Third-Party Data Breaches and Hacking 2FA

Unsecurity Podcast

This week, Brad and Evan discussed third-party data breaches, information security book writing, day-to-day security challenges, the new Modlishka 2FA proxy tool (hacking 2FA), El Chapo’s chats, and Zurich claiming “act of war” while refusing to payout for the NotPetya attack.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:21] Brad Nigh: Welcome back to episode 10, january 13th 2019 insecurity podcast brad and I with Evan Francen. Evan is still down in Cancun, enjoying the warm weather and soaking up the rays. How you doing Evan?

[00:00:37] Evan Francen: doing well, Brad. It’s good to be here. I’m in a Starbucks again so I could hear the background noise. That’s that’s why

[00:00:43] Brad Nigh: that’s all right. I think we’ll let it slide to two weeks though. That’s it.

[00:00:49] Evan Francen: Yeah. Next week we’ll be back in town and I think we’re gonna do our next podcast if I’m not mistaken in the same room. So we should have a lot of good audio stuff figured out.

[00:01:00] Brad Nigh: Yeah, that’ll be very good. I think it’ll uh it’ll help. We’ve done the the or the hangouts that you host together and as those are fun. So I think that will help make this a little bit little full a little bit better.

[00:01:15] Evan Francen: Yeah, I agree. It’s easier to play off of, you know, playoff with somebody when you’re sitting in the room and you can see what their faces telling you.

[00:01:24] Brad Nigh: That’s a great. So how’s the progress on the book going?

[00:01:27] Evan Francen: It’s going all so the same Starbucks I’m sitting at right now. I’m in a place called IsLA no la islam. All so if you’ve ever been to Cancun, it’s sort of in the middle of the hotel zone. Um and my writing place is the Starbucks because it’s the best internet I can find anywhere. The resort internet stinks. Um so I sit outside in a little table um About 12,500 words are done so far. Put that in perspective, probably going to be about 75,000 in this draft. So got a ways to go, but making progress, it’s good.

[00:02:09] Brad Nigh: Well has it been easier after the experience you had with the first one? You still kind of struggling through some of this similar, similar things

[00:02:18] Evan Francen: actually. Yeah, this book is a lot easier. I think the first book, there’s so many new experiences and you know, and you’re constantly second guessing yourself. Like it’s supposed to feel like this is it supposed to be this hard um and it helps, you know, obviously this year I brought my power cord, you remember last year I found it at home. So that, that helps. Yeah, it’s going much smoother. I’ve I’ve started to follow other really good authors on twitter with some great advice. So yeah, it’s going a lot easier.

[00:02:52] Brad Nigh: Yeah, I like the one you sent me basically. It was like, don’t second guess yourself. The first draft is going to suck, totally get it out there and then go back and fix it.

[00:03:03] Evan Francen: Absolutely. And and that’s written by, what’s your name? Delilah, uh Dawson and she’s written tons of books man, this is the new york Times bestseller and I sent that to you because you are going to start, you know at least that’s the plan. You’re gonna start writing your first book with me the second half of this year. So trying to get you. Yeah, I’m ready. Yeah.

[00:03:30] Brad Nigh: Yeah, it was good because I think you and I are very similar and that like not being right bothers me like it has to be good for whatever it is proposals or a report or whatever it is. I don’t like not having a clean refined finish. So it’s gonna be tough to just accept like just get it out and let let go back and clean it up.

[00:03:55] Evan Francen: Oh yeah, it’s a humbling experience when somebody else, when you take so much pride in your work and somebody else critiques it. So when you go through the first edit or maybe it’s a ghost writer, it’s like what in the hell did you just do to my,

[00:04:09] Brad Nigh: that’s not me anymore,

[00:04:11] Evan Francen: My beautiful piece of art. And even and even after the book. Uh so today, okay, so uh my wife join me down here in Cancun uh saturday friday. And she brought hard copies of the book because it was just came in last week. So the first time I’ve ever seen a copy of the book and they’re not for sale yet because they have to be distributed. So I you know, I’ve been telling people down here, Yeah, it’s coming. It’s coming because I was here last year. So I gave a copy to my neighbors and they asked me to sign it. So I signed it. Uh, today he comes out, you know, in that little patio area and he says, hey, Evan read the first chapter. Like awesome man. What did you think? Because really he’s not the audience for this book. It’s more security people.

