Connected Devices and Security Incident Response Best Practices

In this episode, Evan and Brad break down connected devices and IoT, the healthcare industry, and security incident response best practices.


Podcast Transcription:

[00:00:22] Evan Francen: Welcome to UNSECURITY podcast number three, as Brad tells me. First time we tried to say it, I was, I said four. This isn’t four. This is number three. This is number three. I’m usually ahead of myself. Uh today is, well it’s after Thanksgiving. Today is November 25 2018. What’s new Brad?

[00:00:46] Brad Nigh: Not much. I uh I splurged on a one of your articles about IoT. I was like, oh I got a smart thermostat. I got the Echo before it was on sale. We needed to replace ours.

[00:01:01] Evan Francen: Oh before yeah.

[00:01:05] Brad Nigh: We just ordered it so it’s pretty cool. We’ll find out.

[00:01:13] Evan Francen: Did you order it on Amazon?

[00:01:14] Brad Nigh: Um, we got it through. No, I saw that one too. No, Target. Alright. I had the same the same price and we got our extra 5% back because you know that adds up. Yeah.

[00:01:29] Evan Francen: Did you do anything exciting over the Thanksgiving holiday?

[00:01:34] Brad Nigh: Yeah. We wouldn’t visited uh my sister and brother in law so shout out to Mali and Tom for cooking, hosting nothing, cooking. Great Thanksgiving dinner. I didn’t have to cook. It was fantastic.

[00:01:47] Evan Francen: We went somewhere. Our friends, mother’s house. Okay. Kind of weird. But then we went Black Friday shopping because because we would like to go out and just just see all the stuff. I don’t buy anything, I just want to get the atmosphere.

[00:02:06] Brad Nigh: What watch the fights as people go for the $200 TVs.

[00:02:11] Evan Francen: Yeah, no we didn’t see any of that, but uh but I have seen that before. Yeah, Walmart was crazy. Oh my gosh,

[00:02:20] Brad Nigh: Yeah, we avoided that. It was actually, we were down uh south here is 60° on Thanksgiving. So we met like kids are fully acclimated to living up here, they were all wearing like ladies and just long sleeve t shirts. They were mad at my wife, we’re not bringing like shorts or t shirts for them to wear because they were too hot. Mhm.

[00:02:44] Evan Francen: That’s cool. Yeah, I was lazy, I’ve been so lazy this weekend,

[00:02:48] Brad Nigh: it’s kind of nice.

[00:02:50] Evan Francen: I don’t know man, I’m starting to feel really guilty now.

[00:02:53] Brad Nigh: No, you gotta, you gotta recharge. This is like last weekend to recharge before the big push to end the year for us, so I get a good time to unplugged for a bitten reset?

[00:03:07] Evan Francen: Yeah, that’s true. We got a got a big football game tonight. Yeah, so what uh so we’re back to work tomorrow. What are you excited about anything cool and exciting this week?

[00:03:19] Brad Nigh: Um You know, this will tell you haven’t even looked at my calendar, I don’t know, it’s been it’s been really good, I took uh Harmon’s advice pretty seriously. Um actually gotten into the responsible, I worked on on Thanksgiving and uh Black Friday and third on Friday. So we’ll be kicking off our get you know that daily call tomorrow morning. So that will be I’m interested to see what they found. They thought they had found they uh contained it and we’re just trying to find kind of the what was the source and making sure. So I’m interested to see where we’re at.

[00:04:02] Evan Francen: Okay, is Peter been giving you updates kind of throughout?

[00:04:06] Brad Nigh: Yeah, we got one um Friday afternoon being an email from our shoes from Brian. But yep okay I think we’re in most of the day Friday was just getting logged data.

[00:04:17] Evan Francen: Okay. So it sounds like you have containment and sort of investigating now.

[00:04:24] Brad Nigh: Yeah, more investigative.

[00:04:26] Evan Francen: Okay. We

[00:04:27] Brad Nigh: think we’ll find out.

[00:04:29] Evan Francen: Let’s hope so. Never assume. I know right? There are 2.2, I don’t know if you gave that advice to on the on your kick off, but I always give the same things. Two pieces of advice on any incident response. Don’t assume anything. And communication, you know, communicate even when it doesn’t when you just feel like you’re over communicating, communicate some more,

[00:04:55] Brad Nigh: yep. Yeah, we’re going to do daily calls and then twice a day emails at a minimum. Um Just for status updates. And then obviously if as other things are found or as needed but Yeah it’ll be three touch points today.

[00:05:13] Evan Francen: Cool. Well I go to I think I’m out to New Jersey, New Jersey on to Wednesday and Thursday this week sort of excited, sort of not excited I’m bringing my wife with, which will be nice. But yeah, we can drive down to uh New York and she can see the tree. I think the tree’s up.

[00:05:35] Brad Nigh: No. Yeah,

[00:05:37] Evan Francen: yeah, it’s only traveling is so much better when you bring a family. Yeah,

[00:05:42] Brad Nigh: yeah, going alone is it’s I know some people like it, but I don’t know it gets old.

[00:05:52] Evan Francen: It really does man like being home with my, with my wife and Well, one kid now. Yeah, most of time. Yeah, most of the time

[00:06:03] Brad Nigh: the kids can get, there’s

[00:06:06] Evan Francen: there was this weekend in my house, so even more reason for me to just find a hole and be lazy.

[00:06:15] Brad Nigh: I like a good plan. Yeah.

[00:06:19] Evan Francen: All right, well, cool. So we had a great week last week. It sounds like uh thanksgiving was good. This is my week to lead. Next week is yours. Uh and speaking of that, I’m trying to line up uh somebody to be a guest in my next podcast. Are you working on that too?

[00:06:41] Brad Nigh: I am. I was trying to have a couple ideas and you’re mentioning who you thought of and I was like, well, I should probably find somebody else then because we don’t want to be overlapping too much right away. So I got to go back to the drawing board. You beat me to the punch on that one.

