Unsecurity Podcast

Evan and Brad continued their at-home security series with episode 111 of the UNSECURITY Podcast. Coincidentally, this one is guided by a recent conversation Evan had with his mom, who is a 73-year-old woman concerned with her accounts and holiday cybersecurity in the wake of the SolarWinds attack. Evan’s mom is a metaphor for a lot of people—concerned and confused about newsworthy breaches and what to do about them. The guys also continue their conversation about home network security, including changing passwords on a home router, running an Nmap scan on your home network, hunting down systems from the Nmap scan, and doing research on the systems to secure them.

Podcast Transcription:

[00:00:22] Evan Francen: Hey there, thank you for turning. Thank you for tuning in to this episode of the Unsecurity podcast. This is episode 111. The date is December 22nd, 2020. And I’m your host, Evan Francen. Joining me as usual, my good friend, and I stress good friend, uh, coworker, Brad Nigh. Good morning, Brad. Good morning, Evan. How are you?

[00:00:50] Brad Nigh: Uh exhausted.

[00:00:53] Evan Francen: Yeah, we were just talking about that, uh, last week. It’s funny, sitting here on my desk, I’ve got two coffees. One is a large, one’s, was this medium, whatever. They got their fancy names, but it’s basically a medium. And then I have a Reign energy drink. It’s called Reign Inferno, Red Dragon. Mhm, yep. And then I’ve got another, who? It’s another Reign, I got a Reign. It’s called Orange Dreamsicle. So two energy drinks, two coffees, um, and then I think I have, uh, what do they call that? Adrenal fatigue? Sure, heard of that? No. All right, well, I’m taking adrenal cortex too, so there you go. Oh my God. All kinds of stuff. I’m set for, I think I’m set until at least 10 a.m.

[00:01:55] Brad Nigh: Uh huh.

[00:01:59] Evan Francen: Oh right. Oh man. Yeah, it’s been crazy. Well, this is our last episode before Christmas? Yeah.

[00:02:07] Brad Nigh: Which we were talking about it. That’s it. It’s like how did we get here? Like it just kinda it’s been such a crazy years all of a sudden it’s like okay we’re here.

[00:02:17] Evan Francen: I know man. And a lot of people are using the excuse. Well, you know, chalking it up, it’s 2020 and it’s like, yeah, but It doesn’t like there’s no magic like pixie dust or poof, it’s gone in 2021. We have to deal with this stuff for a long time.

[00:02:34] Brad Nigh: Yeah.

[00:02:36] Evan Francen: Yeah, I don’t want to be Debbie Downer here, but there’s a lot of residual

[00:02:41] Brad Nigh: Yeah. And I think, well, I don’t think being, it’s being Debbie Downer so much as it is being realistic, especially with the pandemic, right? They’re saying, even if we get everybody gets their first round of vaccines by, let’s just say, May, it’s gonna be June before you get your second round, and then it’s six weeks before you get full, you know, the immunity from it. So you’re looking at August is the reality?

[00:03:10] Evan Francen: Well, I think, you know, as as people get their vaccine, I mean, one of the things that’s irritated me this whole year is just the lack of reasonableness. Yeah, I don’t know the lack of perspective just be reasonable

[00:03:25] Brad Nigh: right, Right. And I think things will start getting back to normal, right as more people get the vaccine, I think, you know, but what all this stuff says is to stop to wear your mask and still follow some of the, you know, the recommendations. But yes, I think you’ll start seeing there’s light at the end of the tunnel I guess is

[00:03:46] Evan Francen: what? Well, I think the one, you know, theme for me that’s kind of been intertwined with everything is, you know, I mentioned the word reasonableness. I think society has lost the ability to be real. They don’t reason they don’t think, you know, that’s just on the vaccine, but also in the social unrest stuff in the Yeah, politics. Just like where did reason go?

[00:04:14] Brad Nigh: Yeah, critical thinking has been neglected for a long time and it shows

[00:04:21] Evan Francen: Well, that’s why I love working. You know when I do get the output most of my day is spent with people. You know, like you, where we are reason, we do reason. That’s like so central to our job. And so when I talked to you, it’s like, okay, I’m not totally crazy, because you know, you go out on the streets and you see people and you say and you talk to people and you’re like, I don’t know where the hell you’re coming from. Yeah. And then I get to talk to you and I’m like, okay, all right. I’m not crazy,

[00:04:57] Brad Nigh: totally, totally out there.

[00:04:58] Evan Francen: Yeah. And if I am crazy then. So are

[00:05:02] Brad Nigh: you, you’re not

[00:05:03] Evan Francen: alone. There you go.

[00:05:05] Brad Nigh: Yeah, It’s one way or the other. You’re you’re not, you’re in good shape.

[00:05:10] Evan Francen: Yeah, for sure. So I figured that we’d open up, you know, obviously we have this catching up thing that we do. But then I also want to read a Christmas poem that FRSecure’s just Clayman wrote, which I think is just like knocks my socks off. How just talented she is, you know? Uh, so we’ll talk about that real quick though, catching up. How you doing? How’s family? You guys safe? How’s your head? Are you back to having balance again or what?

[00:05:42] Brad Nigh: Yeah, I mean, I’ve had a couple of, uh, days of her better than others are not better than others, I guess, I should say. But overall it’s definitely getting better. I haven’t had any major issues or needed to take the medicine for a couple weeks now, john, okay. Yeah. Just for,

[00:06:05] Evan Francen: And for listeners who haven’t heard, you know, previous episodes, we’re talking about labyrinthitis, right? You had this diagnosis and you’re coming on the other side of that. Hopefully.

[00:06:14] Brad Nigh: Yeah, yeah. They said 1-2 months from the initial uh, symptoms or the acute onset of it. So we’re just almost, it’s just five weeks now. It’s like something like that. So, so I have some, like weird pain issues or whatever in, in my ear where it’s kind of like, yeah, okay, still there, but I haven’t had any balance issues, so

[00:06:42] Evan Francen: Good. And everything else, family, do anything for Christmas? It’s only like two days, three days away now.