[00:05:03] Brad Nigh: Right?

[00:05:04] Evan Francen: They said, well, I think you have too many words. And I was like, okay, his name is, his name is Don, like, what else do you got for me? He goes, well, ah, because I did include both of them a little bit in this book. I kind of um recapped a conversation we had had last year. Uh, and he had to remind me that, Well, that’s not exactly how the conversation went. I’m like, well, but don it’s the point. Anytime you’re going to quote somebody like this in a book, it’s it’s a paraphrase, right? I didn’t record our conversation, but you got the point, right? Well, still though that’s it wasn’t exactly what went down like, all right.

[00:05:49] Brad Nigh: So,

[00:05:50] Evan Francen: I mean, I think when you, even after the book, I mean, I’m sure there’s gonna be tons of people in our industry are going to be like Evans full of crap. Uh, you got a thick skin man.

[00:06:01] Brad Nigh: Yeah, yeah. I mean it takes a lot to kind of put yourself out there, You’re you are opening yourself up for Lot of 2nd guessing and criticism and nitpicking. So

[00:06:14] Evan Francen: yeah, yeah. So I think, you know, it’s it’s like an artist, you know, painting a painting he or she sort of, you know, does what’s inside and puts it on a canvas, right? I think it’s the same sort of thing with the book. When you write, when you write your parts of our book together and I write my parts, you’ll be expressing the things that are inside of you and you kind of don’t need to worry too much about what people might think of it, right?

[00:06:43] Brad Nigh: Yeah. Well, and I think you I have a very similar approaching that I do on this is I’ll fully admit, I don’t know everything. No, there’s no way, but I’ll do the best I can based on your education and experience, are we going to make mistakes or misinterpret something or look at? It may be interpreted differently than others, of course, but we’re both hoping to learning from that and taking that feedback and improving and moving forward,

[00:07:12] Evan Francen: right? And I think a lot of people in our industry and information security are intimidated by the fact that they might say something that’s not dead on or they might, you know, make a small mistake or whatever or they express an idea that, you know, to somebody who’s experienced might go, man, that’s a crazy idea that’s never gonna work. And we cut each other down so much so I’d really like to see. And I started to see more just people lifting each other up, get out there, make make mistakes, man, you know, you’ll be better for

[00:07:45] Brad Nigh: Yeah, that’s I mean like that’s still even, you know, I thought I kind of struggled with with the speaking engagements and doing this and it’s a little nerve wracking to be like, all right, well what am I going to say? That’s gonna blow up, but so far so good.

[00:08:02] Evan Francen: I know, right? Yeah, sometimes you’re speaking. And that gave up, Oh my God, reminds me of a presentation. I gave up in uh bismarck, it was a security conference there. And I thought I was in like one of the breakout rooms, you know? So I was expecting 2030 maybe 40 people. Well, I get there and I’m like, all right, so where you know, where am I talking? They’re like, oh, over here, And I’m like, oh, okay, it’s a big it’s a big room, like yeah, it’s the main conference room and I’m like, whoa, all right, I didn’t expect that. And so in this room there were like 700 people. I know, and I’m like, Oh God. And I was talking about something. So our marketing team actually created this presentation that I was going to be giving. Uh So they created the topic, It was the art and science of threat management. Mm Now if you know me, I can talk about thread management a lot but I’m not an expert at that. I mean I can, I’m serviceable I guess. But to get up in front of 600, people at a security conference and many of them are much more technology technologically than I am. Uh Gosh, I was just really careful to just use the right words don’t uh so I don’t know, I made it out of their life I guess. That’s good enough,

[00:09:33] Brad Nigh: yep. That works take

[00:09:36] Evan Francen: it right. Yeah. So tell me about your week then you had a super busy week last week?

