Security Breaches at Google, USPS, and More

Unsecurity Podcast

In Episode 2 of the UNSECURITY podcast, Brad and Evan discuss current information security breaches, events and industry news. Brad led this podcast, and he chose the following topics for discussion:

• Secret Service Warns about ID Theft through USPS “Informed Delivery” Service
• Google’s G Suite, Search and Analytics Taken Down in Hijacking
• Internet con men ripped off Pathe NL for €19m in sophisticated fraud
• Botnet pwns 100,000 routers using ancient security flaw
• Employees’ Poor Security Habits Getting Worse, Survey Finds

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:21] Brad Nigh: Hi Evan, we’re back for the second UNSECURITY podcast, two in a row, two in a row. Next week is gonna be interesting due to the holiday and I’m going to be driving, so hopefully we’ll be back in time. But

[00:00:35] Evan Francen: yeah, I sort of like, like recording these on Sundays because Sunday afternoon, you know, I watch a little football and then, you know, it’s going to chill.

[00:00:45] Brad Nigh: Yeah, it’s a nice way to kind of wrap up the week. Yeah. And also get, get you back into the mindset for, for work tomorrow,

[00:00:53] Evan Francen: what’s, what’s to come. But tomorrow is gonna be a fun day. Had I first secured anyway.

[00:00:59] Brad Nigh: I’m excited.

[00:01:01] Evan Francen: I think we’re uh, have our kind of team dinner. I have a uh, early in the morning. I gotta be down somewhere. I can’t remember where, but southern Minnesota for a CEO group.

[00:01:13] Brad Nigh: Oh, nice.

[00:01:15] Evan Francen: Yeah, it’s uh, it’s just a white board talk. So I have no sides. I’m just going to get up in front and we’re going to talk some basic security stuff that, you know, all of them should know. I guess.

[00:01:26] Brad Nigh: So I’ll be honest, that to me is more fun than going through the slides. Just getting up there and I’m talking because they don’t have to put slides together too.

[00:01:36] Evan Francen: I know, putting together such a pain.

[00:01:38] Brad Nigh: I’m selling a just and marketing. It was like, you know, I hate doing it, I can do it for lack of a better phrase, I can do the word vomit of what I want to talk about and comes out well, but putting them onto slides in writing, it’s just not fun.

[00:01:56] Evan Francen: No one. And so I I I agree completely. And so I had I told jess, why don’t you just create every talk I give you just create the slides for me.

[00:02:06] Brad Nigh: Yeah, I like that

[00:02:08] Evan Francen: approach. Why? No, man, But it that I learned now that that’s a lot harder. What was it? Yeah, because I’m talking with somebody else’s flow. I’m not talking with how I would normally talk. Yeah, that’s a good point. So the first one I did was uh at a conference up in Bismarck and it was what? Oh, the art and science of threat management. Okay. Right. And so you can imagine what I would write if I was going to write my own slides for that and then imagine what I’m marketing.

[00:02:42] Brad Nigh: Yeah, yeah. They’re gonna they’re gonna put that marketing spin on it. And yeah, that’s true.

[00:02:48] Evan Francen: I mean there are probably five, people in that room. Yeah, I even practice going through her slides like okay, this is how I would say, I tried to figure out what my flow would be and then when I got up there isis Yeah, no, I’m just gonna have to suck it up and write my own slides next time.

[00:03:08] Brad Nigh: That’s tough. I don’t know, I’ll give her a chance and see one particular thing. Yeah, I hate writing side that much. We’ll see what happens

[00:03:17] Evan Francen: when we do the same thing when we, um, when we do the metro program. Yeah. You know, there’s like every class, their sweat, 100 slides or so.

[00:03:29] Brad Nigh: Yeah, it’s something like that.

[00:03:32] Evan Francen: Yeah. And so you know, that’s the biggest drag about doing a mentor program is going through those. You

[00:03:38] Brad Nigh: know, maybe what we do, we’re totally going into the week at a time. I’m gonna have her do the first pass and then make edits after she’s done the hard part of creating them because tweaking it’s easy afterwards. Right.

[00:03:52] Evan Francen: Well this is sort of what our podcast is anyway, even though we’re in the weeds a little bit. I mean we sort of intended, you know, the first part of our podcast to be just kind of what we’re working on, what things we’re sort of struggling with. And then I suppose we’ll get into the recent news. So for the people listening, every week we trade off leading this thing, right. Last week was me. So if you didn’t like the podcast last week, I’m your guy, uh, you know, this week, this week it’s yours and then next week will be mine and I think this is going to get competitive because like I was saying to you in the office earlier this week, pretty soon, we’re going to start getting uh, guest speaker guests to join us on the show, right? And then it’s going to be like, well who gets the better guest and

[00:04:45] Brad Nigh: whatever, which episode gets the highest rating. And neither of us is competitive at all. So you know, God won’t escalate.

[00:04:54] Evan Francen: Speaking of competitive, you’re the big, you’re the big caps fan and yes, beat the crap out of my wild. Earlier this this week,

[00:05:04] Brad Nigh: I told Tyler I didn’t get to go to the game this year. I went to the first two when they came up the last two years. I was here and just didn’t work out this year and was like, well, I wanted to give the wilder chances this time I’m not gonna go. Didn’t matter. Three and oh, since I moved up here, I’m okay with that,

[00:05:21] Evan Francen: I know we can’t seem to figure that puts a lot at all

[00:05:24] Brad Nigh: bragging rights. So I was looking through this and you know what we’ve been working on this week. And one of the things that that I really was surprised about was some differences and and how given all these incident responses we have had and what the reactions and how companies react and respond after the incident is contained and cleaned up. So I started looking and went back and just Did some digging in some research and what it looks like to me is there are two two ways that a company goes about this either it’s, I don’t care what it costs, give me whatever I need and tell me what else I’m missing. How do I fix it or? Yeah, it wasn’t too bad and that won’t happen to us again. We’re good. And there doesn’t seem to be much of a middle ground. That’s just some high level observation. But to me that that second approaches, it really seems kind of head in the sand.

[00:06:29] Evan Francen: The interest surprised me. Yeah, it would surprise me too because I always thought that there’s uh three primary reasons why people invest in information security. One is you you you have to, so compliance is right, the number one driver in in security spending. And then the second reason was um, something bad happened, right? And what I used to see and, and I don’t know if if you’re thinking that this has changed because maybe it has. But what I used to see is you’re underspending for years on information security when something bad happens. And now you’re the pendulum swung the other way. Now you’re overspending, dump all the money in the world.