[00:06:57] Evan Francen: Well, you can always you can always play. Was that the defense a defensive maneuver?

[00:07:05] Brad Nigh: Yeah, I get it in. That’s true. I got the next podcast that you do,

[00:07:10] Evan Francen: yep. And I haven’t even mentioned the name yet because you know nothing is confirmed. Yeah,

[00:07:18] Brad Nigh: had a couple. I’ve got some ideas. Cool if it happens.

[00:07:23] Evan Francen: Well I’ve got some news I picked, How did I pick six news things this week for us to talk about? Um The first one is uh well it’s actually one that you sent me. Yeah, it’s the hcea news, it’s about health care, health care system neglect is top cause of data breaches. This comes from Healthcare Analytics News. Have you ever read Healthcare Analytics News before?

[00:07:56] Brad Nigh: I have not. This is actually during the drive down was driving after I worked and this is what I was doing is uh reading news about about this stuff. So this is the first time I’ve read this one.

[00:08:10] Evan Francen: So you do security in your free time to,

[00:08:13] Brad Nigh: I mean, I don’t think you can never get away. I’d be surprised if you didn’t.

[00:08:19] Evan Francen: I know we’re we’re bunch. Yeah. Well anyway in this article uh comes from Michigan, a study that Michigan State University and Johns Hopkins University did where they researched 1800 large data breaches of PHI so for those of you don’t know what PHI is, it’s protected health information or sometimes people call it patient health information. uh but they detailed, they looked at 1800 large data breaches over seven years and 33 of those hospitals that they researched, experienced more than one substantial breach. Um, but through all this, they they found that most of the breaches just happen because of neglect, because of poor just poor practices, poor processes, internal mistakes, not hackers.

[00:09:20] Brad Nigh: Yeah, I was surprised. And this is this study looked pretty, I actually read into it a little bit more because I, you know, had eight hours of driving to kill and it looks pretty legit too. It’s not it’s not like the one we talked about last year or last week.

[00:09:37] Evan Francen: Right. Well, it’s Michigan State University and Johns Hopkins, which is two, you know, legit schools and the guy who or the professor who led the study, he’s got a PhD. So it’s gonna be pretty good.

[00:09:54] Brad Nigh: Both of them. The lead author and co author both

[00:09:58] Evan Francen: See, if you have PhDs, it’s got to be a good study.

[00:10:01] Brad Nigh: Right?

[00:10:03] Evan Francen: Yeah. All right. So they found that 53% of breaches were the result of internal factors in health care entities, So over half. Yeah, not surprising. Right. If you work in health care.

[00:10:20] Brad Nigh: Yeah, I was a little surprised how high that was, but I was I wasn’t surprised. It was the biggest cause. Yeah,

[00:10:31] Evan Francen: Well, in 33% were external breaches, which I don’t know what they’re their definition wealth theft, I guess 33%. And then the The 12% were hackers. Yeah. So if 12%, mm. So the thing is with healthcare breaches that concerns me is attackers have learned how to monetize PHI now, I mean they have for a while, right? Because I’ve heard two things that attackers are doing with PHI they’re reselling it so that people can get health care under somebody else’s insurance. And the other is which I’ve never really heard of before. I mean, I never really thought of it this way, but um, they’re taking health records going and seeing doctors and getting um, opioids prescribed for pain and then they’re taking that and selling it on the street. That’s it’s kind of scary.

[00:11:38] Brad Nigh: Huh? Yeah. Yeah, because yeah, then you go and try and get care or whatever and nope, or you get a surprise visit right from the uh from law enforcement about what he fought so many opioids.

[00:11:54] Evan Francen: Yeah. Yeah. But if you spread it out right, they don’t know. Yeah. Person,

[00:11:59] Brad Nigh: it’s a while. Yeah.

[00:12:00] Evan Francen: So the employees taking PHI home, forwarding data to personal accounts and devices, email mistakes are all cited as things that lead to or the internal factors. So when you call internal factors, I guess it’s a whole smorgasbord of things. Yeah, 53% of breaches come from that. Um, and then, you know, they have, they give her their suggestion at the end, which is adopt internal policies and procedures to tighten processes and prevent internal parties from leaking PHI. Easier said than done.

[00:12:39] Brad Nigh: Right Well and I think you know, one of the things that it has on there is that Um 25% of all cases were caused by unauthorized access or disclosure. Now I wish they would just break that out which was unauthorized access and which was unauthorized disclosure because I think there is a difference there. Uh it’s two different solutions to it. Um but yeah, I think that that you know, man, that’s a

[00:13:13] Evan Francen: lot well and I couldn’t find the actual, well here we go, the actual study because it would be good to read the actual study to find out what their definitions are, a lot of these things. So the study is on JAMA Internal Medicine, the JAMA network, J-A-M-A. If you want to read more about it, which I think I’ll probably do. Uh but after the podcast, you don’t want me to read the study while I’m on the podcast. Right?

[00:13:40] Brad Nigh: Um We could, we might not get everybody’s

[00:13:48] Evan Francen: gonna leave these guys are blame

[00:13:50] Brad Nigh: the three that we had are going to leave us. Right?

[00:13:53] Evan Francen: Hey, somebody will get four. Yeah.

[00:13:57] Brad Nigh: And then what let’s just go for one for podcast.

[00:14:01] Evan Francen: one that works for me. All right, well enough of that one uh policies procedures, the non sexy part of information which is, you know, it’s critical. I mean I get, I guess there are other, you know, you can put some technical controls sort of around it. Uh but we’ve worked in health care, you know, it’s a very strong vertical for us. Um you know, there’s technical controls to just aren’t there, you know, to detect when users are doing things they shouldn’t be doing egress filtering on firewalls. You know, I mean just simple, basic hygiene type things aren’t in a lot of health care organizations. Um so these things are bound to happen and I think you just have to tighten everything.

