a pretty awesome company here in Minnesota. Um And I’m I’m really interested to talk to her because one we don’t have a lot of female CSOs in our industry so I have a lot of respect for her in in that. Um and I also know that she’s put together just a really good team over there at code 42. So I’d love to hear about um you know how they’ve built their incident response capabilities. If she can share you know an incident story or two that would be helpful. But being that she works as a C. Show at. Yeah there’s probably probably not going to be able to go that route.

[00:27:31] Brad Nigh: I’m going to guess that’s more going to be about how do you build a program internally and that aspect of it which is going to be really good like counter to the other guys.

[00:27:42] Evan Francen: Totally. True. Yeah so Mark Landerman. Mark is uh he’s got like a lot of kids I don’t know why they just popped in my head but he’s a super good guy. Um He when you talk about forensic investigations he is definitely an expert. I mean he does him and his company do uh instant investigations for I think most if not all of the law enforcement in this state at least B. C. A. In the bureau of Criminal apprehension I think uses him for other forensic investigations. Uh He does a lot of speaking so and he’ll be able to bring a bunch of stories. He’s a good storyteller. So I’m excited to have Mark Landrum in there and then chris roberts uh Chris roberts for you know people have been around, Chris is very well known. He scares people, I’m

[00:28:40] Brad Nigh: excited to meet him. He hacks

[00:28:41] Evan Francen: airplanes which he shouldn’t do and he knows that now so he doesn’t have airplanes anymore. Uh But he’s a he’s a character. He’s uh he’s got a beard longer than mine. Um I admire him because he does tell the truth and he doesn’t really care too much if it offends you which I like. Now he works as more of uh you know he’s not a ceo of a company so he can be a little less politically correct than I can. He’s kind of loud. He speaks the kind of he speaks the way I speaking my head, he speaks the way I want to speak but I have to like like I can’t throw Oppenheimer’s around like he can I guess I’ve got people who expect more who expect a different language from me.

[00:29:26] Brad Nigh: So so Chris Speaks how you’ll speak in like 1500 days.

[00:29:31] Evan Francen: That is very true yep. And so I have a ton of respect for chris um he’s very logical very truthful um certain he has certain triggers which is kind of fun. I do know what some of those are so maybe I’ll play a couple of those. Yeah yeah he’s flying in from Denver uh he’s got a ton of good stories too. I mean the guy’s the guy’s legit so that’s gonna be a great panel. I’m excited to hear what these guys got to have to say in one. It’s sort of like you know what you know I mean these are people I really respect so much that you’re like gosh what am I on the pant, Why am I on the stage with you guys? You know

[00:30:12] Brad Nigh: but why you’re moderating that on the panel?

[00:30:15] Evan Francen: Probably yeah probably you’re welcome. No thank you but Chris will also tell stories. So Chris will tell. Chris will be this is the cool mix. Chris will tell stories in your face that the raw truth mark will tell you stories without that.

[00:30:32] Brad Nigh: So much entertaining. Yeah

[00:30:35] Evan Francen: and J. D. Will give you the corporate perspective I think so you know it’s it’s a great

[00:30:39] Brad Nigh: panel. Yeah I think it’s gonna be really good. I think this is gonna be like we’ve had really good panels but I’m excited this one

[00:30:46] Evan Francen: and I want to take this you know so I I’ve kind of been talking with marketing, it’s time to take this on this show on the road. You know, we’ve been doing this in the Minneapolis area. It’s time to start going to other parts of the country and getting other people involved and talking to them about security. Um, so hopefully this will be a springboard for that. We still have Some seats available. September 19 at US Bank Stadium

[00:31:11] Brad Nigh: Last I heard is there was over 200 registered already? Think that sounds

[00:31:16] Evan Francen: right. Yeah. Yeah, it’s filling up quick. Um, so if you want to go there and just go to hacks and hops dot com and you’ll see your registration, they’re registered, get your tickets before they get sold out. And I think with the ticket you get like beer and stuff.

[00:31:30] Brad Nigh: Yeah, you get some beard, right? And some appetizer

[00:31:33] Evan Francen: and if you come up and ask, you know, talk to me, I’ll give you my beer

[00:31:36] Brad Nigh: tickets. I’ll give you, I’ll give mine away too.

