Municipality Security After Three Major Cities Affected

Unsecurity Podcast

Episode 33 of the UNSECURITY podcast features an in-depth breakdown from Brad and Evan about the Riveria Beach attack, and municipality security in general. This is the third major city affected by ransomware in the last 12 months or so, following Atlanta and Baltimore (who was hit twice).

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:


[00:00:23] Brad Nigh: Good morning. This is Brad Nigh. This is episode 33 of the Unsecurity Podcast. That’s a good start. Anyway, actually did my part, I got Evan’s show notes Friday at like 1:30. So I was prepared this week. I wasn’t alright. Well as always. This is Evan with me today. So good morning Evan.

[00:00:46] Evan Francen: Good morning Brad. How are you? I’m good.

[00:00:48] Brad Nigh: How was your week? Last week?

[00:00:51] Evan Francen: Good. I think I have trouble remembering. I think it’s an age thing maybe.

[00:00:57] Brad Nigh: I think it’s a business thing. It could be that. So last week I was, we’ll talk a little bit about this before we jump in. We don’t want to spend a lot of time because I think this week is going to be a, it’s gonna be a fun one said, I think we both think something we’re both pretty passionate about and I think you’ll get, I can get you riled up. But uh yeah, I had our offsite V. T. O. For the senior management last week and it’s amazing. I was telling john on the way back, I don’t know how I’m more tired after, you know, 2.5 days away. But uh, it’s recharging to

[00:01:39] Evan Francen: you guys actually work on those things where you guys from my party.

[00:01:42] Brad Nigh: There’s so much work. But really that’s cool. It was good, exciting.

[00:01:46] Evan Francen: I’m not invited to those parties. No

[00:01:50] Brad Nigh: we were able to get some like fishing in and nice yeah we got Oscar caught his first like three northern. So that was fun. He had a good time. But yeah we get a lot done. It’s nice to get away from the office and the pictures are cool. Yeah just focus on on things without being distracted. So yeah it was really good. But yeah wrapping up I was writing finishing up that I. R. Report this morning before we started this and another one came in last week that we had to do the call.

[00:02:20] Evan Francen: It sounds like Oscar’s gonna take that he’s going to do that one.

[00:02:22] Brad Nigh: Just some forensics, you know nothing like uh exposing a database to the internet that has uhh i on it and

[00:02:30] Evan Francen: unpatched database too

[00:02:32] Brad Nigh: I think. Yeah. No known vulnerabilities. Cool. And you could get into the database and or if you logged in the application you can see other people’s data. You’re supposed to don’t do that. That’s not good.

[00:02:45] Evan Francen: No thank you.

[00:02:47] Brad Nigh: So yeah.

[00:02:49] Evan Francen: Yeah. So he had it better than than us. True because I wrote a blog post. You saw it yesterday. It will be published like uh you know blasted the social media um later on this morning. But at the title of the blog post is don’t suck stop paying ransoms. We’ll talk a little bit about that today. But um as I was writing that I was like crap. It would really be ironic, wouldn’t it? If you write this thing and you’re all like kind of pissed off people and then you get hit. So I’m gonna have, I’m gonna have Jeff do uh, just double check things.

[00:03:35] Brad Nigh: I know. Well that’s the, that is definitely something that keeps you up as we say these things and talk about it and mm hmm.

[00:03:45] Evan Francen: Nothing keeps me out. I sleep so well, man. I’m like, I just think that, I don’t know, I sleep all. Do you sleep all? Yeah, yeah. Sleeping, screwed. It is, I’m good at sleeping. I’m good at eating

[00:04:02] Brad Nigh: and there was so much food last week

[00:04:05] Evan Francen: and I’m good at riding motorcycles. Went on a rally on saturday.

[00:04:08] Brad Nigh: That’s cool. Yeah. Was that? The weather was pretty Saturday was nice.

[00:04:12] Evan Francen: Yeah, we went kind of western Minnesota. Just one rally, maybe 50 bikes. It was cool.

[00:04:21] Brad Nigh: That’s not bad. Yeah. Anyway, I was gonna say food. I didn’t mention it. I think I should do one of the pictures. So here’s the bonus for the listeners when we go to these on Wednesday. I smoked a brisket at the, at the off site and ribs. It was so good.

[00:04:41] Evan Francen: I like brisket.

[00:04:42] Brad Nigh: Any excuse to be able to smoke a brisket is a good, that’s a good day.

[00:04:45] Evan Francen: It is a good day.

[00:04:47] Brad Nigh: Anyway. All right. So this week, we’re going to jump right in to the discussion because this is something both of us are pretty passionate about and we want to spend some time discussing it. So really, we’re going to talk about the river Riviera Beach city ransomware incident today. Um, for those of you that haven’t heard Riviera Beach down in florida Paid $600,000 ransom to regain data access to it. So in the show notes, there’s three stories about it. I think from what I’ve seen, a lot of it does come from that Palm Beach Post, um, initial story, but then, you know, there’s a naked security for so focused and info sec. Our info security magazine article about it has a little bit more opinion in detail on it. So you just wrote the, uh, the don’t suck uh, blog

[00:05:45] Evan Francen: is now, Hey, if I say don’t suck, that doesn’t, Is that inappropriate language? Okay. I had to ask marketing last week or the week before. Um, I wanted to make a video because I was, you know, kind of heated about something. And uh, I asked him if I could do it and say swear words and they advised me against it. Actually, one of the marketing people said, yeah, go for it to be awesome because it shows that you this is you, but then the other one was like, no, no, don’t do that. Yeah, but suck is not a swear word, is it? No. Okay, good. Because we shouldn’t. I mean you shouldn’t suck. I agree. It sucks to suck. Yes. Okay good. Well we got that out now.