[00:06:49] Brad Nigh: up smoking a ham, given the smoked ham with the spicy apricot glaze.

[00:06:55] Evan Francen: I’ll be I’ll be over about three.

[00:06:58] Brad Nigh: Uh, well, I don’t, yeah, it’ll be interesting because it’s gonna be, it’s gonna be chilly on Christmas, so I’m not sure how, how that’s going to affect.

[00:07:07] Evan Francen: I was smoking

[00:07:08] Brad Nigh: the smoking, it might take a little longer, but maybe four.

[00:07:14] Evan Francen: Yeah. Well, and I’m, uh, and I know we’re going to be released from all, I mean as much as we can, but my son is getting married in Las Vegas Christmas Eve. Very cool. Yeah, they decided to elope because they didn’t want to have a wedding and have a whole bunch of people come together. So it’s just, it’s very few of us. Uh, we’re going to Las Vegas and, uh, even if he wouldn’t have invited me, I would have been that guy who showed up and was watching through the window.

[00:07:48] Brad Nigh: Yeah, no, that’s that’s cool.

[00:07:52] Evan Francen: Yeah, so we leave tomorrow for that, and I think Vegas is very strict in their COVID and, you know, social distancing and mask wearing rules. So that’s good to know.

[00:08:05] Brad Nigh: Yeah, Well, I mean they kind of have to be, they don’t want to get shut down.

[00:08:10] Evan Francen: True, very true. It will be interesting to see kind of what that tone looks like this. It’s certainly been there numerous times when it’s hustling and bustling. I wonder if it’ll be just like down or you know what, what to expect.

[00:08:24] Brad Nigh: Yeah. No, it’ll be interested. It’ll probably it’ll be different. I’m sure they’re very different.

[00:08:30] Evan Francen: All right. So Christmas three days away. Did you get your shopping done? You? Oh yeah, yeah, I do too. I got it done like, it was so cool, man. I mean, I’m not a, I’m not big in the world domination. So, but when I think of Amazon it’s like, damn, that was easy. I got Christmas shopping done in like two hours laying on the couch on my phone.

[00:08:56] Brad Nigh: Right? Well, and we know with all the, uh, postal service like slowdowns and issues and backlog. We got all ours done early this year just to make sure that it would all arrive. So

[00:09:16] Evan Francen: Yeah. And you know, as I get older and older I become, I think, more and more jaded by technology because you start to realize all the bad things that people do with it and then so on the system not like a big Amazon fan, but when technology makes your life that convenient, it’s hard not to like it, man. I mean seriously, two hours and then stuff just showed up on my door. I’m just done.

[00:09:42] Brad Nigh: Yeah, yeah. To try to go direct some, you know, for what I can, but at the same time it’s like, get two-day free shipping or pay $15 and wait a week and a half. It’s hard to. I said that’s a big convenience

[00:10:01] Evan Francen: There really is, which I think was the original purpose of technology, right? It was to make life more convenient. When you look at the other areas of my life, technology doesn’t make it more convenient. It makes my life some days a living hell, to be honest, you know. But yeah, it was good. All right. Let’s get to the Christmas poem. So I’m gonna read it. You haven’t even seen this? I’m gonna share. I’m gonna share the screen. You probably haven’t seen it because you haven’t email on that yet. Uh huh. I did stop video. Let’s go share screen. Someone to click. There we go. Boom. There’s the Christmas, uh, poem, so like it’s cool. So for listeners you’d be like, damn, that is some serious skill to put this stuff together. So: ’Twas the night before Christmas, when all through the internet, tons of info was flowing dataset. The dataset. The botnets were whirring with ill intent, in hopes that some users’ minds were absent. The firewalls were active in guarding their keep, while DDoS attempts played out in their sleep. And CSOs in their offices and pen testers in their lairs were fighting the fight to make the board care. When out of the web there arose such a mess, those with white hats tried hard to suppress. Away to patch they hurriedly raced, to reset the passwords and update cyberspace. The monitor glow on the, on the face of the hacker gave enough of a jolt to find the attacker. When what to their sleep-deprived eyes did appear, but a brand new ransomware making its premiere. With a ghastly infection so cunning and gross, they knew without question it would affect the host. More rapid than malware their response that came, and they whistled and shouted and gleefully exclaimed: Now patches, now patches, now passwords and encryption, on training, on MFA, on software subscription. To the chair of the board, to the user up the hall, now hash away, hash away, hash away all. As the reports that, uh, as the reports that after the incident must come, when the analyst finally knows what has been done, so into the documents the pen testers wrote, with a virtual machine full of viruses and notes. And then in a frenzy they saw on the net the attackers rallied and changed their bets. As they spun up bots and started again, the pen testers searched to find the kingpin. They were dressed all in black from their heads to their feet. All their clothes had some stains from Monster and treats. And payload of malware they discovered and prevented. Then the network they fixed is now segmented. Their programs, how they ran their scans, how effective the innocent they used like private detectives. The CSO’s brow was furrowed up like a knot, until he realized the attacker would be caught. The thickest of night guards he clenched in his teeth, and his headache, it encompassed his head like a wreath. He had a big plan and a tiny little budget that got slashed and cut when the executives judged it. He stayed hopeful and kept pushing on, as he knew that this fight would never be gone. An assessment of his risks and a roadmap to boot soon gave him to know they could not refute. Soon gave him to know they could not refute. He spoke a word but went straight to his work, and fixed the vulnerabilities and sat back with a smirk. And assembling his team to commend their effort, or commend their project, he reminded them their efforts did not go unchecked. They went back to their SOCs, spirits renewed, completely content with their solitude. And the I end each other. Made it concise: Happy Christmas to all, and to all a secure device.

[00:14:18] Brad Nigh: It’s fantastic.