[00:31:38] Evan Francen: So there you go and give you some extra beer for coming.

[00:31:41] Brad Nigh: There you go. Yeah, it’ll be good. I’m really excited. I think we’re still working to try and get all of our I. R. Team flown in for for the, you know, kind of that time frame and uh, could we potentially get do their training and get them at hacks and hops that week and kind of, you’re like get some exposure. Debbie Club, we’ll see what happens. Um So one of the questions that came in uh Jeff, I emailed us and said incident response, What is minutia and what is a real incident? It seems contradictory to say some companies may not use their I. R. Plan in a year and to also say that every suspected attack malware scan et cetera is an incident.

[00:32:27] Evan Francen: So this this uh so this question came in on our proton mail,

[00:32:31] Brad Nigh: yep insecurity at proton mail. So you know, that’s an interesting question. I think where your I. R. Plan comes in is where you’re defining what is an event in an incident, right? Is

[00:32:47] Evan Francen: not all events or incidents but all incidents or events.

[00:32:50] Brad Nigh: Right? So you know, you might have a lot of events and it could be an incident where you’ve got a malware installed but your antivirus catches it or it quarantines it but requires manual intervention. Well, that should be defined in the IR plant and that might be a level one helped us. We don’t need to engage the I. R. Team. I think that maybe that’s where that confusion comes in at what point do we engage the I. R. Team versus just using the plan to understand what the action should be?

[00:33:21] Evan Francen: Yeah, I think, you know, being that information security isn’t a one size fits all. Um how you define your how you define an incident in your organization might be different than the way we define an incident in our organization that’s totally fine, there’s nothing wrong with that. So looking for one universal um, definition. Yeah, I think the most important thing of those, but I don’t know how well that would fit for, you

[00:33:49] Brad Nigh: know, but well in regardless of how you define it define it, bingo. That’s the most important thing. How how do people know what’s the difference? Let’s define it and show

[00:34:00] Evan Francen: Yeah. And you want it to be, you know, because I’ve seen many organizations uh, you know, define an incident to uh kind of Gucci too soft define it as specifically as possible so that there’s no question that this is an incident and this is not because, you know, depending on where your incidents kind of get triaged, where they come in. In many cases it will be a help desk. Right? And so they’ll need to discern, is this an incident or is it not

[00:34:35] Brad Nigh: Anybody who’s worked in a helpdesk knows, you know, you’re not typically sitting around twiddling your thumbs like you got 50 things going on at any time. You’ve got to make it easy and like not logical, but just common sense to be able to go, okay, here’s the steps, Here’s what I need to do. Okay. Yes. Incident, not incident

[00:34:56] Evan Francen: exactly. And so, you know, once you’ve sort of defined these things are incidents and maybe you start with some some organizations struggle with just creating that definition. So create a series of um events, right? A malicious code attack the dDoS you know just start listing different types of attack vectors and then apply that to you know look for a commonality of defining that. This is an incident with some because you’ll have to provide that anyway. Um with your definition of an incident you also have to provide some examples. Right.

[00:35:32] Brad Nigh: Right. Yeah. And I think one of the things with our that managed services going through the plan and defining that stuff and I think with all the I. R. Playing coaching and stuff that we’ve done that is definitely an area where people struggle, right? Because they’re like uh it’s ransomware. So it’s an incident.

[00:35:53] Evan Francen: Well one Organization might. Okay but when it might

[00:35:56] Brad Nigh: not. Is it on one machine? Is it on all machines? At what point where where do you draw the line or the anti virus triggered? Well we need to have an incident, we need to you know document that. What level it could just be a ticket. It caught it it didn’t go anywhere. You got to define all that stuff and understand it.