[00:14:47] Brad Nigh: All right. Yeah. And one and a lot my experience on this is a lot of them are very resistant to to putting any of these controls in place because the most common quota here is what we can’t afford to have, you know, interruptions or were health care and it typically takes a breach or something an incident happening to, you know, to flip that. And uh we see it all the time.

[00:15:19] Evan Francen: Well, what Yeah, I mean, and what are the consequences? I mean, the OCR so far behind in their own, you know, investigations of breaches because the OCR tried to do the audit protocol as far as I know they’re not doing audits anymore, are they? Have you heard?

[00:15:35] Brad Nigh: No, they I think they’ve they’ve stopped a couple years ago.

[00:15:39] Evan Francen: The only work that they’re really doing in terms of information, security is investigating after the fact. Right,

[00:15:46] Brad Nigh: Right. Yeah. They’ll come in and investigate and I think that’s when they’re gonna look at that audit protocol and what else all the other things around it

[00:15:55] Evan Francen: they’re so far behind. I mean when you look at the number of healthcare breaches and then you look at you know because every time they kinda it seems like every time they kind of do an enforcement action they do a press release and they announced you know the fine and the compliance action plan and all that stuff but they’re so far behind it seems.

[00:16:16] Brad Nigh: Yeah. Yeah it takes well I mean I guess it makes sense that they are actually you know investigating but it takes years for this to you know go through

[00:16:31] Evan Francen: and then on the other side you’ve got like I mean if I. Yes I do you know hospital its purpose is to save lives right to treat you know illnesses and things and I assume I mean maybe sometimes things are just so urgent that I have to bypass control so I can’t have a password and you know what I mean I mean. Which you know then they have those proximity card you know things but I think there’s just a lot of opportunity to be a lot more creative in health care as opposed to just doing policies and procedures and expecting doctors to and nurses right you know. Yeah

[00:17:18] Brad Nigh: they’ve seen a couple that have had the their computer you know in the exam room has yeah that little card you know their ID card their proximity card and that’s what unlocks it and it’s tied into Active Directory and all that and then when they walk away to lock and somebody else can come in and swipe their card they’ll unlock and it’ll be a fresh to their account. It seems like a really good solution. I can’t remember who what that’s called off the top of my head and uh

[00:17:51] Evan Francen: I know what you’re talking about. Imprivata.

[00:17:54] Brad Nigh: Yes Yeah Yeah I’ve seen that implemented several places and you know the nurses and healthcare people actually seem to to like it so they haven’t usually they mean us the nurse they have no problem complaining about IT and security stuff in the way and they said it helped out it was better than their what they had before. So there are solutions out there.

[00:18:22] Evan Francen: Yeah you’re right I mean you just can’t get in the way of but then you also I mean somebody’s PHI somebody’s private information the protection of that. It seems like that should also be part of just the care of the individual right? Yeah it’s not just the physical well being but think of the stress and everything else that comes with you know. Yeah I I mean there’s I don’t know there’s lots of there’s lots of we could talk all night about about health care

[00:19:02] Brad Nigh: and at this point isn’t basically everybody in the U.S. had their PHI leaked with the Anthems and right. Some of these other big ones that this which is it’s frustrating I guess the big differences you know new insurance information as it comes up. But man

[00:19:23] Evan Francen: right well there’s no light central repository for the healthcare information. So you have multiple health records in multiple places.

[00:19:30] Brad Nigh: Yeah so they can have different information.

[00:19:33] Evan Francen: Yeah I mean in one place your health record might be accurate and not lost or stolen but then you know in another place uh you know it might not even be you. Yeah it’s interesting anyway lots of work to do in that. Yeah the second news article that I that I pulled up or that you know I thought was interesting. Uh This one comes from infosecurity-magazine.com. Uh It’s the title is alleged SIM swap fraudster stole $1 million from an executive. And and this this news doesn’t surprise me either. But when one of the things that is sort of concerning is the increase in SIM swap identity theft. Yeah. Um It’s it’s 2,658 by January two. So in January 2013 uh there’s 1,038 reported incidents, in 2016 2,658. I don’t know what the number is today. Um But it’s I think it’s a it’s a it’s a fraud that most people aren’t aren’t even aware of it, they don’t even know what it is. But in this article anyway, uh this guy they caught him Nick or Nicholas Truglia, 21 years old uh targeted a few victims. But the person that he he nailed was the fourth victim that he tried. So the first three sort of caught on, the 4th one. Uh a guy named Robert Ross and what he did was he hijacked. So he used SIM swapping, so swim SIM SIM swapping swim, swim stopping ever. Uh you know the way that attack works is a, you know, gather. But so the SIM attack you and Brad, I’d find all the information I possibly can about you in terms of like uh you know mother’s maiden name, address, way with high school, you know all these things because those things will be security questions when I call your cellular provider. Uh huh. You know, because that would be another piece that I would go and try to find is who your cell provider is and then I would call the cell provider and tell them I have I need a new SIM card. Mine was lost or stolen or broken or whatever and then answer those questions correctly.
And then the your cell provider would send the attacker or send me a new SIM card and then I would use that SIM card because so now the second factor of authentication which sometimes is texting or whatever bank accounts are sometimes associated with phones you know numerous different things and now that I have your essentially a clone of your phone um I can bypass those security mechanisms and start maybe doing transactions and that’s sort of what happened. Yeah with this Robert Ross

[00:22:56] Brad Nigh: yeah that’s why SMS is no longer hasn’t been for a couple of years at this point you know a secure method or recommended method for uh for multi factor. Right?

[00:23:11] Evan Francen: So this guy got away with $500,000 in a Coinbase account and then $500,000 in a Gemini account. So he was targeting cryptocurrency. Uh huh. The good thing is he was caught.

