Unsecurity Podcast

If you’re at all in touch with information security news, you likely already know about the SolarWinds breach that was announced yesterday. With the majority of Fortune 500 companies and a number of US government entities using their product, this compromise has the potential to do serious damage. And that was felt throughout the security industry yesterday. So, we pivot! Today, Brad and Evan are joined by Oscar Minks, FRSecure’s Director of Technical Services (and head of our incident response team) to dive further into the breach and its potential ramifications.


Podcast Transcription:

[00:00:22] Brad Nigh: Hey there, thank you for tuning in to this episode of the Unsecurity podcast. This is episode 110. The date is December 15th, 2020. I’m your host today, Brad Nigh. Joining me as usual is my good friend and coworker, Evan Francen. Good morning, Evan.

[00:00:36] Evan Francen: Good morning Brad.

[00:00:38] Brad Nigh: And as you guys can see if you’re watching, joining us this morning is another good friend and coworker, Oscar Minks.

[00:00:44] Oscar Minks: Hey, good morning Brad.

[00:00:46] Brad Nigh: Morning.

[00:00:47] Evan Francen: So Oscar Minks as if the fourth quarter wasn’t crazy enough already.

[00:00:52] Brad Nigh: Right? Like we’re two weeks from the end of the year and everybody’s full bore and all of a sudden SolarWinds breaks and they’re half so uh, it’s been a little bit, yeah, I would say yesterday was chaotic. Would you agree, Oscar?

[00:01:14] Oscar Minks: Yeah, I would say it was chaotic. It’s a fair word.

[00:01:18] Brad Nigh: So before we really dig in uh, into that, let’s catch up and see how everyone is doing Evan. How’s it going?

[00:01:26] Evan Francen: It’s gone, man. It’s 16 days, 15, 16 hours left of 2020. I’m sort of tired of it, man. It’s been a crazy ass here. A lot of good things though. You know, here studio had a good announcement last week, you know, out of the state of North Dakota. They made our, that’s to me uh, for people that know the smes, the personal information, security risk assessment made it available to all their North Dakota residents. Oh, cool. That was, yeah, it was

[00:02:05] Brad Nigh: okay. This is how you can tell. It’s a crazy time of year. I totally didn’t miss that somehow.

[00:02:12] Evan Francen: Yeah, the news came out on Friday. That’s when they made the press release. And then, uh, yeah, it’s lots and lots of things have happened in our history since then.

[00:02:24] Brad Nigh: That’s very cool. But you Oscar, I know you’ve got some sweet fishing time and you showed those, uh, great pictures of the rainbow trout you caught the other day.

[00:02:33] Oscar Minks: Yeah, I’m with you guys. I’m ready for 2020 to be over. But I will say that we’re moving into My favorite fishing season of the year, which is trout season down here in Kentucky. It’s a little bit colder, uh, gets primed for catching trout. And so me and my wife got out that some fly fishing Saturday and both of us landed a trophy trout, we consider anything over a 20″ trophy trout. And so there was a lot of fun work is definitely busy. Hectic. I can’t believe like, you know, you guys are saying there’s only 16 days left for the year because I feel like I have way more than 16 days worth of work to still get done and then uh, people continue to get owned. So that pile just keeps getting bigger and bigger. I’m ready to wind this year down and get started in a fresh new one.

[00:03:19] Brad Nigh: Yeah, I’m with you. Yeah, this, they were, those fish were gorgeous. I was a little bit jealous. I’m not gonna

[00:03:25] Oscar Minks: lie. I get so excited man. It’s a good feeling to land one of those, especially on, I use like ultralight gear and so uh, you got to, you know, kind of use some finesse techniques to get those big bulls out of the water

[00:03:40] Brad Nigh: and we’re in between here. It’s too cold to go fishing. Everything is frozen over, but it’s not enough to go ice fishing. So

[00:03:49] Oscar Minks: I heard that you guys are a little behind right on the lake freeze this year.

[00:03:53] Brad Nigh: Yeah, but it’s making up for it to, uh, it’s like 10° out right now. So that’s right.

[00:04:00] Oscar Minks: You guys always make fun of me for not knowing the cold is in Kentucky, but it was like 15 this morning when I woke up. So

[00:04:06] Brad Nigh: that’s cold and

[00:04:07] Oscar Minks: arrogant. Some cold weather.

[00:04:08] Brad Nigh: Oh man. Yeah. You know, he said it’s been just hectic and chaotic and of course, you know, all the, all of our clients are a lot of the clients that we have that were using SolarWinds called. So we were scrambling to make meetings happen and kind of calm them down and

[00:04:31] Oscar Minks: and

[00:04:31] Brad Nigh: you guys were working on putting out that nice release and trying to get educate people because I think, well, good transition. Uh, there was a lot of uh, I don’t know rush to publish the news and it kind of came across this worst. Well, I know when I first saw it, I was like, oh crap. And it’s not, I mean it’s still an oh crap moment, but it’s not as big of one as, as it initially came across as.

[00:05:07] Oscar Minks: Yeah, I would agree with that. Uh, and you know, the unknown still scares me, right? And we don’t know, I think we’ll probably get into that. But my initial gut was uh, same as yours. This is, this is bad, it is bad. Um, but my fear was, you know, how many people could be impacted out of that 300,000 client portfolio of SolarWinds, which is huge. Blue produces. I think we started to learn a little more as the day went on. It made me sleep a little easier. I still didn’t sleep good. But

[00:05:42] Brad Nigh: yeah, so as well, I guess as everyone else, we evidently, we plan to do the security at home theories again, but it was put in the notes 2020 won’t stop 2020. So we have pivoted today for to talk really about the SolarWinds and FireEye and just, you know, try to put some perspective around it I guess. Um, cut through some of the noise and just talk about it. So uh, yeah, it’s also mentioned, you know, the initial reports were, you know, 300,000 customers. And this big huge list 425 of the top 500 Fortune 500 companies that are, you know music. But what it turns out is there were 33,000 use that customers for the Orion product, right? It was just that one specific product that had this happen. And of those 33 they say uh say what, 18,000 ish. Mhm. Actually downloaded the malicious code and from what I’ve seen it appears that this was specifically targeted at government agencies. I mean the list that’s come out is crazy. You know, Commerce, Treasury, Homeland Security. Uh you know, and that’s just a off the top of my head, I’ve been seeing the latest from overnight.

[00:07:11] Oscar Minks: Yeah, I would say on that 18,000, you know, we were chatting about that yesterday a little bit with our team and everybody’s like, oh my God that’s huge. And that is, you know, it’s a lot of people. But if we do the statistics on that’s about 1% of the SolarWinds portfolio. So to me that’s a positive note, 1% vs 50 or 60%. You know um I like that number. It was a lot know where the lower than initially thought.