[00:36:17] Evan Francen: Well it’s funny um because I like as much as I can I like black and white. Right? So here’s events. These are incidents. This is what an incident is. And once you’ve defined that this is in fact an incident then you go through the classification of that incident and you’ll find some incident handlers who don’t like to do classification because and they’ll give you usually they’ll give you the excuse that. But the classification changes, you know, during the incident investigation it’s like well, yeah, so then reclassify, you know what I mean? Because the classification will tell me things like Sls, how fast do I need to get this thing? Absolutely. They also tell me um who I need to get involved. Right. I don’t get I don’t get the incident response team involved. I mean the big instant response

[00:37:10] Brad Nigh: trigger like yeah, when I have a virus alarms going off and people freaking out.

[00:37:16] Evan Francen: Yeah. You know, if I have, if somebody fell for a phishing attack, is that an incident or is that an event in my traditional definition? That is an incident. But then when you go through the classification, you find that it’s a low severity incident, yep. And I may have defined in my incident response plan that low severity incidents are handled at the help desk.

[00:37:36] Brad Nigh: Right. Right. Exactly. And you know, so looking at like our uh kind of examples that we use, you know, kind of a p one critical incident likely breach, you know, And you found the definition, let me go back incident affecting critical systems or information with potential to be revenue or customer impacting because application compromise system compromised denial of service, exploitative known vulnerability, privileged account compromise, unauthorized access to information. Right? Really define out now that’s just high level. What what exactly does application compromise mean? That’s that next step. And that’s part of your plan. But absolutely, you know, priority to log in attempts, brute force policy violations. Social engineering. But again, why? Yeah, we’ve classified it as a p to what exactly does that mean that we’re not covering that? That’s just sitting kind of examples from it. But then the next step, right? Exactly. It’s going through the plan and saying,

[00:38:42] Evan Francen: well, it’s like a big funnel, right? I mean at the at the top you have all these events, all these things that are happening all the time, right? Long things triggers blah blah blah. Some number probably. Hopefully a small number of those things filter into an actual incident. Right? And so when something becomes an incident, then these things happen. But you have to define what that incident is. And I think one thing that people struggle with is one. They try to use somebody else’s definition of an incident just doesn’t fit the language and culture of the organization and to um they try to get it perfect. Yeah. I mean plant, these are all plans that are meant to be revised. Right? So don’t try to get a perfect out of the gate. Start with a definition of incident and then as you start triaging events, you’ll start, you’ll start refining that definition of an incident, right? I mean there’s nothing better than a trial by fire and these things. Right? You know, you don’t want the whole plan. You don’t want to not have a plan and trial by fire that way?

[00:39:49] Brad Nigh: No, no, no. That’s that’s a bad way to do. I mean, the whole thing is that’s why we do lessons learned. That’s why we do annual review. You’re never gonna have every recovery process documented. Same with disaster recovery. Right? The thought is you get enough of them in there, the big ones. It’s something that comes in that’s not documented. You should be able to pull from those other things and then go back and fill in the blanks later.

[00:40:14] Evan Francen: Right? Yeah. No plan is meant to some no plan is meant to um I guess not

[00:40:21] Brad Nigh: the be all end. All right.

[00:40:22] Evan Francen: Right. You still have to think, you know, you’ll still have to have some thoughts. You’ll still have to think some decisions

[00:40:29] Brad Nigh: you on the right decisions, Right? So hopefully that helped.

[00:40:34] Evan Francen: Yeah, I mean, I think so. Back to the question, what is the minutia and what is a real incident define? It

[00:40:39] Brad Nigh: depends on the, depends on the organization. Right?

[00:40:42] Evan Francen: Uh we could certainly give you a definition, but you want to change it to your own. So to me, a real incident is what you said. But then we also have this this challenge of um what’s a breach. People define. You have trouble defining what a breaches. So, if you take this all the way back to our definition of information, security, right? Which here it is. Again, it’s managing risk to information confidentiality integrity and availability using administrative, physical and technical controls. Right? So there’s violations thereof, confidentiality integrity and availability, right? Which should be disclosure, alteration destruction, right? So to me, a breach is a compromise of data confidentiality because that’s usually what much of the data breach laws are written about. There not necessarily written so much about data integrity, but you can throw that in your definition to if you wanted to a violation of data confidentiality or integrity authorized.

