Behind the Scenes of a Vishing Scam

Unsecurity Podcast

In episode 117 of the UNSECURITY Podcast, Evan and Brad listen to an impressive vishing scam voicemail Evan received and talk about the novelty of it and how effective it might be. Then, they discuss privacy and whether it’s truly the “right” people claim it to be. Finally, they talk about a well-known problem across the industry: burnout. Give this episode a listen/watch, then send us your questions, comments, and feedback to!

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: Hey there, thank you for taking food. Thank you for tuning in to this episode of the UNSECURITY Podcast. This is episode 117. The date is 2 February 2021 and I’m your host, Evan Francen, and joining me, good friend, pal, security expert, awesome guy Brad Nigh. Hi Brad.

[00:00:45] Brad Nigh: Hello,

[00:00:47] Evan Francen: two weeks in a row. We’ve had trouble getting like the initial like the first sentence out of the

[00:00:52] Brad Nigh: Yeah, left same, but I’m not the only one struggling.

[00:00:56] Evan Francen: Mhm. Uh So today, uh some things I’d like to talk about it, I’d like to talk about privacy. Uh just this thing people say sometimes, you know, privacy is a right, right? It’s your right to privacy is all right. And you know, let’s talk about, Well, that’s actually true. And if it were true, would you be able to get it back? Because I think we all agree your privacy is pretty much gone. Mhm. So I’d like to talk about that and then I’d like to talk about burnout writing a blog post. You know, sort of this morning about burnout and then uh we can get into some news. So I have an audio that I’d like to share with the audience. A pretty interesting scam. Audio that I was little. I was impressed by it. Well, before we get to that, we always catch up. How you doing?

[00:01:54] Brad Nigh: Good, good overall. Yes, we were talking before this is two weeks in a row because of the switch, we did record it Wednesday and I forgot to set the alarm and then I totally spaced it sent the wrong alarm last night. So yeah, right, fully awake yet, but we’ll get there.

[00:02:17] Evan Francen: Yeah, I don’t know if you can see my eyes, but they look kind of glossy. Like I didn’t sleep at all.

[00:02:23] Brad Nigh: Here you go. But now it’s been, it’s good. Uh you know, we talked about, it’s been what we’re at 10.5 months into this and finally it was like, all right, I got to do something, so I got myself a fit, but trying to be a little bit healthier or now it’s, I’ll say this, my steps and all that aren’t as bad as I thought there would be. They’re not good. It’s not nearly as bad.

[00:02:56] Evan Francen: Nice. Good man.

[00:02:57] Brad Nigh: Yeah. It’s tough to get you realize it like when your, your home basically all day and it’s winter out here in Minnesota. So it’s, it’s tough to get steps and you have to be consciously aware of it and make an effort.

[00:03:19] Evan Francen: Shut up. Oh yeah, exercise hasn’t been, hasn’t been top of my list. I don’t think it should be holy crap, but

[00:03:31] Brad Nigh: on, yeah, yeah. The other, you know, I’ve only been clear of the dizziness and all that for two weeks. So I had two months. There were I really couldn’t do a whole lot.

[00:03:46] Evan Francen: Mhm. Yeah, I think the work has been dominating. I told my wife that it was going to be this way though. You know, we came back from Cancun and then uh we’re actually leaving in a couple of days uh for a real vacation this time. Uh I told her for the next 17 days, that’s how many days there were between that and we’re leaving again, that I’m gonna work like all the time. So just, you know, warning you, and she’s, you know, she signed off on it, maybe reluctantly. But you know, here we are and I’ve only got a couple days left and I don’t think I probably got maybe four hours of sleep last night. I finished up uh yeah, finished up some. Spect stuff for SecurityStudio. Yeah, keeps you up late. Yeah.

[00:04:42] Brad Nigh: Yeah. Speaking of SecurityStudio, I’ve been working on the R. I. R. Maturity assessment and then that CMMC stuff. So writing, creating it in a way that should be pretty easy to ingest for SecurityStudio.

[00:05:02] Evan Francen: That’s awesome, man. Yeah, I found a database, there’s a database on our group, you know, the SecurityStudio partner community group. Mhm. Uh I didn’t realize that they have a database there. So I created a bunch of tables. I created a table for cmm secret at the table for C. I. A. S. A. Created a table for other things where we could put things in, you know, share them out with the partner community. Yes, we’re building.

[00:05:27] Brad Nigh: Yeah. Yeah. That’s gonna be very cool.

[00:05:32] Evan Francen: Yeah, I sort of stumbled on that. All right. So today is uh Tuesday, it’s garbage day. So I got to get the garbage out. That’s my wife. Did it.

[00:05:44] Brad Nigh: Yeah, you should probably do that.

[00:05:47] Evan Francen: Yeah. That’s one thing I’ve noticed. I only have three people who live in my home now. It’s me, my wife and my youngest. And uh I’m amazed at how much garbage would create. I’m like, what the hell did we buy?