[00:07:43] Evan Francen: Yeah, I take the other approach man, I and I like the fact that you know different perspectives are always healthy. But we’re talking 18,000 organizations, we’re not talking to 18,000 people. You know, it’s not like 18,000 social security numbers are exposed. We’re talking 18,000 organizations potentially and all of their data, you know, the intellectual property, their customers. So I mean, this could get a lot uglier you mean you just think about, you know, the the multiplication through the chain. I mean it’s this isn’t going away anytime soon. Going to be bad.

[00:08:21] Oscar Minks: Yeah, I agree. I’m not saying 18,000 is a good thing. Yeah, I’m gonna downplay that number. Yeah. I was scared it was going to be the whole 300 K. And to learn it was 18 K. Well, at least not everyone. So I think that’s an important thing to that. We’ll probably get into helping folks understand, um, you know, a little bit more about this because I’ve seen a lot of misinformation already. I’m sure you guys have seen a lot of misinformation about this. And um, you know, people don’t understand that. It’s not all of the SolarWinds products, it’s one product and that’s Orion. Now, that doesn’t mean we may not later learn that some of the other products used by SolarWinds were affected. Uh, but today, um, all we know is that it is Orion. And I don’t think we should go assuming that the entire SolarWinds catalog has been compromised to find evidence that would present that to

[00:09:20] Brad Nigh: us

[00:09:23] Evan Francen: if you were an attacker, you know, with this sophistication and had this level of access to SolarWinds infrastructure, what do you think would stop you from potentially getting other products?

[00:09:40] Brad Nigh: Well, I think part of it is, you know, it looks like, so I pulled up the latest list, the Treasury, Department of Homeland Security, Department of State, Defense and Commerce. I mean that’s pretty much the core of the U.S. government, right? Like you get Homeland Security and State and Defense and then you get you know for like protection and all that stuff and then Treasury and Commerce for financial. It looks like at this point because I hadn’t seen any reports of any other companies reporting or being reported that they’ve been breached. It looks like this was really was focused on the government. I think that gives those other 18,000 customers a chance to patch without getting owned.

[00:10:34] Oscar Minks: If I could play the devil’s advocate for a minute, go for it. Um, my fear, my thoughts around that are um, you know, if you’re an attacker and you have 18,000 candidates um, who are you going to go after? First it’s gonna be, you know, those um those prime candidates, those big candidates. Right? So before your backdoor, your exploit gets had you want to focus on those larger entities and establishing, you know, those persistence mechanisms through pivot because we know they did that here. Now my fear is that a lot of the other organizations don’t have the level of patient needed to detect an attack because we know there’s gonna be a whole lot of those that fall into the 18,000. And my other fear is that they use that back door. It would have been pretty trivial based on what I know to script, um, some sort of secondary exploit or attacking that kill chain that cop tax everyone in the back door and employs a second or secondary persistence mechanism utilizing some of the text with the techniques we know they like to do is follow small, we’re living off the land like a lot of stuff we see Cobalt Strike C2 beacons. So my fear is they could have established further persistence in all 18,000. Um, but it’s going to be difficult to detect.

[00:12:00] Brad Nigh: Yeah.

[00:12:00] Oscar Minks: And they’re not actually going to act on that until they work through those higher tier candidates and then eventually, uh, they make their way down to those others. And that leads me to to the point, you know, I don’t want people to think that a patch is a silver bullet here because they had a back door that was known open to uh, what’s believed to be a Russian APT. Um, so they could have easily deployed other backdoor shot their networking on top of that. We know Orion is a network management system management tool, which means they don’t have to do too much recon enumeration because that their back door already supplied them with a large majority of the recon they were doing in attacking.

[00:12:42] Brad Nigh: And we know from what I’ve seen, they use the Teardrop attack to drop Cobalt Strike. So we know, I mean that’s what they’re doing. So, you know, one of my BC so customers called, you know, email first thing yesterday we jumped on a call at 9:30 and went through all the steps and you know, I had him put in make sure they had PowerShell logging enabled going to their SIEM looking for encoded PowerShell uh gave him some things to look for around. You know, additional like he said that those um command and control on that Orion server and not heard anything from them yet. So that’s a, I’m hoping they got all that done and that there aren’t had that happened. But

[00:13:40] Evan Francen: yeah, and here’s we’ve never, we’ve never seen an attack of this scale. You know, in my 30, almost 30 years in this industry, I’ve never seen an attack of this scale meaning this many organizations involved at the same time. Right? So sort of desensitized. It seems like you know, people that I’ve talked to sort of desensitized by the numbers, you know, when you talk about 18,000 like use 18,000 customers, which is what we’re used to. You know like a big deal. I mean that stuff happens every single day. When we talk about 18,000 organizations and SolarWinds customer list. And this is part of the 300,000. I don’t know how many of these are part of the 18,000. But you’ve got 425 of the US Fortune 500, all 10 of the top 10 U.S. telecommunications companies, all five branches of the U.S. military, all five of the top five U.S. accounting firms, the Pentagon, the State Department, the National Security Agency, the Department of Justice, the White House. You know, I mean SolarWinds is so embedded in so many different organizations that and when you think about you know all this stuff that’s going on, our focus today as an industry is on you know government stuff, it’s on FireEye. FireEye was the big thing last week we’re not even focused on the small to midsize businesses. I mean FRSecure is but I’m talking to the industry and so there could be many things going on right now and small to mid sized businesses or education I think is going to get hit hard you know post secondary because they have crafted controls in place already. They’re not going to notice many of the things going on. I mean it’s just this is the biggest shit show I’ve ever seen.

[00:15:41] Brad Nigh: Oh you

[00:15:42] Evan Francen: know, even even if you play it out as positive as possible like well you know maybe they’ll patch because the patches due out today right? Maybe they’ll patch and you know maybe the attackers weren’t all that concerned about the other, you know, 17,000? I don’t know, man, if any, if I have an indicator that anything in my environment might be compromised, considered compromised.

[00:16:08] Brad Nigh: Yeah. Well,

[00:16:09] Evan Francen: persistence is so easy with this attack to write, I mean, Oh my gosh.

[00:16:14] Brad Nigh: Oh, yeah, yeah. Well that’s what, and that’s why I put in the show notes, I crossed out the first or second home and all hell broke loose, right? Like we’re trying to Yeah. Yeah, it is unprecedented. It’s just crazy.