[00:23:26] Brad Nigh: Yeah only You know what they said, only 300,000 and stolen funds was recovered though. So the guys out of $700,000, that’s a lot of money.

[00:23:38] Evan Francen: But he’s from San Francisco, money is different out there

[00:23:41] Brad Nigh: you know. Well yeah I guess still a lot of money right?

[00:23:49] Evan Francen: He was arrested so Truglia was arrested at his West 42nd Street high rise apartment. Uh huh. Yeah good I guess jail time is coming his way. So

[00:24:03] Brad Nigh: one of the things on that that you can do uh to fight it because right if you get targeted there’s not a whole lot you can do is uh but you can put in um PIN codes or passcodes on your account as opposed to just that knowledge based uh you know questions and answers so you can put in wireless passcodes or whatever. So AT&T and Verizon if you just Google you know PIN code for your carrier should be able to pull it out pretty quickly and easily.

[00:24:38] Evan Francen: Yeah exactly

[00:24:39] Brad Nigh: at the level

[00:24:41] Evan Francen: Yeah AT&T’s got uh they’ve got a passcode. Sprint I think has a PIN. T-Mobile lets you set, create what’s called a care password. Verizon I think also has a PIN. Yeah it would be a good idea to call your cell provider and find out what additional security features they have or go visit their store. I mean they’ve got stores everywhere.

[00:25:04] Brad Nigh: Yeah most of the time outside if they cannot allow you to do it. Yeah

[00:25:10] Evan Francen: and then a sign that you know you’ve been a victim your phone would would stop working.

[00:25:16] Brad Nigh: Yeah

[00:25:18] Evan Francen: so that may be a sign but the attacker has to work pretty fast for that. So uh Yeah not not a big concern. I just think it’s interesting. I think a lot of people, lot of listeners don’t know what SIM swapping even is.

[00:25:34] Brad Nigh: Yeah. Yeah I think that’ll probably what we’re gonna see a big increase in that seems like the next.

[00:25:45] Evan Francen: Yeah I don’t know. So you think that the cell providers to our because one AT&T they were sued or I think that was still pending for $223 million because of this.

[00:25:59] Brad Nigh: That’s a lot of money.

[00:26:01] Evan Francen: Well yeah not the AT&T I suppose. Shit it’s like you know I can change

[00:26:09] Brad Nigh: it. Turned over their couch fishing over the weekend.

[00:26:12] Evan Francen: Yeah look $223 million. Just several. All right. So we picked on last week we picked on the post office. Yeah. I thought I’d I thought I’d pick on the post office again. Uh This this news also comes out of Infosecurity Magazine. Uh Online U.S. Postal Service exposes 60 million users in API snafu. Only 60 million.

[00:26:43] Brad Nigh: I mean you know that’s only what 1/5 of all everybody in the U.S. Something like that. Yeah.

[00:26:49] Evan Francen: Yeah no big deal. And this was this news. So this news was just recent, it was in the last week. Um But it was this service called Informed Visibility which I guess USPS uh you know the post office. Um It’s a service that they provide to track messages. I’m sorry track packages uh real time or near real time tracking. Well they have this API because you know other applications other things you know they want to uh interoperate with uh but the thing that they forgot in their API was access control.

[00:27:31] Brad Nigh: You know that’s overrated. Right?

[00:27:36] Evan Francen: So if you had an account or you you um you know you were able to access the API so they did have authentication but beyond that there was there was no access control. So I could, you know, a person could view just about anything. Yeah including email address, username, user id account number, street address, phone number. Uh huh authorized users mail, campaign data. And so this news was first broke but was first broken by uh Brian Krebs which no surprise there. He is. Okay awesome. Yeah API security that’s that’s the thing that developers I don’t think, you know um a lot of the companies that I’ve worked with over the years that have had internal development shops and have exposed APIs um API testing wasn’t real common, I mean it wasn’t just part of their normal release cycle like um Right like user testing or integration testing or interface testing. I’m just so I think there’s there’s a lot of risk in a lot of different places with API security and there are some good best practices on how to enable better uh API security. Mhm. But anyway authentication first, obviously test your APIs. You know looking for vulnerabilities making access control a part of the API so that you know a single user or authorized application accessing that API can’t access everything.

[00:29:39] Brad Nigh: Okay. I mean but it blows my mind like that seems like that should be a basic function if you have a you know that secure development life cycle. That should like be one of those core things you’re checking for right like amongst other things, but man, that’s crazy.

[00:30:01] Evan Francen: Yeah. Absolutely. Uh Hey

[00:30:06] Brad Nigh: big hole, can I use your log in and see everything else or just their stuff Seems like a pretty like easy starting point.

[00:30:17] Evan Francen: Yeah, but I think a lot of times to when people, you know expose P. I. S. It’s usually a rush, it seems like it seems like you know there’s another company that wants to integrate with us and this is a great opportunity and everybody’s hurry, hurry, hurry, hurry, hurry to get that integration true. Established and then Okay good. And then they just kind of move on.

[00:30:40] Brad Nigh: Yeah. Oh yeah, I mean well it kind of ties into like the IoT? That’s absolutely the what you see that rush to published and then we’ll we’ll fix it later. Hopefully we we can fix it before there’s a breach or someone else catches it.

[00:30:59] Evan Francen: Well, how prevalent this is too, I mean the same story cited an Imperva poll that was done earlier this year. They claimed 69% of firms expose APIs to the public and their partners managing on average, 363 APIs

[00:31:20] Brad Nigh: thank you. Why? Yeah,

[00:31:24] Evan Francen: so a lot of testing. Yeah, it’s the post office, who cares. Right.

[00:31:31] Brad Nigh: Fun mm. Mhm.

[00:31:35] Evan Francen: All right. What’s my next news? I can’t even remember anymore,

[00:31:39] Brad Nigh: you’re uh a few gadgets.