[00:06:01] Brad Nigh: Yeah, I was I like have to take out the trash like daily out of the kitchen. It’s like what’s going

[00:06:11] Evan Francen: on where everything’s got packaged and double packaged and some things I can’t open, man. I go to the like I go to the, you know, convenience store gas station and get like a you know, be tricky or be stick and I can’t even get the damn thing open. You ever run into that?

[00:06:31] Brad Nigh: Oh yeah, it’s like yeah, I shouldn’t need like scissors and like surgical scalpel to get into the food,

[00:06:42] Evan Francen: right? Yeah, I’m buying it? Because I’m like, you know, you buy that rush kind of like I won’t let this be stick and I want it now. Yeah, I’m hungry as hell. And I get into my truck. And I’m like, what the hell do you can’t open the fucking

[00:06:56] Brad Nigh: oh

[00:06:58] Evan Francen: my gosh, yeah, I don’t know what to do that, but we do all right, so here’s an idea I want to share first before we dig into everything else. Just a voicemail that I got, I think it was last week. Uh, and the reason why I want to share it is I think our listeners might be impressed with the quality of the scam voice myth, wow. Yeah, thankfully this voicemail went to, you know, me, I’m a CEO of a security company. So if I fall for it, it’s like, well, that’s about as embarrassing as it gets. I think so thankfully I didn’t, I took the voicemail, I shared it with our our customer who’s actually referenced in this voicemail and the text I got back was, it was, it had expletives in it, so I’m not going to share it. But he was very surprised. So I took it around and shared it with our E. L. T. or executive leadership team. Just be like, hey, FYI, you know, this is a scam voicemail that I got. And the cool thing is I got like three texts after I sent it to our eel about, hey, is this stuff, did you just send me an email? Is this a, is this a phishing email? So that was a good sign when you have executives questioning that.

[00:08:20] Brad Nigh: I would say our executives are probably more on top of that stuff and just about anyone else, which is really cool and they want to learn about. That’s that’s what’s so cool.

[00:08:33] Evan Francen: Right. Right. All right, so it’s a minute long voicemail. I’m gonna go ahead and play it here. Uhh share this. Alright, here we go. Mm.

[00:08:47] spk_2: Hello Evan. My name is Angela, calling from JP Morgan on behalf of your customer health. On a recorded blind health would like to change their payment method to s are secure, L. L. C. and asked that we reach out with the details. If you could please return my call at your earliest convenience at 877. Yeah. And please reference the number 1491737. I thank you for your time and I look more just speaking with you soon, have a great day.

[00:09:38] Brad Nigh: Mhm. That, yeah, wow,

[00:09:44] Evan Francen: pretty good. Huh?

[00:09:46] Brad Nigh: I think the yeah, the big surprise or I think the big give is like the cadence is off, right? You can just get it just very halting and and just not quite right. But wow, that’s actually really good. Right?

[00:10:08] Evan Francen: Well, it’s good and it’s accurate, right? I mean, she, she sounded very, you know, professional. It did sound like uh you know, like, yeah, it didn’t sound, you know, foreign, you know, from, you know, from a foreign country. It referenced, you know, JP Morgan, it referenced a reference number. It referenced a callback number. You know, our rule of thumb, uh you know, it never ever give out sensitive information on a phone call or any communication that you didn’t initiate, right? So in this case I didn’t initiate this phone call. They did, but you left a voicemail with a number. So then I’m not invalidating my rule of thumb by calling you back and giving sensitive information. You know what I mean? So it violates that really some.

[00:11:02] Brad Nigh: Yeah. Well, for me, if I were to get that, I would have gone online to find a number to call into JP Morgan. I wouldn’t have called the number on that. Yeah. And then said, hey, let’s mail that said to reference this and see what they said.

[00:11:20] Evan Francen: True. Yeah, I can see that and that is a good tip. But they were also referenced a legitimate customer name. She had she struggled with the customer name, but still you got it right. She got our company name correct. So it, you know, all intents and purposes if you’re not paying attention, you know, it seems legit to me.

[00:11:42] Brad Nigh: Yeah

[00:11:43] Evan Francen: the big tell, the big, the big tell for me is that you sent it to, you called the CEO. Yeah. You know, and I’m like, I don’t do crap with money, so

[00:11:56] Brad Nigh: that ain’t for me, you’re not allowed to.

[00:11:59] Evan Francen: Exactly thank God. Uh huh. But it was good. It was better than what I get normally. Yeah. Okay.

[00:12:11] Brad Nigh: Oh no, I’m trying to figure out how they would have gotten uh you know, I don’t think it was a mistake or an accident that got a customer name, where would they have gotten that from? Because I don’t think it’s yeah referenced anywhere. That’s interesting.