[00:06:34] Brad Nigh: So with the, with that um, in that article. So what happened is it looks like one of the police were was fished and clicked on a malicious link down to the malware and just shut down everything and yeah, you know when we started looking at this or when I started looking at this, it says you know that they were advised by their cybersecurity company or the security experts they were working with to pay the ransom and I can’t wait to see more come out because I want to know how bad it was. Mm and who recommended that they pay,

[00:07:15] Evan Francen: you had somebody called

[00:07:17] Brad Nigh: out, why would you say that? Like they would have had to have been, there is no way you’re recovering. You have no backups. You have no nothing. It’s the only way I would ever say you don’t have a choice and I still wouldn’t recommend it. But I guess maybe yeah, semantics on how the wording was. It may have been. Hey, you have no option but to do this,

[00:07:44] Evan Francen: right? Yeah. And then that the blog post that you mentioned that I wrote yesterday, which is on Evan francine dot com. Um, the don’t suck, stop paying ransoms. Uh highlight five options. You have when you get hit by ransomware,

[00:08:02] Brad Nigh: Number one go in the corner and cry. Well yeah, update. Remember to resume.

[00:08:07] Evan Francen: Yeah, but the first is, you know, taking chances by paying the ransom. The second is don’t pay the ransom and follow a planned and tested incident response process which is the best option. Option three, don’t pay the ransom and struggle mightily because you didn’t plan well four start over five shut down and so you know, it’s hard to say where uh you know, Riviera Beach was allegedly the attack started on May 29. That’s when the employee of the police department opened the malicious email allegedly They voted on January. I’m sorry June 20. So he had from May 29 to June 20. I don’t know what’s going on, but something is going on and then the Riviera Riviera Beach, this is in florida um, City council voted unanimously Toward the Attackers. The $600 million, I’m sorry, $600,000 uh ransom. And so by proxy really you have the Police department paying criminals.

[00:09:23] Brad Nigh: Yeah. And

[00:09:25] Evan Francen: so you have, what kind of incident response process do you have? What kind of planning do you have in place If from May 29 to June 20? I don’t know what I mean. That’s like what? three weeks. Yeah, three

[00:09:38] Brad Nigh: weeks of trying to clean up and recover and finally going guess what

[00:09:44] Evan Francen: Right. We’ve responded to a lot of ransomware attacks and it wouldn’t take three weeks to realize that this is that option two is out of the mhm

[00:09:56] Brad Nigh: Yeah, I think out of the mix. Mhm. Yeah. No, not at all. Usually you can tell

[00:10:03] Evan Francen: within about like within a day. Yeah, you can tell. Okay, you know we have an up we have a There’s a possibility we might be able to recover. I mean I remember one ransomware attack. Not that all along, not all that long ago because we respond to what 34 A week. It seems like two a week something. I mean, who knows? Yeah,

[00:10:27] Brad Nigh: at least I’d say three or four a month. One minimum one a

[00:10:31] Evan Francen: Week. Okay, minimum one a week. And I remember the one where I thought personally I thought this was a lost cause I was like mm Yeah, because the ransomware not only got the files but it also got the backups added an air gap correctly. And um Yeah, and I thought, oh jeez well see yeah, I mean these are your other options, right? Pay the ransom start over or uh closed the doors, closing the doors isn’t an option. So then it’s either pay the ransom or start over. And maybe that’s where revere beaches was, you know it’s pay the ransom or start over

[00:11:11] Brad Nigh: And you know with the information they have, you can’t really start over 911 medical stuff. They all those

[00:11:20] Evan Francen: Some critical services. So do you think that they were down because the details aren’t there? I mean were they was 911 down from May 29 until it

[00:11:29] Brad Nigh: doesn’t say but it kind of sounds like it. So what they were doing it by panned.

[00:11:36] Evan Francen: How can you do by hand?

[00:11:38] Brad Nigh: So you did 20 years ago

[00:11:41] Evan Francen: but nobody knows how to do that anymore.

[00:11:43] Brad Nigh: Yeah. Wasn’t there something

[00:11:45] Evan Francen: nowadays people don’t have to you know change the Tv channel. They have to have Alexa do it. Yeah. God can you imagine that the damage if Alexa went down

[00:11:56] Brad Nigh: globally? It wouldn’t

[00:11:57] Evan Francen: hurt me at all. No not us. But people would freak. My God I can’t figure out my T. V. All right so revere Beach voted unanimously after three weeks. Maybe they voted earlier. Maybe maybe they paid earlier and then voted later. Who knows? I don’t know how those things work in the city of Riviera Beach.

[00:12:18] Brad Nigh: So going back real quick on the so foes article it says email went down and officials had to resort To hand printed checks to pay employees. And 911 dispatcher is unable to inter calls in the computer systems. That’s all it says. But it would appear that that that was the case until they paid it the way it’s worded to me anyway.

[00:12:40] Evan Francen: All right. So you’re down. You decided to pay the ransom and then they conveniently mentioned later on. I think in one of the articles that they had insurance. So okay don’t worry about it. We had insurance. It’s like I could give two craps about the fact that you had insurance. The fact is you paid A ransom, you paid a criminal $600,000. What do you think they’re going to do with that?

[00:13:08] Brad Nigh: Well yeah, they’re going to turn around and

[00:13:09] Evan Francen: use it. Exactly. So That’s $600,000. So great to get your system is back up and running and I understand you backed yourself into a corner, you’re in this spot really because you you have poor planning, poor planning, right? You have lack of forethought, lack of skill, lack of what I mean? What’s your excuse for not planning ahead? Have you not seen that ransomware is like a thing?