[00:14:19] Evan Francen: Isn’t that amazing, wow. Yeah. That lady’s got some serious talent, man. I think that went out to all FRSecure members, uh, maybe yesterday. No. And cooled off.

[00:14:37] Brad Nigh: But yeah, really good.

[00:14:40] Evan Francen: Well how much time she spent on that? I haven’t even asked her yet. But anyway, yeah, there was certainly some parts to that poem that resonated with me and like yeah, been there,

[00:14:52] Brad Nigh: yep. Yeah, I think she caught the sure be. I don’t know the attitude is, yeah, she captured it well,

[00:15:04] Evan Francen: Kind of got the gist of it. Yeah. So truly, to all our listeners and to all my friends, to, you know, just people that, you know, are on the fringes, whatever, I do wish everybody a merry Christmas, and I wish you a merry Christmas, Brad.

[00:15:20] Brad Nigh: you safe and healthy. You’re gonna have a pretty good one with the with the wedding and Mhm. If all the excitement and joy it goes with that.

[00:15:32] Evan Francen: Yeah. Yeah. Last week my, uh, my wife bought, I don’t know, 15 pounds of barbecue for a birthday party. And that would have been like a pound and a half per person because there just weren’t that many people here. Uh, because you know, we want to be, I want to play by the rules, man, I don’t want to piss people off. But uh

[00:15:56] Brad Nigh: I was gonna say, did you say where’s the rest for everyone else?

[00:16:00] Evan Francen: Oh man, it’s a lot of barbecue. We’re still in there. Yeah. Yeah, we’re still eating it. All right. So I figured, uh, next week about, you know, information security at home. Uh, two episodes ago. So we got sidetracked a little bit with the, in case you didn’t hear about it, the old SolarWinds. Uh, U.S. Department of Treasury, U.S. Department of Commerce, U.S. Department of Everything, Microsoft, Cisco, other countries, you know, heck. So we put things on hold with the information security at home. And now we’re going to pick up where we left off in episode 109. Sounds good.

[00:16:43] Brad Nigh: Sounds good.

[00:16:46] Evan Francen: Now before we jump too far into that, uh, what’s our team working on now? Are we working on, you said eight or nine incidents at present?

[00:16:54] Brad Nigh: I think eight, eight or nine active. I don’t think, I can’t keep track. A

[00:16:59] Evan Francen: lot. Yeah. We’re inundated with incident response, and we found at least one customer who’s, you know, affected files uh meant entity. Um, out west.

[00:17:16] Brad Nigh: Yeah. Yeah. That

[00:17:19] Evan Francen: Doesn’t that one doesn’t sound good.

[00:17:22] Brad Nigh: Uh huh. Yeah. It’s still too early to tell exactly what’s going on. Still try to get tools that deployed across the entire environment. So what check? This could be a little bit longer one than than we were hoping I think.

[00:17:42] Evan Francen: Right, you can tell that both of us, both you and I, are draggin’ ass right now.

[00:17:47] Brad Nigh: Yes, I’m not going. I’m looking forward to the weekend, long weekend here. Yeah.

[00:17:54] Evan Francen: Yeah, I am too. Well, I would be too, but I’ll be traveling now. And so sort of just want to sleep. But you know, maybe I sleep on the plane or something. There you go. Right, so 109 left off, if I recall correctly, is we had demonstrated logging into my home router. Mhm. Which was, which is a CenturyLink stock router, you know, nothing changed. And I logged in, walked through changing the password, and then, uh, didn’t really do much beyond that, I think, because that was where we both agreed, you and I, that that’s where you have to start. Right. Change your default password, and change it there, and then go find everything else and change passwords everywhere else. Right,

[00:18:48] Brad Nigh: correct. Yeah. Yeah never leave the default.

[00:18:53] Evan Francen: So that’s what we did in episode 109, which was really, you know, simple. It took, uh, you know, five minutes tops. Um, and just to recap real quick, the way we found that was I had opened a command prompt. So you can look at 109 to see, you know, how we did that. Just open the command prompt. At the command prompt, I typed in ipconfig and got my default gateway. Right. And that was probably going to be the IP address of my router. Right. So then open up a browser, put that IP address in the browser, uh, and then hit enter. The, uh, it automatically shifted me to an https, which is probably what’s going to happen in yours too. If you get a screen that, um, that says you can’t connect or whatever, try that. Just https in your browser address bar, https colon slash slash the IP address. Then you’ll get a prompt, you’ll have a username and password. Um, if you’ve never changed your password, it’s probably on the bottom of your router on the sticker. If that doesn’t work, then you can just Google the model number of your router and it might be that password too.

[00:20:17] Brad Nigh: Yeah. And that’s the that’s why we’re going to change you want to change it. Right? Is it takes five minutes. It’s known. It’s not any sort of secret and it’s facing the Internet.

[00:20:28] Evan Francen: Exactly, exactly. Yeah. And if it’s facing the internet and it’s well known, that means the attackers know it too. Right. Very easy to take over your home network. And if you’re doing stuff for work on your home network, that makes it even more attractive to the attacker potentially,

[00:20:47] Brad Nigh: which the vast majority of people are now

[00:20:50] Evan Francen: for. Right. Yeah. And and for knowing how attack sequences work. That’s the way they work. Right. You find a vulnerability, you compromise the vulnerability. Uh I have a foothold into the system, then it’s either elevate privileges and pivot or if you already have the privileges, next thing the attack will do will be trying to pivot into another system. That’s maybe more interesting.

[00:21:16] Brad Nigh: Right? Or established multiple command and control points and persistence points.

[00:21:22] Evan Francen: Exactly. And all this would happen, you know, without you knowing right. Um And then it’s conceivable maybe even probable to pivot from pivot into the computer you use for work and then pivot into your work network. It’s not right. It’s not inconceivable.

[00:21:45] Brad Nigh: No, no, not at all.