[00:12:30] Evan Francen: Yeah. Some of us and yeah. Somehow. Yeah. So anyway this this particular scam voicemail didn’t uh didn’t work but you always have to stay vigilant man. It doesn’t matter what what what uh what job you have, what level of the organization you’re in. I mean you gotta pay attention, you got to stop for a second and be like mm. Is this unusual? Yeah, anything that’s unusual certainly should be a red flag. Mhm. Yeah. Anyway, so I sent it on to uh our customer and like I said he was taken aback by it, but now it’s become training material. So

[00:13:16] Brad Nigh: yeah, for the for them like how do you protect yourself? Because if you would, let’s just say, you know, you had fallen for it, it’s a reputational and financial impact potentially for them as well.

[00:13:35] Evan Francen: Right. Yeah. Yeah. Well, and what they were targeting is, you know, certainly our payment accounts and then um yeah, and then you wire money, you know, usually ACH, yep. And once that money’s gone, if you don’t, if you don’t notice it and react to it quick enough, it’s gone gone. Yeah. Especially now after PPP money, this second round of PPP I think just came out and I don’t know if that first got any, but I know lots of other companies did. It’s a lot of money in the accounts, man.

[00:14:13] Brad Nigh: I think what’s interesting was we had kind of find the note, we have a I. R. Where it was a wire fraud and they were able to catch the most recent one because the customer reached out was like, hey we haven’t been paid. But I think they were saying that it was had been going on for like months. They don’t know how long this has been wrong, They were trying to figure it out. So I mean if you think about it, even if it’s not a huge amount that’s it’s gone

[00:14:58] Evan Francen: right. Well, oftentimes it is huge. Oftentimes it’s a combination of payments, right? Your accounting department is not paying attention, you know, because it’s multiple fronts for me getting less. This uh this voice mail me not acting your apartment right? Uh Now assume I did have some kind of financial account access and was actually make, you know, able to make those changes anyway, but I’m not but uh afford it onto my accounting department and they go okay? And they called back and they change those numbers, what have you or if I had access, I could have done myself the and then you would have gotten, you know, invoices or

[00:15:48] Brad Nigh: well maybe I will play that’s the other interesting thing because they they don’t send money to them.

[00:15:59] Evan Francen: It’s true. I wonder if it would be a target against Centric Care ultimately to get their money. What is it changing the way

[00:16:12] Brad Nigh: Yeah, there were two

[00:16:13] Evan Francen: Children way that Centric Care pays me. Yes, that’s exactly what it is. So they called me, we change the way Centric Care pays us, right? Because that’s what she said she wanted to do was lay Centric Care paid us, yes. And then send invoices to Centric Care. So then Centric Care would pay them.

[00:16:38] Brad Nigh: Yeah, they were trying to get our like uh ACH number or something like that, whatever that. How about the wire transfers would work. That’s, yeah, they, they were actually targeting Centric Care through us because we don’t spend their money.

[00:16:58] Evan Francen: Right. Well, holding

[00:17:00] Brad Nigh: That’s huh?

[00:17:04] Evan Francen: Right. Well, and that’s what they said too, was they wanted to change the way Centric Care paid us.

[00:17:10] Brad Nigh: Yeah. Uh

[00:17:11] Evan Francen: huh. So then, you know, our invoices would go to Centric Care as they normally do. But then instead of payment coming back to us, payment would go to where they changed the account.

[00:17:25] Brad Nigh: Yeah. She send that over to the uh Hi our guys get you guys.

[00:17:32] Evan Francen: Yeah, I did too. Yeah. Yeah. So anyway. All right, that was good. Be careful. Be vigilant. Uh yeah, security people are cool because they’re a little bit skeptical. Some of us take it too far and we’re paranoid. But then paranoid’s okay too, I suppose. Thank you. All right. So the next topic, the thing I want to talk about was last week after the security shit show we did on Thursday night, we had a really good discussion about just, I don’t know what kind of a quagmire of things, but after that, like, immediately after that I wrote this thing on LinkedIn about privacy because I sort of get tired about every time you see, you know, like I think I saw tour advertisement, somebody with something tour and I said privacy is you’re right, like it’s smart. So in the last week was privacy privacy today, did you miss that?

[00:18:37] Brad Nigh: I had no idea. Yeah,

[00:18:39] Evan Francen: yeah, so there was an international data privacy day, it was last week and uh, some people say privacy is our right and so uh what I wrote was the wrong privacy and then I wrote privacy was all right. And now I’m thinking that privacy maybe wasn’t, wasn’t even a right, privacy was never right. There was an expectation of privacy, potentially that was it perceived. Right?

[00:19:09] Brad Nigh: Well, I think, I think you put it right, we traded privacy for convenience, so it if you can give up your rights right there, that’s absolutely a thing. So, and maybe it wasn’t, it wasn’t right at one point, but we’ve as a society have said, getting up and walking across the room, it’s too hard. So I’m gonna give up my privacy so I can, you know, say Alexa or whatever do

[00:19:39] Evan Francen: do your thumb. Yeah, that’s true. The technology, you know, is too convenient to sexy that privacy is an afterthought and by the time I realize that it’s, we’ve already gone so far down this path that you know, you got a question, can I ever get

[00:19:58] Brad Nigh: back?