[00:16:33] Oscar Minks: I think I haven’t had a real good point to that. People should be thinking about, um, just because you’re not using that particular product doesn’t mean you’re not going to be affected by this. Um, you know, knowing the top 10 that were, providers were affected and they likely have hooks and ingress points into a large majority of our domestic businesses. Um, you know, it’s possible they could pivot through other entities that you’re associated with. You know, going back to knowing your vendors and knowing what technologies your vendor use, why that’s important here, is to know if you’re using a vendor, even though you weren’t using Orion. Um, if you have a vendor who does utilize Orion, um, it’s possible you could be affected as a secondary,

[00:17:17] Brad Nigh: Well, how many MSPs are in that, 18,000? Right, So now, what’s the number of secondary companies that are directly licensed for Orion that are being monitored by Orion. You know that 18,000 maybe it is closer to 30,000. We don’t know. I think this is something that it’s gonna be, it’s gonna be a long time before we truly understand the total impact of this. And that’s how you been going into if there’s retaliation and what happens

[00:17:51] Evan Francen: going back. Yeah. Yeah. This is uh I mean it was it was sort of Mhm. One of the perfect targets. You know what I mean? You go after SolarWinds and you know, it’s embedded in so many different places and most people whitelist or you know uh Well the doctor proved you know DLLs and things like that that are running from Orion because it’s chatty well, but it’s trusted

[00:18:24] Brad Nigh: SolarWinds has in their documentation to exclude the install directory from virus scans.

[00:18:30] Evan Francen: I know, right. You’re not gonna find it. And and yesterday I think I saw some the VirusTotal one out of 67 AVs were picking up on the DLL. I’m sure that number’s increased now. But we’re still so signature based that. Yeah, it’s floated for what

[00:18:47] Brad Nigh: it’s so easy to change that. Maybe not now they hopefully cut them out of SolarWinds so they can’t inject it to sign deals. But

[00:18:58] Oscar Minks: yeah, I will I will say the whole exercise that uh gave kudos to FireEye because you know it’s a fortunate they were owned but they’ve been transparent without them being owned. That’s probably what went on a whole lot longer than it did. Um They did have the level of sophistication to determine this exploit and then also they’ve been pretty transparent and so a lot of security companies, companies in general don’t take that approach of transparency and so I will give them kudos I think they’re working hard to get this information out and um they did release more information last night, you know more domains, more hashes, things like that. But there’s something to that. You know we all have to be aware of is that you know like you were saying Brad those those indicators are gonna last very long knowing this is likely a nation state. As soon as those indicators go live considering burn, they’re gonna pivot to new infrastructure instantly and keep you know moving so we can’t detect them.

[00:19:58] Brad Nigh: Yeah they planned for that. You don’t do something at this level without having that as part of it. Right? Like additional things. Yeah. What was uh I was gonna say something and I forgot darn it

[00:20:16] Evan Francen: well and it was funny too because yesterday or was it yesterday that CISA released their emergency directive and they were instructing all agencies to turn off right? FireEye or even stall it. Uh huh. But wait a second that’s your stuff to monitor stuff now. Not only now, not only have you. Yeah you may have, you know potentially thwarted that one particular attack vector, but now all the other attack vectors go undetected potentially.

[00:20:48] Oscar Minks: Yeah, I’ve seen some other recommendations around that and it’s, you know, shut down from your NMsR modern system around uh shut down the internet access. Right? The back door is coming from the internet, you still need them out of the health. So an alternative approach is don’t allow it egress from there, let it talk to your internal nodes because they can’t sell people to the back door if you sit down and go sneakers to the internet there. And so like Evan’s saying you can still know the health and up time, but it is a risk, you know, in some mechanism. But yeah, it’s scary stuff, especially when you have critical assets, you need to know if they are up or down now you’re flying blind. Uh you learned your NMS has been backdoored, this bad day for a lot of folks.

[00:21:29] Brad Nigh: Yeah.

[00:21:31] Evan Francen: On the bad days we’ll continue for a while I think, you know what I mean? Yeah, I mean if uh if I were running SolarWinds in my environment and Alison Orion user, I’d be going on a serious threat hunting exercise throughout my entire environment right now.

[00:21:49] Oscar Minks: Yeah.

[00:21:49] Brad Nigh: Yeah,

[00:21:51] Evan Francen: don’t just waste that time. Don’t just waste that time if you’re doing a threat hunting exercise. So that’s my advice. And if you’re if you’re doing a threat hunting exercise, don’t waste it by like, well, you know, we didn’t find any threats, know, as you’re going along, start closing things, right? Most organizations do a terrible job of egress to do a terrible job of default instead of the default deny they go with the default approve, you know, use this opportunity as you’re going through your threat hunting exercise to document your environment to really close things down, get closer to a default deny stance because that’s the best stance. Right?

[00:22:32] Brad Nigh: Yes. Good advice. I think that’s what I’ve been telling everyone that I’ve talked to is right, get your PowerShell logging turned on, start watching it start exactly what you’re saying, reviewing in depth, what’s going on in your environment and shut down anything that our fix anything you find.

[00:22:53] Evan Francen: Mhm. Right. The best advice I ever got, you know, was very I was I was a junior sort of security analyst at the time and one of the, you know, grumpy old pros other than telling me, uh, you know, RTFM all the time. You know, RTFM, you guys get that advice a lot.

[00:23:14] Brad Nigh: Not anymore, but yet

[00:23:15] Evan Francen: remember this, remember those guys? It’s the right you’d ask a question, but RTFM

[00:23:22] Brad Nigh: your units that you have it,

[00:23:26] Evan Francen: right. But one of the things he told me and it still sticks with me today is the people who are the best at security, there are people who intimately understand themselves. So understanding all of your assets, understanding all your network, understanding all these things. Now complexity got way out of hand. So most organizations have no clue about a lot of stuff. It seems overwhelming, but at some point you’re gonna have to get your head around what is approved and what is not approved what data flows are. I mean, you just have to get detailed, you have to understand yourself. Yeah, I don’t know, man, but yet you’re right to Oscar, I mean, FireEye comes out looking like a champ on all of this. You know, last week they were sort of the chump this the the champ, right? Because they did do a great job of finding this

[00:24:17] Brad Nigh: And they released what, 300 something uh, countermeasures for their own tools

[00:24:24] Oscar Minks: really released all the six. They continue to release updates as they learned right now. And it was funny, had a call from a personal friend on Saturday and he’s like, hey, uh, I’ve got some extra cash. I’m thinking about investing right now. Give me a stock to buy. I was like, media, FireEye music wise, that they got breached stocks plummeted this week, I’ll bet anything they recovered come through this looking really good on the other side is gonna do something to help people. It was like, all right. And then yesterday I’m like told you,

[00:24:50] Brad Nigh: but no, I mean there’s there, they are handling this. I think about as well as I’ve ever seen a company like at that level of compromise right? I mean they lost all their red team tools,