[00:13:36] Brad Nigh: Right. And we were talking about this a little bit on Friday. It’s been around for 25 plus years. 30 years. Yeah,

[00:13:45] Evan Francen: The first variant I remember was 1980 it

[00:13:48] Brad Nigh: was Yes, I know. Yeah. Anyway, we’ll get, we’ll get corrected on online for that. But uh, Even if it had only been two years five years there’s no excuse at this point not to have an IR plan not to know that this is a realistic possibility

[00:14:10] Evan Francen: you living under a rock

[00:14:13] Brad Nigh: well and it was

[00:14:15] Evan Francen: Like, and then all of a sudden after the breach or because it is a breach, I mean after the ransomware attack and you vote to pay the $600,000 ish to the Attackers then they also mentioned in one of the articles that you know there Now there are $941,000 upgrade. Systems, upgrade is now a priority. It’s like why does it take something bad to happen for people wake up the damage is done. If I was a taxpayer in that town I would be pissed And I mean seriously, $600,000 gone.

[00:14:54] Brad Nigh: And then yeah, and I mentioned like that some of these systems were over, Was it over six years old or something?

[00:15:03] Evan Francen: I think I saw that in there. But even then, I mean not having a backup,

[00:15:08] Brad Nigh: not have old systems that aren’t backed up, it was patching looked like really not very good.

[00:15:13] Evan Francen: Let me if they were, I mean if they were backed up, you know, obviously the backups weren’t protected. So cares. You remember the old days when we had tape backups? Oh yeah, take a little while

[00:15:25] spk_4: they take that. Yeah.

[00:15:27] Evan Francen: Yeah. Yeah. Right. We have to. Yeah. Well exactly. And it’s not necessarily a bad backup method. Right? And then people would store, you know, we’d say, well you need to store your backups, you know, x number of miles away from the primary site, should a tornado come or you know, wipe out the city or something. The same sort of thing happens in a logical context. If your backups are not physical, right? If you’ve got logical backups, store them in a way that a disaster wouldn’t affect those backups are the same concept applies.

[00:16:05] Brad Nigh: Yeah. Like so the last again I’ll go, but air quotes real job, we had tape, everything was tape when I got there and we got it to back up to disk. Local Replicicated to a secondary data center about 90 miles away, 75 miles away and then backed up the fools to tape once a week and ship those off site. Right? So we had local for immediate restore. I uh you know, remote backup for a disaster at the primary site and then enter gap tapes would have lost a week of data. But that was our absolute like, you know, worst case if we have to restore from tape with we’re having a bad day.

[00:16:50] Evan Francen: Yeah, I mean these things are not new. I mean it’s not like we’re this is summer, you know, crazy newfangled thing that, I mean, he’s like just good stewardship, it’s just like good. Yeah. Just don’t get it, man,

[00:17:08] Brad Nigh: you know? And what, what blew my mind on this? The quote, that’s because it’s still going back and turn it into the hole. How do you not know is one of the council that the council chairwoman? Her quote is this whole thing is so new to me and so forth and it’s almost where I can’t even believe this happens, but I’m learning that it’s not as um came into this as uncommon as we think as we would think it is. Um every day I’m learning how this even operates because it sounds so far fetched to me. This is a person in charge of city basically council city council completely unaware that this is a reality. That this happens. How do you not know? That’s one of the biggest risk to your, to your data to your city at this point?

[00:17:53] Evan Francen: Well, I mean, it’s so do I blame her or do I blame the person who’s supposed to inform her? Like I’m harder on security people than I am on what I call normal people. So part of my job is to inform you of my goodness to test,

[00:18:08] Brad Nigh: right? I would say there’s like, hey, do they even have a security person

[00:18:13] Evan Francen: gonna have an I. T. Person? I mean, somebody, somebody somebody within that.

[00:18:17] Brad Nigh: You would think somebody would say something. But also, how do you, have you not heard any news story Atlanta Baltimore? Right? Like have you not are you under Iraq? Like how do you not know? Right, that these other cities are being targeted? Right? Twice.

[00:18:35] Evan Francen: Yeah. Well, and so I don’t know. I don’t blame the Councilwoman as much as I blame whoever is in charge of security there. I mean maybe everybody’s got some culpability because I hear that as an excuse a lot. I hear the excuse of, Well, I can’t get management buy in. You know? Well, it’s your job to get management buying if you can’t get management by and look in the mirror first, right? And sometimes you just have poor management, Right? Then leave? Yeah. I mean, I’m more of a black and white, simple kind of guy. I mean, if your management won’t listen,

[00:19:11] Brad Nigh: leave. Yeah, that’s it. A great point. I mean, I don’t know. There’s definitely a lot of, I’m really gonna be interested to see how the, what the details are on this because yeah, somebody should have alerted that, hey, we’re, we’re at risk here. Mm. And then as chairwoman, almost look at that as you know, a sea level of a private, you know, business is your job to understand the risk to the organization to you start seeing these news stories come out in your industry or your sector, Right? How do you not ask those questions?

[00:19:52] Evan Francen: So it’s so foreign to her. She’s like, oh, what ransom? Who?