[00:20:00] Evan Francen: Because we are also allowed privacy and like I posted to, we also allowed privacy to be stolen from us. Oftentimes without our knowledge or consent, it’s just you share information, you apply for a job, you got to give them a social security number, blah blah blah. So this, if you apply to school, same kind of stuff. You go to the doctor, you’re sharing all kinds of information there. You know, social media sharing information there. You sign up for a new credit card, you just giving information there, you know, on and on and on. And it’s all basically out there. Come on.

[00:20:32] Brad Nigh: Well, I mean, yeah, I’ve talked about it before. I had my taxes were fraudulently filed in 2016. Yeah. Not through anything I did wrong, right. I freeze on my credit. I had to get all the right things as you would say, but it was one of the like the, gosh, I can’t remember. I think the Anthem breach or something at this point. Uh, right. Yeah. So what can you do and you don’t control the stuff that is, I mean, realistically like vital to day to day life.

[00:21:15] Evan Francen: All right. Right. And so and I thought it was interesting too that it’s not just digital ideas of things I share online and stuff like that. Then you’ve also got, you know, 50 million, more than 50 million surveillance cameras in the United States, which is more per capita because we always say, well, China, trying to, trying to, China there’s, you know, no privacy, they got cameras all over the place. Well, it’s true. They have more cameras, but they have less cameras per capita than we do in the United States. Mhm. You mean, is it safe then to say that at least from this perspective that there’s less privacy in the United States than there is in China?

[00:21:59] Brad Nigh: Yeah, I guess it would depend on what’s the uh like the breakdown, right? Are they considering the red light cameras? I would assume that would be part of it where they probably don’t have those in China. And those are in every city. Yeah. Right.

[00:22:18] Evan Francen: Yeah. I don’t know.

[00:22:19] Brad Nigh: Mhm. That’s interesting.

[00:22:22] Evan Francen: But we’re heading down a path where I mean, it’s just not pretty right. They continue to install more cameras. It’s not like they’re taking them out.

[00:22:31] Brad Nigh: No. Yeah, very true. Was it? Is it? Uh Yeah. Yeah, minority report where it’s like free Hey, you thought you got a thought that you were going to commit a crime, so we’re going to arrest you before it happens,

[00:22:52] Evan Francen: right? Yeah. I mean, it’s getting kind of scary and this, this kind of dystopian uh society. You also got to consider that, you know, your movements are tracked if not by your mobile devices, by maybe your cars. It’s getting more and more difficult to be able to purchase a car without, you know, the electronics that allow people, somebody somewhere, to track. They sort of started I think with, what was it, the OnStar. It seemed like one of the first things we would put electronics like this in the vehicles. I just saw yesterday that’s Ford, uh Ford just signed an agreement with Android I think, are you know, that put crap in all their vehicles. I drive an F-250 that’s 2 15. That’s purposely based sort of model, doesn’t have any of the electronic stuff in. It still has electronics run the motor but not tracking to my sense and things.

[00:23:55] Brad Nigh: Yeah, a little older than yours. But

[00:24:00] Evan Francen: I don’t think I’m ever going to upgrade it. And I mean like I don’t want, yeah, it’s not like, and I know people say, well uh well, you know, if you’re not doing anything wrong, you have nothing to worry about. I say bs well, on bs anyway, you have my data. I don’t know how you plan to use it. If you’re just planning to use it just to stop me from doing a crime or to investigate a crime that relates to me, okay. Maybe. But the thing is is oftentimes they’re collecting this data and there are no rules. Yeah but they get to do data what they’re truly doing. I think in a lot of places is there profiling me? You can get start to get predictive, you can start to tell where I’m gonna go and get something there before I get there to maybe influenced me to buy a product. Maybe. Uh well we know the story.

[00:24:57] Brad Nigh: I don’t know, we know stores are tracking Bluetooth, like they track how you walk through the store with Bluetooth now. Even if they don’t know who you are, there’s a MAC address associated with that, there’s an identifier and they can definitely start seeing that. So like, you know, if not to pick on any store, Walmart, Target, whoever it is. But if you’re, you know, let’s say you’ve got the store’s app, they’re not going to start sending you like, hey, I noticed you walked in the door

[00:25:31] Evan Francen: right here’s a coupon. That’s the thing. I mean you collecting all the data and it’s not for my benefit. That’s the lie. Right? I think consumers and people citizens think well cameras are here from my benefit. These device tracking is for my benefit. The you know, tracking my shopping. That’s just my shopping experience that much better. So it’s for my benefit, it’s like no that’s not benefit. Even if it even if it did, even if it started as a benefit for you, It’s only a matter of time before men, women, people, human beings corruption.

