Unsecurity Podcast

A refresher on the recent ransomware attacks on government and also talk about the transfer of wealth that happens when attackers steal from our businesses and organizations. Some reports suggest that the global cost of breaches by 2021 will cause the greatest transfer of wealth in world history. Are these reports true, or are they just more scare tactics?

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:21] Evan Francen: Good morning. Hi everyone. This is Evan francine. Your host for episode 35 of the un security podcast. Welcome back from last week’s fourth of july holiday. My security bestie. I just called you my bestie, awesome. Yeah. So brad and I is here. How you doing brad? Good. I was a week.

[00:00:42] Brad Nigh: It was lighter than normal.

[00:00:45] Evan Francen: Later than normal. You got to get out a little bit. Yeah,

[00:00:48] Brad Nigh: I was off. I wasn’t in the office, but still put in about 30 hours. Damn you done? Hopefully I’m just writing the

[00:00:57] Evan Francen: report. Is it legal? Who’s driving this now?

[00:01:00] Brad Nigh: Yeah.

[00:01:02] Evan Francen: Ok. Yeah. So this which is I mean,

[00:01:04] Brad Nigh: it makes sense. It’s

[00:01:05] Evan Francen: fine. So, this is the same incident response now. That’s been what? 34 weeks? Three

[00:01:11] Brad Nigh: weeks. Yeah. Yeah. Okay. But 70 hours in. Damn.

[00:01:16] Evan Francen: You know any jokes?

[00:01:18] Brad Nigh: Not this early. Some sort of thing I

[00:01:23] Evan Francen: posted on twitter. You want to hear it? Okay? Uh, Dyslexic. Here’s a joke. Dyslexic man walks into a bra. Yeah, Good enough. That was good. Yeah. All right. So, uh yeah, I went on a big bike ride my motorcycle. Put on 2000 miles last week. Yeah. My knees, my back, my head, uh, my butt. So

[00:01:54] Brad Nigh: you’re you’re not really conditioned. You just got the bike.

[00:01:56] Evan Francen: you know, it’s a long, long ass ride. All right. So over the past couple weeks, uh, you and I, we’ve been talking about this ransomware thing, uh, primarily how it’s been affecting municipalities, been affecting, you know, local governments and, uh, but spawned this was, you know, I guess it would have been Atlanta, the Atlanta ransomware attack, the Baltimore ransomware attack. And I think Baltimore is still recovering. I don’t think Atlanta is even fully recovered yet. And then, uh, you know, there are a couple of cities in, in florida, uh, both of them paid ransom and there’s another one hit, florida. I don’t think they’ve paid the ransom. And then last week there was the Georgia court system was hit. You’re ridiculous. Yeah. So, you know, it’s obvious that our cities are under siege from, you know, ransomware attacks. So me and you being who we are, we don’t want to just sit and be victims. I don’t like playing the victim. So we decided to create, you know, ask people to, uh, do something about it, ask people to reach out to their local government officials and ask them how well they’re prepared for ransom where I sent, uh, and I still haven’t gotten a response back. So I might have to just walk into

[00:03:18] Brad Nigh: signal. I actually met with our mayor or my mayor yesterday for a good half

[00:03:22] Evan Francen: hour. Yeah. You called me yesterday to tell me about that was really good. What can you share about what your mayor, I think

[00:03:29] Brad Nigh: he had the right idea of I don’t, you know, we don’t know what we don’t know and that kind of keeps him up at night and that he’s taking action. Things are kind of moving forward being government. It’s at government speed. But I think he’s very realistic about, you know, what the situation is, what their defenses are, what they may have, where they may have some risk and taking correct or proper steps.

[00:04:02] Evan Francen: And he made the dress and he had some ideas that you guys discussed, which I thought was really cool even to assemble a dedicated information security committee to talk about helping us and

[00:04:14] Brad Nigh: yeah, yeah, I really liked it was a very, very positive, constructive conversation. So hopefully we’ll be able to talk more here in the next few weeks over about more detail but

[00:04:28] Evan Francen: and this isn’t a huge city and I mean this is a small city so for them to make the kind of commitment where they’re going to assemble some sort of a committee to talk about information security and talk about risks and talk about ransomware. That’s that’s a significant it’s really investment of time for them. Yeah. And it shows commitment. So good. I mean, that’s that shows that your call to action. You reaching out to the mayor is starting something. It may have already, you may have already been something that was going to get started. But you you accelerate, I think

[00:05:02] Brad Nigh: at least it was something that was, he mentioned when he saw the Baltimore and then the ones in florida that this started it. And then I reached out and I was like, yeah, okay, this is the right thing to do. So it kind of fueled that or encouraged

[00:05:18] Evan Francen: it, It’s really cool. So, uh, and I wrote a series, I think three blog posts and so what we’ve asked people to do is to reach out to their local cities, counties, court systems, I mean, whoever and ask them, inquire of them, how well they’re protecting ransomware and if you don’t know the right words or you don’t feel comfortable putting together a letter, uh, you can use our template, so I created a template posted on my, on my, uh, on the blog post and I, you know, I don’t know how to get more people involved. Uh, but it’s, it’s almost like you can’t have too many people, so everybody should reach out to their cities and

[00:06:05] Brad Nigh: I almost feel like once you start getting a little bit of momentum and somebody sees it, actually, there is a positive, there is some sort of traction there, you start to build on that, even if it’s not within that same locality. Right? Hopefully.