[00:07:21] Brad Nigh: It’s a little bit of that. Um I think that’s kind of the first approach of just like, hey, okay, what else do I not know? Tell me? Yeah, it maybe not. Well obviously haven’t seen from the organizational side, if you know, if they spent others, I’m just looking at that. Yeah. Side of it. But yeah I think that kind of more plays into that first. Just just give me everything. What do I know? What? Don’t I know Right, where what should

[00:07:51] Evan Francen: I be doing? And so if you have the wrong partner. Mhm. With that sort of mentality you’re going to get screwed, do I? Right.

[00:08:01] Brad Nigh: Right. Oh you need all this software, new hardware.

[00:08:04] Evan Francen: Okay. Okay. Okay. And then. Yeah. Well in the 11 incident response that I just that we just finished up um was the ransomware outbreak. And I think the total bill probably for that response It’s probably close to $200,000.

[00:08:27] Brad Nigh: Yeah. It’s not cheap. No and that doesn’t even include lost productivity and downtime. And how much do they pay employees for the time that they weren’t productive?

[00:08:40] Evan Francen: Right. Yeah the soft dollars are going to get. But the good thing is um I think they’re very open to, okay we need to make sure this doesn’t happen again. And so I know that uh there’s a couple of projects you know on their plate that to really help them shore things up. So hopefully they they’ve learned a lesson and this doesn’t, you know, and maybe they’ll be able to really good security program after this.

[00:09:07] Brad Nigh: Well and I think that there are a good example of what we see a lot of two of it takes an occurrence like that for it to be given priority and and to be taken seriously. Right. Hopefully they do it and do it right? And, you know, they don’t have any problems moving forward.

[00:09:29] Evan Francen: Let’s hope so

[00:09:31] Brad Nigh: anyway, I was just surprised it, but that that seems to be the to kind of two responses to an incident that I’ve seen that I saw out there. So um history. So, you know, one of the next ones we’re talking about is what are we excited about? And you know, it’s kind of, this is very nerdy of me, but I’m really excited that it’s uh it’s from an internal perspective for, you know, kind of for FRSecure and SecurityStudio, but this virtual of the numerous management uh product we’re putting together because this is really the first that, you know, I I’ve had a lot to say about the VC. So peace. But that started before I really took over, this is the first one where been involved and really had the chance to define and build from the ground up. So it’s kind of exciting to find, to work with the team and, you know, do what I think is right? And then learn from them as well and put something together and and put that framework out there that gives us that standard approach that we can give, you know, that good response for anyone who does it. So

[00:10:47] Evan Francen: yeah, I agree. Uh I’m really pumped about it too because every time you guys create something, you know, in my mind, it’s a, it’s just cool, right? I mean, you guys are always creating kind of cool things and this VVRM, which is what we’re calling it, the virtual vendor risk management, yep. Okay. That to me is, is pretty cool because according to some of the stats that we’ve read 60% of all breaches come directly or indirectly through vendors, Right? And I was just down in, uh, I was in Des Moines last week talking to a group of hospitals and I asked them, You know, by show of hands, how many of you? There’s 15 hospitals, how many of you are doing vigorous management at all. and two of them raise their hand. One of them, I think it’s a larger hospital organization. They’ve been doing it manually for quite a while, so painful. And the other one is just getting started, you know, they’re very new to the whole thing. Yeah. Uh, I think not, and the way you guys are developing that service to me is like, and you’re going to solve the pain. You’re gonna make it standardized, you’re gonna make it, uh, not overly burdensome for the organization. But I can just imagine if I was a CISO back in those days, I was a CISO and had a company that was just going to handle all of this for me. Awesome. I love it. Yeah. And I’d pay a pretty good penny for it because uh, you know, I think the most it depending on the size of my organization. If I want, Let’s say I have 100 vendors or maybe 200 vendors. That’s a full time employee, right, minimum. That’s if I do it well, you know, manually.

[00:12:48] Brad Nigh: Right. Right. And it’s a lot of interpretation. And are you hiring somebody that, you know, and how are you gonna, It’s the same thing with a CISO. So how are you going to hire somebody that has the experience and knowledge and are they gonna want to do that? Can you keep on? So yeah, I think the fun, the fun part for me was, you know, kind of hearing them go well, yeah, we just then being SecurityStudio click through it and then you can just accept the risk. I’m like, no, I’m not accepting the risk for an organization. I’ll make that recommendation. But if I were that an organization, I’m I don’t want someone else accepting risk for me. Right? Exactly. We’ll give you all the recommendations and you just click a button and say, yep, okay. Sounds good Or you can overrule, but ultimately, you gotta keep your, it’s your job, your company,

[00:13:44] Evan Francen: Right? Until you, you know, take those 13 other hospitals. They’re all living in risk ignorance, right? They have they and risk ignorance is the same as risk acceptance, right? Essentially. It’s just worse.

[00:14:00] Brad Nigh: Well, and you’re seeing it, especially from health care where the fines are no longer. Well, I didn’t know was acceptable. It’s just, that doesn’t happen anymore

[00:14:11] Evan Francen: when negotiating comes. Right.

[00:14:13] Brad Nigh: Well I didn’t know my vendor had no password policy and I didn’t do background checks. Well, uh too bad for you, isn’t it? Right Anyway,

[00:14:24] Evan Francen: So you geeked out about that? That’s cool. I don’t think that’s too geeky gets,

[00:14:29] Brad Nigh: it’s fun. It’s fun, dull and stuff.

[00:14:31] Evan Francen: Security guys like us get excited about that stuff. Some

[00:14:36] Brad Nigh: All right. How about you? Anything you’re excited about?

[00:14:39] Evan Francen: Well, we had um an off site on friday with our management team. That’s that’s always fun because we’re, You just get kind of honest with each other. We’re right in the middle of 2018 planning. I love what they’re doing. I mean if you have a management team like we do. I mean yeah, my life is grand. Just a good thing.

[00:15:05] Brad Nigh: I won’t lie though as part of the, you know, the next level down of management. It’s not as much fun when the entire senior management or executive management offsite because then everybody comes to

[00:15:15] Evan Francen: you. That’s

[00:15:16] Brad Nigh: true, totally. Like why am I so bit Oh, that’s why I don’t see them here. That’s why everyone stopping in.

[00:15:23] Evan Francen: Yeah, but I’m excited about that. I think I’m really excited about 2019. I think there’s some really cool plans there. I’m excited. Uh the book is oh yeah, just so close man. And every time, you know, every, you know, every little bit. So now it’s so the time is already are the it’s already scheduled at the printer so that they hold that time for you. Um The last you go through edit after editing the need and then this last edit is the proof reader. Um so you go through, you know, kind of accept the proof leader there things and sort of like so close to being done and ready for its being typeset now. Uh huh. Yeah, so we’re gonna get, you know, 5000 copies in the first print run, which is sort of cool. So I’m excited about that.