[00:21:47] Evan Francen: And then you’re the and then you’re that person. Mhm.

[00:21:51] Brad Nigh: Yeah, nobody wants to be

[00:21:52] Evan Francen: that person. No, we have to flog you. Sorry, that’s now the punishment for being breached victim. All right. So there’s that, uh, I was changing the default password on your router, and then I said the next thing that I would do would be to try to identify all the systems on my home network, because I can’t possibly protect the things I don’t even know I have. Right? Yeah. Now the tool I chose, and you can find other tools, but the tool I chose was a tool called Nmap, N-M-A-P. If you Google it, it will come up with, uh, you know, the fired fired sect tools probably, uh, tool was created originally by Fyodor. It’s open source, it’s free. Uh, you know, make sure you get the legitimate Nmap, and again, it’s on episode 109 if you want to see what that looks like. Download it, install it, uh, and then run it. Take that same IP address that you used to get to your home router. Take the last octet, which is probably going to be a one. Right? So like on my home network I think it was 192.168.0.1. Remove the one, uh, replace it with the zero and put a slash 24 at the end of it and click scan,

[00:23:17] Brad Nigh: yep. That easy.

[00:23:20] Evan Francen: It really is, man. And I think a lot of people get intimidated because, you know, oh my gosh, never heard of Nmap before. Seriously, man, if I can, if I can do it, anybody can. It’s, it’s just, just do it. Yeah, cheesy

[00:23:34] Brad Nigh: people would be surprised what they find to.

[00:23:37] Evan Francen: Yeah, right. And then so then we had a whole bunch of uh and some of those results, I mean I think to the layperson, a lot of those things didn’t make any sense and I’m gonna try to while we’re talking, bring up my results. But instead of doing that, let’s do this now. Did you do it to brad or you’ve probably numerous times?

[00:24:01] Brad Nigh: I can, I mean with with my setup, I can see every connection on all the different wireless. So I didn’t do it because already had it. Yeah,

[00:24:18] Evan Francen: I’m in there must share mine with you. Yeah, I am too, man, I’m going to share with you my results, and I know that you’re now going to see all of my internal IP addresses. I don’t really care. New Year’s. All the systems that were on my network. So you, when you look at the left side, all you see is a bunch of numbers, right? There is one that’s got a host name is, you know, Raspberry Pi that I’ve got running with Pi-hole, but don’t worry about that. Uh, but this is just a very simple basic network. I, I purposely haven’t gone and things complicated here. I don’t have a lot of things running, but you see things like this. So if you click on the things on the left you’ll get some hints as to what these things are on, what ports are open. So you know, like this is where I found my firewall. The 192.168.0.1. And I connected to port 443. When I opened the browser and I typed that IP address in, it redirected me, listens on port 80 but it redirected me to port 443. That’s the port that I would use to, uh, you know, manage that router. I also could have gone to 8080, but that would redirect me also to 443. Not don’t worry too much. But these, these ports are common ports and you’re probably gonna have the same sort of thing on your home network. If you haven’t changed things, these are common ports. 80 is for, that’s just HTTP. When you browse the internet without encryption, that’s the port you’re using by default. 443 is the encrypted port essentially for HTTP or web traffic, HTTPS, that’s what the S means, you know, for the lay person. Uh, don’t worry so much about some of these other ports. I mean 21, FTP, this is SSH or SFTP, and telnet, uh, but the ones we really, you know, when you’re looking through the results, what we’re looking for things that will tell me what this might be, right? And so, you know, you’re looking for hints like Meraki firewall. Okay, well it is a firewall and it is a version of Meraki, but that sort of gives me a hint that that’s what that thing does. If I go to this one, you know, already know this one because I set it up, it’s the Raspberry Pi. I can see, you know, a little bit of information about it, that, you know, it’s got SSH open, 53, which is DNS. Yeah. Okay, then you get into some of these other ones, so it’s like, what, what is this, right? Sage E s, digital end deck, audio monitor level meter, and this is kind of the point, right? So if you’ve got stuff like this on your network and you don’t even know it, uh, that’s the point here. You’re gonna go on kind of a detective fact-finding hunt on your home network to find out what these things are. Uh, now there’s some tip, you know, hints in there like digital index, remote audio monitor level meter, what is it that has something to do with tv amy? Uh, so you’ll still find, you know, hints. If you Google this stuff like ZeroMQ ZMTP 2.0, you’re not gonna find much because it’s, a lot of people don’t do this stuff. We should though, we should all be doing this stuff. And what you’ll find out that what this is, is this is a DirecTV box, you know, as you go and hunt it down. Um, so this is what I had to do, right? It’s running on my network. I should know what it is. It’s a DirecTV. It’s one of those, uh, you know, you have the main box usually like in your living room or something and then you have these satellite boxes throughout your home. This is one of those satellite boxes. And the way, the way I found that out was, honestly, I couldn’t find any other information. When I connected to port 80, it actually denied my connection. So meaning when I opened up a browser and typed this IP address, it wouldn’t let me connect. Ah, and so what I ended up doing, I could have gone deeper with these other ports, but instead what I decided to do is I’m just gonna walk around my house and unplug stuff. Uh huh. Yeah,

[00:28:30] Brad Nigh: people don’t really, it is it’s that easy to figure out. Right, I’m plugging. Didn’t go

[00:28:35] Evan Francen: away.