[00:06:19] Evan Francen: Yeah, exactly, hopefully, and I wonder, you know, if people just, maybe we’re just used to have been conditioned, you know, just the public in, uh, just burying our heads in the sand, just thinking that this is somebody else’s problems. Somebody else will take care of it. I’m powerless. I’m not gonna do anything and go about my day

[00:06:39] Brad Nigh: maybe I think. But it’s also that what is it, the bell curve of the early adopters and you know, I think we were kind of, it’s the same thing.

[00:06:47] Evan Francen: Their theories of diffusion, diffusion of innovation.

[00:06:50] Brad Nigh: Yeah, I guess the same same thing, right? Nobody wants very few people want to be on the bleeding edge taking that first step. But when she starts seeing some traction, that’s when it starts to

[00:07:04] Evan Francen: to go. Yeah, yeah, I agree. So it’s been cool because we’ve gotten some, so people have been emailing there local governments and they have been sending us responses from their local governments, which I thought was just awesome. Keep up the good work for people who haven’t emailed, you know, do it get on it if you want to know more direction, go to Evan francine dot com. Uh, it’s E V A N F R A N C E N dot com and go to my blog and you’ll see where you can, you know, sort of get involved. Some of the responses we got to our insecurity at proton mail dot com email address. Uh, here’s one from a rural area. We are we are familiar with these attacks on cities and we utilize network security professionals to protect our systems. We also utilize a firm to audit us and test for gaps or issues proactively as well as routinely backing up and restoring. Sorry. And storing our data offsite to protect against ransomware demands and other risks like that’s a rural city. Yeah, that’s good. Yeah, that’s a pretty good response. Uh, and then the resident followed up to gain a little more insight and offer some help, which I thought was really cool. Medium sized US county this one uh, you know, just sort of paraphrasing a little bit. The county does not have a defined policy regarding what they would do if faced with this decision. In fact, none of the metro counties have one last time I checked. But in my conversations with administration, I do not believe paying a ransom would be an option they would choose. I

[00:08:43] Brad Nigh: think if you didn’t

[00:08:44] Evan Francen: ask you would, I mean how long, how long is that acceptable?

[00:08:48] Brad Nigh: No, no. You know that they clearly had have thought of this right. They knew they had an answer and the answer was, I don’t know. I think this might happen but they didn’t ask.

[00:08:59] Evan Francen: So I think that’s okay. So that’s not acceptable.

[00:09:02] Brad Nigh: But I think that’s probably the more common.

[00:09:05] Evan Francen: I I agree. And and and and and if you are a county or a city official and this is your response don’t be embarrassed by it, Address it. Right. Right. I mean admit it and address it. This isn’t rocket science. Right? And it’s not hard to create a policy that will mandate what you do create an incident response plan. Uh Back up your data store it offsite. Start off line. Right. I mean so it’s good that they admitted the sad and I guess the troubling part here is none of the metro counties.

[00:09:43] Brad Nigh: Right. Right.

[00:09:44] Evan Francen: Boy. We got work to do but do it. You know I mean what’s your alternative? I don’t think there’s another way to go here pay the ransom. Which yeah. And hope

[00:09:57] Brad Nigh: for the best,

[00:09:58] Evan Francen: yep. Cross your fingers. Bear your head. Uh So we do have a bunch of and I did post these uh these um some of these responses on the blog uh and I did protect the names of the guilty or innocent whatever you call. So that’s that and I’m not gonna beat that up. Like you know, last year I was pretty ticked off and I think you might have been two bread a little bit uh because we really need to do something, We’re in this together. It’s my money. It’s your money, it’s my time. It’s your time, my city, it’s your city,

[00:10:35] Brad Nigh: right? That ransom goes that money comes out of something that was supposed to go towards the community, right? Yeah.

[00:10:43] Evan Francen: So if you have if you have taken up that call to action and have emailed uh let us know about it. We love to kind of cheered on. It does encourage us to but you know, we’re at least somebody’s listening and that somebody’s doing something about it. So awesome. Alright. Anything else for you to add on that? I don’t think so. Okay. What county do? Well, we live in the same county. Don’t. Do you want me to take the county or do you want me to do you want to county?

[00:11:11] Brad Nigh: I can take it. I think there’s already take the county well, and there’s been some conversation with the mayor around the county as well.

[00:11:17] Evan Francen: So hardy. That’s, that’s uh take it on three different angles. We’ll hit him.

[00:11:24] Brad Nigh: It’ll be good. Yeah, yeah. His Yeah, we’ll go into that. Never mind. All right.

[00:11:31] Evan Francen: So this weekend I was so I took the week off. You did too. I mean at least physically not here. Right? I would get up at, I got a book to write, you know, so I’ve been writing this, I got to get back on it. So I’m trying to have set a goal that I’m gonna write at least 3000 words a day towards the book. And so if the book, because you know what happened is I uh and for people who don’t know this is a book, it’s called the marketing people change it. It’s called the information security for normal people. It’s normal people. You mean normal, right? So, uh had written 35,000 words in the last draft and then ditched it. Just, which always sucks when you come to that realization like you’re down a path that you just won’t be able to get out of

[00:12:18] Brad Nigh: it. So I feel like once you at least there’s gonna be some stuff you can use from the thought process, right? So you’re not very starting from scratch, but yeah, yeah, it’s not fun.