[00:31:41] Evan Francen: Yeah, tell me about IoT. So you bought an IoT gadget you were saying?

[00:31:46] Brad Nigh: Yeah. The fourth gen though, I waited till it was hopefully they’ve gotten a lot of the bugs out by now.

[00:31:53] Evan Francen: So it’s uh yeah, because I mean IoT is everywhere, right? I mean IoT, I was like I said I was doing some Black Friday shopping and saw, I mean IoT devices everywhere. I mean the big things were Google Home was being sold everywhere. I guess there was a special for $25 um didn’t see a lot of Alexa, but they’re not, I don’t know. Well,

[00:32:19] Brad Nigh: so the one I got that ties into Alexa, but I verified before that I can turn that off. So the microphone will actually be not functional because that’s kind of where I draw my line.

[00:32:33] Evan Francen: So you the eavesdropping.

[00:32:35] Brad Nigh: Yeah, I don’t, it’ll, in theory, we’ll see if that actually happens, but in theory it will turn off the microphone so I won’t even enable it.

[00:32:45] Evan Francen: Well this story that that uh you know that I sent to you and that we’re talking about from Threatpost. One of my really like a lot of the news on Threatpost, but this is as Black Friday looms IoT gadgets take the risk spotlight. IoT is everywhere, you know, I get asked, just like you, I assume um what’s the one thing, what’s the best, the best thing I can do to protect myself and but people, I don’t think, I don’t think realize is, um, the more complex you make your life the more difficult it is to secure. Bruce Schneier, it was the first guy that I ever heard say it, but complexity truly is the enemy of security. Yeah. And so, uh, and this is just how weird. I think, um, I was thinking about that guy who, um, what the crap, what, that’s the name that, uh, he was like, I think he was a missionary. He went to go visit the natives. Yeah, they have,

[00:33:58] Brad Nigh: yeah, they killed him. Yeah.

[00:34:01] Evan Francen: And for some reason my brain is weird. I was thinking what, I wonder what information security concerns those guys have. Uh huh. You know what I mean? They don’t have any yeah.

[00:34:14] Brad Nigh: No. Yeah, they’re not, there was a pre me elliptic or whatever. Yeah.

[00:34:19] Evan Francen: I mean that’s about a simple, I think is, yeah. Uh, his life probably gets now that we can relate to the, uh, I mean, they have no information security concerns. They’re not cared about caring about, you know, PHI or their social security numbers or no, and you kind of translate that to kind of what we deal with. I mean, we’re connected everywhere, our watches. I, I was looking, um, one of the things I asked my wife for Christmas was this ring? Yeah, I showed you that. Did I show?

[00:34:54] Brad Nigh: Yeah, that’s really cool. Yeah. The one you and Brandon we’re talking about.

[00:34:58] Evan Francen: Yeah. And it’s a, you know, it’s a fitness tracker, my my ring for kind of a wedding ring, you’ve got that, you’ve got, you know, an Apple Watch or you know, smartwatches and smartphones. Your cars are connected, pacemakers are connected, headsets, games, laptops, I mean you name it, right? Yeah, thermostat like what you’re talking about. Um

[00:35:28] Brad Nigh: I was looking in that article, they have a link to Mozilla’s uh, the Privacy Not Included where they give you like a creepy to not creepy emoji based on what the IoT does and like there’s a IoT sous vide cookers and water bottles and it’s like, why what, why do you need a hey internet smart water bottle to determine if you drink enough or not. Right. Some of the stuff out there is crazy.

[00:36:08] Evan Francen: It really is the uh And I mean, what do you, what do you do? My house? You know, I was, my house was built in 1872, so there’s not, I can’t run a lot of wires anywhere. You know, you’re pretty much stuck with what you’ve got. But you know, he obviously, you know, have Wi-Fi and things like that because it seems like you can’t, he almost can’t live without Wi-Fi now in your house. Yeah, they don’t have, you know, I don’t have Google Home. I don’t have Alexa, I don’t have really any other IoT first, well my watch, my phone, I mean if you want to call those IoT stuff. Um but I’m purposely like trying to fight against it,

[00:36:55] Brad Nigh: you know, So, so I and I got to the point where I was looking at, you know, we have the thermostat is just the builder grade. It’s not real good. It does, it’s not real smarter. It doesn’t have like good scheduling or you know, run the fan every hour for 15 minutes at the if the system doesn’t turn on when I started looking it was, it was just as much for one of the good programmable thermostats is or you know, just a little bit more to get this one. This will be my first real IoT thing

[00:37:38] Evan Francen: well, yeah, I mean, I think it’s it’s only a matter of time. Right? I mean there’ll be a day when you want to be able to by a thermostat, that’s not maybe, you know.

[00:37:47] Brad Nigh: Yeah, I’ve got a second. I got real cool. But I have a separate Wi-Fi network for each of the, you know, Roku has its own as this idea that doesn’t can’t see anything else because it reports back everything that’s on the network with it. I’ll be setting up a separate for that, you know, so that the computers are on one and kids iPads and stuff are on a separate one. It’s all segmented out. Oh, am I going overboard? Yeah, probably, but the nurse. So why not?

[00:38:22] Evan Francen: All right. Well and I know a lot of people who are very much cutting edge type people. Right. I mean their whole houses are and I mean everything is connected. Yeah. And uh and there’s nothing against that you know. But the point is to just you know not rush and not account for security in all of it. Mhm. Uh so you mentioned one good best practices um well sort of mentioned it but you know separating a you know having a separate wireless network for your IoT. Yeah if an IoT device is compromised. You know, maybe we can keep it isolated to that IoT dedicated network. Yeah. Right. Hopefully. But there’s some other good advice you know in that Threatpost uh news article uh just doing a little bit of research. You don’t have to go crazy with it. Uh but something as simple as you know typing the IoT device, you know is searching Googling the IoT device and the word hack. Yeah security, you know, something like that. Just to get some ideas about, you know, how secure that thing is or how secure you can make it.