[00:16:24] Brad Nigh: That’d be good. I’m looking forward to seeing that that printed know how much work you put into it.

[00:16:31] Evan Francen: Oh my God, someday you’re gonna have to write a book.

[00:16:36] Brad Nigh: I know. Well I keep telling you, I’m writing a picture book for kids because I’ve learned, Yeah,

[00:16:45] Evan Francen: it’s such a good experience. I I’ve learned so much about what I’m capable of and what my boundaries are. That’s just a great experience for anybody ever. Any of the listeners get a chance to write a book. You’ve been thinking about write a book. I highly encourage it. Who cares if nobody reads it. Just go to exercise. It’s so rewarding.

[00:17:05] Brad Nigh: Yeah, I think I know it’s been it’s been fun watching you because it is, you know, you’ve kind of got the security thing down and this is something that really challenged you and it was, it was fun to watch you work through that a little bit. I’ll say it’s fun to watch you struggle with it.

[00:17:24] Evan Francen: I appreciate it. But I really am looking forward to, you know, anybody else that, you know, if our secure any of my friends, anybody who wants to go through this, I’m, I’m hoping that, you know, there’s one thing that you write the book and you did it great. But if it inspires anybody else to do the same thing or you know, that’s the stuff I’m really looking forward to because I’m really trying to, um, you know, mentor and create our next, uh, our next crop of information security leaders starting with you. And so I’m hoping it becomes like bigger than, you know that, But we’ll see.

[00:18:07] Brad Nigh: Yeah, I think no pressure. Yeah. Right. Right. Just, just live up to that and I have to write one that sells faster than yours. Right. Well,

[00:18:19] Evan Francen: so I was trying to figure that out too. I was like, well, what are the expectations? What should a new author expect in their book? And I read online, it’s like You should be happy to sell 500 copies. All right. I’ll be happy with myself having a copy son.

[00:18:34] Brad Nigh: Yeah, I’d be ecstatic if anyone outside of my immediate family and coworkers bought a

[00:18:43] Evan Francen: copy. That’s good expectations. I was thinking, I told the measurement team on friday. I think I did whatever your expectations of me are lower them so I can get over that bar

[00:18:58] Brad Nigh: right, right. Always said low, start loading, set the bar too high, right? Yeah,

[00:19:05] Evan Francen: that’s good stuff man. I’m excited about that stuff.

[00:19:09] Brad Nigh: Yeah, yeah man. Okay. Yes, someday, someday I will.

[00:19:15] Evan Francen: Well, and if, and if it’s not in your seat in your car, there’s nothing wrong with that. But if you do want to go down that route, man, I’d love to help.

[00:19:22] Brad Nigh: I think, you know, I think I would be the same boat you’re in right where it’s okay. I need that. I’m ready for that next challenge. What is that? That’s something that I really haven’t done and I’m not, I don’t think I’m quite to that point yet. So working on a lot of, you know, growth and stuff with within ever secure

[00:19:42] Evan Francen: dude, I’m so pumped about what you’re doing with your team. I mean holy crap, you got a bunch of like the best.

[00:19:49] Brad Nigh: I saw someone, I don’t remember who it was. I was like, man, it’s so great that the people who have because I think my job so easy. I don’t, I don’t have to worry about them. They just do the right thing and if there is a problem they come to me and there’s, you know, there’s no micromanaging, I don’t have to worry about if there, you know, doing their job right or not, just they’ve proven themselves. It makes it so easy,

[00:20:17] Evan Francen: right? Then they have great attitude, they’re doing it the right way there. You know, like we’ve talked about before, they have exceeded their numbers, you know, their expectations for the year. I mean just yeah, eight plus

[00:20:31] Brad Nigh: makes it a lot easier for sure.

[00:20:34] Evan Francen: Which is good because that’s something truly that I don’t think I was ever capable of doing for whatever reason. I mean, I think kids, it’s like, it’s like your kids, right? I mean it’s not like you’re my kid, but the sort of is, but like my kids, when I, when I raised my Children, I wanted them to be better than me. I don’t want to put pressure on them, I didn’t want to like, but I just wanted them to be better people than I was right. And so I look at them now and I’ve got, you know, There’s only one left in the house, but the other four at their stage of life are all tons better than I was at that stage of life. I’m just so proud of them and that’s kind of the same thing I’m seeing with you and your team. It’s like you guys are all better than I was, then, you know, it’s so cool to see it happen because if you’re better than I was then then how much better you’re gonna be than I am now.

[00:21:31] Brad Nigh: Yeah, yeah, I think that’s why we, I think we have a very similar approach that it’s like hey I’m gonna give you the opportunity to you know prove yourself and go and do it and you know prove me wrong. But they don’t, they just keep it just beaten every expectation you could possibly imagine.

[00:21:52] Evan Francen: Yeah, pretty much one of the coolest things ever.

[00:21:55] Brad Nigh: It’s fun. Yeah. All right to talk about some news.

[00:22:00] Evan Francen: Sure let’s talk about some security stuff.

[00:22:02] Brad Nigh: So the first story sent this over was from uh represent security was the Secret Service warning about ID thieves abusing the postal service’s mail scanning service, that informed delivery. Um It was interesting that the post office doesn’t require any sort of verification, just as the address that you sign up for. And then there’s you know sending pictures of the scanned mail to whoever whoever signed up and ID thieves are using it for credit cards. So what they found is you know, people are getting bills for thousands of dollars for credit cards they never even knew about. God. And so what the postal service did was they started alerting households by mail whenever anyone signed up to receive the scan notification of mail delivered to the address. So they would email or send email saying hey you’ve been signed up. So what the postal there with the kids. He did was they turned around and got the credit cards and wait until they were about to be shipped and then signed up for the informed delivery. And so they were being delivered. The credit cards were being delivered and stolen before the informed delivery and notification was being sent.

[00:23:24] Evan Francen: So

[00:23:25] Brad Nigh: they’re they’re just it’s to say you know whack a mole there always just a game ahead or a step

[00:23:33] Evan Francen: ahead. Right. Well it’s funny when you sent me this or when you know because we do exchange this email just on things that we might talk about you know during uh during the podcast. And so you chose the news stories this you know for this week. And then so I hadn’t I hadn’t even heard of informed delivery before you sent me the low down for today. I was like informed delivery. What the hell is that? So I you know I do the research you know what you sent and yeah and Krebs online and this is actually a story from October uh I don’t know like a while ago and so I was like there’s no way this thing is happy actually true. So because I never even heard of it and they said according to the USPS 6.3 million accounts have been created then that was back then. So when I went online and you know it’s informed delivery at USPS dot com like what if I should sign up for this thing? I didn’t because I’m kind of fine with the way the mail is delivered today. I don’t really trust the post office to do anything more than more than that.