[00:12:28] Evan Francen: No, So we’ll get back on that. Uh, and so I won’t be in the office nearly as much until that thing gets completed because you and I have a book to write as well. Yeah, and I’m excited about that one. So I better get my, come on. I know, right. It’s okay. Uh, so anyway, I was, so I got up this morning, I got up every morning while I was while we were traveling at like 6 30 I went downstairs, I would just write a little bit, get caught up in email. Uh and one of the things I was reading and I’ve read it before was some of the research from uh, cybersecurity ventures. They did their, they do their annual uh cybercrime report or whatever. I hate the word cyber crime unless you’re actually talking about cyber crime. Uh, but I was revisiting some of the research in our industry and uh, what you do a lot of that for the book anyway. And two things that I really wanted us to talk about just openly is one is this transfer of wealth. Uh, and that’s the money the Attackers are stealing from us. The second is the money grab, which is the money that we steal from each other or maybe spend would be a more politically correct word. Um And being that I didn’t want to kind of talk about both in the same uh podcast, I figured we could talk about the first one today. We can talk about the money Attackers are stealing from us and then maybe next show we can talk about the money grab. And I don’t know which one of them pisses me off more because they both do because but they both involve taking advantage of other people. Right?

[00:14:05] Brad Nigh: Yeah. Oh my

[00:14:06] Evan Francen: gosh. So hopefully I won’t get, you know, blood pressure. I took my whole crap. I didn’t I didn’t take my blood pressure medication. I know it’s in my pocket. I get up in the morning and I there see look at that. That’s that’s less certain. When you when you live a high stress life and don’t live healthy, you don’t have to take these things. Yeah. All right. So in high blood pressure. Uh So cybersecurity ventures, venture cybersecurity adventures. This is that robert her your how do you say this last name? H. E. G.

[00:14:41] Brad Nigh: E. T. R hurry up, hurry you

[00:14:43] Evan Francen: back. Yeah, he’s one of the shark guys. Um Have you ever seen that show shark?

[00:14:51] Brad Nigh: What? Shark

[00:14:52] Evan Francen: tank? Yeah, I don’t watch it either, but I do know he’s on there. Alright, so cyber security event cybersecurity ventures. According to them the study predictions. Uh cyber cyber criminal activity is one of the biggest challenges that humanity will face in the next two decades. Think about that for a second the most the biggest challenge is one of the biggest challenges that humanity will face over the next two decades.

[00:15:24] Brad Nigh: I mean it makes sense when you think about it. I mean everything is getting,

[00:15:30] Evan Francen: does that fall on deaf ears? Do you think with normal people are with anybody? I mean have we have we overplayed the fear card

[00:15:38] Brad Nigh: because people start to get numb to it? Right? Right tune it out because it’s been fud for so long.

[00:15:46] Evan Francen: So I think we’ve kind of shut ourselves. Yeah because you hear about uh uh like climate change that gets headlines all the time. That’s also one of the biggest I would assume that’s one of the biggest challenges humanity will face over the next two decades. You hear about that one all the time. But you don’t hear much about cybercrime being. It doesn’t know headlines. No.

[00:16:13] Brad Nigh: Yeah because

[00:16:14] Evan Francen: CNN’s not covering it, are

[00:16:15] Brad Nigh: they only when there’s like a big city that has that pays a big you know news grabbing number and then it’s just that they paid $600,000 in ransom. And then that’s the end of it.

[00:16:29] Evan Francen: Yeah. And then the guy then that I. T. Director lose his job to. Yeah. Yeah I’m sure it was his fault.

[00:16:34] Brad Nigh: I’m sure right? And

[00:16:35] Evan Francen: also personally it was

[00:16:36] Brad Nigh: but you know during during a major crisis what you should do is fire the one person who probably knows more about your network than anyone else. Right?

[00:16:44] Evan Francen: Yeah. But and it’s such a scapegoat play anyway. All right so cybercriminals. So there’s this thing called cyber criminal activity. It’s supposed to be the biggest challenge humanity will face over the next two decades. Our message isn’t resonating. I don’t think like if I were to ask anybody on the street, hey give me one of the what do you give me your top 10 or top five biggest challenges that humanity will face in the next two decades. They’ll say things like climate change uh something about geopolitical something something war with Iran but none. Yeah. I don’t think cybercrime will be one of those ones that most people would you know we should do that. I don’t have time. Just go out on the street and do one of those jimmy Fallon things

[00:17:36] Brad Nigh: will make uh make marketing, you do it. They’re not busy. No

[00:17:40] Evan Francen: they don’t. Exactly. Exactly. It’s all right. So here’s some other quotes. Some of the claims cybercrime is the greatest threat to every company in the world. The greatest threat to every company in the world. And one of the biggest problems with mankind. The impact on society is reflected in the numbers. So cybercrime is the greatest threat to every company in the world.

[00:18:08] Brad Nigh: I like it. It’s the one thing that can shut you down faster than anything

[00:18:13] Evan Francen: else. That’s true. Is it treated this way boards well, no, you know, it’s not. It should be. Uh huh. All right. More work to do there. In august of 2016 cybersecurity ventures predicted that cybercrime will cost the world $6 trillion by 2021. That’s like what is it 2019 still. So it’s like a year and a half, two years up from three trillion in 2000 and 15. This represents the greatest transfer of economic wealth in history. That’s a lot of money. Six trillion. What’s the U. S. Budget after that up like that. I don’t know. Why don’t you keep talking? I looked that up real quick.