[00:41:42] Brad Nigh: You are seeing that a little bit with hip hop now for sure, ransom where where they you’ve lost the integrity of that data. So,

[00:41:52] Evan Francen: so yeah. And then the the question also is it seems contradictory to say that some companies may not use their plan in a year and to also say that every suspected attack malware scan, et cetera is an incident. And so that’s the definition, that’s what we’re saying. You need to discern event from member because to me a scam in my definition of incident a scan wouldn’t be an incident

[00:42:19] Brad Nigh: unless it’s from the inside and you didn’t do it

[00:42:22] Evan Francen: potentially potentially. But you know, normally a scan, you know, things getting triggered like that wouldn’t define an incident malware would be an incident, a suspected attack. But again, but

[00:42:35] Brad Nigh: I think the confusion maybe is that you should be using your eye are playing for those things because it should be defined. That’s what’s driving, how you handle and respond to those now whether or not you trigger your actual IR team or not. You may not call your activate IR for a year. But you should be going to guess you’re gonna be using the plan.

[00:42:57] Evan Francen: Well that’s the thing too about you know plan testing. You know, some people think I should only test my some people don’t test at all. Most people don’t test at all. But the ones that do test think well annual testing is sufficient is it? I mean you keep testing until you’ve got it down, keep testing. So I mean even going by like well everybody else doesn’t annually. Yeah, but if your incident response team didn’t get it, if they if they, you know through the test they all like miserably failed. You need to do another damn test. You don’t wait for the next year to do this again. You do it like next month. We did until people get

[00:43:36] Brad Nigh: it. Yeah, we did for disaster recovery but same concept. We did quarterly testing. It was, it actually worked out better because it’s you know, one or two days not what’s a whole week

[00:43:48] Evan Francen: coaching in a football team, right? You can’t keep running the drill until you get it right. And you know, and so I don’t know if you guess if in a perfect world we do eight tests in a week until you guys get it right and then once we get it right then we can shelve it, you know, for maybe a quarter.

[00:44:09] Brad Nigh: Yeah,

[00:44:10] Evan Francen: but there should be no defined time. People got to get off of that mentality

[00:44:14] Brad Nigh: that annually, but that’s not, doesn’t mean only annually.

[00:44:19] Evan Francen: Right. I think instead of what I would be interested in instead of when was the last time you, you tested your incident response plan? I’d rather see show me the results of your last incident response test because you should have documented the results or should have been changes that came from the that testing. And it should also give us a good indication of whether or not your incident response team will actually function the way it’s supposed to function. Right? So if it was, you know what, I don’t, I don’t want us to get on that, that thought pattern of, Well we tested annually. Okay, great. It’s like, it’s like I spend $2 million dollars a year on my security budget. I checked the box. Okay. But so what does it work? Yeah. So we need to get everybody needs start thinking I think more like that.

[00:45:09] Brad Nigh: A degree. All right. Moving on. You got me going again. I know it’s fun. Uh, last week was the hacker summer camp in Vegas with black hat and def con neither of us went for for many reasons and yeah, there were others, but uh, yeah. Besides Vegas was there out there a couple others, but We sent 10 people from fr secure combined between um black hat and def con um And our our own guys team ambush were competing in warlock games. CTF at def con. So two years, third place last year’s second place this year. I said winter don’t come home and I haven’t seen any of them today. No, I don’t think any of them were going to be in today. Um, The last, I don’t, I actually don’t know how they finished. The last update we got is they were tied for first with 16 hours left I think. I don’t know something like that like

[00:46:10] Evan Francen: so I don’t bend had given us a Things saying that they were tied for first even with like four

[00:46:17] Brad Nigh: hours like okay. Yeah, I don’t know. Uh Stay tuned. Right? No, it’s really, you know, it’s great. I’m impressed with him. I did. I did actually was joking with Oscar and told him if he didn’t get first that threaten the guys that I would be going with him next year. So that was their motivation to capture first. Um, So we’ll find out, we’ll have to have an update. Um We’ll get one from Oscar next week. We’ll be here. So he’s out there. So that’ll be good. All right. Um We’ll see what they did. Uh Only one news item this week. Just a minor little thing.

[00:46:54] Evan Francen: Yeah, this one’s interesting.