[00:24:49] Brad Nigh: I’m such I guess they’re trying to give you the ability to track your bills better. I don’t that’s the thing I don’t I guess I don’t know I’m not sure what the benefit is. But yeah it started last October was the informed delivery. They said I think they’re saying 20,000 accounts a day signing up for it wow. And yeah like September earlier in September they had uh seven people were arrested for buying using those credit card accounts to buy gift cards and merchandise around $400,000. This was in September of this year.

[00:25:29] Evan Francen: Okay.

[00:25:31] Brad Nigh: Yeah there was the mail theft for using this informed delivery And they bought credit or gift cards and merchandise. Just just about $400,000 worth.

[00:25:42] Evan Francen: Now. Do you do inform delivery?

[00:25:44] Brad Nigh: I don’t

[00:25:46] Evan Francen: do you know anybody who does it?

[00:25:48] Brad Nigh: You know I don’t actually I didn’t ask but I’m not hurting anyone. Nobody’s talked to me about it or asked about it. So doesn’t

[00:25:57] Evan Francen: yeah I’ve never done that popular. I’m debating whether or not I want to do it. Let’s see if it’s available in my area.

[00:26:04] Brad Nigh: Well the other thing is that they use the knowledge based authentication to authenticate when you sign up and most of that is you know it’s readily available out there on the internet. Whether it’s you know

[00:26:18] Evan Francen: that’s like the famous Hillary Clinton. No no no. Who the hell was it? Hillary Clinton. Who is the um, Alaska, former Alaska Governor Palin. Oh right. Didn’t her Yahoo account get uh compromised years ago from somebody guessing her password recovery questions. Is that what you’re talking about, that kind of thing?

[00:26:44] Brad Nigh: Yeah, exactly. Right. It’s uh

[00:26:49] Evan Francen: like what high school did you go to and what was your address as a child or whatever? And it’s like why? You know somebody with some ascent can figure that out,

[00:26:59] Brad Nigh: yep. Yeah, it was like there’s four knowledge based authentication questions. So you have to sign up. I don’t know what they are off the top of my head, but the article says that they’re mostly available on sites like Spokeo or Zillow or via social networking profiles. So I’d assume it be exactly uh that, you know, when did you buy the house or when did you move in or something like that or

[00:27:23] Evan Francen: good news bread? It’s available in my zip code. What what we’re talking about? We’re talking show sent him for it. Why not? I’m doing it like I’m not waiting for your answer.

[00:27:36] Brad Nigh: I go go for it.

[00:27:37] Evan Francen: Yeah, we keep talking about security stuff and I’m going to sign up for this.

[00:27:42] Brad Nigh: You can sign up for that. So the next article, our new story was gonna talk about was the Google’s G Suite and search and analytics being taken down by a hijacking and it was, this was going back to last week when I talk about a little bit of the sensationalism on the article. Yeah it was definitely a downtime. Um but it turns out from what I’ve seen and it’s interesting looking at the articles and who writes it and how it comes across. Uh it was basically a BGP uh miscommunication. Um

[00:28:19] Evan Francen: All right. BGP.

[00:28:20] Brad Nigh: It was a Nigerian ISP. Had they made a routing mistake. It was accepted by a Chinese ISP. And then they just propagated from there

[00:28:32] Evan Francen: 74 minutes. Is that how long,

[00:28:34] Brad Nigh: 74 minutes?

[00:28:36] Evan Francen: That’s how long the googles traffic was routed to somewhere else

[00:28:40] Brad Nigh: yep. Offline between 1 PM and 2:23 PM Pacific time in the western half of the U.S.

[00:28:48] Evan Francen: So and Google has Cloudflare. Mm I don’t think it’s coming closer. I I saw something about class later in that news.

[00:28:58] Brad Nigh: I think I saw that. Mm But you know what’s interesting is so I read on both Threatpost and then on Sophos’s Naked Security you know uh the question is you know, was this malicious or not? Yeah that’s a great name for they’re

[00:29:20] Evan Francen: having trouble getting past that. I’m

[00:29:21] Brad Nigh: sorry. I know.

[00:29:23] Evan Francen: Hey I met my security question. Sorry to interrupt you. Which question should I choose first? The city where you were born? That would be hard to figure out right. It’s Philadelphia. No I just told you crap. Can’t choose that one. What is the name of your pet? What is your favorite food to eat? Anybody who knows me knows all these things.

[00:29:44] Brad Nigh: See here’s where this

[00:29:47] Evan Francen: mother’s maiden name. That’s a classic. I’m gonna choose that one.

[00:29:50] Brad Nigh: That’s a good one. So what I do is, you know, I use a password manager and I make a note for the site and I put the question and then I make up just a totally it doesn’t fit. So like the security questions I’ve I’ve done that where I’m frustrated with the company. So I put in like when you have to put in your online pin that you give them your voice pin, that’s maybe not always super politically correct. But like, you know who companies services? The worst is my pin by pin or

[00:30:24] Evan Francen: something. When have we ever been politically correct? Right.

[00:30:27] Brad Nigh: I’ve done selling that are definitely not. I didn’t know. I would have to uh say it back. But it was fun, Very interesting to listen to the person be very awkward about listening to me to say that the company can you think themselves

[00:30:45] Evan Francen: could be can suck it. All right. So, I chose my my questions. So you one of your tips is when you choose your security questions to choose a bogus answers. So if somebody did find out, you know, did some open source intelligence on you. It wouldn’t matter. Right, because that would be the information. Anyway.

[00:31:05] Brad Nigh: Now, if my password manager gets compromised, I’m totally out of luck. But you know, I’ve got multi factor and hopefully a secure password.

[00:31:17] Evan Francen: I just signed up completed the sign up process. You you’ve created an informed delivery account with the user name I should tell you. Yeah because I’m going to cancel any way francine. Yeah I’m not actually I mean I already did it but I’m just going to cancel the day and count. Okay? Because like I said, I don’t mail delivery the way it works is fine anyway. I mean sort of I don’t care. All right. Anyway, sorry I interrupted you

[00:31:45] Brad Nigh: know, you guys. Um Anyway, so back to BGP. So the Sophos page. I thought I had a really good um analogy that, you know, I think not everyone understands BGP well and how the how this attack worked or how this, you know, misconfiguration caused the problem. So yeah it’s so intermittently diverted traffic to China uh instead of going to Google. So they uh for example, is to envision it uh BGP in driving terms: imagine you’re cruising on the freeway but receive the satellite alert that the road ahead is closed just after the next exit due to an accident. So you take that next exit to get off the freeway only to find out what the bulletin or drum, it’s the next on ramp that’s closed, not the freeway itself. So in other words you’ve needlessly left the fast lane freeway, can’t make it back on again without diverting to a nearby town, and everybody else who heard the bolt ended the very same thing, making a bad situation worse and clogging up the town centre. So I thought that was a pretty good analogy to.