[00:28:37] Brad Nigh: All right,

[00:28:38] Evan Francen: That’s exactly what I did. I just walked around the house, unplug stuff, and then say, oh, it’s gone, okay. It must be this thing, right? Um, and then I made a note of that in a spreadsheet so I could keep it for later. Same thing with four. You know, these two, these two systems, that’s also another hint. If I’ve got two systems that are basically giving me the same signature, that means I probably have more than one of them on my network, i.e. those little boxes. Mhm. So this is kind of, it’s kind of fun because it is sort of a detective. Yeah. Election, right? You’re going around your network trying to figure out what is this, what is that? And then once you finally get that done, right, once you figure out what all these systems are on your home network, store it in a spreadsheet, store it somewhere where you can find it easily. Um, as you add new things, right, Christmas is right around the corner, chances are some of us are going to get some new blinky lights stuff that we can plug into our home network, maintain that inventory. It also becomes important because if you do this Nmap scan or a scan like this maybe once every month or two and you find something that shouldn’t be there, that’s a good indicator that you should go and investigate that. Don’t just accept it like, oh, look at that. You got a new thing. Right. Right. Yeah. No, don’t. This is my computer. So you know, you can see that there’s a little bit more of a signature here. You’ve got some stuff, RPC and things like that, but I would find that out if I had done that ipconfig. If you remember the ipconfig that we did, that would have come. It would have shown my IP address as being that. Uh, this one, right, no hint. What the hell is this? I don’t know. So you can go over to the Nmap output so you can find a little more information. This is kind of the raw output. Yeah, of, uh, maybe what it gave you. Maybe there’s some hints there. Uh, seven, there’s really nothing. At some point it had Samsung. Well, there you go. Samsung electro mag something Thailand. Some kind of electronic device on my network. And I actually did go and fingerprint this one too, and this was something my daughter had plugged in. It’s like an LED light thing that she can control from the network. So that’s what that end up being. But again, I had to go around and unplug stuff. Uh, you can see there’s 13, 13, there’s hints, so sometimes you can find it in the raw output if you can’t find it somewhere else. Like these were, these ones here like four and 3 was the Sage blah blah blah thing, which end up being those satellite boxes, but it ended up being the satellite boxes for 13, which is here. Right, here’s 13. So that’s the main box, that’s the set-top box that’s actually in my living room. Uh, you know, for my entertainment stuff. Yeah. 14. Mm. I don’t know, you have to go on a hunt on 14. I can’t remember off the top of my head was for uh

[00:31:55] Brad Nigh: so there you’re really cool.

[00:32:00] Evan Francen: Oh, is this? Where am I missing it? Yeah, there you go. Roku, yep. Yep, so 14 is Roku, that’s in my daughter’s room. The 18 is another of the set-top boxes, and 73, uh, I think this is my wife’s computer. So not a lot of stuff on my computer on my home network, but I, that’s the way I like it. I don’t like a lot of things because it’s more things that I have to maintain. So once you go through that exercise, you identify all these systems. Now you can do a little bit of research and find out how to secure these systems. You can do some Google searches on, uh, you know, how do I secure this Sage, whatever the hell it is. Um, if there’s an interface on it, uh, you can log in and change default passwords on those things, just like we did on the router. Um, but do a little research and find out, you know, how you can secure these things. Once you get past this point, the next things are, you know, talking about a little more sophisticated stuff like maybe network segmentation, which means back into the router setup, you know, a lot more complicated than this. But if everybody just got to this point where you just identified what was on your network, changed the default passwords and secured as many of these things as you could, and then just regularly sort of monitored what goes on your network and, well, you know, what might be missing, that’s, you’re well on your way.

[00:33:37] Brad Nigh: Absolutely great, this is my thing.

[00:33:41] Evan Francen: So that, and that’s what this is, the same exercise I went through, and it’s not, uh, you know, been doing this for, this kind of stuff for a really long time. You, you can also, if you really wanted to get geeky, and maybe this gets addicting for you, if you’ve never done this stuff before, you’re like, man, I kind of dig this stuff, this is sort of fun, then install yourself some Wireshark. Yeah, start digging into, you know, what packets are traversing your network and, you know, traffic, you doing

[00:34:10] Brad Nigh: not just what are they doing

[00:34:13] Evan Francen: Exactly, or you know, get yourself a little Raspberry Pi. It’s a little device, cost me, what, you have one too, perhaps 60 bucks, you know, for everything. Yeah, uh, and then you can install yourself a Pi-hole. Pi-hole is kind of nice because it, uh, it allows me to do some DNS filtering, it also allows me to do some DNS monitoring so I can monitor where people are going on the internet. It also black-holes a lot of ad traffic, right? Yeah,

[00:34:47] Brad Nigh: yeah, and malware known malware sites, things like that.

[00:34:52] Evan Francen: Yeah, so if you if you get a hankering for this stuff, you know, like man, I kind of like being the geek, go to the next step man and reach out to us if you want to know more about that.

[00:35:03] Brad Nigh: Yeah, I think we’ve said it over and over, you know, we can’t do this alone there. It’s just too many things out there. Too many businesses people and so yeah, the more people we can get working on towards this and being more secure the better.

[00:35:24] Evan Francen: Exactly, 100% well. And not only can we not do it, but it’s not my responsibility. Well, yeah, I mean, you know, I have that issue to where, you know, mhm. People a lot of times, you know, find out what you do for a living and they’re like, hey, we helped me secure my home network and like, yeah, I’ll help you with some things. And then it becomes like, not only will you help me, we just do it. It’s like, okay, right, you be

[00:35:52] Brad Nigh: doing their personal type support.

[00:35:55] Evan Francen: Yeah, I will, I will certainly point you in the right direction and do what I can to help you. But man, I got I got to control my own stuff. I’m not. And plus what good would it do you when you add new stuff every time and would you have to call me every time? Right. No, don’t do it. And so here’s another place you can go and we’ve talked about it on the show a few times. Ah but if you also want to know some of the other sort of best practices, you can certainly go here. This is https, you know, colon slash slash s2me dot io. And you can see I have a boat load of

[00:36:34] Brad Nigh: decisions. Open tabs, open.

[00:36:36] Evan Francen: Oh, that’s only one of my browsers. But uh but this is a great place for you to go. Uh you know, you can create a new account and I already have an account so I can sign in. It’s got two factor authentication, whatever all that good stuff. When you go here, it’s basically your own personal information security risk assessment. So uh yeah, she’s not able to do this.