[00:19:59] Brad Nigh: And it’s not like the Atlanta Baltimore ones haven’t been all over the news,

[00:20:05] Evan Francen: Right? I don’t know. How, how do we get the word out? I mean, how for people like this? How do we reach them? How do you, how do you get the word to them that look, you got to take this seriously if you’re in charge of something, right? Part of being in charge of something means that you’re in charge of protecting their assets? You’re in charge of protecting the information. You’re in charge of serving your constituents or whatever. This is part of that. I mean, how to, why is it such a surprise to her? I mean, that’s the No, I don’t know. It’s the

[00:20:36] Brad Nigh: challenge. I think, you know, part of it would be you need to he if you’re in charge, you need to be asking questions. Hey, I saw this or I heard about this, what are we doing about it? You know, some of the better best people I’ve worked for from a sea level perspective have asked those questions and I know I always I loved it because then, you know, they’re bought in or they’re at least they’re they’re wanting to know and but you have to be uh who knew?

[00:21:10] Evan Francen: Well, that’s what I don’t get. I mean, how Mhm. It’s just I am frustrated with the fact that this is not, this is a preventable occurrence. You know, it’s not necessarily 100% preventable to get hit ransomware, But the recovery piece is 100% preventable. I mean, you can totally restore systems if you have one the data to if you have an incident response process or plan that would be effective. And if you don’t have those things seek help. There are tons of information, security people out there that would be willing to help you for nothing. You know, there’s tons of articles online and how to protect yourself. I mean, I just had I’ve lost patience with people that keep getting hit by ransomware.

[00:22:01] Brad Nigh: I’m with you. It’s I mean, and you know, you’ve got in your article, a bunch of other examples. There’s other ones in uh, in the Palm Beach Post. They said um two years or 2018 Palm Beach County village of Palm Springs was hit, paid the undisclosed ransom and still lost two years of data.

[00:22:28] Evan Francen: So I paid the ransom

[00:22:30] Brad Nigh: and still an undisclosed amount and still lost two years of data. So it’s a

[00:22:34] Evan Francen: city that didn’t disclose the amount. Wouldn’t it be public? It’s gonna come out of some line item budget somewhere. I

[00:22:40] Brad Nigh: don’t know how that works. Yeah. Well that’s probably the insurance. Right? So they paid well just in the last premium

[00:22:49] Evan Francen: is but just the last few weeks and then I wrote about the city of Baltimore Asco. We talked about the Asco range from our attack last week. Uh I found another article about five more healthcare providers that were hit by ransom. You have any Oh, Urology in colorado. They paid the $75,000 ransom. Youve got colorado based Stds Park Health. They paid their insurance premium and the insurance company ended up paying two separate ransoms. So not one but two. How

[00:23:20] Brad Nigh: did they not know the initial encryption was there?

[00:23:23] Evan Francen: I don’t know, boston based residents software new york based Olean medical group, Seneca Nation Health System. They all appear to not want to pay or won’t pay potentially the ransom. Then you’ve got California based shingle Springs Health and Wellness Center 21513 patients. You know, so these things are like everyday occurrences happening all over the place and people, I mean, and I think even said something bold, I can’t remember, I’m going to find it in my article because I was like, man, that kind of makes sense. But I don’t know if it, it’s going to piss people off. What did I say? Well, first of all, I, you know, I don’t understand what the excuses there is none for preparing. There just isn’t, I’m sorry. Uh, that’s the truth. And so you might have all sorts of excuses that you think are legitimate excuses, but there their Bs, right? Um, yeah, so the excuses the common ones management support. You know, that’s the classic. I can’t get management to buy in. Um, it’s kind of your job right to buy in. If you can’t do it well then find some other way. You know, it’s just an obstacle that you didn’t either get over, get through. Go under relief.

[00:24:49] Brad Nigh: Well, and that’s what we’ve talked about that in the past is how do you as part of your job? That’s one of the areas and security people struggling is, is that communication to your quote unquote normal people and how do we get that? Buy in and how do you communicate and that? Yeah, that needs to be something that across the board we need to be better

[00:25:09] Evan Francen: at right. We’ll send them to my blog post. Maybe maybe if they read that, maybe they won’t read, maybe you can wait for the movie. Maybe you can wait to be part of the news yourself. Yeah, I mean, I don’t know.

[00:25:21] Brad Nigh: Well, yeah. Yeah. It’s frustrating. Like we have another one and an active one. And uh, they use their initial group of ours and you still have active Attackers in your systems. We need keep working time out. Hold on. I need a summary report. I need to go through and decide if insurance is gonna pay or not. If they don’t pay. Am I going to pay? You have

[00:25:50] Evan Francen: an attacker

[00:25:50] Brad Nigh: actively in there? We’ve got software alerting us that they’re doing stuff. It’s blocking it for now, but it is a trial. It’s going to expire in two weeks. They haven’t done anything. No, it’s infuriating.

[00:26:07] Evan Francen: Yeah. So whatever excuses, priorities were all busy. Yeah. Right. Yeah.

[00:26:15] Brad Nigh: But I tell you, you’re gonna get a whole lot busier if this happens.

[00:26:19] Evan Francen: Oh my God, you’re not kidding. Well in priorities. I mean, where would this fit in your prior to us. So if you’ve got 1000 different things on your list of to do as a security person or ask whatever somebody’s in charge of it even, um, where would this fit? You know, meaning plan for a ransomware attack. Try to prevent it, but then plan for the eventual occurrence. Where would you fit this on your party list?

[00:26:46] Brad Nigh: It be top five, top three depending on where pretty high up where things are

[00:26:52] Evan Francen: at and some people would already just like, I mean if you’ve been around long enough, if you’ve been insecurity been in I. T long enough you’d already be like yeah. Uh I mean of course I’ve got backups and of course those backups are protected.

[00:27:08] Brad Nigh: You have to check. That’s like, yeah, I’m with you.