[00:26:12] Brad Nigh: Yeah.

[00:26:14] Evan Francen: I started to realize, oh my gosh look at all this value I’ve got in front of me. If I used it this way We could you know, realize another $100 million dollars in revenue. So what are they gonna do?

[00:26:27] Brad Nigh: Yeah. Well. Right. Yeah, I’m with you.

[00:26:32] Evan Francen: I mean is and so uh so another thing, you know, and so you know, I continue down with a list of, you know, certainly one or more of your government issued IDs, whether it be your driver’s license, Social Security number, passport number, something or all of it. We can all agree, given the number of breaches, the expanse of breaches, the organizations that were breached. Do you think it’s safe to assume that your, your government issued IDs are out there?

[00:27:01] Brad Nigh: Yeah. Well already

[00:27:02] Evan Francen: been compromised.

[00:27:03] Brad Nigh: We’ve talked about it before. The problem is that Social Security number was intended to be an identifier, not an authenticator, and it’s been bastardized. You can’t use the same thing for both. That’s a fundamental contradictory things. Yeah. So that’s, that’s really the big thing. They’ve got to stop using Social Security numbers as both. You know, it should only be an identifier, it should not be an authenticator in any way,

[00:27:33] Evan Francen: right? And to that. And to that point you know may have started off from my benefit. But then you start seeing all these other potential uses for it, right? And then you start using it for their peoples benefit. The Social Security number is a perfect example of that. It was originally designed for you to track my Social Security account, right? My benefits, you know that sort of thing. So it was for my benefit. That was the only use. Now there was no there were no constraints. There were no specific laws around the protection of that account thing. So then what happened? Well, we started using it to track your bank account numbers, your taxes, your on and on and on. Now it’s out of control.

[00:28:13] Brad Nigh: Yeah. Well, you know, realistically

[00:28:15] Evan Francen: it’s not convenient.

[00:28:17] Brad Nigh: Well, I don’t have a problem with it being used as an identifier for those other things, right? Like okay, that’s, that’s fine. I’m gonna identify it myself. But when it’s public from, well, from an identifier standpoint you can’t use it as an authenticator as well, like. Right?

[00:28:38] Evan Francen: Yeah, I think and I take exception of both. I take exception to the fact that it is used, you know, dual purpose for authentication and identification. That’s certainly a violation of just logic. And I do take exception to using a single identifier in all these locations without specific rules. Yeah. The uh because now if you come because one of the things that I’m, you know, we’ve talked about this too with biometric authentication. If whoever is collecting my biometric whether it be a fingerprint and geometry retina scan, whatever my job. You know, the biometric is if the system or the device or the people behind it aren’t storing data correctly. So let’s say they’re storing the entire image as opposed to the minutia of the image, right? If they do that and that image gets lost or stolen, Well now you’ve lost or stolen something that I cannot change. Yeah. And I have the same issue, the same problem with my Social Security. Maybe I can change it, but I’ve, from what I’ve heard, it’s like it’s you have a better chance of, you know, lifting that titanic off to the bottom of the sea by yourself.

[00:29:55] Brad Nigh: Oh I mean well like you were just saying think about all the things you have to change like yeah, it’s almost like overwhelmingly difficult to the point of it’s not worth it.

[00:30:15] Evan Francen: Right? Yeah. Yeah. So there’s that and then uh certainly our online habits are tracked basically everywhere you go online, you know, and you can take some precautions to limit the damage there. But essentially uh they can still build a pretty good profile even if you have, you know, as many blocking technologies as you have, even if you’re using Tor, you know, people don’t realize how Tor actually works. A lot of the exit nodes for Tor are actually controlled by government and private entities.

[00:30:47] Brad Nigh: Right.

[00:30:48] Evan Francen: So even there they can track and people like oh it’s completely anonymous. Well maybe yeah, maybe and then we have this lust man, we keep adding more crap. We just can’t seem to stop ourselves from adding more devices, adding more cool gadgets making our homes smart art. It’s like let’s define what smart is, is smart using something without really understanding the consequences. Is smart using something without being responsible for the something you’re using. Uh Yeah. So that’s the privacy, that’s where we’re at. And when you think about national Data privacy day and people who assume that privacy is our right, Tell me how you could ever come to that conclusion. Yeah,

[00:31:45] Brad Nigh: wow. Uh again, I think just looking or thinking about it, it’s like I think it is all right, but it’s one that the population in general has accepted giving up.