[00:37:02] Brad Nigh: All right. It’s what 20, minutes max.

[00:37:07] Evan Francen: Right? And it’s free. Yeah. Always will be for as long as I’m alive and as long as I have control over it. There you go. Yeah. So go to recap real quick um If you did what we did in episode 109, you had changed your default password on your router, you had installed Nmap, you had run an Nmap scan on your local network. Today we went through the results of those. You have to hunt down with those systems actually are on your home network, do a little research, find out what are your options for securing those things if they have an advantage and you can log in if they have a way to patch them, you know, you want to know that stuff and then uh if you feel comfortable and you want to go further, you know, I’d say do your S2Me and uh start looking at other cool tools like Pi-hole or uh Wireshark. You can play around with that. I mean there’s all kinds of things. You’re not gonna break anything, right?

[00:38:11] Brad Nigh: Yeah. Not with those tools.

[00:38:15] Evan Francen: No, no, there are other things we can use to break, but we’re not gonna go into that right now. Those are things that I do

[00:38:26] Brad Nigh: That’s not to two or 3 levels down. You got a ways to go. Yeah,

[00:38:32] Evan Francen: yeah. Alright, so good stuff on that. What else to have a head? Uh I closed my window to, so I’m trying to figure out what the heck we were talking about. Um Oh my mother. Yeah, Yeah, so Saturday my mom calls me, she’s 73 years old or like yeah, she’s just the best and she says she caught wind of this whole SolarWinds thing and she calls me and says so and she made it really clear like overemphasized explain it to me in a way that I will understand it. Like mom, I speak English but she wanted to know about what the SolarWinds thing means to her. So I thought that this fits kind of nicely into this information security at saying,

[00:39:23] Brad Nigh: yeah, I agree.

[00:39:26] Evan Francen: It was really sort of frustrating. I think for the most of most of last week that SolarWinds was top of the news in our industry, right? If you are in an industry, you had heard the SolarWinds, it’s like, are you under a rock? Right? Whereas in the mainstream media, I’ve been checking, you know, almost daily on CNN, MSNBC, Google News and Fox, almost daily I was going to see is any of this stuff making the mainstream media and it wasn’t until the latter part of last week before it even hit anywhere. Really.

[00:40:01] Brad Nigh: Yeah. Or at least I think maybe got the coverage that it should have given how big a deal this is,

[00:40:11] Evan Francen: right? Yeah. Last week we were talking about with Oscar, this is the biggest, most impactful attack I’ve ever witnessed.

[00:40:21] Brad Nigh: I mean, it’s going to take months to just fully understand it. Not even I think you close all the holes and all that. Yeah, it’s this is massive,

[00:40:34] Evan Francen: right? And so I was like telling my mom, I’m like, you know, if I’m not, you know, I really gotta shake me out on the pitch. But you know, if I were and I’m not, but if I were to panic, this would be something I’d be panicking about. It’s, you know. Yeah. And so she was like, well, what does it mean to me? And I thought, man, I’m gonna talk to brad about this, like what what would you her do you think if she would have asked that you that

[00:41:05] Brad Nigh: you know, I think that it’s a good question and you know, I think the answer is we don’t know yet. Yeah. You know, we don’t know the full scope of this. The reality is probably not going to affect your day to day. Um, you know, you might have some government services because that seems to be the biggest target was the government, state, local and federal. Um, you maybe some government services are impacted, but I think day to day you’re probably not going to see a big difference. Um, I think where we’ll start seeing the difference is as this shakes out, I think businesses will start, I hope um start transitioning to the more that deny by default, right? The least privilege don’t, you know, only allow what’s known and trusted. How does the network, you know?

[00:42:05] Evan Francen: Yeah. It’s crazy how, you know, we work our asses off yet lazy. Yeah. Right, Because that’s the right way to do it. That’s always been the right way to do it default deny has always been the right way to do things and we didn’t do it that way. I think because maybe time constraints, maybe we are lazy, but it’s easier to just plug something in and make it work, right? Yeah. That the right way to do things, but it

[00:42:39] Brad Nigh: works. I mean, how many times do we see, you know, vendors say, oh, well you have to run this as domain admin or local admin for because yeah, it works. Or how many kinds of people change things too? Open everything up because they couldn’t be bothered to trouble you

[00:43:03] Evan Francen: bridge, crew man. Very, very true. Well, that’s what I was talking with Oscar yesterday, you know, we have our meetings on Monday mornings and uh, you know, it’s like if people just did the basics, none of this stuff would work right? None of it. This malware or not even, I guess it is malware, it’s malicious and software, it wouldn’t it would have propagated, it would have been able to call home. You know, I read somewhere attacks would

[00:43:34] Brad Nigh: Right? Yeah, I mean, at the very least it’s going to be make, make it, you know, magnitudes harder.

[00:43:42] Evan Francen: Right? Yeah. And when you make things magnitudes harder, chances are a lot you increase your chances that the attacker is going to create some noise and you’re going to be alerted to it earlier on to

[00:43:54] Brad Nigh: write or well. And honestly, unless you’re a high profile target, right? Where you’re facing a state sponsored attack, Attackers are going to go path of least resistance if you make it hard for them, don’t. Okay, well, I’ll go hit somebody else because I know there are others out there that aren’t doing that,

[00:44:16] Evan Francen: yep. Yeah, very true. And so that’s the and that’s a great uh, smart supporting statement for? We’re supporting notion for security at home. Right. If you’ve got your default router down, if you’ve got, you know, some of these basics covered, you’re probably okay, you’re not, you’re not a really important target, but you’re important enough. Where if you’re just dangling out there, they’re gonna hit you.

[00:44:45] Brad Nigh: Right. Right. Yeah. Don’t make it easy for them. So there’s, there’s enough people that are making it really easy. Just don’t make it easy.