[00:09:40] Brad Nigh: I did yes, we recorded on was that was that Tuesday that we ended up reporting I think. Uh so Wednesday went down to Iowa uh all day thursday today uh specific policy workshop for a bunch of higher ed for colleges down in Iowa which That was good. It was about 20 people I think and they’re representing 15 or 16 different institutions. So really good mix and had some uh those are tough because let’s be honest, it’s not the most exciting topic. What was your topic? Infotech policies? Oh my gosh, so but it was it was really good because we went through like kind of, you know the reasoning around some of the stuff and there’s a lot of really good questions that came out of it and you know higher ed is a it’s a different beast because you get all the professors and people that are like well we don’t need any we can’t have any sort of filtering in place. We can do whatever we want. But they’ve got you know Hipaa data and for requirements and all this other these controls. There are these this data that has to be protected and then you know staff and educational stuff is going well. I need to host this on my private personal google account for sending out surveys and all this other stuff. So it’s really good conversation. But

[00:11:12] Evan Francen: that’s good. Yeah. I think one thing that comes to mind, you know right away when you’re talking about a topic like that, I always judged the success of my talk by how many people stayed awake and we’re not heads down in their phone. Right? So

[00:11:27] Brad Nigh: I have my note here was it was a success. I didn’t hear a single store the entire time so that we’re on the same page. On that

[00:11:35] Evan Francen: winning.

[00:11:36] Brad Nigh: Yes. No it was good. Um You know we tried to break it up into like hour, hour and a half chunks and then take you know 5 10 minutes. And I kept you know every time we come back it was a new joke. So I did I tell you the joke about UdP but you may not. I can’t guarantee you get it right? I can’t get anyone. Uh I don’t know if you’ve heard this. So I was told my passport had to be eight characters, so I chose Snow White and the seven dwarves. I

[00:12:05] Evan Francen: was security humor.

[00:12:07] Brad Nigh: Right? It was out of uh found that one, I can’t remember. The guy’s name was like a comedy festival out of like Scotland. That was like the one of the winning jokes. That’s that’s pretty

[00:12:18] Evan Francen: funny. We’ll see. No wonder people don’t invite us to parties

[00:12:21] Brad Nigh: spread, right? Yeah, just early. That’s some good ones.

[00:12:27] Evan Francen: That is good. So so no, I was just thinking uh that’s a challenging crowd too, because in post secondary education there’s I mean they’re so far behind, right? Because they have this research area of the academic part that just doesn’t want to play by the rules. Any rules,

[00:12:48] Brad Nigh: yep. Yeah, it was it was difficult because I was the argument that they kept saying, and this was a bunch of, you know, I team managers and see IO level, so it was higher up, which is good. But they kept saying every time we say we need to do this, it’s well, but academics and we can’t do it right, we need that academic freedom to be able to do whatever. So I’m like, yeah, gosh, well here we go. And just walking through it. It’s good, I will say is as dry as that material is. I do enjoy doing those for that kind of spontaneous questions and the challenge that that does present.

[00:13:35] Evan Francen: Yeah. And honestly, man, I mean, I’ve said in your talks before, you’re very you’re very good in person. I mean, I think you’re better in person, so you know, that helps.

[00:13:48] Brad Nigh: Thank you. Yeah, I don’t I can’t do the recorded like the recorded training or recording sessions. Oh, that’s that’s painful for me. But in person, when I can like see people and play off of them, it’s a lot more Oh yeah, easier. I think, yeah,

[00:14:05] Evan Francen: I think that’s why are our next uh next podcast and future podcast will be even better than what we’re doing right now because we’ll be in person. I’m such a visual person. But if I don’t see visual cues, if I don’t see even micro expressions, thank you, chris had Maggie or you know, I’m like, I feel like a missing right arm.

[00:14:30] Brad Nigh: Yeah, it’s you’re doing it blindfolded, right? It’s kind of you’re missing something. Yeah.

[00:14:38] Evan Francen: So you got back on thursday and then friday, you were slammed. Probably would just office stuff I suppose.

[00:14:44] Brad Nigh: Yeah. Just trying to get caught up. I was going to tell you, you know, I woke up sort of the new puppy and he woke us up and like 5:00, but I was in the middle of a dream and I was very distinct that I remembered it. So I was gonna tell you about is and around, you know, you’ve been working too much. So don’t remember the the person who was talking to me was a faceless person but our sales director drew has joined me on this trip. His new you know luggage which the soup bag that zips up and it was really nice nice leather bag and put it could carry on and with a big so in this dream if somebody was showing me how they handled this stuff and they were building in some sort of technology around it and then they said basically I asked how they handled those uh I don’t remember but somehow it came up about deviates and passwords and how they secured this stuff and they were like oh don’t worry the guy says that they’re secure because only he can see them and I was explaining to him about Salting and hashing in a dream. So that’s my I’ve been working too much moment of the week

[00:16:00] Evan Francen: so you’re having a logical discussion with some uh

[00:16:07] Brad Nigh: like luggage designer,

[00:16:09] Evan Francen: some faceless luggage designer about uh the importance of salting and hashing passwords. Yeah well maybe you have worked a little too hard so you’ve gotten rest now I hope

[00:16:23] Brad Nigh: yes I was that was my cue to just take it easy this weekend. So so I have taken it easy this weekend too reset from a very long week. Good but I thought there was plenty of a couple was like oh man that’s not good. No

[00:16:39] Evan Francen: no but so long as long as it’s not a regular occurrence that doesn’t happen every night, that be a problem.