[00:32:00] Evan Francen: Yeah. So if you’ve given up your right, let’s say that it was your right or at least they’re the perception of privacy was right or something and you have given it up to the extent that we have as a society, can you ever put the genie back in the

[00:32:15] Brad Nigh: I don’t think you can put it back but you can stop the bleeding as it were right? Make changes because it it’s better moving forward. But what’s out there is out there, you know, that’s you can’t stop, you can’t get that back. But you can stop future stuff from happening

[00:32:36] Evan Francen: right? When I agree you want state is out there, once it’s exposed, it’s exposed. You can’t get it back. So I think your alternative then for that data is to make the data that’s out there no longer valid. Mhm. So Take my social security number for instance. That’s the easiest one. Actually. Believe it or not. Out of all these other things uh you know my social security numbers already lost or stolen. You know some criminals somewhere some state governments, somebody has or some you know other government has it and they’ll use it whenever they just because they haven’t used it yet. Doesn’t mean it’s not out there, right? Doesn’t mean it’s not already in a bad person’s hands. No way I can recover that part of my digital identity is to change it.

[00:33:26] Brad Nigh: Yeah. Yeah. Yeah. Well you know it’s crazy to think about what you would have to do. Like think about the hassle that women have when they change their name if they get married and they change their name. Like I know what a pain it was for my wife to do all that. Can you imagine that’s just changing the name? Like imagine changing this super secret number that everybody relies on and you have every credit card, every bank account, every you know government function at healthcare. Like it’s so entwined that you know, how do you, how do you do that?

[00:34:13] Evan Francen: What it takes. So I think it it takes something as big and powerful as the U. S. Government to do it. Which is good because they’re the ones who got us into this mess to begin with. They’re the ones who created that number. I didn’t create that number. I didn’t have a choice whether or not you’re going to create this number. You created it to me, shoved it down my throat. Not everybody in the world to use it. And then it’s my problem when when when you know when it’s abused, right? I mean it’s not it’s too racket and uh so the government would have to do it and the government has to design it correctly and they’ve got plenty of help, right? You can reach out. There’s lots of security people in this country that would be you know, willing to design I think a pretty you know, possibly a pretty solid solution right? The specific rules when things are compromised. I have the ability to change it quicker, right? Because now you’ve got all the associations built. You gotta you gotta start over.

[00:35:17] Brad Nigh: Yeah. Yeah. You know, the thing is I think it can be done, right? Like we’re seeing that I think a little bit with CMMC where they’ve learned from some of the stuff in the past. And uh Mhm. It’s uh it’s a, in general it’s a good standard, it’s a good approach to doing this, to protecting, you know, in this case DoD information, but we know they can do it.

[00:35:50] Evan Francen: Yeah well it takes work. People don’t like work and people are I think are distracted with so many other things going on. If you were to ask them how big of a deal this is on their list of things that the government should be focused on right now. I think it makes your top 10.

[00:36:07] Brad Nigh: Oh yeah right now. No

[00:36:10] Evan Francen: But you know the sad thing is though it it should be in your top 10. This is your identity, This is who you are.

[00:36:20] Brad Nigh: Yeah. It does it does impact it does impact people right now, right. Because how are they tracking vaccination? How are they tracking unemployment benefits? How are they tracking stimulus payments all through? You know the social Security number?

[00:36:39] Evan Francen: Right. Well what’s the alternative? So let’s say that we decide, you know, it’s just not worth it. It’s too much work. It’s gonna be too expensive. You know, I just don’t want to embark on this. Uh where does it go? Mhm. The problem doesn’t go away. It doesn’t get less worse. It gets worse worse. Yeah. You know because you know if your social security numbers or you know, these things are already out there and they haven’t been used against you yet

[00:37:19] Brad Nigh: or that, you know of.

[00:37:21] Evan Francen: Yeah. Right. And so and I just think, you know, if you play this through, because we play this big global chess game between, you know, state actors like Russia, China, Israel, US, North Korea. I just saw North Korea’s being ordinary again. Uh you know, we’ve got this chess game going on. Well, let’s say China or maybe Russia, maybe both, have this huge treasure trove of Social Security numbers related to every U. S. citizen. Mhm. Right. It’s conceivable. Certainly given that, like I said, the number of breaches and you know where things are and go and, well, that means they have the identity of every U. S. citizen. Don’t you think they could use that when, when the time is appropriate? Mm, I wouldn’t use it now because I’m not motivated by money, I want to, I want to cause instability in the financial markets, I want to do something bigger, grander.

[00:38:21] Brad Nigh: Well we just saw that with SolarWinds at the time, you know that release and chaos and everything that was going on,

[00:38:31] Evan Francen: right, I just have this fear and I think it’s justified that we’re sort of sitting ducks right now and the chickens will come home to roost and it’s gonna suck. Fuck really bad, not to be a downer. I mean it’s only Tuesday and all that, but I don’t know uh get some silver, get some cash, you know, crypto something uh because I think it does just, it just continues to go down this nasty path until we actually make a concerted legitimate effort to reel this back in. Yeah so that’s that uh the other thing I want to talk about was burnout. So you know, you talk about the work required to get this done. It’s like, oh, I can’t put on my plate right now, man, I don’t know about you. I’m guessing you’re probably pretty busy too.