[00:25:09] Oscar Minks: we have to like in that situation you have to write they really they’re doing the right thing. They don’t have any other choice. So if this is a chance for them to prove they are the company to say they say they are so anything else would have been unacceptable and that stock would continue to plummet um you know and that business would have been in our streets but um I’m happy to see they are doing the right thing and you know the biggest thing to me like is if they didn’t get breached, how long would this this have gone on before? It was detected because we it took you know a leading security company to identify this. And we know too. So this is important for people to understand the timeline that we’ve been given so far was that this backdoors first implemented in March of this year, although we did look, the last the first update affected was 2019.4 which actually came out in November of 2019 so we know we can confirm at least nine months potentially 11 months right now this backdoor has been in the wild and no one has detected it um and FireEye, took FireEye getting breached to detect it. If FireEye was never breached, this could have gone on for another 12 months maybe even longer. And so we’re lucky on a few things there that FireEye did get breached and they were lucky to look at this APT mistake, they should have held off on FireEye and focused on softer targets and they would have been undetected. Um but yeah there’s to me it’s scary to right to know and this is a you know a supply chain attack that is sophisticated. We hear that a lot like a sophisticated attack blah blah blah. No most of them are not. This is right. We would all agree this is a sophisticated attack and what scares me too is the implications of now we have to start looking at those supply chains a little bit more like we should have already been doing and so SolarWinds has owned how many other vendors are affected in supply chains that we’re not putting under scrutiny because of those things like this. Um Just going back to what you said Brad, SolarWinds recommends you whitelist or approval list their application installation directory. How many other vendors have you done that for? How many other tools are you doing that for? And how confident are you in their security and then being part of your supply chain and knowing that they’re not affected. So it’s going to flip things a little bit for a lot of researchers and you know this is the things that we’ve known and feared. But this puts those things into the President a lot more. And so I think as a researcher. Um, and you know, as a threat hunter forensic expert. Um, when we look at those sign and we’ve seen this before right in older attacks, but we look at those signed applications. You can’t trust always trust those, trust your gut when you’re researching and you’re investigating and if that signed application is doing something that it should not be doing, then it needs to go under scrutiny. They need to investigate that. The challenge for me is I’m not gonna be able to get source code for SolarWinds, somehow FireEye did. And then you know, that’s a big question. How did they get the source code? I don’t know. Um, but it’s at least worth recognizing those and then opening that channel communication with those vendors to say this application is not behaving as expected. I need you to tell me why.

[00:28:26] Brad Nigh: Yeah. Well you mentioned they have the source code. I mean literally there was that article, they went through 50,000 lines of source code for SolarWinds Orion and found the back door like as they were they investigating their own like yeah, the odds of that happening are so minuscule. Yeah. That’s crazy.

[00:28:50] Oscar Minks: Yeah. The biggest thing like we’ve talked about, you know before we hopped on here is and I just said it, but like how they get the source code. Um, maybe it is available. I don’t know if that’s true or something? Yeah, but, and it is, you know, again, kudos to them for being in that, you know, investigation, looking at a signed approved application. No noticing anomalies in that behavior and then saying, we gotta break this code apart and see what’s going on.

[00:29:18] Brad Nigh: I saw another article that was saying that the the attackers were active in the government as of Sunday to like this was an active, this wasn’t something that they were just sitting back and had the doctors there. They were actively in agencies. Mhm. Like how it’ll be interesting to see as this comes out, like how much data was expelled or they just monitoring what, what what is the impact of this going to be?

[00:29:48] Oscar Minks: I doubt we’ll ever know. Unfortunately, going back to what Evan said most places suck at egress. And so what are the chances were well knowing number one, this could go back almost a year today. So a what are the chances that you’ve got immediate egress logs, identify what could’ve been exfilled? They’re not great and then change that to a year brother? It’s, you know, but you know, we’re gonna, I would say we would rely on the backbone and hopefully that backbone providing this could, you know, help the government entities and help those, um, you know, sensitive organizations. Uh, but now, knowing that a lot of our backbone uh, was likely compromised. And certainly, I mean, we could almost say certainly at this point compromised then, is that going to be, you know, were treatable? Can we ever validate this? I don’t know, I don’t feel good about it.

[00:30:45] Evan Francen: Well, knowing knowing Russians, like I know Russians, you know, Russians have always been known for being really good chess. Mhm. Right. And so you think multiple steps ahead and you know, we said, you know, thank God, FireEye you know, maybe they chose the wrong target. Maybe they chose the right target. Maybe that was the point was for you to detect and spend all your time because they do diversion attacks all the time too, for you to detect, spend all your time on SolarWinds while other things are occurring to write because it wasn’t an accident. They chose to expel things from FireEye and become known, yep, that part scares me too.

[00:31:30] Oscar Minks: Yeah, that’s a really good point. Evan, I don’t know how we want to get into their personal paranoia podcast here if you want to stay on inputs. No,

[00:31:39] Evan Francen: but it’s very conceivable, right?

[00:31:42] Oscar Minks: No, that’s exactly, I’ve thought about this a lot to about the time they showed their hand on top of that, you know, it was a week before certification of our election. Also, knowing that they were at such a sophisticated level, they could own a major vendor and supply chains of 300,000 people export that code and get that code distributed? Uh that makes me question if they need to get those tools they even expelled from mandate. Right? So is this a show like Evans, is this a move for a bigger play that we’re unaware of? And and my gut to like, you know, I don’t want to go too far off topic is uh we know they want to cause social chaos and social disruption. That’s always a primary motive of Russian APTs. We have to accept that. And this is a prime time and a very, very challenging year for Americans to pull off attack of the sophistication level that has implications that could cause significant disruption in our society. Uh business entities and personal as well. And I don’t want to go into that too much, but there’s gonna be a lot of runoff from this that we’re going to see over the next two weeks that I believe will further, you know, expand that combustion. They already chambers already lit four or five years ago and continue to cause social chaos, antitrust and division. Um, I don’t want that, but I fear that’s what’s happening.

[00:33:07] Brad Nigh: I mean, they got like we say they’re in the top 10 telecom. Imagine they take down, you know, one of those and not what a quarter of the US offline business and personal bane. You know, I mean, I don’t know how many people those, those top 10 serve, but I would guess it’s probably in that like 80 plus percent easily. Oh yes.

[00:33:35] Oscar Minks: Mhm. Yeah and I would like to see to who the top 10 are because there’s if you guys know I think that’s there’s three companies that own something like 70% of the world’s backbone. Uh those three are in that top 10 then don’t even care about the other seven. I know that that they have hooks available uh everywhere.

[00:33:58] Brad Nigh: Yeah.

[00:34:00] Evan Francen: Yeah. Well and you brought up a good point too, Brad, and I don’t think this is tin foil hat stuff. This is very very conceivable things. Tinfoil hat stuff is stuff where it’s like I make a big leap from this to that right? There are lines that you can draw from where we are today or this could go how we got here. You know if you got the perspective of seeing kind of these pieces being played on a big chessboard right? They made their move expect us to make our moves right? And then they’re not going to make you know I mean there’s this anticipation now we do the same thing. I am not saying that our three letter agencies, the NSA doesn’t have their things that they’re doing as well, but what’s the next move right? You mentioned, you know are so we’ve got all this crap that I have to deal with here in my own backyard. But I’m also thinking like what happens when the U.S. decides to do what they decided with their allies meaning you know Great Britain, Canada, Israel, you know this because truly what took place this particular thing is evidence of war. This is a cyber war that is warfare. You don’t attack 18,000 entities including our own government and not call it war. Call it what it is.