[00:39:45] Brad Nigh: Yeah, I thought that was really good. I like the other one they had in there about, you know, before you buy it or anything, create a temporary email or throwaway email address and create an account and log in and see what you can do. What are their password requirements? What do they have on there about security? That was really good advice.

[00:40:06] Evan Francen: Yeah, that is good advice, and I’m one of those guys too where I don’t, you know, I grew up a networking guy and I don’t like anything on my network that’s not managed, where I can’t manage it. Um, so if I were to put some IoT devices on my network, I would want something that I can manage. Yeah, that I can configure, I can change default settings, I can change default, you know, usernames and passwords, um, which are all good things too, because we know that the attackers, excuse me, you know, the attackers know those things, they know the defaults on these devices. Mhm. If it’s not a managed device, how would I ever patch it? Because I know that every, you know, just about every application has bugs. Mhm. So yeah.

[00:41:02] Brad Nigh: Yeah, I mean, well, you know, it’s doing things, and, you know, this is the other thing: yeah, running either, you know, pfSense or Sophos UTM, some of these free home user ones, uh, if you’ve got the technical capability, they’re just so easy at this point. Right? Uh, but that’s, you know, for most people that’s just never going to happen.

[00:41:35] Evan Francen: Well, and it’s not, I mean, I think being more aware, maybe being less ignorant, you know, learning more about things before you jump into things, and if you don’t know, I mean, it reminds me of like when I was growing up, VCRs were a big thing, and, you know, my grandparents had no idea what the heck this thing was, but they knew they wanted to watch movies at home. Uh, so they would have me come over, you know, and set up the VCR for them. We’ve all got family members, and chances are most of us have a geeky family member somewhere, um, or call Geek Squad. I mean, there’s all kinds of different ways that you can implement these things correctly. And I think if it costs you, you know, 20 bucks, 100 bucks or whatever to have it done right, I think you’ll save yourself a lot in the long run. Yeah.

[00:42:32] Brad Nigh: Yeah, I know, you know, you’re in the same boat where I get calls from all the family for doing that, but if they’re calling me or asking, hey, you know, I’m trying to do this right, or I saw this, what do you have for recommendations? I will never say no to that, because I’d rather, you know, they’re exactly that, they’re learning, they’re trying to do the right thing. Let’s help them make sure they do it correctly and educate. And plus it could be a lot less of my time to help them up front than if something happens and they’re, you know, having issues and they lose all their money out of their account or something. Right? Where’d you go, Evan?

[00:43:26] Evan Francen: Yeah, I’m still here, I was thinking. Sorry?

[00:43:29] Brad Nigh: No

[00:43:32] Evan Francen: I’d be willing to help most of my family members, I think

[00:43:36] Brad Nigh: it’s how they approach it,

[00:43:38] Evan Francen: There’s some, you know, you’d almost like to actually help them all, but there’s some you’d almost like to see suffer just a little bit.

[00:43:45] Brad Nigh: How much effort goes into the help, that’s what’s negotiable.

[00:43:51] Evan Francen: Yeah, well, most of my family members, I think they’re pretty self-aware, you know, uh, you know, I think maybe because they know that they have me in the family somewhere, um, too, they’re more cautious, right? A lot of my family also doesn’t use much for IoT. Yeah, because, you know, I understand the thermostat thing. I think if my thermostat went out and I wanted more capabilities, I would probably do the same thing, you know, get maybe a Nest or something. Yeah, um, but like a lot of these other things, I mean, it just would be so awkward to be walking into a room and say, Google, tell me how to make

[00:44:34] Brad Nigh: pastry. Yeah, kind of, very, that’s tough. I would love to have the functionality of, you know, like, you know, the Nest or the ecobee, that I get without having to have Wi-Fi connectivity. If I could have that functionality without having to go out, that would be like ideal. But I get, you know, they’re using, learning about, you know, when we’re there and I turn on the device, it’s a little unsettling, but I get it, and I’m willing to save, you know, they claim 23% savings, so. Oh, that’s good. It seems worth it. We’ll see.

[00:45:16] Evan Francen: Yeah. Well, I think the first IoT, I can already tell you, I think what it’s going to be for. I mean, the first kind of IoT thing in my house will probably be surveillance. Probably camera surveillance, and I’d rather write that out to the cloud but do it securely. Yeah. I travel a lot and it’d be nice to just have eyes here, yep.

[00:45:40] Brad Nigh: I’m with you, agreed.

[00:45:44] Evan Francen: Yeah, I’ll probably do that, but not yet.

[00:45:48] Brad Nigh: Do your homework, right? That’s, I checked, it’s, you know, AES for the local and TLS out to the cloud that they’ve got. You know, I did my homework on that. But that’s all you can do, right? Be educated.

[00:46:05] Evan Francen: That’s it. That’s it. And then account, you know, account for the risk as best you can, right? I mean, every time you bring something into your environment, any time you bring something into your house, there’s going to be a risk associated with it. You can’t eliminate it. But you made a good point: when you do your research like you did and, uh, you choose to accept the risk, or maybe you put some mitigating controls or something, but you accepted it. That’s totally different, and that’s the right way to do it versus just total ignorance.

[00:46:38] Brad Nigh: I’m just gonna plug it in and

[00:46:40] Evan Francen: Hey, it works. This is awesome, right? Yeah. Until it doesn’t work.

[00:46:45] Brad Nigh: Blank password. Sweet. I don’t have to remember it, so

[00:46:49] Evan Francen: easy. Yeah. My next, uh, article, uh, so moral of that story: IoT? No, unless you do some research or get somebody who did the research for you.