[00:39:24] Brad Nigh: Oh yeah, I’ve got quite a lot of things,

[00:39:28] Evan Francen: right? So I started writing this blog post and uh, and it’s actually a letter. It’s D. D. L. And Head of Household. And I think it was, this was another night after the shit show. A couple of weeks ago that I wrote this, I just stumbled on it yesterday. I was like, yeah, I should post that. But it’s, here’s CEO and Head of Household. I’m tired. Before you ask why I’ll tell you I’m tired because I work 80-plus hours a week to protect you and all you’re responsible for. I’m fighting a fight I cannot win, especially without your help. I’m asking for your help, but you’re not listening. We’re under relentless attack, but you don’t seem to care. You think it won’t happen to us. I’m afraid it already has. I’m in support of my friends. They sacrificed time with me and they don’t understand why you won’t step up and take the time to understand what you’re responsible for. I need to help you. I need you to help me solve problems, but I can’t get you to participate. You think this is my responsibility, but it’s not, it’s yours. I tell you things with honesty and transparency, yet I don’t think you trust me. We’re understaffed and underfunded. But you keep telling me to do more with less. I need you to champion the cause. But you don’t, but you do nothing more than tolerate it. I want to teach you about information security budget too smart for education. You don’t see the value in me as to you. I’m nothing more than a cost center.

[00:40:58] Brad Nigh: Yeah. I mean that resonates right? And that’s sad.

[00:41:05] Evan Francen: This Yeah. Because that stuff leads to frustration. I think frustration leads to burnout because if you are working long hours and you’re not feeling appreciated and you’re reaching out, you’re trying to get people to listen and they don’t eventually, you get to the point where you say what’s the use I’m done

[00:41:23] Brad Nigh: well and, and not not only that, but on top of all that you get blamed for anything that happens and but there’s never like, yeah, that’s, that’s kind of the uh, whatever the word is the, I don’t know anyway. You know, it’s always like everything is working. So people like, well, what are you doing? And then if something breaks or like what did you do? Why haven’t you fixed it yet? You don’t, if it’s working. You shouldn’t hear from me. That’s a good thing, right? But that’s not how people see it and it is absolutely frustrating,

[00:42:07] Evan Francen: right? And I think that’s maybe why are abandoned brothers and sisters and other genders, uh are we’re also kind of tight. You know, we have our in fighting. You know, we do that a lot. But I know that nobody else can relate to some of them go through in my life other than other security people. Mhm. Yeah. That’s why those things resonate. If you read those off to some other people will be like, yeah, that all sucks. But that doesn’t happen. It’s like mm kind of all that does this is us. Mm. Uh huh. So how do you uh can I know a lot of friends good security people over the years who have just burned out. They just run out of gas man. You know, they were tired of it. I figured what’s the use I’ve got some money saved up. I’m just out the check out. You think that you’ve always been good at balance? That’s one thing I really admire about you. But do you feel those things?

[00:43:11] Brad Nigh: Oh, I mean I definitely felt that in the past. I don’t feel them here, which is great. Right? I think and that’s my that was gonna be my answer is there’s other jobs, find one that fits you right? That’s the how you prevent it. But I’ve absolutely been there in the past where it’s just like I need out. I’m done. I can’t do this anymore. Yeah. But yeah, I think, you know, for me even though it never really stops right? Like IT or security, you just can’t turn it off and go because we’re a 24/7 society at this point right? So it’s always been there. But you know I think I really make an effort to log out as it were for the day and shut off the work brain for that period between you know 55 ish and the kids’ bedtime, try to be there for them and not focus on work. If I work after that, you know, no big deal, or if I work earlier in the morning when they were still asleep and you know not really a big deal because I’m not there 20 minutes of getting ready for school that I would see them right? It is so easy to just get overwhelmed and sucked in and too totally consumed.

[00:44:42] Evan Francen: Yeah. Yeah I agree. It. Uh I think yeah I’ve definitely worked in places where it’s been like that you know and it would be such a tragedy to me personally if you know the companies that I run ended up like this. If we had people feeling like this you know what I mean? What I just showed you, this is part of our mission too, right, to not be this, to not get here, to support each other, to make sure that we don’t burn out. We do a lot of work which we can do a lot of work without burning out

[00:45:18] Brad Nigh: right going back to the executive level, I mean every one of them has been in that position to and they’re all as far as I can tell, every one of them is committed to exactly that, not having that happen here.

[00:45:34] Evan Francen: Yeah, yeah, I think there’s a value in just human beings here, which is really cool. I was talking with John last week and uh and it hit home with me because we were having, we had a meeting and it was kind of an impromptu one and he was like Tuesday and you know, for the listeners, John is the president of FRSecure and yeah, I’m like, hey, how you doing man? He’s like lambert, uh huh, like, you know, so we talked a little bit about that, talked about other topics, but then before we left I was like, what are you gonna do about that? Right? It’s like do about what, like being burned, because oh, I’m taking the afternoon off, you know, to go to Topgolf. I’m like bit awesome man, I love that because uh you gotta keep the stuff in balance, man, it gets out of whack quick.