[00:16:47] Brad Nigh: Yeah. Yeah. That’s that’s the nerd nerd part of it.

[00:16:50] Evan Francen: Well, I know some developers dreamcoat dreaming code. I’m not a developer like that, but I’ve heard that numerous times that they dream and code. It’s like, well maybe you’re coding too much. Maybe not. I don’t know, developers are weird.

[00:17:08] Brad Nigh: Yeah. I can’t do it. I’m not a I’m weird. I like power shell but I don’t like doing code. I like the power show because I was a sys admin and it was really, really useful. Right? Yeah. I get the code. I just can’t get into it.

[00:17:26] Evan Francen: I’m not creative enough to actually create something meaningful out of code a little, you know, scripting things like that find and creating a full functioning application. I don’t have the creativity or the forethought to think it all through how it’s all going to work. So

[00:17:42] Brad Nigh: yeah, just it’s a different way of thinking.

[00:17:44] Evan Francen: Yeah. Not my cup of tea. Yeah. It’s good to catch up with you, man.

[00:17:50] Brad Nigh: Yeah, it’s good. I was going to say, have you had any any recent successes? I know we just launched or you just launched Evan francine dot com. Well I got a big or

[00:18:02] Evan Francen: those marketing people did that,

[00:18:03] Brad Nigh: the marketing folks.

[00:18:05] Evan Francen: That’s that’s the that’s one part of sort of what’s emerging. I think in my job is and it’s uncomfortable for me because I don’t necessarily like, okay, I don’t want it to be about me. Right. I mean we have a mission and it’s to really help people with information security is to fix this broken industry to do things, right? Uh So yeah, when you, when they set up a website, you know, and that’s what the book was written for and then they set up a website. It’s Evan francine dot com. It’s like uh but I get it right. That’s that’s part of the it’s part of the the mission.

[00:18:43] Brad Nigh: Right? Uh yeah, it’s kind of uh you have to take the necessary evil as it were,

[00:18:51] Evan Francen: Right? So if you want to know kind of what what I’m up to. No more information about the book. The book will the first book, the one I was just talking about will go on sale soon as soon as it gets to distributors now, if you want to follow that and eventually we’ll have the podcast onto that website as well. Uh but Evan francine dot com soon we’ll have a brad ni, I assume brad ni dot com when we write our book together and it’ll all come together. Beautiful.

[00:19:21] Brad Nigh: I’m gonna have to go register that before other people here that on the site on the broadcast now. Oh man,

[00:19:28] Evan Francen: is there a bread knife dot com already registered? No. Okay. Get up,

[00:19:33] Brad Nigh: do that. I have to do that. I had uh so we’re talking about our twitter last week and mine yours, this Evan francine and minds at brad and I and this week I got the Minnesota I Saca chapter followed Masco but I better keep it straight and narrow now so don’t kick me out.

[00:19:57] Evan Francen: Yeah. Yeah. Yeah. Well and since, so last week we talked about a little bit about tom and tom that one Post on linkedin now as like 180,000 views and I don’t know, 800 likes or whatever, which is by far exceeds anything I’ve ever done on linked in before. But since then also uh I mean like a dozen or so more twitter followers. Uh which is nice because I really want to help, you know, interact. I love if people would ask questions, tell me what they like what they don’t like so that we can provide more value. Same thing with at brad and I, right

[00:20:38] Brad Nigh: Yeah, I’m for it. It’s uh I was looking to see how I can do that real quick. All right, it’s not registered. So I mean I have to take care of

[00:20:47] Evan Francen: that and then expensive. Yeah.