[00:44:55] Evan Francen: Exactly. Well, so what you say is, is similar to what I told my mother too. Um, I don’t see how I said, where I think you’re, you could eventually get something would be, you know, you’ll be collateral damage just like me where, like you said, you know, government services that you need or might use, might not be available for some period of time. Um, at the end of the day, we don’t know what the full extent of this is or will, I don’t know the United States is going to retaliate or if they have or if they will. Right. Um, there’s just a lot of uncertainty now. And so, you know, essentially I told her, don’t worry about it. Be aware of it. Great. Pay attention. Yeah. But don’t worry. And, uh, and protect the things that I’ve always taught you to protect yourself. And, you know, the things that you can, right? Yeah. Now she’s 73 years old. And so she, uh, you know, she’s fixed income, right? She’s retired? And she says, well, what about my money? I don’t like, well, I think it’s probably, I mean it’s safe now, I don’t know the endgame here, I don’t know where that goes. But um, I did advise her, I said, you know, I don’t know if you’ve heard of Cryptocurrency before or you know, if your financial advisor has, you know, but it might make sense to diversify some of your money into Cryptocurrency because you don’t have a centralized authority for it like you do here in the US or you know, the chinese yen or whatever. Yeah, whatever the hell they have over there. And she’s like, well that’s not real. You know, maybe like tangible. And I said, well, either either as your dollar, Yeah, we went off the gold standard awhile back. It’s not worth anything more than bits on a computer.

[00:47:07] Brad Nigh: It’s worth what the government says, it’s worth.

[00:47:11] Evan Francen: Yeah. Oh, uh but I think it would make sense, you know, uh, if I were on a fixed income that I would be asking my advisor, I would always go with my advisor because they, you know, they get paid to be experts in this, but I want to ask about it.

[00:47:32] Brad Nigh: Oh yeah, at the end of day, it’s really not a whole lot different than putting money in the stock market, right? Like it’s a risk either way,

[00:47:42] Evan Francen: shit one. And I think, you know, over the years, over the last few years, you know the fact that big banks and big financial institutions have legitimized Cryptocurrency by having their own you know business units operate there. Um It’s worth exploring because if the dollar would say the dollar did the stock market did go did tank and you know the U. S. Financial system took a huge hit 1st reason you know crypto might be a safer place for a while. Yeah. Oh puppy on that. I thought about it. But I was so proud of her man. He was 73 old lady. You know calling me. I wish I do. I said give everything to your son. Uh huh. Get send all of your money to your son. Yeah but they cut the grandkids out. They’re not worth it, give it to your son. I’m an only son. So she would like that. Yeah. Uh But I’m really proud of her. And then we talked about passwords. No and I said we’re talking about something about passwords. I said well you know I use you know a password manager happened. She goes well I don’t use one of those. And I’m like why don’t you use one? And she’s like well because I don’t trust him like all right so where you’re keeping your passwords? And she says well I keep my write them down like well that’s probably safer to be honest. You know I mean somebody have to break into your house steal. You don’t

[00:49:31] Brad Nigh: need that paper list.

[00:49:33] Evan Francen: Yeah well and she lives on a she lives kind of on a farm, you know? So it’s it’s a rural area where there’s just not a lot of, you know, property crime. So like yeah, you know, I guess when you think about it from a risk perspective that’s yeah, much better against.

[00:49:53] Brad Nigh: I mean as long as they’re good passwords then, you know, it’s all about, you know that risk assessment, right? Like we keep saying it. Yeah, she’s aware she’s made the decision and that’s fine.

[00:50:12] Evan Francen: Yeah. Well she monitors all her accounts and everything because she was she was telling me castle nine different accounts of mine. Uh We’re in the breach list. And so I had to go and change all those passwords. So it took me half a day and I’m like, good for you. Yeah. Again, I’m proud of you because she takes out seriously which she should. And I wish more people would be be like my mom please. And she’s not attacking man. I mean honestly she gets confused. Opening her email. Yeah. You know, But just on top of this stuff.

[00:50:53] Brad Nigh: Yeah, I mean that’s all. So we need that’s all we are asking. Stay on top of it. Just do the basics.

[00:51:04] Evan Francen: 100%, man. You do not have to be a geek to do the Basics. Trust me. Okay. All right. On some news uh do you have anything else to say about information, security at home. I figured next week what we will do is let’s do an end of the year recap, let’s do like, let’s look at this year, like the shit show that it was. I saw a lot of things to be grateful for, man.

[00:51:29] Brad Nigh: Yeah. Oh yeah. Like I was thinking about it. I mean think about that, that NetScaler issue. And what was that February? That feels like I was like, oh my gosh, that was this year. It feels like so long. So yeah, there’s a lot to talk about.

[00:51:46] Evan Francen: That’ll be fun. Right? So the news items, the first one I have is from TechCrunch.com. The title of the article is Dozens of journalists’ iPhones hacked with NSO zero-click spyware, says lab. We’ve talked on this show once or twice about this zero-click spyware. Uh well here you go. It’s it’s been used. The spyware was silently silently delivered, likely over iMessage. So this is a little bit scary because it’s zero click. I don’t actually have to do anything. Right? I just have to get the message. And and like we said before, I mean Apple has patched this, I believe so if you’re running the latest version of iOS, you’re probably okay.

[00:52:41] Brad Nigh: Yeah. Well this goes back to why do we patch this? There’s a reason to stay up to date on your patches

[00:52:50] Evan Francen: actually. Yes. Great. Uh you bring up another good thing. Maybe we do that too. And another information security at home is just stress the importance of patching. Yeah, management, you know, using, you know, non administrator accounts, things like that. But yeah, everything every bit of software ever made by anybody anywhere needs to be patched,

[00:53:17] Brad Nigh: right? I mean we talk about it as part of the mentor program and repeatedly like software is being made by people. Well, there’s gonna be mistakes. It doesn’t matter how much you try, it’s just it happens. Yeah. Nothing is foolproof,

[00:53:41] Evan Francen: Right? And I think to the normal, you know, to the layperson, you know, iPhones are more secure than Androids, but that doesn’t mean don’t be lulled into this false sense of security thinking you don’t have to maintain it. You still have to patch it.