[00:32:52] Evan Francen: That’s a great analogy. Right, So have you ever had the pleasure of working with BGP?

[00:32:58] Brad Nigh: No, I luckily I guess I got out of networking fairly early. I did a lot of like the CCNA or yeah, it was a CCNA and Pete one and 2 way back in the day and then started working at places that had a dedicated network admin. So I know enough about networking that I could be dangerous, but I’ve never really got too deep into the weeds. Been a long time.

[00:33:26] Evan Francen: My first ever foray into BGP was back at Jazz software in 2090 I don’t know, late nineties probably. We had an old Cisco 7206 router and I don’t I don’t know how long it’s been now since we actually had a pair of them. Uh And we were we were trying to figure out so one of the reasons why we would use BGP back then was uh have redundancy and uh you know, getting to us basically. So uh we accepted back back in that day, we couldn’t we couldn’t accept the full BGP table routing table. We only had two options. Either accept the full table or accept a partial table. Well the partial table was 128 MB back then and that’s how that’s how much memory our 7206 router had. So it was like, well okay, we can’t even do BGP if we wanted to but otherwise, you know, I did a little bit of BGP then, but you know, beyond that it’s an ISP thing. Right, I understand how BGP works. I understand uh you know, it’s the routing between autonomous systems on the internet. Uh But what could I possibly do if I was a business if BGP gets mucked up like this?

[00:34:53] Brad Nigh: There’s really not, not much.

[00:34:58] Evan Francen: Yeah, I wonder how so I wonder when google when they I mean I wonder who, because there wasn’t any information in the article at least I didn’t see it on who responded to it and who fixed it.

[00:35:13] Brad Nigh: Yeah. Yeah, I think there was a link in the Sophos one to an Ars Technica and it had a little bit more that’s so much more um techy Mhm. Like that he’s got a bunch of graphs and it actually shows it actually shows like the routing happening happening. Okay. So um yeah, I don’t remember. Uh huh

[00:35:48] Evan Francen: because it was about it was between the BGP peering relationship between MainOne Cable, that’s the Nigerian ISP, and their parent ISP, China Telecom. Right?

[00:36:01] Brad Nigh: Yeah that ah it says in there that they MainOne said that they the advertisement was administrative error. So it sounds like Google probably reached out to them pretty quickly. Yeah.

[00:36:17] Evan Francen: What would you what if ISP China Telecom was like so I guess you could black black hole about or something. I don’t know how you yes I don’t know enough about BGP anymore to know how like what if what if ISP China Telecom was like yes there you go. Well if they don’t like you.

[00:36:38] Brad Nigh: Yeah I think yeah that would be interesting. I don’t know how that would play out

[00:36:44] Evan Francen: would be a fight out of a whole different

[00:36:47] Brad Nigh: I guess you could just basically blacklist that offending ISP and just not listen to its um advertisements advertisements.

[00:37:00] Evan Francen: Yeah it would take some serious there will be some serious routing changes you know portions of the internet would be inaccessible for a while. Huh interesting.

[00:37:14] Brad Nigh: Uh huh. Yeah I mean yeah I don’t I don’t know enough about about it to really go into it. I just thought it was interesting that a simple mistake like that could really could take it you know cause that much problems.

[00:37:30] Evan Francen: Right. And this is a it is super interesting and in my mind too because even if you don’t know BGP very well you’re talking

[00:37:38] Brad Nigh: Google

[00:37:40] Evan Francen: you know one of if not the most powerful company on the planet.

[00:37:45] Brad Nigh: They’re still completely reliant on a Nigerian ISP configuring their BGP tables correctly.

[00:37:51] Evan Francen: Right and they’re down for 74 minutes basically. That’s that’s pretty impressive. I mean it’s pretty I guess it shows you how you know that you know the internet is so resilient but it’s actually kind of fragile too. Right?

[00:38:08] Brad Nigh: Yeah. Yeah it doesn’t. Well I mean I know even from an internal networking perspective it just takes one type of just you know muck everything up. It’s the same thing. It’s funny you just type I think obviously it’s always put the dot in the wrong spot. Mhm. Something like that. Yeah. It doesn’t take much

[00:38:33] Evan Francen: when we’re all prone to it.

[00:38:35] Brad Nigh: So

[00:38:36] Evan Francen: we’re all humans anyway. It’s just weird though because you know we are all humans we all do make mistakes occasionally. But the fact that this isn’t a Nigerian ISP and China, a Chinese ISP you know it doesn’t it seems a little

[00:38:54] Brad Nigh: you know. Well that’s one of the Threatpost where we went uh the Threatpost article went into that a little bit more of, well what does this mean? But you know the The Sophos one had a really nice uh point I said you know was it a mistake or was it some sort of conspiracy? Nigeria’s popular popularly connected with online fraud and China is a frequently accused of internet espionage. So you know put it together and it’s like oh sure that was that was totally a mistake. Right? But you know, the flip side of that is that this was a deliberate hijack. They said it was spectacularly ineffective and obvious and that it didn’t work because they noticed really quickly and got it fixed. So

[00:39:46] Evan Francen: Right. But the way the Russians work from what I’ve seen is they do these little probing type attacks so they’re more poc is there proof of concepts than they are an actual the the actual attack?

[00:39:59] Brad Nigh: Mhm. So I think, yeah, that’s the next step. Is does it happen again? Right. Well, you know, put in place to prevent it if anything.

[00:40:09] Evan Francen: Yeah, I mean if there was any malice behind it, at least they know it works that this particular thing works for this long or whatever that, you know, I don’t know, I guess I’m skeptical of, I’m just not as trusting anymore as I used to be maybe of other players. Yeah,

[00:40:30] Brad Nigh: I yeah, and I we just don’t know enough about everything too.

[00:40:36] Evan Francen: Super interesting man. I think you’ve chosen awesome article uh

[00:40:41] Brad Nigh: you can that’s when you can definitely go down the rabbit hole on,

[00:40:45] Evan Francen: right? Yeah. So this was, this was on threatpost.com and it was on like you said nakedsecurity.sophos.com this is this happened back, you know, second week in November. So just recently actually last week mhm uh in for Google and Cloudflare. So two different companies obviously? But you know, they were both off offline.

[00:41:08] Brad Nigh: Yeah, that’s cool masks. All right. So now this one this next story, I just shook my head and just like the face palm.