[00:20:52] Brad Nigh: But yeah, it is weird that because I think it’s because that’s what we were just talking about. It’s like you’re always at, I was like, oh gosh, what am I say? You know what’s gonna get caught out and just yeah that’s self promotion side of it kind of like with you. Like I like doing what I do but it feels weird that it’s I don’t know, I just don’t see myself like that, I’m just doing my job

[00:21:16] Evan Francen: because maybe it’s because there are a lot of self promoters in our industry, people who are in it just for themselves in it, just for their name or less their primary motivation and so for people and I think I’m speaking for you because we do think a lot of like um I’m not in it for a name if the name helps further the mission, if the name helps make things better for people than fine, you know? But if it doesn’t, there’s no there’s no use to it to say much writing a book. I didn’t write a book to get a name. I wrote a book to try to help fix the broken industry and, you know, if it doesn’t help with that. Well, that was a waste of everybody’s time. Yeah,

[00:22:01] Brad Nigh: yeah, it will be, it will be, I think it’s gonna be good for for both of us to go through this kind of force things because you’re really good speaker, like in front of people as well. Well, thanks man, and you don’t, you know, but it’s not there. There’s no I don’t humble about it too. So it’s good for us to kind of get forced into this a little bit, I think

[00:22:23] Evan Francen: All right, thanks. So too, it’s in it’s cool going in in into this with somebody that I actually like, you know, I admire your work. I like you. Um it’s just it’s great to be able to work together with you, especially when you get to come together and further mission and when when we as we move the mission forward, everybody benefits. It’s just it’s a lot of fun doing it with you. So I’m very excited about the next, I don’t know however many years we get to work together man.

[00:22:54] Brad Nigh: Yeah, I think this will be fun. It’s so crazy how far we’ve come, you know, as an organization we keep going back to it. But you know like just looking at the last 2.5 years we’re at now and where we where we’re gonna be is is exciting.

[00:23:10] Evan Francen: It’s crazy.

[00:23:14] Brad Nigh: All right. So we talk about some news. Sure. So the first one we had was another bypass is two factor authentication broken. This is on threat post that has it as well as the so folks naked security blog has an article about this as well. So there’s a pin test tool which I’m going to butcher the name of because it’s polish mode Liska which means mantis uh basically intercepts and works as a proxy for uh one time passwords. And what is I think a little bit different on this plan is it actually serves up the information from the actual site and then just grabs what it needs out of it. So it makes it even harder to, to note from a user perspective. And yeah, I don’t know it’s tough. You know, there’s some good things in the article, you know S. M. S. And the one time codes are the most at risk even though you only have a very short period of time to actually utilize them. And I don’t know. What did you think?

[00:24:30] Evan Francen: Well, you know, it’s it’s funny because when there’s two, a couple of things I thought roger grimes. Somebody that I might have mentioned before. Uh he is uh kind of the chief evangelist at no before and he released an article, I don’t know a while back about 12 ways to hack multifactor authentication. Um, and so he and I were having a discussion, you know, he’s going to be speaking to our PSA and and the That number now has grown from 12 to like he said 50 or something but he can only keep it to 12 because he’s got an hour. Yeah. And you know, and as he was talking and then you see a tool like this, I guess part of me is like yeah uh why did I see that coming? You know what I mean? It makes perfect sense. And so now that you released a tool that does the proxy and you know captures captures that authenticator and it makes perfect sense. So I guess I’m not surprised. I’m a little disappointed that I didn’t even see it coming I guess.

[00:25:42] Brad Nigh: Yeah, I think the yeah, I don’t know what yeah, it’s tough because we’re already having I think enough issue getting people to even use two factor right? We still see just single factor authentication all the time and now we’re you’re getting stories that well two factors broken and I think people are gonna miss that even if it’s got some weaknesses, it’s still so much better than not having it. Right.

[00:26:16] Evan Francen: That’s a key point. I mean none of this has never been about information security has never been about risk elimination. It’s always been about risk management. So ask yourself, is it more or less risky? Committee used two factor authentication regardless of whether or not this tool exists, it’s less risky. So you still use two factor authentication but don’t give yourself this false sense of security that you found the Holy Grail. You still have to stop clicking on links, you still have to verify, you know where you’re at on the internet before you type in authentication. So yep.

[00:26:52] Brad Nigh: No and I think that was going to be my next point is even with this it comes back down to user training because in the articles they say well what do you use? We’ll use like a USB key or the google titan one of those, you know physical devices to add to the level of security and my thought was I can’t get a user to figure out how to not click accept on an app. That’s you know, on their authentic data app when they haven’t logged in anywhere. How are you going to teach them to use a totally different key that how are they, how many of these are going to get lost? What happens then?