[00:19:00] Brad Nigh: So you know, thanks. But do you think about it, you know, three trillion 2 to 6 and six years doubling. I think there’s a lot of places that would be very happy to have their right, their profits. Are there the revenue double every six years at that at that volume.

[00:19:21] Evan Francen: Right? So under the in to March to March 11, 2019, President trump released his budget request for fiscal year 2020. Under his proposal, the federal budget would be a record $4.746 trillion.

[00:19:34] Brad Nigh: So more than

[00:19:36] Evan Francen: the other thing. The United States GDP or at least equal to by 2021. It’s insane, man because there’s big numbers like that. I can’t put those into context.

[00:19:49] Brad Nigh: Yeah. It’s like watching like the the shows on like space and stuff with your kids. Like if you were the U. S. You know you have to have it some way to hey the earth is a golf ball and here’s how close the next one is the guy drives for seven hours to show how far right you need something like that. For sure to to make this comprehensible to understand what does this mean?

[00:20:16] Evan Francen: So $6 trillion of economic wealth. And so that comes from theft of intellectual property. It comes from theft of personally identifiable information comes from ransom where it comes from all kinds of different, you know money theft but $6 trillion by 2021. What are we doing? Uh Nothing. Well I mean security people are. Yeah I suppose a little bit we’re trying there’s 800,000 of us supposedly in the United States. And there’s 330 million people in the United States to expect. 800,000. So I do you remember that picture that I made? I made a picture and I plotted that on to put talking about context. There was a little bitty bitty bitty bitty spec uh on this big red circle, the big red circle represented the U. S. Population and the suspect that you could hardly see represented the information security people who are employed in our industry. And so if the real if the normal people think that it’s our job, it’s the information security professionals job to protect everything. That’s unrealistic. We need to do things together. That’s one of the reasons why we have the ransomware, you know, email your are the call to action, email your, you know, local government about, you know, their protections on ransomware because this isn’t just us, we’re all affected by it. Even if my security is awesome and you you’re a normal guy, my neighbor, and your security sucks, the attacker is going to take your system and attack me with it. So the fact that we expect other people to do something without doing something ourselves is just crazy.

[00:22:06] Brad Nigh: So here’s another Yeah, it is another way to put it. I was looking this up. Uh six, well, so in 2015 it was what? Three trillion? Yeah. So in 2017 walmart’s revenue was 485 billion. So 500 will round up. So,

[00:22:24] Evan Francen: so 16,

[00:22:26] Brad Nigh: 1/6 of that, and that’s the largest, highest revenue company in the world in 2017. 1/6.

[00:22:35] Evan Francen: So rather than just because I do think we’ve oversold these things, these numbers and scare tactics, but just think

[00:22:43] Brad Nigh: trying to put it into context,

[00:22:44] Evan Francen: right? And and take a take a step back and just think about this logically, and you can debate all day long whether these numbers are true or not. We do know that. I mean it’s obvious that there’s some large transfer of economic wealth, right? You just read it. So whether it’s six trillion or seven trillion or it’s two trillion, whatever, it’s a lot of money that’s being transferred from people who I think earned it honestly or you know, honestly approach to people who are stealing it. It’s costing me money, it’s costing you money, it’s costing everybody money and I work hard. You do, right? Yeah. I mean like I sort of want to keep my house, I sort of want to keep my uh, whatever, certainly cyber attacks are the fastest growing crime in the United States and they are increasing in size. Sophistication and cost. So what do we do? Uh, what do we do about this? Yeah, continue, I think continue to mobilize, treat this as a civic responsibility and I really think we have to start working on that more. And I know we have tried keep trying just because something hasn’t worked yet. Don’t give up. So I know the government has, you know, a bunch of online, you know, was that safety online or was it there’s some government websites, you know, let’s do that as research between now and next week is because there’s like cyber safety online dot org dot gov and you know, all those other sites, we should find those unless those because we do want people to get involved.

[00:24:29] Brad Nigh: Well, yeah, I think that’s the only way is to help educate everyone, not just, you know, not just the cybersecurity or info sec professionals. So the only way you can, it’s just gonna be a volume play really. I mean when you think about it,

[00:24:46] Evan Francen: right, we raise the collective awareness,

[00:24:49] Brad Nigh: herd immunity type of approach. Yeah. Yeah. I got a long ways to go

[00:24:54] Evan Francen: though and we need to really break through and just butcher this mentality that it’s somebody else’s

[00:25:00] Brad Nigh: problem. Yeah, absolutely.

[00:25:02] Evan Francen: I mean whoever, I don’t know, flog him. Can we do that? That’s not legal, is it?

[00:25:07] Brad Nigh: Probably not

[00:25:09] Evan Francen: son of a gun? Not in this country I suppose

[00:25:12] Brad Nigh: maybe who knows? I

[00:25:13] Evan Francen: don’t know. Somehow we have to get it through people’s heads. That information security is not just my problem. Right. Right. You can’t just say here’s the

[00:25:23] Brad Nigh: problem. Right. Exactly. Yeah. Yeah. Even even at work where you may have a dedicated team or person working on, it is still an individual responsibility to help be aware. Take part. Yeah. Be active in this.