[00:35:30] Oscar Minks: Yeah I did do some research thinking about this too last night. And so I was looking at other attacks that have happened in supply chains about nation states right? And it’s going back to what Evan’s saying here. Like there have been other supply chain attacks right? That’s target. But we’ve seen like before like Russia we know targeted Eastern Europe and Ukraine when Ukraine was you know more riddle right? And and we’ve seen like China execute attacks in Asia and even specific outlets within China itself. But we haven’t seen an APT do this large of a targeted supply chain attack on another nation state. And so that’s scary to me because I think it’s going to force our government into a response of some sort. And I think the more that the people our people understand and learn about this the more we’re gonna understand we deserve a response. We deserve you know support from our government and there deserves to be a response to to the whoever if we confirmed this was Russia right? There deserves to be a response. And I haven’t seen that this has been confirmed yet. It is speculation still at this point. But if this is confirmed, I believe it will be confirmed. It warrants a response and it scares me. I mean, it really does scare me for what that means. Um for our nation, for the state of the world and where we go from here.

[00:36:55] Brad Nigh: Okay, this is a huge escalation and yeah, the decider were kind of field, I guess. I don’t know what the right term is for that, but this is, I mean this was a massive, massive escalation and like you said it, they didn’t have to expel those tools like this was there was a reason it happened at that point and they made it known that this happened. You don’t get in and do this without and and make a mistake like that.

[00:37:30] Evan Francen: You know, these guys, these guys are too good to be making mistakes, right? You don’t get to where you’re at doing what you’re doing by making mistakes. There’s purpose behind just about everything they do. This isn’t like the old school, you know, attackers either where we were doing things for fun, right? We did make mistakes, we were noisy. This is like nations, shit isn’t noisy. There aren’t mistakes, it’s a chess game. And what our move is next is gonna dictate, you know, multiple moves down the road. The uh yeah, man, it it’s messy. And and if you ask anybody on the street about this, they have no clue that stuff is going on

[00:38:13] Brad Nigh: or they’ve heard of it? But don’t comprehend the scope of it,

[00:38:18] Oscar Minks: that scares me too. You know, that, that no one knows where they’ve heard of it. They don’t comprehend. And it scares me because we know that a lot of the folks are going to learn about this through likely through individuals that shouldn’t be telling people about it. I mean, folks that don’t really understand themselves. And so we’re gonna get a lot of parenting and media read a lot of misinformation in the media and I think it’s, uh, that’s a risk. You know, I mean, I want people to understand what this is, what the implications are.

[00:38:47] Evan Francen: Um, yeah, and I understand, I understand there’s certain people that are passive, you know that. Well, why would the US respond? Why do we need to respond? Because if you don’t, it just continues and it continues to get worse and worse and worse. There has to be retaliation of some sort plus, uh, I mean, that’s the thing, this is like, it’s almost like a, like, you know, really, really, really, really big schoolboys bullying each other on the playground, you know, on the internet playground, you know, and we’re all sort of, we’re all sort of, uh, collateral damage. Mm. You know?

[00:39:31] Brad Nigh: Yeah, yeah.

[00:39:32] Oscar Minks: When does when does something of this magnitude become an act of war? You know, this is cyber warfare, we could say that, but when does it become an act of war? Like if you confirm it’s a nation state sponsored by military that actively targeted United States entities, businesses and people? When does that become an act of war? What magnitude? Because I don’t think it’s going to see one any bigger than this?

[00:39:54] Brad Nigh: Well, and, and my concern is right, if we escalate with a cyberattack back, what’s their next step? Right? What is the correct response? Because I don’t know, you know, if we go and knock something off line for them? Well, we know they’ve already got hooks into so many things

[00:40:16] Evan Francen: like, well, that’s okay to have hooks. It’s like the nuclear standoff, you have to get to a point where they, you both believe will mutually destroy each other.

[00:40:26] Brad Nigh: Yeah.

[00:40:28] Evan Francen: You know, you can do this one thing if you push one step further, this is with it, you know what I mean? And then, do you want to just and everything now?

[00:40:38] Brad Nigh: Yeah. I’m wondering if we’re not going to hear some sort of elite about the other way kind of like, hey, yeah, that’s great. But here’s what we’ve got and then that kind of, you know, I’m expecting something more like economic sanctions or something like that to hurt them. So it doesn’t necessarily escalate and right, really become disruptive because, and I don’t think either country really truly wants to be knocked off?

[00:41:08] Oscar Minks: I don’t know enough about this? You know, the economic state between United States and Russia, but would an economic sanction have any implication of them? I don’t know do we have any reliance on each other? I’m not worldwide.

[00:41:21] Brad Nigh: I think you would have to get buy-in from all the allies too, right.

[00:41:27] Oscar Minks: Yeah. I don’t know what the next steps are, but I think that

[00:41:31] Brad Nigh: yeah.

[00:41:32] Oscar Minks: 2020 Man Rot.

[00:41:35] Brad Nigh: This is yeah. It’s going

[00:41:38] Evan Francen: out with a bang

[00:41:39] Brad Nigh: just so much. And and I think it’s gonna be weeks before we have a good picture and a good understanding and probably years before we truly realized that forced over this,

[00:41:52] Oscar Minks: I’ve seen it was either a tweet or a reply on Reddit or something. Someone was replying to this when it broke and they said uh I’m not this is not verbatim, but it’s, you know, this rot is gonna go so deep, it’s going to take years to find. And I like that word being used for this this rot. And that’s really what it is. You know, it’s an erosion of our security, erosion of our networks and erosion of our trusted into these and partners, um I don’t know that we’ll ever fully know how far this goes.

[00:42:24] Brad Nigh: Yeah.

[00:42:25] Evan Francen: No. Now when you have this level of access into something that’s so complex that people can’t stand. Mhm. Most people can’t understand their infrastructure.

[00:42:37] Brad Nigh: Yeah. I mean, how many IRs do we work that they’re like, even though I have no idea of what’s going on?

[00:42:44] Oscar Minks: Yeah. Unfortunately, you know most people don’t have a like Evan had already mentioned a good handle on their ingress or egress on their network. Don’t have good system inventories don’t have good data inventories or network diagrams, do that stuff. People please do that.

[00:43:02] Evan Francen: Well now would be the time. So two of the things I was thinking about is what listeners need to do, you know? And I think what listeners need to do is freaking we’ve said it so many times. Master the basics of information security built in default, deny and everything you do don’t just trust things. Whitelist things for the sake of whitelisting things. I mean actually understand your shit. Excuse my language, understand your stuff. Okay. Um and set yourself up as like an independent island right? Like this is just my little thing and I’m not letting anybody into it until unless I trust you and I vetted you in a treater right treat your golden gems like Arnett golden gems. That’d be weird portraiture cold like it’s gold, the crown jewels jewels. There you go cheetos like they really are crown jewels.

[00:44:02] Brad Nigh: Yeah I think this is an excellent opportunity for security people to to pitch and maybe even get buy-in and be able to pivot to deny by default. Right? Whitelist only.