[00:41:20] Evan Francen: So what do the kids now say? They say? SMH. Shake my head. Yeah, So you’re SMH-ing right

[00:41:27] Brad Nigh: now? I am. Okay. So why is it Pathé, a cinema group out of uh the Netherlands, was ripped off by con men for $21 million. It all came from an email That said, Hey, send this money for this acquisition and they made four payments in March of this year. The first one was 930,000. The second one was for two point almost 2.8 million. And then again, the 3rd and 4th ones, I didn’t I didn’t see the exact amounts, but um Yeah, million dollars in a month gone.

[00:42:08] Evan Francen: The Attackers sent an email posing as

[00:42:11] Brad Nigh: higher up. Hey, I need you to send this money to this account for this acquisition.

[00:42:18] Evan Francen: Oh my God. And all it took was an email For 2 to send $21 million.

[00:42:26] Brad Nigh: Yeah, well even if it’s even if it’s the first one, like it was the first transfer was for, you know, $930,000. How do you not question? Not much money being requested to be sent on an email, right? I mean, it’s the same attack with the all time.

[00:42:50] Evan Francen: It’s just totally an SMH man. I’m SMH-ing myself now.

[00:42:53] Brad Nigh: Yeah. So they finally got the the email, the final email from the fake company boss to repay the cash. But then So March, March eight was the first attack. March 28. Questions began coming in from the headquarters out of Paris as to what is going on.

[00:43:15] Evan Francen: So so March eight, the say that again, March eight, the emails went out and then how when did they get?

[00:43:21] Brad Nigh: They made the emails came in, March, they started they made the first payment that day. So the first payment was March eight. They made three more payments and before it was caught um On 28 March. So in three weeks,

[00:43:37] Evan Francen: 20 days. Yeah. For any red flags, like oh there’s millions of dollars going out the door. Do should we check on this? Yeah, let’s let’s just find out what’s going on. Yeah. Oh my God. So we have such a like lack of financial controls or lack of a lot of things.

[00:43:54] Brad Nigh: So the interesting part on this one, I mean that that’s we see that all the time or a bad attack isn’t surprising, but they were both fired and then one of them sued to get his job back or get paid. Um and the court decided that even though he’d been lured by conman, he should not have been fired on the spot even though he ignored several red flags. So he’s getting his back pay for, you know, eight months or seven months. But in accordance, acknowledge you missed a bunch of red flags.

[00:44:32] Evan Francen: Right? And you’re right, we do see this attack all the time. I mean I get attacked all the time with this. They’ve sent emails to Peter, the emails to Caitlin posing as me. They sent emails to 3, 2 or three other people at FRSecure saying, hey, I need to go and get gift cards or I need, you know, whatever. And one time Peter actually replied back and said, where do you want me to send these to the attacker? You’re not? I don’t send those emails. Right, right.

[00:45:04] Brad Nigh: Yeah, he came to talk to you about that and he’s like, mm I almost got

[00:45:09] Evan Francen: it. Oh my gosh. It’s like, like I

[00:45:10] Brad Nigh: was just going on my own man. Then I was like, oh wait, that’s not right, hold on. So yeah, it’s easy to happen like when nothing happened out of that one,

[00:45:19] Evan Francen: but Caitlin, I mean, yeah, there’s

[00:45:24] Brad Nigh: even

[00:45:25] Evan Francen: in our own organization. So, but the thing that makes this one so sensational is politics was an email. Mhm. And they processed that payment on that first email the same day without any red flags. I mean that that attacker got, you know, you just imagine that I’m going to get paid $800 $900,000. They’re just sending an email. Yeah. And then you get the payment. That’s just crazy that I don’t know, It’s just, it’s such easy money for the Attackers. It’s

[00:46:07] Brad Nigh: yeah, that’s a lot of money.

[00:46:11] Evan Francen: And who would think that? I mean, I just, I can’t imagine, I mean, I don’t know this dutch company obviously, but what sort of culture in a company? I don’t know. We were just what I mean. Well, it’s, and I think that’s one of the differences between maybe us, security people and I call, you know, we call them normal people right to normal people. That’s just, you know, and I understand no people are bad. It’s just that they think different.

[00:46:42] Brad Nigh: Right? Yeah. Yeah. That’s definitely not a put down by any means or a slight by any means. It’s just, it’s a very different way of thinking of things that we have, we’re not normal

[00:46:53] Evan Francen: when we obviously have not gotten, we have, we haven’t translated our language well and we haven’t gotten through to some of these people or most or something, you know, whatever.

[00:47:03] Brad Nigh: I think, you know, the biggest town. It’s just the numbers, the numbers game. We did not away not being effectively done.

[00:47:14] Evan Francen: Was there any mention that um they caught the bad guys?

[00:47:21] Brad Nigh: Uh No,

[00:47:25] Evan Francen: no. So the Chief executive and the Chief financial officer finance guy. We’re both fired,

[00:47:35] Brad Nigh: yep. And the safe trying to find where it was. Um Chief exit. I’m trying to find where they were finance. The finance chief is, who sued, which is how we know about all the details.

[00:47:57] Evan Francen: Okay. Yeah. So then it becomes public, right? Because he goes into the court court documents. Right?

[00:48:04] Brad Nigh: So

[00:48:05] Evan Francen: otherwise we wouldn’t have known about it.

[00:48:07] Brad Nigh: No, no, no.

[00:48:10] Evan Francen: So that’s why it happened in March eight and we didn’t find out until november. Yeah,

[00:48:19] Brad Nigh: yeah, that’s just that’s a lot of running for such an I mean, I don’t want to say an easy, you know, scam, but it’s a relatively Common one We see. Right?

[00:48:34] Evan Francen: So yeah, Well, the one that, you know, I used as an example, I obviously can’t say the company, but it was, you know, compromise. An email account for somebody in accounting turns out it was somebody in accounts payable, you know, and the attacker obviously was probing for a while before they found the accounts payable person. Once they had a considerable person, single factor authentication and outlook web access. Right? That’s a single factor authentication. You can tie most of these attacks back to things like that. Right? Because now I’ve got a foothold in your system and so I can send an email as that person, you know, set up email rules so that when you reply back, the real user of that account never sees the emails that you replied back on because the attacker doesn’t want the person who uses the email account to know that No,

[00:49:31] Brad Nigh: no. You know what I mean? First step is cover your

[00:49:34] Evan Francen: tracks. Yeah. So yes, you’re so common and it’s a bummer because people, you know this stuff really, you know, you know me, it ticks me off. You know, that’s money that this organization can’t use for expansion, their employees innovation, whatever. And this is money now that the Attackers can use to make their attacks better. Right. Which, you know pisses me off.

[00:50:01] Brad Nigh: Yeah, that, that one definitely funded quite a bit of additional taxes. I guess.

[00:50:08] Evan Francen: He chose a good one, man. That’s a good one. Crazy. Uh, what was that story that was Dutch news?