[00:53:55] Brad Nigh: Right well, and put some sort of security software on there. There’s a there’s good antivirus import protection for your phones,

[00:54:07] Evan Francen: right? And since we’re doing security at home thing in my job. Mhm. If you want to set up automatic updates, you go into general, so open up your settings, go into scroll down to General. Two down from that is Software Update, go to Software Update. Two down from that is Automatic Updates. Turn on download iOS updates and on install iOS updates. And boom. Yeah, there you go. That’s how easy it is. And then you’re going to get a little indicator that hey, you know, there’s an update, you know, schedule the install and if you put it off long enough, it’s just gonna do it. Mhm.

[00:54:51] Brad Nigh: Yeah. And you know, for uh Android, it’s under settings and system easy. Yeah,

[00:55:04] Evan Francen: it really is. So no real excuse, you can’t claim ignorance because we just told you. The next uh news I got is from Bitdefender’s Hot for Security. Uh This is actually an article written by Graham Cluley, I believe. The title: Ransomware attackers are making threatening phone calls to their victims, warns the FBI. Yeah, I kind of take this as a good sign because uh it shows a little bit more desperation, like maybe people are catching up so they have to go to the next level. But you know, it can be really unsettling if you’re getting a phone call from somebody in a foreign country who is threatening you. Yeah, no, I don’t know either get comfortable with that or even to the phone, you know? But either way I would I would report it, you know, to uh to the FBI so the authorities can track it,

[00:56:11] Brad Nigh: yep, they probably won’t do anything specific for years, but it is good to reports, they can start seeing those patterns. Mhm.

[00:56:20] Evan Francen: Yeah, and he’s referring to in his article DoppelPaymer. I’m sorry, ransomware victims are being called by attackers post infection. Family members have also called as threats are made to visit victims’ homes. So the threatening like him when I come in to something to at your house. Mhm. Uh This is why I carry guns, you know I don’t carry guns because I want to threaten anybody carry guns because I want to protect people. Uh So if an attacker shows up at my door just yeah there’s a guy I’m waiting. Yeah uh and then the last one is from The Register this one is the title is Passwords begone: GitHub will ban them next year for authenticating Git operations,

[00:57:16] Brad Nigh: get the good step. Yeah

[00:57:19] Evan Francen: so I don’t know if people knew this but Microsoft owns GitHub,

[00:57:24] Brad Nigh: they bought it in the last couple of years. Yeah

[00:57:28] Evan Francen: so they’re gonna stop accepting passwords as a way to authenticate. Uh So you’re going to have to authenticate through a different authentication factor, like a passcode to a mobile device or a time based one time code uh something like that. But yeah it looks like

[00:57:51] Brad Nigh: token based authentication is going to be the requirement or but from the end. Uh huh man like that

[00:58:01] Evan Francen: and they’re saying prepare for two brownouts in July when things get tested properly so maybe mid year next year. Be interesting how that plays out, you know Microsoft obviously is a really player uh and they get to push their weight around a little bit. Yeah

[00:58:21] Brad Nigh: that’s I mean it’s a good step I think

[00:58:24] Evan Francen: yeah I do too man, I hate passwords, just like everybody else, you mean you don’t have to be a geek or not get to hate passwords, we just hate them but they’re they’re necessary because right, it’s authentication, yep, We could just trust everybody and just tear word we will need authentication.

[00:58:45] Brad Nigh: But I thought we were supposed to go with zero Trust.

[00:58:48] Evan Francen: Oh God, don’t go, don’t get me started. Yeah. Just think I’m a much more stuff we could self, we were zero trust ai Blockchain bra.

[00:58:59] Brad Nigh: Next gen. Yeah,

[00:59:03] Evan Francen: yeah, seventh gen. Okay. Yeah. All right. That’s it for episode 1, 1, 1, uh brad. It’s always a pleasure, man. It’s been This last 111 episodes have been a lot of fun hanging out with you. If you think about the hours, that’s 111 hours of you and I have spent together.

[00:59:23] Brad Nigh: Yeah, that’s a lot of time.

[00:59:27] Evan Francen: It is a lot of time any shout outs for you.

[00:59:31] Brad Nigh: Um That’s just I just gonna say everybody stay safe over the holidays. Yeah. You know everybody that’s doing the right thing and staying safe and just continue to do that.

[00:59:49] Evan Francen: Yeah, I like, I I like that notion. I was thinking of somebody in particular, but then when you said that I’m like, yeah, thank you, shout out to our industry, we’re all fighting most of some of the jerks, but We’re really fighting hard. You know, we’re putting in long hours, you know, the last thing we needed at the end of 2020 was you know, SolarWinds. Um, but shout out, you know, keep, keep the faith, keep pushing, keep trying. You know, reach out for support. You need it. Uh, yeah, I really appreciate a lot of people in this industry. Yeah. Yeah. All right, well thank you to our listeners. Send us things by email at Unsecurity@protonmail.com. I’m guessing at some point Brad or I will might might actually check that mail account. Yeah, whatever we know it’s there. I mean, we’ll get to it, it might be months, but it’s there. Uh, if you’re the social type, socialize with us on Twitter. Brad is @BradNigh and I am @EvanFrancen. Lately I’ve been on a kick of posting pictures of my dog. So if you want to see cooper’s of he the dog, that’s that’s kind of what I’ve been on right now. Uh, and lastly be sure to follow our companies. Uh we do a lot of free stuff. We do want to help. We want to know the things that we’re doing well and the things we’re not doing so well. So please, you know, follow us, let us know, become our fans and will become yours too. Uh SecurityStudio is @StudioSecurity and FRSecure @FRSecure. That’s it. So Merry Christmas and we’ll talk to you next week.