[00:44:16] Evan Francen: And what I don’t want people to do is to go out and buy another damn blinky light because all you’re doing is adding more complexity and more things to your environment that you don’t understand. The stuff that we’re talking about the basics, the fundamentals. They’re free in most cases and then build on top of that foundation. Right? So then the rot, the rot doesn’t get into your foundation, right? You have something to stand on. Uh, and I think what we need to do is as an industry is we need to, we need to hold people accountable. What’s going to happen to SolarWinds for this? You should have been, I know it was a super sophisticated attack, but your source code control should never allow this type of behavior.

[00:45:04] Brad Nigh: How did you allow your DLL files be modified without realizing it?

[00:45:11] Oscar Minks: That blows my

[00:45:12] Evan Francen: mind. It’s one of the biggest keys is right. I mean those are your crown jewels. That is the whole purpose for SolarWinds even existing is their software, and if you can’t protect your software, your crown jewels and I don’t care how sophisticated of an attack it was that, I mean, unless it was like they use pixie dust and yeah, they used they use pixie dust and unicorn horns. That’s how they get okay, I’ll cut you some slack. But they didn’t do that right? There was an electronic intrusion and you should have been monitoring those things, right? You should have everything should have been hashed. So nothing gets pushed into production. Everything is tracked. I mean it’s just crazy that you have this many fingers into this many organizations and your source code control allows somebody to change a DLL that you inject into everybody else. So something needs to, and I don’t know how long we’re going to continue to do this as an industry before we actually hold somebody accountable because if you don’t hold them accountable, expect more of the same crap. Oh sure. And I know there’s probably a lot of great people that work at SolarWinds, but you got to pay for this. This was your mistake.

[00:46:31] Brad Nigh: Mm. Yeah, I mean it is, I think that’s the biggest thing is this was a complete failure on SolarWinds. Mhm.

[00:46:41] Oscar Minks: The only thing that I could see there would be, what if there was a massive internal espionage campaign. They had insiders who were running that code base, who actually injected the code? Uh, that’s the only way I could ever like logically explain how a company like SolarWinds would be able to let those things slip past uh, their processes and into production. Um, but I don’t, we don’t know how it happened yet, but I’m with you guys. I mean, at this point it seems like an external attack. And if that’s the case, I mean, that’s like source 101, right? You monitor for changes to your source code. Any changes that are made are reviewed, approved, tested. Uh, so

[00:47:23] Evan Francen: how did that slip in them? Uh And the sad thing is we’ve, we’ve always, for so long, we’ve, we’ve just accepted this behavior in our industry. Are we slap you with a $50? $50 million $6 billion dollar company. I don’t care. You have to hold people accountable otherwise they won’t change. Right. If SolarWinds, let’s say we, we hold SolarWinds so accountable, then we actually put them out of business. You don’t think all the other software development companies going to take notice and be like, oh crap, we better. Okay, let’s, let’s get our ducks in a row.

[00:48:00] Brad Nigh: Yeah. Well, and the thing I saw was like the Orion accounted for like 70% of the revenue through the first three quarters of the year. Well, you know what?

[00:48:13] Evan Francen: It’s every single person, I mean, truly truly your crown jewels, right?

[00:48:18] Brad Nigh: Yeah. So every, every company using Orion, I would guarantee that contract would allow you an out that hurt him that way. Like can you imagine me just losing, even if half those people dropped 35% of your revenue overnight, how you know, and it’s not like you’re going to gain it back because you’ve just been completely owned

[00:48:41] Evan Francen: and Gordon? I was involved in, Sorry, go ahead.

[00:48:45] Brad Nigh: I was just going back to Oscar’s point on insider. Either there’s, there’s either they’ve got a failure there. That one person would have that ability or they had, how many people compromised?

[00:49:00] Oscar Minks: I mean it’s still ultimately that responsibility, Right? I agree with that. Ultimately that and even like when I say internal espionage, like I’m not saying, that’s the thing, I’m just saying when I think logically through how this, that that could have happened, like, You know, maybe that’s played three.

[00:49:15] Brad Nigh: I was just, I’m just saying like there’s a lot, there’s some issues with that. Even

[00:49:20] Oscar Minks: right? Like, oh, for

[00:49:21] Brad Nigh: sure. You know, either they’ve got one person that was able to do this. Well, that’s a huge failure or they had, how many are multiple people that were compromised? And that’s a, that’s a problem too.

[00:49:39] Evan Francen: Right? We need, we just need to start, we need to have accountability man. Otherwise it’s the same old, same old. You know, SolarWinds will continue down the same path their stock rebounded, you know, from its low. It’s still not even at its 52 week low right now. So you know, it’s we, we, we, we, we got, we need, we just need to hold people accountable otherwise, nothing changes expect more of this, expect every other software and how I’m gonna get off on a tangent. I don’t want to, but that’s what ticks me off. You know what I mean? If you don’t, it’s like a bunch of kids, you know, if I don’t hold my kids accountable for their behaviors and yeah, I have to punish. Yeah. I don’t like punishing my kids, but I don’t get a kick out of spanking my kids. But if they misbehave or they do you know, if you don’t hold them accountable for their behavior, they continue same thing with our companies in our industry. If we don’t hold them accountable, if we don’t spank them, why would I change money? Hand over fist?

[00:50:45] Brad Nigh: And the problem is, you know, like I said, hey, yeah, the easy way for companies to hold them accountable is to cancel contracts, right? Like there’s no way that you don’t have an out at this point. The problem is, how much of the nightmare is it to replace your network monitoring system? I mean that is a huge, huge undertaking. So it’s not like something you can just like snap your fingers and be done with this is going to be in terms of

[00:51:14] Evan Francen: Work, make them pay for threat to make them pay for threat hunting exercises for all 18,000 entities that might be involved.

[00:51:21] Oscar Minks: Yeah. Let me ask you something. I don’t know the answer to this. I really would like to hear your thoughts on it. So depending upon the outcome, I expect that knowing our government is involved in all these high profile entities are involved that SolarWinds is going to be forced to do a proper investigation to determine how this happened, right? And I also believe that report should be publicly released eventually. Uh do we believe that this exercise, that exercise, I’m sorry, could lead to possible sanctions that could be implemented onto large scale providers um, in that space or just in our space in general, do we think this is something that the government may use to later enforce specific sanctions regarding security onto those companies and providers?

[00:52:08] Brad Nigh: I mean, I think that there’s this this would be the start of it. I think, to have that accountability, I wouldn’t be surprised to see some new laws put into place specifically addressing this kind of a scenario

[00:52:23] Evan Francen: around crappy loss. You know what I mean? That was going to be my

[00:52:29] Oscar Minks: next question is, do you think our government will actually employ the people who would have the ability to help develop those sanctions and create realistic and valuable sanctions around this? Or do you think it’ll be a miss, we’ve seen misses before.