[00:25:43] Evan Francen: Yeah. And have these just have these regular discussions, you know, so it’s not like you need to be a super security sleuth. You don’t have to have no, also awesome skills. But I’ll give you two examples of just this past week when I saw things play out in my own house. Right? I’m the security person in our house, my wife, you know, she, she does her best, but we were at a hotel and we were changing our payment card because I had my business card under my Hilton account. And so I was changing to our personal card. Right? And so the, it was, we got there kind of late at night and the lady says, well here, I just need you to fill this out and it’s a piece of paper and on the piece of paper it’s asking for your credit card information. Now. I wasn’t gonna say anything. I just wanted to see what my wife didn’t. She goes, uh, yeah, I don’t feel comfortable at all writing this down for you. She said, can I come down tomorrow morning and just put it into the computer and the ladies like, oh yeah, you can do that too. No, yes, it’s just enquiring a little bit more.

[00:26:51] Brad Nigh: Exactly. It doesn’t have to be, yeah, it’s not big, no, it’s little things. Just being aware. Right?

[00:27:00] Evan Francen: My daughter, my daughter, I think it was yesterday, she was talking about instagram and uh one of her friends wanted my daughter to talk to this boy for her. And so yeah, I know, I know it’s just the crazy stuff though. So my, my daughter’s friend wanted to give my daughter her account information to log in. Cool. And uh and then so my daughter came in and asked me, she goes, dad, I don’t feel comfortable about this. I’m like, yes, awesome. You shouldn’t never,

[00:27:41] Brad Nigh: yeah,

[00:27:41] Evan Francen: don’t go smack it smack your friend? You don’t give out account information and it was a great opportunity to, to go that extra step and talk about internet safety. This boy that you think you’re talking to or that your friend is talking to. You may not really be that boy.

[00:27:59] Brad Nigh: I mean there’s been some pretty big cases in the news last

[00:28:02] Evan Francen: week, man. Yeah, it breaks my heart. The sex trafficking. Unreal. What do they have? 11 arrests in the Minnesota? The B. C.

[00:28:12] Brad Nigh: A. And then the Epstein thing. That’s gonna be a big one.

[00:28:16] Evan Francen: But I just can’t imagine

[00:28:18] Brad Nigh: being you’re right though. It’s just those small things like, you know from our side, we bought a new dishwasher. Do you know how hard it is to find one that doesn’t have Wifi on it. You can’t, not with any of the nicer, you know, feature. So it’s like, all right, we bought a dishwasher that has wifi that will never get connected. Why do I need Wifi? Right? I know how hard to

[00:28:51] Evan Francen: tell what it is, what you do

[00:28:52] Brad Nigh: with wifi. It’ll alert you that your dishes are done. There’s some other stuff too, but it’s like really why I can I can look and see at the front of it in the kitchen all the

[00:29:03] Evan Francen: time. There’s that or how about the magnet we used to use. Remember the magazines that you flip it around when it’s clean

[00:29:10] Brad Nigh: and come in. You come in, we’re clean and yeah, sorry, we’re dirty or whatever. Yeah, just

[00:29:15] Evan Francen: it’s like, what do

[00:29:16] Brad Nigh: you

[00:29:17] Evan Francen: were too enamored. Well that’s another thing. So you bring up another good point. So one, it’s just awareness and and having these discussions with your family just, you don’t have to read tons of books. Obviously you want to read my book when it’s released later this year or early next year. But yeah, you don’t have to, you don’t have to do a ton.

[00:29:37] Brad Nigh: Yeah, so going on that, but my wife, same thing, we were looking online at all of them and she’s like, I really like this one but in his wifi and so she’s at least, you know, she’s coming back from, from her wanting her wifi enabled a washer and dryer earlier this year. She is for her. But she’s like, yeah, she knows, but I love the fact that she was, I really like this one but it has a life. I know,

[00:30:08] Evan Francen: I really like just people just to slow down a little bit and ask themselves why we’re doing some of this stuff like, you know, I know people just love Alexa and love google home and these things but like why seriously? I don’t need Alexa to look stuff up for me. I have my phone sitting right next to me, my ipad, sitting on the coffee table, my

[00:30:29] Brad Nigh: laptop where I did towards Wally?

[00:30:32] Evan Francen: Oh man. So,

[00:30:34] Brad Nigh: but yeah, I’m with you, I don’t have Alexa or any of those right, you know my kids, we turn on and off Syria for for the youngest to play with like because it’s kind of funny to watch him try to talk to her, but by default is off, we don’t need that

[00:30:55] Evan Francen: on there. No, no. So what can you do? You know, what can we do collectively as a as a normal person or as a security person one is just don’t be intimidated, get get aware a little bit, ask yourself these things if if things seem a little bit off, you know, they may be are a little bit off. You ask yourself do you really need this feature or that feature this app for that app? I mean just take some time to think about things and then I think another thing you can do is kind of what we’re starting or trying to start more with this call to action. Ask people what you’re doing, Ask your local government, ask you know what you’re doing to protect my information or protect our information against ransomware. Yeah. Ask a company,

[00:31:40] Brad Nigh: start the conversation right? You know what’s the worst case exactly they don’t answer you

[00:31:48] Evan Francen: right? And and then you can go like like you said in the last podcast then you can go to a city hall meeting and ask it there and then you can go to, you know I mean there’s all kinds of things you can do to try to social media, you can post some things. But you know, if playing nice, I guess that’s all, it should all be playing nice right? I can go nicely to a city hall meeting and asked the question nicely and not being jerk

[00:32:15] Brad Nigh: and that should be the be your motivation to write. You shouldn’t if you’re going in and trying to do that gotcha moment or that ah ha whatever you’re approaching it wrong, totally wrong. It needs to be its education. I’m concerned. What are we doing?