[00:50:13] Brad Nigh: Dutch news had the details on that. I don’t remember where I saw it originally. Um, but yeah, that’s where that had the best details on that one.

[00:50:26] Evan Francen: Pathé. Pathé, P A T H E. What do they call that on top of the E, the accent?

[00:50:32] Brad Nigh: I don’t know the flashy thing.

[00:50:34] Evan Francen: Senor. Senior security

[00:50:37] Brad Nigh: guys not

[00:50:37] Evan Francen: parallel Pathé cinema group.

[00:50:41] Brad Nigh: This is why I have somebody else proof read.

[00:50:44] Evan Francen: Right. You should see the first version of the manuscript in my book. Be like, what the hell is he saying? Nobody gets hurt until you have an editor,

[00:50:54] Brad Nigh: yep. All right. Next one. I think this will be fairly quick hitter, but it was interesting. This was on the Naked Security site for Sophos as well, botnet pwns 100,000 routers using what they call it. An ancient security flaw and I was like what I looked at it and it was indeed I would consider ancient. It was a security flaw affecting Broadcom router software first made public in February of 2013. So The botnet covers 116 different devices. Uh D-Link, Cisco, Linksys or Belkin, TP-Link, ZyXEL, Broadcom. They say up to 400,000 routers are susceptible to this and it’s using the universal plug and play, the UPnP.

[00:51:44] Evan Francen: Actually miss this one to wow

[00:51:45] Brad Nigh: so the moral of this one is disable things you don’t need. Uh But it was crazy because I was looking through it and like how how could there possibly be the security flaw that was made public, you know, 5.5 years ago and Broadcom patched it fairly quickly and it looks like nobody else actually put the patch in. So there was a patch out there that nobody actually did right or rather the owners aren’t doing it because it’s you know, homes or small businesses that just never do that type of thing and just let it run and you know, the only time it reboots or it has anything happen is if it quits working and they unplug it and plug it back in. Mhm. But yeah it was they’re saying it scans for UPnP on TCP port 5431, then UDP port 1900 used by Broadcom and it’s using it to proxy traffic. So it’s basically a spam bot that uh that’s infected 100,000 routers.

[00:53:08] Evan Francen: Yeah, there’s a lot of troubling things about this.

[00:53:10] Brad Nigh: Yeah. Okay.

[00:53:14] Evan Francen: When we’re starting to see Attackers increase the sophistication of their attacks on home users,

[00:53:21] Brad Nigh: Well, you know, I think this really plays into why I don’t have a lot of like IoT things for this reason. I don’t need my refrigerator on the internet. And do they have any sort of patch in place to have any sort of, you know, how are they gonna push updates down? You don’t see it? They don’t have that because it’s just first to market will figure that out later. And then you get you get this.

[00:53:49] Evan Francen: That’s totally true man. It’s like I get asked, you know, I get asked all the time and like you do too, I’m sure from friends and things. Hey, what, you know, what are some things I can do to protect myself or what’s, you know, what are the top five things, what’s the best thing I can do? It’s like people really need to realize that the more things you add, the more complex things get things you need to do to secure your yourself if you didn’t have, if you didn’t have a smartphone, if you didn’t have a laptop, if you didn’t have home network if you didn’t have all these things. Imagine how much easier would be to secure your home then with all that stuff. Right? But you just keep adding stuff, It’s like, well, you know, you know, security and after that.

[00:54:38] Brad Nigh: Yeah, well, and to some extent, you know, there is that risk assessment that, you know, decision that needs to be done, you know, I have on my front door a uh a lot that’s got bluetooth and it’s bluetooth enabled, so I can manage it and give out like a code to my daughter’s got, you know, the pen, they could punch in their uh their codes or if we needed somebody to, you know, watch the dog or something, we can give them a temporary one. And like when I was looking at getting it was like, gosh, you know, what is this opening me up to? What’s not to the internet is just a bluetooth and so they would have to be, if I was gonna get hacked, it would have to be here on site here. And quite frankly, if they’re if they’re hacking my bluetooth, front door lock and not smashing the window, I got bigger problems. Right, So that was kind of the benefit there was worth it. But yeah, overall, I just don’t see the benefit a lot of times.

[00:55:42] Evan Francen: Well let’s see, but you do it the way we’re trying to teach everybody to do it, you consider the risks first. Right, Right. I’m not saying it’s not a good idea to get, you know, Alexa and you know, other IoT, you know, baby monitors and things like that, but understand each thing that you add into your home, understand the risks that come with it, and then account for those things. Right, right. If you’re going to hook your home up to the internet, you’re basically inviting the world to connect to your home.

[00:56:14] Brad Nigh: Mhm.

[00:56:15] Evan Francen: You have to check your router on a regular basis for patches. Yeah. You know, and you have to stay uh you know, sort of up to up to date on the news about things like this, so that you can do something about it, right? Rather than just being a another, you know,

[00:56:34] Brad Nigh: sheep and, you know, well, and it doesn’t help when the vendors aren’t putting in patches either. Right. So

[00:56:43] Evan Francen: yeah, if I had, if I had one of these devices, which I don’t think God, but if I did, and the vendor doesn’t provide a patch, will then get a different vendor.

[00:56:55] Brad Nigh: Don’t. Yeah, but you look at those names, I mean, those are the pretty much the names for

[00:57:03] Evan Francen: Yeah. D-Link, Linksys, you bet

[00:57:06] Brad Nigh: TP-Link. Yeah, and Broadcom anyway. Yeah. Patch your stuff. Turn off the services you don’t need.

[00:57:16] Evan Francen: Right? Because also in that, in that, you know, last year we had the the heck is it? It’s in that same last year we had the VPNFilter botnet, which was traced back to Russian group, I think, or another another attack was the Russian group

[00:57:33] Brad Nigh: called? That was steep, yep.

[00:57:37] Evan Francen: Yeah, So these things are being targeted, you know you have to be careful.

[00:57:42] Brad Nigh: Crazy. Oh boy. All right, so the last story, This one really had me uh sn 18 I guess. That’s right.