[00:52:44] Brad Nigh: I think that’s the big that’s the important part is bringing in true industry experts to to consult on this and help them understand because we know, I mean, you know, the normal people as we call them is they don’t get this and we know, and this is not a shot at anybody in Congress. But the majority of them are those air quote normal people. They don’t truly understand technology and security and the implications around it. So yeah, you have to hope that they’re going to bring in the right people to help with this.

[00:53:24] Evan Francen: Right? When here here’s just a, you know, a gut check, right? We, In my 30 years I was saying that this is the most significant cyber attack I’ve ever witnessed. You know, and I don’t have insider track information like you know. Right? But so it’s that big of a deal, right? Do you guys agree? I mean is this the biggest thing that you guys have seen in your I mean

[00:53:50] Brad Nigh: uh well certainly it appears that way, you know, we don’t even know the full scope and it’s easily in the in terms of uh

[00:54:02] Evan Francen: was in the surface, right. On the surface you have a confirmed breach of FireEye at the same time you’ve got a confirmed breach at the U.S. Treasury Department at the same time you’ve got a confirmed breach at the Commerce Department at the same time you’ve got a confirmed breach of source code at an organization that has 18,000 infected installs across you know, our industries. I mean, can you think of a, can you think of any breach that’s been this impactful?

[00:54:32] Oscar Minks: No, the only thing I would say would be comparable but it’s not, I mean would be the Petya, NotPetya stuff right? But the implications weren’t quite as severe here. The main difference and this is something probably we need to make sure everybody understands that was based upon exploitation of vulnerability, Decision of vulnerability implant. This is a back door that was forced into those 18,000 folks’ networks without them. They don’t have any control over. There’s nothing they could have done. Uh so yeah, I agree, I think this is certainly the biggest attack on the surface that we’ve seen right now. And we’re only like we said, just discovering the rot uh it’s going to go deep and it’s going to get bigger and bigger. So yeah

[00:55:12] Brad Nigh: I was thinking of it from I think you’re right, but from a like immediate impact, it’s not like, you know, you would see like the Heartbleed or some of those, you know, bigger attacks that would actually cause some issues we don’t even know at this point because nobody was Mhm You know, deny, deny,

[00:55:35] Evan Francen: right? And that’s not how you play chess,

[00:55:37] Brad Nigh: right?

[00:55:38] Evan Francen: You know what I mean? It’s a game that plays out over time. And and I’m not a guy who raises red flags much, right? I’m not a panic guy. But if I were to raise this would be something I would be raising a red flag is bad. The worst I’ve seen. Uh huh. And the reason why I say that is is if it’s that bad, you go to Google News and what are the headlines, number one headline Russia. And the reason why I’m making the drawing the line now between us and normal people, the people that aren’t in our industry, the people that we’re charged with protecting. Number one headline Russia’s President Putin congratulates Joe Biden on US election victory. So if I read that as a normal person like us in Russia. Yeah, we’re cool. You and I are talking about act of war. Mhm. So, so, so if you want to make change, if you want to affect change, get laws passed, that crap has to change.

[00:56:47] Brad Nigh: Yeah.

[00:56:49] Evan Francen: Because people, it’s going to be the population that’s going to force it. Us security people, we can bitch and complain as much as we want. We still don’t even have a national data breach law. You still don’t have a national data privacy law. You know what I mean? It’s just like we just take this as well, you know, whatever it’s yeah, this is crap, man. It’s very frustrating because we have so much ignorance in our population, in our society that we don’t even know that this stuff is going on.

[00:57:21] Brad Nigh: Yeah, yeah, yeah. Just looking at just what’s out there. I think it’s going to be like I said years before we truly understand the scope and I don’t know if we’ll ever

[00:57:32] Evan Francen: fully know that it’s going to be it. But the my my problem is it’s gonna be too late.

[00:57:39] Brad Nigh: Oh yeah, yeah. I mean the fact

[00:57:43] Evan Francen: that

[00:57:44] Brad Nigh: that it’s that we don’t know is Yeah. And take this chance to pivot to deny by default, do some stuff correctly. Do the basics, you know?

[00:58:02] Evan Francen: Yeah, I’m not a tinfoil hat guy. But the number one headline is Putin congratulating Biden right there. President, congratulating our president. Nothing about. Yeah, assuming it’s Russia, which I have no reason to believe it’s not, you know, just compromised, you know, your own government, the same government that Joe Biden represents and I’m not Trump or Biden. It doesn’t matter. This is an act of war and most people sitting in their living rooms today, no clue. Yeah. Let’s buy some more IOT devices. Let’s talk some more shit into our, into our, into our homes. You know, uh, it’s just like I got to slow down and we got to get our hands around this stuff before it gets worse because it is getting worse, man. Uh, so I am panicky.

[00:58:51] Brad Nigh: I think we could probably go on with this for hours, but in the interest of all of our listeners will, we’ll wrap it up for

[00:59:00] Evan Francen: today. You’ll see. You’ll save them from me.

[00:59:03] Brad Nigh: Yeah. We’ll have, we’ll have to have you on in like a month after we know a little bit more.

[00:59:08] Oscar Minks: Sure. Be glad to come back. Can we rehash for our listeners? I think it’s critically important what they do right now. Yeah. And like Evan mentioned early on, it’s funny, I’ve made a few notes. Three little notes about what people need to know. Number one, I don’t think the patch is a silver bullet, okay. That’s not going to fix if you’ve already been owned. It may fix that particular backdoor, but very possible they put another back door in your network, uh, which leads me the next point, which they haven’t said before. Threat hunt. If you have the software, threat hunt, look for anomalies, look for things that are suspicious. Look for things you don’t suspect and use this as an opportunity to do some cleansing on your own infrastructure, right. Uh Number three understand this is an implant like I mentioned and not a vulnerability. It doesn’t have to be exploited. Your software has already been exploited. I understand that’s a key difference here. So that’s why that patch is not a silver bullet. Um, and also all the IOCs we’re sharing now sees fire out share analyses all that stuff expect those are good for a very short amount of time. Don’t expect you just look for those IOCs and that’s it. Look for anomalies in your network. Look for things that aren’t normal. If you see those things you need help, we’re here to

[01:00:24] Brad Nigh: help turn on PowerShell logging, it’s not on by default. I wish Microsoft would fix that literally that that’s one of the that is mind blowing on itself because we’re seeing so much fileless malware that exploits PowerShell, nobody has logging on. They don’t

[01:00:46] Oscar Minks: and it’s the level too, I think there’s a level by default that’s on now, but it’s not very good. Make sure that you’re on includes script block logging and it may vary depending upon the OS flavor that you’re on right now. The OS build but script block logging specifically as one of our most crucial artifacts and identifying the execution of command and control framework and we know that command and control frameworks so

[01:01:09] Brad Nigh: monitor your DNS requests. That’s another good one. Right? Yeah. G. C. You know, unusual request going out to our request but it’s unusual domains