[00:47:05] Brad Nigh: Mhm Oh,

[00:47:07] Evan Francen: So the next one is out of SecurityWeek, which is another news, you know, site I just dig. Uh, they outed, so tessa88 was doxxed. If you don’t know, for listeners, doxxed just means that your details, your real-life identity, your real details, uh, have been outed. So a lot of times we use, not we, but attackers, not even me, I suppose, um, these monikers, these names that aren’t associated necessarily with our real identities, to kind of protect our privacy online. Yeah. Well, anyway, behind the attacks, numerous attacks, uh, you know, he was selling a lot of data, a lot of data, on underground forums from LinkedIn, Yahoo, Myspace, remember Myspace, don’t you? Yeah, uh, Badoo, I mean, all kinds of different places, a lot, millions of accounts. Um, and a few years ago, I think it was maybe three-ish, maybe two to three years ago, it was all kind of, it was all, uh, pointing to this tessa88, that’s one thing, but who really is tessa88, T-E-S-S-A-8-8? Well, that’s the news. There’s a, I think they found, or I’m pretty sure they do, Recorded Future is the name of the organization. Uh, their researchers think that they have, or believe they have, identified the man behind the name. Uh huh. That’s, that’s hard work. I mean, yeah, that’s impressive. Yeah. So the guy’s name is Maksim, M-A-K-S-I-M, Donakov from Penza, Russia. I can’t believe there’s attackers in Russia.

[00:49:10] Brad Nigh: Right? Is

[00:49:11] Evan Francen: that right? There must be a misprint. But anyway, so he’s, uh, he’s been outed. I don’t know if you did, did you do any research on this guy?

[00:49:21] Brad Nigh: I honestly, no. Okay. I wanted to, I just got in late last night and I’ve been busy today with Christmas decorations. So I know I didn’t do, I didn’t do my homework as well as I typically would.

[00:49:34] Evan Francen: No, no, that’s totally cool because it’s Thanksgiving anyway. I was surprised, well, grateful, that we still got to do it this week knowing that, you know, Thanksgiving and all that stuff. Uh, but if you Google his name, you know, simple, you know, Maksim Donakov, you get to see who he is. Interesting. Just an interesting-looking fella. Uh, anyway, he’s been outed, not arrested. Uh, this was, it’s only a matter of time because, you know, with Russia, Russians are encouraged to hack Western companies, you know, not, not outwardly. Well, maybe outwardly, but the only time Russians get in trouble, hackers get in trouble, is when Russian hackers attack Russians.

[00:50:33] Brad Nigh: Right? Yeah, they kind of look the other way unless it causes them a headache. Yeah.

[00:50:43] Evan Francen: So for now tessa88, or Maksim, is, you know, safe and sound, as long as he stays there and doesn’t fall out of favor with Russian authorities. If either one of those things happens, then you’ll see him probably extradited.

[00:51:00] Brad Nigh: Yeah, I think the biggest impact is probably he’s not going to be leaving Russia anytime soon.

[00:51:08] Evan Francen: No,

[00:51:09] Brad Nigh: I would assume that if he leaves, they’re going to pick him up pretty quickly.

[00:51:14] Evan Francen: Yeah. Oh yeah, yeah, yeah, he’ll be in trouble. Well, I thought it was interesting too because when, uh, when you look at some of the exposed, um, so the way they track it back, as you know, you follow the trail of evidence, and tessa88 was used here, it was used here, it was used here, email, it was associated with the same email address. You know what I mean? You just keep following the trails. Yeah. And it’s not rocket science. It’s just, you know, I think really time-consuming in a lot of cases. Um, yeah, but then you see some of the pictures that he posted, and some of the pictures that he posted, he posted with the tessa88 account. Uh huh. So I don’t know if he’s smart.

[00:52:03] Brad Nigh: Well, isn’t that always the, it’s always some, you know, the OpSec is the hardest part. Right? There’s just always something they do that gives it away. I think he can cover his tracks and go through all the different VPNs. But then, yeah, post one picture or whatever, and that’s all it takes.

[00:52:24] Evan Francen: Yeah, exactly. Make one mistake. And, uh, yeah, I can only imagine. So I’m not a bad guy. Neither are you, thank God. But how much stress it must be, how stressful it must be, to never make a mistake. You know, to just live under that knowledge of, if I make one mistake with this fake identity, it could be the end. Right? And it probably will be the end, because if I have made a big enough name for myself, I’ve done enough damage, if I made enough money, there are people waiting for that mistake. Once that’s made, you’re done.

[00:53:10] Brad Nigh: and they’re not just waiting. They are like actively looking for it. Yeah.

[00:53:17] Evan Francen: So anyway, I thought that was interesting too. tessa88 is outed. We’ll see, you know, what comes of that. The last news story I have is from The Register. Do you ever read anything, you ever read The Register? I think they’re so funny.

[00:53:32] Brad Nigh: I do. Um, yeah, they’ve got some good stuff. I actually did an interview with, I can’t remember who it was at The Register. It was like a group one at, uh, what was that? It was like a Spiceworks, at their user conference, gosh, five or six years ago. Okay. I’d have to go back and look. But yeah, they’re a super great group of people. I enjoyed it.

[00:54:02] Evan Francen: Well, their articles are always very sort of humorous, right? Very snarky. Yeah, it must be just the whole UK thing. Um, but this is one that, you know, I didn’t really see anywhere else. But, you know, the title of the news story is “Technical foul: Amazon suffers data snafu days before Black Friday, emails world plus dog.” That’s their snarky humor. But so when was this? This was last Tuesday, Wednesday. Uh, middle part of last week. Um, I guess Amazon had this data, they call it a data snafu. Um, but they haven’t released any information about it. I assume that they’re just hoping it all goes away. Um, but the text of the email, so they sent out emails to all these people, yeah, yeah, that had information disclosed, and it says, “Hello, we’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any action. Sincerely, Customer Service.” That’s it. Yeah. So imagine getting that email.

[00:55:35] Brad Nigh: I honestly, I probably would have just deleted it as spam.