[00:27:31] Evan Francen: Well, and I agree, I mean and are you, I think it’s foolish to think that you be key is perfect or any other technology is perfect. I mean if it was created by a human being, it’s got a flaw somewhere. So even those technologies, well somebody will find something to bypass or to compromise that too

[00:27:55] Brad Nigh: well and again, and it comes, it’s still going to come down to the end user right? You’re still gonna have to train them how to do it, train them how to do it correctly. And if they mean we’ve seen it in instant responses, we’ve done where users have authenticated is in the multi factor with an app logging in on the computer. Yeah, but they weren’t walking in like they were getting pop ups and they finally just said yes go because they got tired of getting ping by the app that they were found to authenticate. Like uh

[00:28:32] Evan Francen: a long way to go well for sure. But you know, and these things violate, you know, two truths are principles that I’ve always held onto one complexity is the enemy of more complex. We make things harder, we make it to log into things. So the more steps you have to do, the more gadgets you have to carry around, it’s not actually making it more secure, you may seem like it, but it’s not right. And the second thing is businesses are in business to make money. And so the more, the more difficult we make it for people to accomplish the tasks that we need to accomplish at work, the more money it’s costing them right, defeats that purpose too. So, you know, there’s not, there’s never going to be a holy grail, so stop looking for it. You know, you do have to actually learn, you know, some of these things and train your users and where users fail has something in place to detect it and respond to it,

[00:29:28] Brad Nigh: right. One, what happens? And I know I’m guaranteed you’ve seen it is, you know, we make it too difficult for the user to do a task. What do they do? They look for workarounds, shortcuts other ways to do it and that almost always introduced as additional risk that you aren’t even aware of,

[00:29:47] Evan Francen: Right? And I, and then, and then now you have this adversarial relationship with the users, they’re not going to listen to other things that you talk to and that they already view you as an adversary. If they’re trying to look for ways around things, even if it’s not fully conscious, subconsciously they’re looking for ways to not work with you.

[00:30:05] Brad Nigh: Right? Right. And you don’t want that.

[00:30:07] Evan Francen: No, that’s a huge problem?

[00:30:10] Brad Nigh: Oh, boy. Well, it’ll be interesting to keep watching and, and I on this and see what happens. You know, I think, you know, there’s some comment about, should they have released this tool to get up? And I think the 0.1 of the articles was like, well, yes, because you know, there’s already tools out there that are being used. So let’s allow security researchers the opportunity to actually test this and have an opportunity to maybe you’ll find some some better fixes around it. So

[00:30:40] Evan Francen: yeah, absolutely. I agree with that completely. Because in penetration testing or you know, whatever red teaming, um we have to we have to devise strategies on how to protect against these things. So the tool again, I don’t know if people cut it up front, but it was M O D E L I S H K A if you’re interested in looking it up.

[00:31:06] Brad Nigh: Yeah, it looks like a pretty cool tool. But

[00:31:10] Evan Francen: yeah, if I had more time if I had more time I play with it, but I get home

[00:31:15] Brad Nigh: and they have to sit over or make sure that the are tech services guys have an opportunity to see about using that for some of their stuff.

[00:31:25] Evan Francen: Yeah, that reminds me last are on Tuesday we were talking about, I don’t know, I don’t know if we’re supposed to use his name. I did use it in the last podcast. So I’m just going to use mind flay. Did we are am I becoming unstable?

[00:31:46] Brad Nigh: Oh so you’re Cancun internet kicked in right there And we got a nice digitized voice of of parts of you.

[00:31:54] Evan Francen: Yeah that was that was my that was my hacker side coming out.

[00:31:58] Brad Nigh: That was the auto tuning or whatever it is.

[00:32:01] Evan Francen: Yeah I know but we promised on Tuesday I think to fight to give the U. R. L. For the tool that one of our sex services people created.

[00:32:10] Brad Nigh: Yeah I totally feel because I was out didn’t seem that on friday so I will get that. Uh Well nature. Yeah. Yeah well last week

[00:32:27] Evan Francen: it sounds good. Can come internet. It’s going funky on me.