[01:01:23] Oscar Minks: that’s so noisy and so hard but we know too that we see two beacons uh run through DNS sometimes too. So we’re trying to track down uh compromised systems. Uh That’s a treasure trove if you have that DNS logging and able

[01:01:38] Brad Nigh: to. Yeah. All right. Well you know, surprisingly it’s gonna blow your minds. There was other news last week it wasn’t just SolarWinds and FireEye but I know so I really don’t have a lot of time here to go through them. I just want to mention them. Uh There was an IOT security bill signed into law so it requires the creation of some standards. So that’s a positive I think because that’s an area that has been badly neglected. Uh And the next two of the next three are directly related to that in my opinion. Um So uh that that was a Dark Reading. Uh Nasa released a alert for ICS Medical advisory for GE Healthcare imaging and ultrasound products uh where they could be uh compromised in patient data can be mm exposed. Uh So be aware if you’re using that and then there was a zero-click wormable RCE vulnerability reported in Microsoft Teams now this is why, you know, typically we would recommend probably not allowing communication with the outside with your internal communication tools if possible because it requires a specially crafted message to be sent to the person and then when they click it exploits this,

[01:03:09] Oscar Minks: they don’t even have to click it, they just have to look at it. And that’s that was super interesting, Brad, the researcher who found that actually disclosed five zero-clicks within the Teams platform. Microsoft quietly fixed one of those five but has failed to respond if the other four has been fixed and why that’s concerning is if you get a business email compromise in your own organization, that attacker can then message your folks, all of your folks and exploit their systems as well. So if you see messages that look erroneous coming from people that you would not expect, uh that should be investigated would be my word of advice for everyone.

[01:03:45] Brad Nigh: Yeah, that’s scary. And yeah, like Microsoft note was we don’t we don’t release like the vulnerability if it’s automatically updated.

[01:03:56] Oscar Minks: Mhm Yeah, they’re not going to give the details of that. Uh I think though you can see, you can see the proof of concepts, there’s a GitHub, I think I did share that link in the Under the Hood stuff last week folks would check it out. It’s scary.

[01:04:09] Brad Nigh: Uh And then the last one that was from The Hacker News. The last one is from SC Magazine, AMNESIA:33 vulnerabilities affect 158 vendors, millions of devices. So this is a vulnerability in the open source TCP/IP stack. Uh And they’re saying that there’s a good chance that these vendors and manufacturers don’t even know. And do they have any way of pushing updates to address this vulnerability? Are you gonna have millions of devices that the user has to go out and manually update? You know, you

[01:04:52] Oscar Minks: mean there never me. They’re never going to be remediated thing. Right. Right.

[01:04:57] Brad Nigh: So this is gonna be I’m a little bit

[01:05:03] Oscar Minks: concerned about that. Who’s the who’s the I’m sorry the vendor I missed the vendor, you

[01:05:07] Brad Nigh: know, it’s so it’s there’s 158 different vendors that they’ve uh affected, researchers at Forescout are the ones who identified this. And so they reported it to CISA. But Forescout was able to identify 158 different manufacturers using the vulnerable stack through Internet scans, estimates the total amount of vulnerable devices in the millions.

[01:05:36] Oscar Minks: That’s interesting. I’m gonna have to

[01:05:37] Brad Nigh: yeah, it’s using uh they were doing an audit of the of the open source TCP/IP, seven stacks, finding vulnerabilities in four: uIP, Nut/Net, FNET, and picoTCP.

[01:05:51] Oscar Minks: What is uh is there an exploit for this. You know, I’m curious like I

[01:05:58] Brad Nigh: didn’t see anything about an exploit but data is then identified is going to be a matter of time. So yeah, it’s like the MediaTek Mt 768 y 81 WiFi module and vulnerable. So I mean that’s where you go on to like Shodan and look for what’s on the internet with that now you’ve got the list of

[01:06:27] Oscar Minks: Yeah, I’m too wondering like so it’s WiFi modules right? Like going back to what we saw with that iPhone zero-click I guess seeing that last week we talked about on Under the Hood but it can be used possibly it’s like data harvesting techniques for IOT devices as well as being cell phones,

[01:06:44] Brad Nigh: you know, we’ll think about what those IOT devices collecting personal information and Uh huh. All right. And what’s crazy is any one of those could have been an entire episode and they’re like an afterthought given how were

[01:07:03] Oscar Minks: Rad? Alright, 2020 Man.

[01:07:06] Brad Nigh: I know. Uh So that’s it for episode 110, thank you, Evan and Oscar. Shout outs for anyone?

[01:07:14] Evan Francen: Mhm. Uh shout out to the state of North Dakota, you know uh in there. CISO Kevin Ford. He did a one hind uh you know, getting the assessment out to their citizens. So shout out and then uh Ryan Cloutier who worked with, you know, Kevin Ford.

[01:07:35] Oscar Minks: I’m gonna give a shout out team ambush. I think I always do when I’m on here. But I love those dudes, but uh they’re busting butt, you know, Q4 like you guys said a really busy Q4 and uh just keep getting busier right now too, so just shout out to my team for working their butts off and kicking so much butt while you work your butt off many times gonna say button sense,

[01:07:57] Brad Nigh: I mean it seems uh I don’t want to say it’s it’s not cheesy, it’s legitimate like truly appreciate the teams were not just, this isn’t just lip service and I would agree the consulting side, the the back office, the supporting staff, she has like everybody has just been so busy and what we’ve been able to continue doing and continue growing during a pandemic just speaks so much towards, you know the quality of people, we have lucky to work with these people

[01:08:37] Oscar Minks: For sure. Yeah, I agree with 100% of that Brian shout out to you dudes for having me on,

[01:08:45] Brad Nigh: It’s been fun. Yeah, we’ll definitely have to do a follow up once we know a little bit more, probably that would be an ongoing service are serious.

[01:08:56] Oscar Minks: Yeah and I’d like to plug Under the Hood too, if that’s cool, I started up a new web series we’re doing once a month now and it’s gonna be diving in on cyber threat intel, actionable items, breaking apart exploits, so folks can kind of go under the hood of these exploits a little bit more understand them and really understand how you can directly respond to those things, what you should be done. So, um, if you folks are interested, uh, send an email to me uh, or hit up FRSecure and we’ll get you on the list and we usually give away something free. Uh, well actually we always give away free stuff. Uh, but we’ll make sure you know about that sweet free stuff.

[01:09:34] Brad Nigh: Nice. Uh that’s good. I’m glad you brought that up. Um All right, well thank you to all our listeners, uh, suggest things by email at unsecurity@protonmail.com. If you’re the social type uh socialize with us on Twitter. I’m @BradNigh, Evan is @EvanFrancen, as Oscar mentioned, he’s now doing his uh web series Under the Hood so you can reach out to him or reach out through our website and get signed up for that. And lastly follow SecurityStudio @StudioSecurity and FRSecure @FRSecure for more information. And that’s it. We’ll talk to everyone next week.