[00:27:13] Evan Francen: So then uh yeah, how

[00:27:16] Brad Nigh: about you? Where would your priority, where would you put it?

[00:27:19] Evan Francen: Mm It’s hard to say number one because you know, every company has got something weird. But yeah, I’d be top five for sure.

[00:27:28] Brad Nigh: It kind of depends on, I mean, hey, our firewalls any any well

[00:27:32] Evan Francen: crap. One of the things I’m going to do, you know, actually today let’s go talk to Jeff um, here and have him do our ransom were writing this assessment, the one that I cited in the article.

[00:27:45] Brad Nigh: Um, it’ll be good for, I’ll be interested to see how is what his take is on. Yeah,

[00:27:50] Evan Francen: Yeah. Because in 2017 I put together that the ransom are reading this assessment and nothing’s really changed. This isn’t like this isn’t rocket science. This is nothing innovative here. It’s ransomware. Right. And so and you know what’s innovative is maybe adding a worm component or you know, yeah, a different encryption algorithm, a different hacking group, whatever. I mean it’s

[00:28:15] Brad Nigh: crazy how many of these? It doesn’t. It all comes back to the people to write something clicked on an email

[00:28:23] Evan Francen: or sometimes, I mean I’ve seen I saw one attack where it was an RdP server. It

[00:28:28] Brad Nigh: does configured but yeah, more often than not it feels like it’s and again then that’s a failure, how did that email get through and all that? But

[00:28:38] Evan Francen: anyway, well that one, it was a bus company, it was a pretty good size bus company and they were hit once and then restored from backup and they were hit again and then they called and they’re like, yeah we can’t figure this out what’s going on. Yeah, I’m like, well there’s obviously there either is still there or they keep getting in there, it turns out they had already p open on their exchange server and that’s

[00:29:06] Brad Nigh: no that’s not ideal.

[00:29:09] Evan Francen: No, makes it easy to admin when Attackers aren’t admitting with you. Yeah. Uh Yeah. So anyway, the thing that really ticks me off about paying ransoms, um I’m a competitive guy and I know you are, I hate losing. Oh yeah, I mean giving $600,000

[00:29:32] Brad Nigh: giving to $600 pisses me off to that,

[00:29:36] Evan Francen: you know, some jack wagon, I mean, Right, so, you know, one, we were to talk a little bit about it, You fund future attacks. Right. Right. So the money that what’s the Riviera Beach just gave to the Attackers some portion of that money is going to be diverted to attacking somebody else. Right.

[00:30:00] Brad Nigh: And where does that money come out of from Riviera Beach who suffers education, the police, Somebody’s gonna

[00:30:07] Evan Francen: someone’s going to be on either end of that. And the fact that, well, you have insurance,

[00:30:13] Brad Nigh: but it doesn’t pay all of it

[00:30:14] Evan Francen: well. And even then insurance companies are in business to lose money.

[00:30:17] Brad Nigh: Right? And guess what? Their premiums are gonna, it’s gonna happen to them,

[00:30:22] Evan Francen: Right? Everybody, if they didn’t get

[00:30:25] Brad Nigh: get it at

[00:30:25] Evan Francen: this point. So it’s just, you know, that’s selfish. Uh, definitely not a good steward of information. The Attackers win, which ticks me off. That’s money too. I mean, if you’re the city of if I if I’m a resident of that city, actually, I’m gonna go to my city. I’m gonna go talk to City Hall. I think we should all do that. What city do you live in your living chan victoria, victoria. I live in a Laconia. I’m going to go to the Laconia City Hall. And I’m going to say, uh yeah, I read this thing about Riviera Beach. Can you tell me how you’re protected from this as a resident? I should be able to

[00:31:04] Brad Nigh: get that. Absolutely have that right to have that answer. I feel like you should,

[00:31:08] Evan Francen: will you make a pact with me and you do it do it. You go to your city. I’m gonna go to my city. And then next week we’re gonna actually, next week will report on what we were told.

[00:31:17] Brad Nigh: Okay, if we hear anything back,

[00:31:20] Evan Francen: what the hell? I’m not leaving until I do.

[00:31:23] spk_4: Well it’s my

[00:31:24] Brad Nigh: city. I paid for the holiday coming up. That’s that’s the only thing.

[00:31:27] Evan Francen: But they don’t know this week. That’s true. This week. I mean like I’m talking like tomorrow

[00:31:33] Brad Nigh: I want to reach at home today and see what happens.

[00:31:36] Evan Francen: Drive in and I’m gonna be there in person. I’m going to go there in person have to look at my account. But I really do want to know because as a as a resident we needed to start demanding answers of people and even companies that we share information with. We need to start demanding answers. Yeah. Because If you’re not protecting my information, if you’re not protecting the city and you’re expecting to raise my taxes to pay for a $600,000 ransomware payment because you suck at your job.

[00:32:06] Brad Nigh: And then 900,000 for systems where you know. Well

[00:32:11] Evan Francen: yeah, that I would expect, I mean that’s maintenance. That was it.

[00:32:14] Brad Nigh: I would have expected to have already already

[00:32:16] Evan Francen: paid that Because you can justify that with me. What you can’t justify is paying $600,000 to somebody because you suck at your job. Yeah. I’m with you. I mean you just, you know, Carver County, that’s where we live to. Yeah, you have to climb on one system. I’m gonna go ahead and come to

[00:32:34] Brad Nigh: you because I don’t think my city council doesn’t, we don’t have uh, it’s all counter Carver County.