[00:46:56] Brad Nigh: Yeah. So the security incident or incidents that a T. And T announced. So uh for those of you that have not seen it um A T. And T. Workers took over a million dollars in bribes to unlock. $2 million are two million phones. Uh There’s you know Ars Technica has an article Forbes I think has one. NPR has one. Those are all on the uh in the blog. But okay, you know it was interesting because at first when I first read it, I was like wow they’re claiming $9.5 million in Los Los A T. And T. Is And I was like how in the world are they doing that? Well, so the whole thing is like if you purchase a phone and finance it for you know the 0% interest through your carrier, it’s locked until you finish paying it off. So what they were doing is unlocking phones prior to then being paid off. And then people could just switch carriers or those phones could be resold and gone elsewhere. So you might have a $700 phone, $1000 phone and only paid off a couple 100 of it if that and then they would. So I think that’s part of how their accounting kind of that lost. But uh yeah it was it was interesting

[00:48:16] Evan Francen: because I could buy a phone on craigslist right? For you locked locked one, You know, I’m just hypothetically for, you know 400 bucks And then sell it unlocked for 800,

[00:48:29] Brad Nigh: right? Because you can go anywhere. It doesn’t matter. Right. Right. So it was interesting how they got in. So it was Pakistani guy uh and with a co conspirator,

[00:48:40] Evan Francen: Mohammad

[00:48:40] Brad Nigh: Fahad. Yeah. And they reached out and they got I think it was three three or was it 3 80 M. T. Employees so far

[00:48:51] Evan Francen: so far everyone’s have pled

[00:48:53] Brad Nigh: pled guilty. Um So short of it is they basically use their accounts. And then The interesting part to me, I mean yeah you can get I get people getting bribed and one of the people got like almost $500,000 and another 100, or whatever it was. Um what was interesting is they installed malware on a T. And T. S. Internal servers and had access using these people’s credentials through malware so they could remote in And do it for like five years. Excuse me. How in the world did they not notice the malware for five years?

[00:49:39] Evan Francen: Right. When these were call center employees to write call center employees had access to install things. So we’ve got some kind of an issue there. Right. Why would it call centre employee have an admin access to install things on their computer and I can understand having admin access maybe do a specific function, you know in the unlocking software or something because that’s part of their job responsibility but have the ability to install malware. Yeah. And he also paid, they also put access points. I mean they they had gotten so bold that they brought in access points into the network. Yeah, implanted malware. I mean it’s just like what the hell?

[00:50:23] Brad Nigh: Yeah. It was in April of 2013. It was four years from when they actually planted malware on internal protected computers for the purpose of gathering confidential proprietary information on how A T. And T. S. Computer network and software applications functioned

[00:50:41] Evan Francen: Says 2013.

[00:50:43] Brad Nigh: That’s in the arts. So the the scheme was started in April of 2012 but the malware was installed in April of 2013. So they have been doing it for a year and then said all right, let’s let’s do this. So you got remote access

[00:50:57] Evan Francen: that’s upper game.

[00:50:59] Brad Nigh: So

[00:51:00] Evan Francen: you know what access. And I assume that I don’t know that Mohammed Fahd was in Pakistan or Hong kong or somewhere overseas at the time that he was so sugar locking phones remotely through this malware.

[00:51:16] Brad Nigh: Well, but if you think so, my thought was well, how did they not notice that he was coming in? But obviously they didn’t, he was getting into this malware. They didn’t know. And so the unlocks were coming from the internal network. My question is how I’m I want to know how many people ended up being on it. How many unlocks did these people commit and what’s the average how when that stand out, don’t you look at those metrics to say hey this you know why is Evan unlocked four times as many phones as anyone else. Right. Right. If its automated like that if it’s two million

[00:51:52] Evan Francen: from where so many of these accounts being unlocked from this Pakistan I. P. Address.

[00:51:57] Brad Nigh: But see I don’t think they caught that. No, they didn’t. They didn’t catch anything. So

[00:52:02] Evan Francen: I mean I wonder how they finally did get caught. I haven’t read the indictment but

[00:52:05] Brad Nigh: no, I didn’t I didn’t read it either. But

[00:52:08] Evan Francen: because it’s crazy that on a big corporate network like at and T. But this is a call center. So it’s probably something you know like most call centers, it’s not at corporate headquarters. Right? It’s right somewhere. But that you could, I mean they’re just a bunch of I think bad practices here. The fact that call center employees have the ability to install software on their systems is an issue. The fact that they can bring in access points, plug them into your network without anybody knowing is also an issue. I mean there’s a lot of issues here.