[00:57:54] Evan Francen: I also we’re going with now I’m messing 18,

[00:57:56] Brad Nigh: I’m we’re so not young. Um So this one is off of Infosecurity Magazine, its employees, poor security habits getting worse survey finds this is from last week and uh SailPoint did some research It quizzed 1600 global employees. So you know, I obviously don’t have access to the actual survey to figure out you know Uh what the breakdown was in terms of age and all that and where they’re working, but it’s still pretty disheartening to see this. Um so 1600 employees 75% reuse passwords across both personal and professional accounts, which is up from 56% in 2014. So it’s getting worse by a lot that they’re using it across. And that’s after we keep seeing all these, you know, stories come out and say yep here they were able to get into your Gmail account because of the um LinkedIn or whatever breach that you use the same password across all of them for. Right, just crazy that that would be the case

[00:59:11] Evan Francen: how many millions of dollars are spent on training and awareness and all these things and if you know like you said this is one study and It’s just you know 1600 employees out of millions that are actually employed. Yeah. Uh But if we’re to assume that this stuff is true are accurate. Yeah we gotta be really be rethinking about what we’re doing

[00:59:41] Brad Nigh: right and I think this is the this next part was really what Is going to be the driver and is really the scary part. They said 18-25 year olds who admitted reusing passwords was 87%. So you’ve got young people coming in to use the same password across the board forever. And my guess is that’s probably where that the majority of that jump comes from is people coming in. Which ties back to what are you training on from a security perspective with new hires because actually catch those types of things. Right. So Yeah I mean there’s just so much in this 23% of those polls that they only change their work passwords two times a year or fewer. 15% would consider selling their workplace passwords to a third party. Got what

[01:00:37] Evan Francen: what are we doing?

[01:00:38] Brad Nigh: Um Now this one you know you came from IT as well. Uh They said Uh 13 or half of the respondents said IT is a source of inconvenience and 13% would not immediately inform IT if they’ve been hacked. So I think that’s that’s a failure on IT and and security more than on the employees which was kind of eye opening. Mhm.

[01:01:08] Evan Francen: Well I think you know two things for me you know about this. You know I do do question the findings a little bit because they’re so counter to what I see. I mean I we still have a long long ways to go but I don’t think we’ve gone backwards like this study suggests.

[01:01:30] Brad Nigh: Yeah and without seeing the demographics right? It really does make it. We can only go with what what information we see in that story

[01:01:39] Evan Francen: right? Because you get so many news things from everywhere anyway and I think it’s just healthy to be skeptical about some of this stuff. So what I’m skeptical but not I’m not discounting it at all. I mean a little bit just you know I’m skeptical but I think the take away for me really is never lose focus of trying to communicate you know well with your employees and and try to be try to get them to be a fan of yours. You know this old school sanction-based mandatory training that kind of crap doesn’t work. What works is collaboration working together, personalizing this you know gamification giving awards you know and rewards for good behaviors. That’s the stuff that seems to work because that’s what motivates people.

[01:02:37] Brad Nigh: Uh huh. Yeah and I would I fully agree with you and I think that that you know I wonder what the company size was because you know our primary market is that small to mid size you know not the enterprise You know, we can work in there. But typically the smaller mid size companies are a lot more at least in my experience there’s less red tape a lot of times we’ll put it that way. So they’re a little bit more willing to change and go towards that approach versus you know, the very rigid all the politics involved and you know this is the way we’ve done it. We’ve always done it this way. We’re going to continue doing it this way that you might see in some of the larger organizations. Yeah.

[01:03:27] Evan Francen: Yeah. I think security personnel are more accessible and approachable in small and small to medium sized companies than they are in large companies. Large companies I think a lot of CISOs I’ve seen talk to are overworked. I think there’s a lot of CISOs in those bigger companies who are not approachable at all for whatever reason.

[01:03:49] Brad Nigh: Yeah. There’s also a lot out there that very much had that, you know, militaristic approach to it. I’ve just, nope, we’re not doing it. No questions asked. I said no you’re not. You know I know we both worked with those types of people in the past.

[01:04:04] Evan Francen: Nobody wants to work with those people right.

[01:04:07] Brad Nigh: So you know I would say great assault. But I out of these statistics the 75% reusing the 87% using across the board for 18 to 25. Those really like I was like wow that’s absurd. But then the ones that didn’t surprise me was IT and a half of people saying IT or and I’m assuming IT and information security are being tied together here given what they’re using you know The verbiage but a source of inconvenience and 13% not immediately informing IT if they’ve been hacked. That honestly doesn’t surprise me.

[01:04:51] Evan Francen: No that’s true. Doesn’t either.

[01:04:53] Brad Nigh: So you know and again I think I’m gonna go back to that’s a failure on on our behalf because we shouldn’t be you know when we do social engineering we never we make it very clear to the company you can’t this is not a sanctioned thing if they get you know if it happens it’s going to happen to someone. We’re not gonna get stopped right? I mean you know it sounds a little bit arrogant but we’ve talked about enough scams and phishing emails and there’s enough stories you know what’s happening? It has to be a learning opportunity. You can’t use this to punish someone. And I think there’s still a lot of that thinking out there.

[01:05:33] Evan Francen: Oh for sure yes that’s like this in my mind aren’t a condemnation of users. It’s a condemnation of us yep ravi were obviously sucking. I mean if this is true like I said I’m I’m skeptical that it’s this bad. But if it is we just really suck at our jobs we got to do a lot better. We’re not a lot of work ahead of us. Nobody’s listening. Right? Yeah.

[01:05:59] Brad Nigh: Well, and you know, again global. So where are they? Out of what? You know, there’s just so many unknowns out of this. But you know, it was, uh,

[01:06:08] Evan Francen: so for people listeners, this is on Infosecurity, for information, infosecurity-magazine.com. And this is A study from SailPoint. Right. one word if they want to do more research on it, which I probably will now too because

[01:06:25] Brad Nigh: yeah, I did some skeptical, high level digging and I didn’t see a whole lot. But yeah, I got busy because you guys all took off on Friday. I know, right?

[01:06:35] Evan Francen: We’re not, we’re not good at that.

[01:06:38] Brad Nigh: No, no, it was, yeah, I thought that was interesting now. I mean, that’s definitely one. Maybe we can come back and revisit

[01:06:47] Evan Francen: for sure. That’s a good, that’s a good one. All right. So next week I’m putting together great, great job, man. They, this is for me, this is really fun because I just feel like we’re kind of in this together and I really enjoy our, our or so together every sunday.

[01:07:06] Brad Nigh: She even, it’s nice to be a little bit more. Yeah, lay back and just talk security about it instead of yeah, day to day issues.

[01:07:17] Evan Francen: Right? I mean, I don’t actually have to write a report after this.

[01:07:20] Brad Nigh: Right. That’s awesome. No slides involved, nope.

[01:07:25] Evan Francen: So we got next week, uh, you’ll be driving, so hopefully, you know, you can still do 5 30 but we’ll uh, we’ll do another another call. I’ll put together the content. I’m don’t worry about I’m not calling a guest next week, I don’t think, but I’m not gonna tell you this is competitive now.

[01:07:41] Brad Nigh: All right.

[01:07:43] Evan Francen: Have a great rest of the

[01:07:45] Brad Nigh: night, man. Thank you to.

[01:07:47] Evan Francen: All right. Bye.

[01:07:48] Brad Nigh: Bye.