[00:32:31] Brad Nigh: Yeah that’s okay. I’m gonna fold we’ll get to hear parts of that and talk be more interesting than I can only get parts of the of what he’s talking about.

[00:32:46] Evan Francen: Yeah this is what you get for doing podcasts from Cancun Starbucks.

[00:32:51] Brad Nigh: I mean I don’t think it’s gonna anybody that fall two for that. I mean I know I’m I would mind switching his places so

[00:33:01] Evan Francen: Yeah. Anyway we’ll try

[00:33:04] Brad Nigh: next. Yeah it’ll it’ll work the the story got was off of the register. Um It was who cracked el Chapo’s encrypted chats and brought down the mexican drug king king and his team manager. So apparently two day last week I was in the trial. The FBI admitted had been able to access hundreds of phone calls made by el Chapo and associates did and christian custom encryption because uh huh and it was really interesting so appearance

[00:33:46] Evan Francen: uh

[00:33:48] Brad Nigh: what guy and it turned out that the tape was very untrusting and put like spice on just uh To end up to 50 devices and he actually had somebody full time revealing all the communications this was just a kind of interest. Uh huh. Wait look behind this is the kind of this investigation went down.

[00:34:23] Evan Francen: Yeah and I could talk more if wifi wasn’t so bad here in Cancun interesting story though.

[00:34:34] Brad Nigh: Yeah. Yeah it’s definitely Look maybe you know they 15 polls 1011 of 2012. Um there was some I was reading some others not this story but on twitter uh that about the number and you know it was really interesting at one point apparently he used his wife wife’s phone and had her handed over to her father who was part of the drug kingpin or cartel as well. And it was just really interesting how they were able to go around and break all this stuff down.

[00:35:18] Evan Francen: Well it’s funny how criminals are so paranoid which they should be. They don’t trust anybody yet no matter what you do. You still have to trust somebody. So trusting somebody came around to vitamin the but

[00:35:34] Brad Nigh: yeah uh you know was that not trusting anybody is what what it was if he hadn’t installed the software and I can’t remember what it was, but basically they were able to get go to the software company and get a subpoena and that’s how they were able to get in. So if he hadn’t installed the spice off where they would have been able to get this information.

[00:36:00] Evan Francen: Yeah, it’s an interesting story. And the good thing is, it’s a short read, but it gives you some some kind of insight on how tech played a role and taking them down.

[00:36:12] Brad Nigh: Yeah. All right. So next story I had was by uh boat security magazine dot com. And again, register that’s co dot UK both have articles about this, Zurich is refusing to pay out for, not pizza ransomware last year. So Mandela’s, which is the owner of Cadbury Uh, filed a claim for cyber insurance because they had permanent damage to 1700 servers and 24,000 laptops in addition to unfilled orders and other disruption. And the Zurich is refusing to pay it claiming it was an act of war Because the UK said in February that they blamed Russia for the attacks that happened in June of 17. So this was this is gonna be a really interesting one to watch.

[00:37:15] Evan Francen: Yeah, this has huge implications. $100 million Internet an act of war. It’s just we have different adversaries, but everything it’s like it is war. So, you know, I don’t, if I were on the jury I based on what I read, I don’t I don’t know anything beyond, you know, it’s publicly available, but Zurich, in my opinion, doesn’t have a case, man pay it out.

[00:37:44] Brad Nigh: No. Yeah. Well, and what was interesting um info security magazine article, they had somebody that and direct should have instead of going with the Act of war because it’s gonna be really hard to prove that it was Russia that actually did this right now. They’re not going to claim it, but that they should have gross negligence because Mandela’s was hit twice by that same ransomware so that they would have been a much easier argument like this may be the insurance companies trying to get out from under I think there’s an article, there are a number of eight billion or was it 8? And mind Felix losses that insurance is going to have to pay three billion, sorry, three billion.

[00:38:43] Evan Francen: Yeah, it’s crazy. It’ll be interesting, like I said, I’m very interested to see how this thing plays out because it has implications for, you know, many, many other people.

[00:38:56] Brad Nigh: I think it’s a good thing to take out of this is, and we’ve heard it uh well, I’ve got insurance uh to do anything because I’m covered. Mhm No. Uh huh just because you have insurance does not guarantee that they’re gonna they’re gonna investigate with a reason to not pay, they don’t want to pay out, you know, a billion dollars, you know, however, that big that number is so yeah, I keep doing good security.