[00:52:45] Brad Nigh: Yeah. Yeah. It was interesting that reading through some of the comments and yeah, there’s a lot of how in the world do these did the call centre employees have access to do this? How did people from Hong kong get ahold of people in Washington state. Yeah. It’s you know

[00:53:04] Evan Francen: that’s a cross strait, it’s obviously something that a. T. And T. It was completely blind to. I mean they weren’t they weren’t watching. No.

[00:53:12] Brad Nigh: Yeah, it’ll be interesting because they have a huge cyber security service offering to.

[00:53:20] Evan Francen: Oh yeah, that’s right. Yeah. Good

[00:53:22] Brad Nigh: point. And they didn’t catch their own stuff.

[00:53:25] Evan Francen: 18 T. is a big Yeah. Yeah. And prayers no close. Yeah. So food faces 14 charges in the US District Court conspiracy to commit wire fraud, conspiracy to violate the travel act and computer fraud and abuse act. Four counts of wire fraud, two counts of accessing a protected computer in furtherance of a fraud. Two counts of internet intentional damage to a protected computer and four counts of violating the travel act.

[00:53:54] Brad Nigh: Not good

[00:53:55] Evan Francen: for hundreds. Yeah. It’s crazy. And then these three who played I was, it was interesting because now they’re named Kyra Evans Devon Woods and Mark say Putin And supporting agreed to pay $441,000 in the plea agreement. Evans agreed to pay $280,000 in woods, agreed to pay $155,000. Did they just save the money because they’re not they’re not going to have a job anymore. So if they had

[00:54:28] Brad Nigh: Yeah, that’s gonna be my guess is right they’re going to make payments. Yeah, they’re going to be a dollar

[00:54:34] Evan Francen: A year for the next 400,000 years.

[00:54:37] Brad Nigh: Well and they’re going to go to jail and they’re gonna get out and how employable are they going to be. So my guess is that A T and T. Doesnt probably doesn’t see much of any of of that,

[00:54:51] Evan Francen: Of the restitution. Well, I mean what’s 9.5 million? I mean, what’s $9.5 million to them?

[00:54:57] Brad Nigh: Yeah, they don’t care. There’s that’s that’s that oh my gosh, I just went blank uh cost doing well. No, the uh making them pay back is to the constitution is to keep other people don’t do this. Right, right. And said, well, whatever it is.

[00:55:17] Evan Francen: Yeah. And and it’s funny because ours are ars technica, the the author Jon Brodkin Did reach out to AT&T and ask for comments on, did you did you do anything to stop this in the future then 80? And he didn’t respond, which isn’t surprising. Uh but I’d really like to see a good case study on this on how how do you miss this? Yeah. Because everybody is susceptible to bribes. Right. Every they there’s that saying everybody’s got a price. Right.

[00:55:52] Brad Nigh: Right. Good. Yeah. I’d love to know. Yeah. How did they finally catch it? How did it, how did what malware was that was going? How did they not catch it for for four years? Like that’s nuts.

[00:56:10] Evan Francen: Especially call centres to man. I mean usually call centers have such a high turnover rate. Usually you are hiring people that are younger that you know are a little more money hungry, you know, and I don’t know if that’s un politically correct to say, but

[00:56:28] Brad Nigh: typically call centers don’t pay real well. Right?

[00:56:31] Evan Francen: So I mean of all places where you really want to watch and surveil, its the call centre,

[00:56:37] Brad Nigh: right? Because they do have access to a lot of stuff for obvious legit business purposes. But it sounds like there were some issues there too.

[00:56:46] Evan Francen: Yeah. So, I mean of all the places you want to surveil, it’s going to be call centers and then why wouldn’t you? And I don’t know much about at and t but there’s culture things like, because I know in law firms, right, You make a recommendation that they put a camera surveillance in a law firm. Like hell no privacy privacy privacy privacy. It’s like, well, legally though, I don’t think there’s a privacy problem. I think it’s just a culture problem.