[00:55:41] Evan Francen: Yeah. All right. And I think it caused a lot of confusion for the people who got these emails, because some people thought it was spam. Some people thought it was a phishing attack because there was a link in there. Yeah. Um, some people had no idea what the heck it was. So some people contacted, in the UK, no, I think this, I don’t even know if it was isolated just to the UK. I don’t know the expanse of this. Uh, but in the UK there’s this place called the Information Commissioner’s Office, and they’re kind of the privacy watchdog for, you know, the UK. So it was reported to them, you know, because in the UK, you know, I mean, this is a European thing. Do we have GDPR problems, maybe, right, associated with this? Um, so the ICO, the Information Commissioner’s Office. Mhm. I gathered that they don’t intend to really investigate this. They don’t think it was a breach. Uh, Amazon didn’t report it as a breach.

[00:56:49] Brad Nigh: Yeah, I mean, well, that’s kind of where they, however it is, they said, they’re kind of like, well, Amazon is required to report it, or I would assume if enough customers call and complain, that’s when they will get involved. But, you know, they don’t seem to be, they’re not proactive on that stuff.

[00:57:09] Evan Francen: Right? And it wasn’t just the UK, because, you know, it, uh, it was the US too. I thought the tweet, did you see the tweet from Drew al Din? Yeah. You know, when are companies like Amazon, or at Amazon, going to realize how to write a proper breach letter? Once again, this sounds scammy as blank, has a completely unnecessary link at the bottom. So yeah, I don’t know, you know, a big company like Amazon, you’d think they definitely have the resources, but maybe it’s just so big and so many moving parts that the left hand doesn’t know what the right hand’s doing sometimes.

[00:57:52] Brad Nigh: I mean, yeah, obviously not, not, uh, our secure, but, you know, a lot of times marketing just throws it out, and then, you know, IT hears it for a second like, whoa, wait, what? What? What have you, what?

[00:58:04] Evan Francen: Yeah, that’s actually true. Yeah, I can think of a lot of times when

[00:58:08] Brad Nigh: Yeah. Yeah, luckily our marketing group is sharp; all the time they come and they’re like, can you check this before we send it? So I appreciate that.

[00:58:20] Evan Francen: Yeah, but then the onus is on me or you to check it. Because sometimes, I mean, you’re just so darn busy, like, all right, I give it a glance over. It looks good. Go ahead. Yeah, but I’m wondering if I’m giving it its due. Oh, you know, am I reading it as much as I should?

[00:58:38] Brad Nigh: I’ve told them, you know, well, I’ll get to it when I can. What’s the priority? Right. Yeah.

[00:58:48] Evan Francen: But anyway, the only thing that was exposed: name and email address. But the thing is, with name and email address, that’s plenty for a good spear phishing attack. Right? Name, email address, and obviously where you did business, uh, if that’s been exposed, which would be Amazon. Easy to send an email purporting to be from Amazon asking you to maybe change your password or do something different. Yeah. Uh, so it’s not as innocent as it seems, just because it’s email, you know, name and email address. Um, I don’t know much more about it. I just thought it was interesting, because you don’t see a lot of this from Amazon. I can’t remember anything like this at Amazon before, but I could be wrong.

[00:59:43] Brad Nigh: Yeah, I’d like to know more about what their data snafu actually was.

[00:59:49] Evan Francen: Yeah, I would too. So maybe that’s another piece to kind of keep an eye on in the next, you know, in the coming week or two. What was the other thing? I was going to kill that, that healthcare study. Yeah, I’m going to read that, but I mean, I’m going to read it, I’m not going to read it here. JAMA Network, the hospital data breaches letter. Now, it’s funny, that research letter is June 2017. When is the, yeah, whatever, 19th. Okay, so November 19 was the public release. Yeah, but then it looks like the study might have been,

[01:00:29] Brad Nigh: I think that’s pretty normal, that it takes a little while for, you know, from when they do it, to go through all the peer reviews and all that stuff.

[01:00:41] Evan Francen: Kind of get on the horse, man.

[01:00:45] Brad Nigh: I guess if you’re going to be, you know, I’d rather them take their time on some of that.

[01:00:50] Evan Francen: Yeah, accurate or

[01:00:51] Brad Nigh: something, you know, maybe

[01:00:56] Evan Francen: fine. It doesn’t seem as exciting,

[01:01:00] Brad Nigh: definitely not.

[01:01:02] Evan Francen: All right, well, that’s all I have for, for today’s, uh, podcast. You have any parting words, Brad?

[01:01:12] Brad Nigh: No, um, no, I’m, I’m uh, I did think of one more thing this week that I’ve got coming up. I remembered something, so I’ll wrap up on that. I get to go and do the planning for next year.

[01:01:26] Evan Francen: Oh, yeah.

[01:01:28] Brad Nigh: So I am excited. Not. Yeah, it’ll be fun, it will be fun. So, all right. So next week, my prep work early,

[01:01:38] Evan Francen: Right? There you go. So next week, you’re leading, you’ll create the news. I do think that, uh, you know, having Thanksgiving, you know, I just, I didn’t feel as much in the rhythm, but maybe that’s just me too.

[01:01:55] Brad Nigh: No, I’m very much on board with that one.

[01:01:59] Evan Francen: Which is good. Right? You’re saying that at the beginning, it’s good to, uh, unplug a little bit. That was good, but tomorrow we’re back at it, 90 mph. Uh, all right. So this was podcast three; next week is podcast number four. Pretty soon we’ll stop saying episode, well, we’ll always say episode number, but it won’t be as exciting as the first handful or so. Uh, but next week you lead. Um, yeah, that’s all I’ve got. Right. Have a great week.

[01:02:34] Brad Nigh: Yeah, yeah, enjoy your trip to New Jersey.

[01:02:38] Evan Francen: Thanks man. We’ll talk. We’ll talk next week.