[00:39:34] Evan Francen: Yeah, I agree. And I think the reason why my internet is going to crap is because some kids are playing games on my internet. I should get up and go knock the phones out of their hands.

[00:39:47] Brad Nigh: Is this big go through a man. I just I didn’t say I’m Courtney a podcast. I think it’s delicious.

[00:39:57] Evan Francen: Yeah, no, I’m just gonna go do it. I’m a I’m a foreigner.

[00:40:04] Brad Nigh: All right. The last one I have and I saw they mm And uh, if you posted it before I put this in here or if it was just coincidence and we were looking at the same thing. Uh, but it was out of again, security magazine, third party breach expo 2008 the needs in the end. Oh, getting idea. Talk about third party risk management and generous management. And you just keep seeing it come up and these aren’t small breaches.

[00:40:48] Evan Francen: No. And I wrote an article this week for the marketing team about, um, You know, the importance of 3rd party information, stimulus management. Uh, and there’s really no excuse for not managing these risks anymore.

[00:41:08] Brad Nigh: Meat kids in their games, one class keeps um, so yeah, sure. Right. Yeah. Well kevin,

[00:41:31] Evan Francen: I lost my connection altogether. Think smallest. What’s that game that everybody’s playing now.

[00:41:37] Brad Nigh: Fortnite.

[00:41:38] Evan Francen: Yeah, freaking Fortnite. Fortnite is killing me over here?

[00:41:43] Brad Nigh: Okay. I did my old clouds, those kids in their games.

[00:41:50] Evan Francen: Fortnite man. Why do why do parents let their kids, why do parents let their kids play so many games around here? You have business to do?

[00:41:58] Brad Nigh: Yeah, important podcast to record,

[00:42:02] Evan Francen: Right? I’m trying to fix a broken industry here and you’re playing Fortnite.

[00:42:06] Brad Nigh: So you that you think you had written an article but I can’t, do you know what is the percentage of breaches that are through third party?

[00:42:20] Evan Francen: Well, depends on, you know, it’s I’ve read anywhere between 60-65% of all breaches come through third parties. Okay.

[00:42:33] Brad Nigh: That’s what I was thinking. But I didn’t want to say because it seemed really high but Okay.

[00:42:38] Evan Francen: Yeah. Either directly or indirectly. I mean the fact of the matter is third parties don’t treat your information as valuably as you do.

[00:42:48] Brad Nigh: Right? Well and that’s the thing. Everybody says, well I’ve got a business associated during the B. A. Or we’ve got a contract and you know, unprotected and well no because who can name the H Vac vendor in the the target. Gosh, the target breach is your data, you’re the one who’s going to take the hit for it regardless of of what the third party who the third party was?

[00:43:18] Evan Francen: Well, exactly, I mean having a B. A. Is one thing. But is that does that constitute due diligence? Right. And that’s what’s going to matter. So if you didn’t do a risk assessment, if you haven’t considered the risks in using the third party, you haven’t done your due diligence? It’s that simple,

[00:43:36] Brad Nigh: yep. No, I got nothing, dad. You’re right.

[00:43:40] Evan Francen: Yeah, I’m sorry about my internet down here, man. What a bummer.

[00:43:45] Brad Nigh: Well, right, where me is you to Cancun and less than there so we can record in person. So that

[00:43:53] Evan Francen: together, that’s what we’re doing next year. In terms of next week, we’ll be together so we want to have this issue next week. But this

[00:44:01] Brad Nigh: big you hear me talk more anyway, said nobody ever.

[00:44:07] Evan Francen: Yeah, and we had so much, we had so much good meet at the beginning of the podcast, so I don’t feel bad. Yeah, just look.

[00:44:18] Brad Nigh: So just now they get to hear the new uh I think it was the new out Outro out take whatever it’s called. Was it on the last one? Or is this going to be the new on this one?

[00:44:30] Evan Francen: I think it’s this is the first one. We’ll have the out take

[00:44:34] Brad Nigh: look at me. I’m just breaking news all over the place.

[00:44:36] Evan Francen: You’re a news. Breaking security guy, man.

[00:44:40] Brad Nigh: Harry. Stay tuned for the anti official indian here.

[00:44:49] Evan Francen: That’s right. Alright man, we’ll talk next week.

[00:44:51] Brad Nigh: All right. Have fun this weekend and enjoy Cancun.

/by