[00:32:33] Evan Francen: Right? And the same thing should happen with anybody. I do business with even a private sector organization. If I’m doing business with you, if I am a consumer, I’m a customer of yours. Do I not have the right to ask you certain questions about how you’re protecting my information. I mean that’s the whole premise around a lot of the G. D. P. R. Stuff in the California. Yeah, privacy wise, I have a right to know what you’re doing with my stuff,

[00:33:02] Brad Nigh: right? It’s not a bad idea.

[00:33:06] Evan Francen: No. And in the meantime, I mean if you’re going to wait for a regulation, I’m not a big fan of regulation, I hate being told what to do. I’d rather just do the right thing. Uh but there’s nothing to stop you as a as a consumer as a customer to asking questions and I think you need to do that. I think you need to hold people accountable more now and then to put all of this into context to, to expect zero breaches. Is it serious? Exactly what I’m saying is instead of $6 trillion annually by 2021 Why not to

[00:33:41] Brad Nigh: write, write trend in the

[00:33:43] Evan Francen: other direction? Yeah. Right. Let’s go from six to maybe 5 to 4 to 3 to 2. And maybe we can really get our hands around and make it less than a trillion dollars at some point and then it’s just a cost of living.

[00:33:55] Brad Nigh: Really? Right. Right. Yeah. It’s like a car accident, do everything you can, but occasionally it’s gonna happen. There’s going to be something that happens is out of your control, but you can do a lot of things to, you can prevent that from happening.

[00:34:12] Evan Francen: So anyway, we have this, sometimes we look at these big news things and see this largest transfer of economic wealth ever in the history of mankind and we get overwhelmed where we tune out, don’t tune out, tune in, think about it. Ask yourself what you can do, you can always email myself and you un security at podcast and security of proton mail dot com. Uh would love to answer questions. I’d love to hear things that you’re doing to try to make this problem.

[00:34:49] Brad Nigh: Oh, absolutely anything or that’s one of the things right? Where we’ve got ideas, but that doesn’t mean there are the only ideas are the right ones, right? I mean, we’ve talked to people that were like that’s a really good idea. Which I thought of that. Yes. Let’s do it. So it don’t don’t be afraid to email us.

[00:35:07] Evan Francen: No, no, no. Because Yeah, exactly. Because your ideas, if they’re good, we’ll share them for sure. I mean, even if they’re not good, maybe they are still good. We just didn’t understand it. I mean, yeah, because we’re all in this together for for us to think that we need to have all the answers for you is

[00:35:26] Brad Nigh: no ludicrous. Yeah, It’d be very arrogant. Yeah, it’s not. There’s no way anyone person has all the answers you have to you have to crowdsource, so to

[00:35:36] Evan Francen: speak. You really do you have different perspectives on the same problem? So anyway, that’s why I wanted to talk about first next week. I think we’ll talk about uh the other transfer as well. Which which I call the money grab. The money grab is where we really end up stealing from each other. Uh, We sell uh snake oil. Uh, we cause people to spend money that maybe they don’t have or spend money on information, security controls that aren’t the best controls to be spending money on. That’s a whole another issue and that’s that kind of, you know, the analogy or the vision I kind of see and that it’s like the the wolf in sheep’s clothing. Mm hmm. Just, you know, hanging, hanging around the flock and just kind of picking them off. Yeah. Well, it takes

[00:36:31] Brad Nigh: me off. I still I like your analogy with to a customer about the pack of zebras. You want to be the herd? You’re the one struggling in the back. Don’t be them anymore, Right.

[00:36:48] Evan Francen: Yeah, exactly. Well, I’m not a big fan of the herd mentality either. It be different would be different if the herd was in the right spot.

[00:36:57] Brad Nigh: That’s the problem. But they’re not.

[00:36:59] Evan Francen: So the herd mentality and information, security just doesn’t work. No, unfortunately. But it will eventually just stay patient and do your part to make things better. Uh All right. So, um, that was are you have any other opinions on that? The transfer of wealth?

[00:37:20] Brad Nigh: Yeah. No, I think it’s just it’s frustrating. You know, I don’t know. It’s just gonna be reaching more people getting, getting more community involvement. It really is. And you know, there’s not an easy way to do

[00:37:36] Evan Francen: it. No, it becomes. And that’s a that’s a thing about security as we try to put it into this neat little bucket. But security will never fit into a neat little bucket because it permeates all the other buckets. And so I think that’s one of the challenges that people have in just understanding how security, they can’t make it neat. They can’t put it in a box because it it’s in many boxes, right? It’s almost like salt. Just put, you know, seasoning on every meal. Not just one.

[00:38:07] Brad Nigh: It’s a good way to look at it. Yeah, it should be spread out.

[00:38:12] Evan Francen: Yeah. So All right. Just to newsy things this week, uh we’ll cover them quick. The two stories dirt. The DDOS attack to that brought down E. A Sony and Stream was jailed for 24 months. Yeah, that’s good. It’s 24 months long enough. 27 months. I’m

[00:38:33] Brad Nigh: sorry. I mean, so 27 months and 95,000 in restitution. Yeah. Yeah, most likely. Yeah. Who knows what his job right prospects will look like after that.