[00:57:14] Brad Nigh: Right? Well, the one I’ve heard for sure is we don’t want our our clientele to be identified or be able to be identified. Um, It’s public court violence.

[00:57:28] Evan Francen: Right? Well, yeah, I mean, there’s definitely that, but then it’s like, yeah, we’re not publishing your surveillance,

[00:57:35] Brad Nigh: right? That’s the other thing. It’s investigative tweeting it, right?

[00:57:39] Evan Francen: Want to. And so call centers, you know, I’m surprised that they didn’t have better. Maybe they did, you know, uh just not key logging, but you know, employee monitoring software because there’s a lot of that out there now. That’s pretty good. Um Yeah. It’s just weird that they wouldn’t have thrown up some red flag somewhere because they had gotten so bold bringing in access points. They set up shell companies to get their payments and these guys were like seriously doing some serious stuff.

[00:58:09] Brad Nigh: Yeah. That’s a

[00:58:10] Evan Francen: And you unlocked two million phones.

[00:58:12] Brad Nigh: How many phones does? Yeah man. I want to know. I want to know the details.

[00:58:19] Evan Francen: Yeah. I wonder if we’ll ever find out. I guess if it continues going down the criminal path, you know? But it did take them. I mean this was He was indicted in 2017 and only became unsealed this

[00:58:32] Brad Nigh: year. Yeah. He was arrested in what like Oh in 2018 in Hong Kong. And you didn’t get moved to the us until like this month.

[00:58:45] Evan Francen: Yeah. So the indictment against him was found in November of 2017. And like you said he was arrested in February 2018 and it was just unsealed last week. Yeah. So yeah, I think it’s gonna be a while before we find out if ever, you know,

[00:59:02] Brad Nigh: I’m going to have to read the actual indictment.

[00:59:05] Evan Francen: Yeah. Yeah that’s there. So anyway I read about that. If you have and that’s like in every every organization with a high employee turnover you have to increase monitoring. It’s just that’s just how it works.

[00:59:22] Brad Nigh: It’s only a 21 page indictment. Oh second superseding

[00:59:27] Evan Francen: indictment. Is there an audiobook? Yeah. Wait for the movie. Yeah.

[00:59:32] Brad Nigh: All right. Well I’ll read that because I don’t have anything else going

[00:59:36] Evan Francen: on. All right. All

[00:59:38] Brad Nigh: right so there you go. That’s how it is. Uh It was great to be back. Thank you. Evan.

[00:59:44] Evan Francen: Thank you man. It’s good. It’s good that you’re back.

[00:59:47] Brad Nigh: It is fun. I really do enjoy doing this every week. Uh and I want to give a special thank you to the listeners. It it really does blow my mind that that we have that many people and it’s still really really weird to me that people walk up and be like, hey yeah I listen to you all the time. It’s like why

[01:00:08] Evan Francen: why do you listen to me?

[01:00:10] Brad Nigh: But yeah really thank you for everyone for listening. And everyone who contacts us and interacts with the show. So it is really you know it’s humbling and really enjoy it. So um

[01:00:23] Evan Francen: yeah and unfortunately we can’t take everybody’s feedback. We do read it all. But there are some people who give us feedback that want us to talk about something uh in a show and it’s on a list or eventually get to it. It’s just uh we can talk about everything

[01:00:40] Brad Nigh: every week. No. So but we do yeah like you said love getting feedback. Please do keep it coming. Best way to reach out to us. Um by email at insecurity at proton mail dot com. And uh if you like to be a guest on the show or nominate someone. Yeah, please send us that. We’re always open to.

[01:00:59] Evan Francen: We like talking to people, man. It’s fun. People are more interesting than we are. Yeah, that’s not true. You know, we’re very interesting. We just like

[01:01:08] Brad Nigh: it has a different dynamic. It totally does. So all right as always, you can find uh, myself for Evan on twitter. I’m @BradNigh and Evan is @EvanFrancen and we will talk to you again next week. Thanks.