[00:32:41] Evan Francen: Mm I just added something to my task list. I am checking that out. Everybody should listeners. I’ll ask your city

[00:32:49] Brad Nigh: county, what are you guys doing for this to prevent the next Atlanta Baltimore Revere

[00:32:53] Evan Francen: Beach? Yeah. And if you need help um, there’s lots of places you can get help, point them to my blog post, there’s a free ransom. All readiness assessment they can take

[00:33:04] Brad Nigh: these chief done. It’s more defensible than heading this. And

[00:33:09] Evan Francen: oh my God, Yeah, if my city comes out like Riviera Beach, I don’t know. I mean you really have no recourse. I guess I just have to

[00:33:18] Brad Nigh: you have to run for city council and change things.

[00:33:21] Evan Francen: Nobody would ever vote for me man. I tell the truth. You never know. The only politician I know who tells the truth is the honourable Jim, nash, most of time. No. Yeah, that’s true. Nobody tells the truth all the time. But anyway, stop sucking, Stop paying ransoms, prepare and then you don’t have to pay the ransom. Yeah, because you’re taking a chance on that too. I mean, I know that the ransomware I think the last I saw was about 93, ish percent of the time. The key you get back from the attacker does actually unlock the ransomware. But what happens if I pay the ransom and then they don’t give me the key. Their criminal what recourse do I have? Yeah, you

[00:34:09] Brad Nigh: don’t have none.

[00:34:12] Evan Francen: Exactly. Or what happens if you know if I pay once, Don’t you think the the Attackers know that why they paid once? Why wouldn’t they pay again? Let’s just hit him again. Right.

[00:34:25] Brad Nigh: No. Yeah.

[00:34:29] Evan Francen: So just stop it. It’s so preventable in it. So frustrating. We got so many other things to work on. Just get back ups air gap them start there, you know

[00:34:44] Brad Nigh: just Yeah. Yeah. What was interesting to me on this is so the FBI was asked about it because they said they were investigating

[00:34:55] Evan Francen: The Riviera Beach one. Yeah. Why? I wonder why they’re investigating government. It was an attack on the government? S maybe

[00:35:04] Brad Nigh: But the their comment was last year 1,493 ransomware attacks were reported With victims paying 3.6 million. So $2400 per attack. But that’s also including individuals. And how many of these go completely unreported? The I guess 97

[00:35:26] Evan Francen: huge percent. Don’t you ever get reported.

[00:35:28] Brad Nigh: Right? So, I mean, even if you said all right, 60% 50% 3000 attacks last year.

[00:35:38] Evan Francen: Yeah, that’s way low. I would just like to look at our little corner of the world. Right? I mean, we get This year the boost one a week

[00:35:48] Brad Nigh: ransom. Where this year I would say cash. Okay. Trying to think Probably six or 7. Mm Okay. And that’s well and no you know what it’s probably low because we’ll get in and catch it and find the indicators before they actually launched the encryption It’s probably closer to God. Yeah 10 or 15. And that’s just I mean we’re

[00:36:21] Evan Francen: yeah or small

[00:36:23] Brad Nigh: from that side you know relatively speaking I can’t imagine what you know the Ciscos and at and t and wasn’t Mandiant and all them their pricing a lot more.

[00:36:34] Evan Francen: Well they’re they’re they’re saying bigger scale ones because they’re expensive as help True. Yeah I mean they’re not cheap. No that’s another thing too. I mean if you haven’t planned well get out your checkbook man. I mean it’s you either gonna pay if you haven’t planned. Well you’re either gonna pay security consultants in quotes tons of money and or pay ransom where you pay the ransom right? Or yeah pay your insurance deductible and then insurance company can pay uh Which just takes me into I don’t think they should even be covered to tell you the truth.

[00:37:16] Brad Nigh: Well and that’s you know that’s the question is alright. It’s kind of surprising. They did cover it. I wonder how long this happens before insurance companies really start knuckling down and say nope. You were negligent. No we’re not covering it.

[00:37:32] Evan Francen: Well I mean if you think about it doesn’t seem sort of negligent that you wouldn’t back up your data and protect your data adequately

[00:37:39] Brad Nigh: I’m not arguing. I’m just wondering how long before the insurance companies catch up with that.

[00:37:46] Evan Francen: Well, I know they don’t like paying, they don’t like paying no claims just in general because again they’re in business to make money not to, not to Yeah, you know, actually cover stuff

[00:38:00] Brad Nigh: and one more time I just keep, there’s so many, there’s so much about this was interesting on uh so when on me 30th The day after the infection, The ransomware was 540,765 At Bitcoin’s closing price. And then when they paid it June 20 it was 619,000. They ended up paying 80,000 more because they waited those three weeks. Mhm. That’s anyway.

[00:38:35] Evan Francen: Did you see my advice? If you didn’t plan? Uh you should slap yourself

[00:38:40] Brad Nigh: hard? I didn’t miss

[00:38:42] Evan Francen: that. You should slap yourself hard, update your resume and maybe find another line of work people suffered and or will suffer because of your poor choices. Yeah. See I’m sure I’m gonna piss somebody off at that.

[00:38:55] Brad Nigh: You know what though? I was thinking about this and I I almost posted in my reply to your, when you posted the show notes, it’s like there’s a higher than uh you know, there’s a good chance we’re going to piss off a lot of people in this podcast and Oh yeah. Mhm. I think so. There’s a lot of people that are going to agree with it as well. Maybe they should be pissed off. But to some extent, I think at some point you got to say enough is enough and and start calling people out, right? It’s not we’re not at a spot where you can say, I don’t know how you can justify not knowing that this is a legitimate risk to your organization. Right?