[00:38:50] Evan Francen: I don’t know where sometimes, I mean we’re kind of dumb in this industry with some of that stuff. I mean we hire people, you know, it’s not it’s dumb but not done because people do deserve a second chance.

[00:39:01] Brad Nigh: It depends on on where he’s at now. Right? Did he learn, can he, can you come back from, I think, you know, uh Mitnick is a good example of somebody who, you know, I don’t I don’t the

[00:39:16] Evan Francen: world’s most famous hacker

[00:39:17] Brad Nigh: exactly, but that he was hacking and now what you know before, so that is doing Yeah, doing good, putting putting that knowledge to use

[00:39:27] Evan Francen: and I think of like kevin Poulsen who did uh doxed. Yeah, that that pissed me off. Yeah. Alright, so that anyway for this news article, it’s uh hot for security is where you find it? That’s a bit defenders blog and it’s the title is dirt, Dida’s attacker who brought down e a Sony in steam, jailed for 27 months, 23 year old, 23 years old. Did asked these big companies, Austin Thompson is his name, who called himself dirt trolling online, launched a series of ddos attacks against all these uh gaming sites um for the lulls.

[00:40:15] Brad Nigh: Yeah, and the fact it’s kind of because yeah, his reasoning and and the reason for doing it, that kind of makes me wonder why what his job prospects will be

[00:40:26] Evan Francen: well. And when he did it for the laws, I mean that was this the attacks took place back in 2014, the beginning of 2014. So Austin Thompson would have been 18, yeah, 17, 18 at the time, so maybe it was lulls then now hopefully it’s matured a little bit and yeah, this isn’t so much

[00:40:48] Brad Nigh: love two years in prison

[00:40:50] Evan Francen: all probably

[00:40:51] Brad Nigh: change things.

[00:40:51] Evan Francen: Yeah, I wonder if you get to do hard time. Probably not. But then he bragged about it on the at the patrolling twitter account where he was uh you know, bragged about the success of his attacks, gave a phone number for people to call the invitation of followers to send their suggestions for other sites. He like, you know, they like to be attacked. Oh yeah, so this was pretty immature all the way through. Yeah. Then his true identity was doxed by one of his twitter followers in january 2014, so that it wasn’t very long after that he started his escapades that he was doxed

[00:41:30] Brad Nigh: and it looks like I’m reading the

[00:41:33] Evan Francen: 2018 before he was arrested.

[00:41:36] Brad Nigh: So. Well, yeah, but you gotta figure it takes time to build the the case, right? But he’s got the 27 months in prison and three years of probation after that. So, I mean, okay. Yeah, it’s it’s a pretty good. It wouldn’t make me think twice if I were considering.

[00:41:58] Evan Francen: Well, that’s because you’re a 30 something mature human being,

[00:42:02] Brad Nigh: I appreciate 30 something,

[00:42:04] Evan Francen: right? Isn’t that what you are? Are you 40 something? Yes. Holy crap. We’re both old. I know it’s depressing. Yeah, I mean, you’ve got responsibility, so Yeah, I would, but even q off

[00:42:13] Brad Nigh: even at 23 if I was like, oh wait, I might have to pay $100,000 and spent two years in prison. You’re probably not worth it for the walls.

[00:42:24] Evan Francen: You don’t even want to know what I was doing at 23 I spent, yeah, we’re not going to go there because then everybody’s gonna be nothing like me. All right. So anyway, that was that. I think it’s good. It’s good that he’s hopefully, I don’t know because we do have this generation of kids growing up that do need direction. There was this gap between my generation uh in this new generation where I didn’t grow up with cell phones. I didn’t grow up with smartphones. I didn’t grow up with instagram facebook twitter. I didn’t grow up with any of this stuff and so if I’m a parent I mean that’s different because I’m in this industry now but for all those parents who are, how do you relate to what your kids are doing well and how do you give

[00:43:12] Brad Nigh: them direction? Yeah. Well in my my daughters are 13 and 11 11 year old was like yeah my friends have cell phones with instagram and Snapchat and what are their parents? Yeah we’re going to go off on our old man yelling at the clouds moment again.

[00:43:29] Evan Francen: Well yeah but that’s part of the book to this book is writing for that.

[00:43:34] Brad Nigh: I think that’s a big problem right? They, the parents don’t understand it. They’re like, oh yeah I use it it’s fun. Huh? Yeah we do funny filters not understanding the true

[00:43:49] Evan Francen: risk. Absolutely. Alright. The next news article I have and then we can wrap this thing up and I think well you know, yeah we’re open up uh this is from naked security by so foes it’s the title of the article is IOT vendor or vivo gives away treasure trove of user and device data, two billion items of log data from devices sold by chinese china based smart IOT manufacturer or vivo was found by researchers at web privacy review service VPN mentor who discovered the data and an exposed elasticsearch server online, two billion items of log data and china based IOT manufacturer.

[00:44:43] Brad Nigh: Yes. A VPN minter seems to be doing some pretty good work. I keep seeing them come up over and over again on some of these things. Yeah,

[00:44:51] Evan Francen: I agree with that. Um,

[00:44:53] Brad Nigh: yeah. Yeah. Right. I mean what do you think that easy and assault? I’m using MD five. Okay.

[00:45:10] Evan Francen: Okay. But the thing is I think that really sucks as a, as a consumer. You have no idea.