[00:39:45] Evan Francen: All right. Well, and sometimes fears of motivators, Sometimes anger as a motivator, just get motivated. Just just do something right at the, at the end of my article, it’s the moral of the story is one prepare and plan to do not pay ransoms and three. We’re all in this

[00:40:00] Brad Nigh: together.

[00:40:01] Evan Francen: Yeah, I’ll help. I mean, I don’t work like a lawyer. If you call me, I’m not going to send you a bill. You

[00:40:06] Brad Nigh: know, if you call this, we’ll do that initial triage to let you know what’s going on.

[00:40:11] Evan Francen: Lots assuming you already been hit. Oh yeah. I mean, we’ll give you all free articles, free advice tools. Did you

[00:40:19] Brad Nigh: planning? We’ve got all kinds of on the rest of our readiness. The um, I are categorization tool. Those are both free downloads off of fr secure dot com.

[00:40:34] Evan Francen: Yeah, I have those two things to even make you register for that. I think

[00:40:39] Brad Nigh: you just need a name and email address. So

[00:40:43] Evan Francen: here’s a, here’s an insider tip. If you go to my blog, you don’t have to do that. You can just grab it. You don’t have to give any information. Just I just want you to get your stuff together man. Just do something right? I mean I’m not looking to make any money because we make plenty on the people who don’t plan. So just plan ahead. Yeah

[00:41:06] Brad Nigh: and I’ll tell you this it is a whole lot cheaper to do the planning and work ahead of time then to recover afterwards. I mean when you look at at Ir recovery 500 to $1000 an hour. It’s not uncommon right? It’s just it is what it is. That’s the industry that’s out there. Mhm. So yeah doing that work ahead of time. Doing the it’s not fun. It’s not

[00:41:36] Evan Francen: easy. This is where I had it. Yeah so to my two second reason for not paying the ransom was it shows that you’re not a good steward somebody and trusted you with information and they deserve better. The information in most cases isn’t yours belongs to someone else. If you can’t take good care of it you shouldn’t have it. If you need it to run your business then maybe you shouldn’t be in business. I mean that’s just the facts man. You can’t take care of stuff

[00:42:04] Brad Nigh: and if there’s a tv wheeling by the the studio here we were.

[00:42:12] Evan Francen: No they can’t see it though.

[00:42:14] Brad Nigh: That’s why we suddenly both stopped and looked not think it’s yet. But yeah I don’t know.

[00:42:23] Evan Francen: Alright I’m done ranting now. My blood pressure is high, I gotta take my medication. And

[00:42:29] Brad Nigh: so based on that I didn’t do a whole lot of extra natives there, there’s so much out there um that we could just go on and on and on. Well just security news, just the latest firefox had a zero day so make sure you update firefox uh if it doesn’t you know, you know make sure that it’s updating itself.

[00:42:51] Evan Francen: Uh patch everything. That’s another one of those like good general housekeeping things.

[00:42:58] Brad Nigh: So I found an interesting article, data breaches by state. So it was comparatively dot com uh data breaches by state and it was a number of reported breaches by state which pull it up here. Uh this was published on June 20 Um and it was interesting that it was so it was from 2008 through 2019 in California had like by far the most um it was interesting to see, you know, you know, I want to kind of go in and understand why but I think maybe part of it is like I said uh there’s such a huge amount of tech companies based out of California so when you have uh

[00:43:51] Evan Francen: have really strict breach notification

[00:43:54] Brad Nigh: well and that’s part of it as well right? So I think between the two things, that’s why. But yeah they had almost 1500 for 1493 breaches, new york was second at 729 texas is 6 61. And then Oregon at 100 and 52. Oh it’s based but um yeah it was interesting. So California had Almost 1500 breaches with 5.6 billion records exposed. But then Oregon had a 152 and 1.37 billion records. So there’s not a direct correlation between the two. But uh it was interesting I like digging into the to those numbers. It was pretty pretty cool to see that.

[00:44:36] Evan Francen: So the title is which states have the most data breaches. Data breaches by US? State on compare compare A tech. Yeah. C. O. M. P. A. R. I. T. E. C. H. Come. Yeah it’s interesting.

[00:44:52] Brad Nigh: Yeah it’s definitely I would there’s there’s probably a lot more behind it.

[00:44:56] Evan Francen: Yeah. Where did that, what’s their source did they say

[00:44:59] Brad Nigh: it was? Um Because I saw yeah I thought I thought in

[00:45:07] Evan Francen: there so I thought let’s assume they have one. Yeah there’s a spreadsheet they made their data available in the spreadsheet. That’s nice.

[00:45:16] Brad Nigh: So uh they’ve got their methodology in

[00:45:18] Evan Francen: there. That’s cool. Good stuff.

[00:45:21] Brad Nigh: And they’ve got all their sources but basically privacy rights, clearinghouse and identity theft. Resource center collate information for data breaches across the US and use those as their primary sources. Double checking and removing duplicates. Cool so all right. That’s pretty cool creatures. There’s a lot of really good resources in there as well. So it was there’s that’ll be a fun one, I’m sure people, we’ll play around with those numbers and dig into that. Um the other one I had was uh, the lab corps quest breaches the collections firms that was behind both of those uh, filed for bankruptcy. So there’s some interesting comments on there and

[00:46:12] Evan Francen: they try to protect themselves

[00:46:14] Brad Nigh: from, well, that’s the, that’s kind of the um, the thought Krebs puts in there, they’re already facing three class action lawsuits from plaintiffs in new york and California and, you know, to me, uh, and that’s kind of crappy if they can go bankruptcy and

[00:46:37] Evan Francen: it happens in construction all the time. Yeah, yeah. Construction companies will shut down bill. They’ll create, open up another one the same day.