[00:45:17] Brad Nigh: No, no. And I think part of this one, it was interesting towards the bottom around elastic with some of the security things that they had turned off that you had to pay for. Yeah, like teal us and native authentication used to be premium features you have to pay for

[00:45:38] Evan Francen: right? You have to pay for security

[00:45:43] Brad Nigh: like that’s ridiculous. Right? I get, you know, you need to make money but to some extent I feel yeah. Anyway,

[00:45:52] Evan Francen: why would you even make things like

[00:45:54] Brad Nigh: that feature? Right. That’s your standard baked in.

[00:45:58] Evan Francen: Right. I mean this is 2019. It’s not like the eighties or like, well maybe we should do some encryption encryption. What the hell is that? I mean this is like pace and stuff. Well there’s been a lot, you know, we could do a whole series of shows two on china based technologies and whether or not we should actually worry about some of these things because I’m, I’m of the belief that there’s a much larger, larger game being played here than what we typically are affected day today, there is a cyberwar going on between Russia Iran north Korea china and the United States, UK Canada brazil, they’re all players. And the one thing that that scares me the most about china is china, there is no privacy in china china is a communist country where even the private companies aren’t really private, right? They work for the government. So you know this or vivo or or video, I don’t know this company but it wouldn’t be inconceivable at all for this company to be operating under the auspices of the chinese government

[00:47:18] Brad Nigh: or even to say even if they weren’t directly that the government doesn’t have full access. Exactly right. Even if we’re just, I’m going to take the positive here and say, you know what, they weren’t intentionally malicious guarantee the government has

[00:47:34] Evan Francen: access to it have actually, well they were they got caught last week’s installing malware on people’s phones right? When they entered the country.

[00:47:43] Brad Nigh: I think the other thing with this one is as of monday, the database was still publicly available even though like that was july 1st they’ve been trying to reach him from for weeks so you know, maybe not completely. Um thanks without fault there. But yeah, it’s

[00:48:07] Evan Francen: frustrating as hell. So another reason for me not to install IOT and if I was going to install, you know, we could spend days and days writing all kinds of articles about this stuff. But how do you source the right IOT device? You know, make sure that your data is staying in the U. S. Or you know,

[00:48:29] Brad Nigh: well, you know we we does, the only real IOT you have was is the camera have the same system. I think I was impressed with with my Arlo Arlo. Yeah, I was impressed with some of the stuff they have around it, you know, timeouts for the log in. Can log in with the account in one place at a time and it will alert you if someone else plugs in. You know, they’ve got some good things, but unfortunately so many or not.

[00:48:57] Evan Francen: Well and and then you’ve got the like for me my camera placement is in a place where I don’t really care if somebody sees those images. It’s an image of essentially coming. You have the comings and goings on my front door. Well you can sit across the street and watch that if you wanted to. I just have public. Right? So I mean I’m not like, excuse me, I’m not like um I don’t have a camera in my daughter’s

[00:49:25] Brad Nigh: bedroom and there’s nothing in the house.

[00:49:27] Evan Francen: Right? Not one in the bathroom. You know, I mean stuff that I really wouldn’t want people to see. Um So yeah even then, but that’s that that’s that security kind of mentality that you and I have that we need more people to be thinking about.

[00:49:42] Brad Nigh: Yeah. The risk assessments all the time. Just exactly all these little things. Just Yeah. And it is

[00:49:49] Evan Francen: it is possible because we think this way you and I do and I think many security people do. We just do risk assessments all the time in our minds that are different than normal people. So it’s just teaching normal people how to do those same types of risk assessments. Because they already do, like when you come up to a red light or I’m sorry, a yellow light, you calculate a risk assessment really quickly, right? You look around for traffic. What are the threats? Is their cop? Is there cross traffic? Is there whatever. How fast am I going? How was the distance between you do this stuff well and subconsciously just Yeah. So it’s possible.

[00:50:27] Brad Nigh: And it doesn’t take long to get people to to realize it right. Like I’ve done the safe and secure online stuff and they did that mom’s one. I’ve had people reach out since and there you can, it was an hour, 90 minutes with Q and A at the end and it changes. They just don’t realize it. Right? It’s not hard to do. You just don’t realize it.

[00:50:51] Evan Francen: Yeah, exactly. Exactly. All right. So that’s that’s that that’s the news next week. I’m sorry. Next week. We’re going to talk about now next week is your show, this one was supposed to be. But like I said before the show started, I did not want to bother you because I knew you were working your butt off during your time off. So I just wrote the show notes because I had a little more time on my hands, I think, than you did at least a little more less pressing time. You

[00:51:19] Brad Nigh: had to get this stuff done incident kind of takes drops everything down

[00:51:22] Evan Francen: on a level. So next week will be your show. And what I’d like to talk about if you’re, if you’re cool with it is the money grab piece, just how much money we’re spending on security and where it’s going and all that stuff. All right, well, that’s how it is. Uh thanks again to our listeners and thank you brad. Have a great week, everybody. Don’t forget you can follow me or brad on twitter. I’m @EvanFrancen. That’s me. Brad’s @BradNigh. Email us on the show at Unsecurity@protonmail.com. We’ve been getting a lot more email lately and it’s been really cool to see. We do respond to everything. It sometimes it takes 48 hours, but we’ll respond and it’s good stuff. That’s it. Thanks