[00:46:45] Brad Nigh: Yeah, they create a subsidiary or new company to build a development and then when it’s done, they shut it down. Anything’s wrong too bad, they’re gone,

[00:46:53] Evan Francen: it’s a loophole for sure.

[00:46:56] Brad Nigh: And I think, you know, to me that some of that could be, well, if you maybe you start going after the, you know, sea levels of those people of those. Right.

[00:47:06] Evan Francen: Well, we have, we have such a litigious society in general. I mean, it’s crazy. Just thought the lawyers, I mean, they’re like, I mean, not all of them, but some of them seem like they’re just bloodsuckers, you know, because in the class action lawsuits assume if one of them wins, who makes all the money, the people getting up and it’s just another form of ambulance chasing

[00:47:32] Brad Nigh: but there’s got to be something like until there’s some actual

[00:47:37] Evan Francen: if you want to hold him accountable.

[00:47:39] Brad Nigh: Excuse me, accountability. Yeah there’s nothing, there’s nothing to stop them from closing shopping. Opening it again is another under another name.

[00:47:48] Evan Francen: So the name of the company is american. What retrieval masters credit bureau american medical collection agency. That’s the company that yeah

[00:47:59] Brad Nigh: bankruptcy. AMC A. Yeah

[00:48:02] Evan Francen: AMC A. It was the Labcorp yeah diagnostics breach

[00:48:08] Brad Nigh: Quest was 11.9 million records and live score was 7.7 million. And both of them stopped sending business after the breach disclosure as did their other two biggest customers. So

[00:48:24] Evan Francen: interesting story. So on Krebs site he’s also got a link to the bankruptcy filing. I wonder if what would happen. I don’t know how bankruptcy works. Uh But can the judge like two did not filing?

[00:48:42] Brad Nigh: I think they can mm That’d be cool. You know just because your file doesn’t mean you automatically you’re like clear and free.

[00:48:49] Evan Francen: Yeah like here’s our strategy we’re going to declare bankruptcy and the judge like no sorry that that happened. You know it’s interesting

[00:48:59] Brad Nigh: in the Krebs article they said The expenses were more than 3.8 million Spent mailing more than the seven million individual notices and then that the Ceo personally left the company 2.5 million for this.

[00:49:13] Evan Francen: The ceo

[00:49:13] Brad Nigh: personally to me I don’t have any sympathy. Alright. Yeah. It’s expensive when you screw up

[00:49:22] Evan Francen: Ceo Russell H. Fucks if you C. H. S. Personally lent the company $2.5 million to help pay for those mailings

[00:49:33] Brad Nigh: It and consultants had been had spent $400,000. They’ve spent 400,000

[00:49:39] Evan Francen: dollars just f y I if we have a breach here I don’t have $2.5 million to give you guys to get this company. We’re

[00:49:45] Brad Nigh: just declaring bankruptcy and starting up. There’s something else. I

[00:49:48] Evan Francen: know I probably I probably face the music. I don’t know. I have to sleep well at night knowing I was kidding. I do sleep well we started that podcast off with that. Yeah I do sleep all I sleep up because I think you know just kind of a piece with and if you stuff you did you know if you

[00:50:05] Brad Nigh: yeah do the right thing and it’s easy but

[00:50:09] Evan Francen: interesting. All right.

[00:50:11] Brad Nigh: Yeah. I don’t know. I again I don’t really have a whole lot of sympathy when they’re not doing basic stuff.

[00:50:23] Evan Francen: Yeah. I don’t even know how the beach took place. It’s not one that I really looked into deeply. So I don’t know originally took place. I

[00:50:31] Brad Nigh: forgot I’d looked into it. Like just

[00:50:33] Evan Francen: so I do know that no matter what you do. Right? I mean that’s the facts is no matter what you do you can’t prevent all bad things from happening. So breach will occur Just you sort of have to except that right. It’s how you react to it. It’s when you detected it, how you reacted to it, how you responded. All those things kind of taken into context I think is going to make me mad or not mad.

[00:50:56] Brad Nigh: Yeah. So the that breach was uh our to go just they learned of the breach after receiving notices saying a high number of credit cards tied to its web portal were connected to fraudulent charges and that they that was so they had probably some Something unsecured on their website and they were taking payments and I don’t know. And then they had done to that they had slashed staff from 113 to 25 at the end of 2018.

[00:51:31] Evan Francen: So, so don’t have a breach.

[00:51:33] Brad Nigh: Yeah. No, it’s

[00:51:35] Evan Francen: really expensive or if you do just have a good plan in place. Yeah. I mean Yeah, because if I had a good plan in place and I am being sued, I mean I’m still gonna have the legal expenses, you always have, his lawyers gotta get paid obviously. Um But at least I wouldn’t be found negligent because I’ve got a defensible position and I think,

[00:51:57] Brad Nigh: yeah, you’re probably going to have less legal expenses if you have hey, here’s everything we’ve done here is everything and you provide all of that rather than having to dig through things and try and figure it out.

[00:52:09] Evan Francen: I don’t know. Alright. Any good showman?

[00:52:15] Brad Nigh: Yeah this is fun. All right. So with that we will wrap it up. Um thank you again to all of our listeners. Don’t forget to reach out to us and email us either uh insecurity at proton mail dot com or you can Evan or myself on twitter. I’m at at @BradNigh and Evan is @EvanFrancen. Thank you Evan. And yeah, thank you, man. Everyone have a great week.