[00:46:28] Brad Nigh: Well, you know, having worked at home before, but like that big thing that’s changed is people haven’t right, they’re not used to it and it’s easy to get burned because you’re never leaving. So you know, at my office, I get dressed and not just wearing sweats or whatever, like get dressed for the day and when the day is over, I go and have a, yeah, you know, make it a committed commute as it were a transition. Uh, I’ll go and change into, you know, sweats and whatever so that there is a delineation between, hey, you’re at work and now you’re at home and you know, it seems kind of silly or simple, but it makes a difference, right? Like you’re losing that you to decompress and change and transition at least, You know, I don’t have that 20, minutes anymore, but still making that okay. Right. Yeah, definite.

[00:47:41] Evan Francen: Well, that’s a big reason why, you know, yeah, uh I do, I have to do vacations because if I’m anywhere near my office or my workstation, I’m going to work. I don’t have the same kind of self discipline. Um, you know, I did a lot of work this weekend and it’s not so much that it’s gonna burn me out because um work is almost like my heart, like I just genuinely enjoy doing it. You know, I love doing stuff like this, but then when you realize that my wife is sacrificing time with me and my children are sacrificing time with me, when you realize how for me, if I’m working the way I would, it’s a real selfish thing. And that also comes back to haunt you when you get up from the office or you get up from your home office and I walk on the other side of the door and I’m like, where’d everybody go? Yeah. Well, they got on with their day without you because you were so focused on work. Yeah. They’re either in bed, they went out to eat, they did some of these things. And that’s when it dawns on you. Like, I’m really alone. You know what I mean? That also contributes to burnout. You can’t do that very often.

[00:49:09] Brad Nigh: Yeah. Well, it goes back to the self care, right? And you now have set up the uh, your office right in one of the spare bedrooms. So you’re not just like in the living room on the couch. Like for me, I closed the door to the office when I leave, right? I have the doors that I have our had our glass, right? So you can see through them. And I ended up putting the static, like, frosted clean whatever on it. So I don’t I don’t I can’t even see in like if I was fine, it’s there. So it’s it’s these little tricks to like make yourself like this weekend, you know, I had been working some stuff on friday and I was really into it. It was tough to not be like, spend all weekend kind of seeking out on some of this stuff and working on it. But you know, it’s like, no, I I’m going to spend some time with the family and so it does take self control because it is, it’s so easy to just get consumed. Right. So many of us are so passionate about what we do too. And that, that doesn’t help in this. You know,

[00:50:27] Evan Francen: if you combine the passion with, uh, I really love doing this shit. Yeah, it becomes like, oh God, here we go. So yeah, I think so. I’ll post this uh, this blog post, maybe the next, maybe today. And uh, maybe we can even pick it up some more next week because it’s one of those topics that you could just do your podcast on this, right? Just on burnout. So to give it only 10, 15 minutes every 20, 30, 40 episodes because we have talked about it before. It just doesn’t do it justice. Right? Listeners need to hear it again and again. These are habitual things that we need to address. Yeah. Okay. Yeah. Right. On the news, before we wrap this thing up, I think it’s been kind of an action packed, you know, a lot of stuff in this episode, which is cool. First one I’ve got is from welivesecurity.com and the article is Apple patches three iOS zero-days under attack. If you have not patched your iOS devices, uh, do it. Your watches, your Apple TVs, your iPads, your iPhones. They’re all affected, Patrick. Yeah,

[00:51:57] Brad Nigh: once. So, I mean we’ll just think about how widespread that is, right.

[00:52:06] Evan Francen: Mm hmm. When you can’t say you didn’t hear it right, these zero-days are being actively exploited in the wild. I think one of them for sure is a zero-click. So you don’t have to do anything for the attacker to exploit the vulnerability. Um, so update, I think 14.4 is the latest version, uh, iPhones and iPads. So if you don’t know how to do that, open up your iPad, iPhone, go to Settings, right at Settings, you’ll do um, General, check for something to do up. Software Update, yep. And it goes checking for update and it says iOS 14.4, your software is up to date. That’s because I’m a security guy. I patched my stuff. You should too. All right. So that’s that, Patrick. You’ve got no excuses now. You heard that? And I thought this next one was sort of interesting. I’m not gonna spend a ton of time on it. Um, it’s from security incidents dot com, but I think might be IBM’s plug, but the title is CISO success: it’s about more than tech skills. I won’t go through the whole article here. There’s nothing revolutionary here. If you’ve been in this industry for a while, if you’ve been in leadership for a while, none of it was like earth shattering. We’ve been preaching lots of these things. The one thing that’s kind of refreshing is I like the way the author George Platt says uh laid things out. Mhm. But the best CISOs I’ve met in my career are not expert technologists. They are expert leaders, they’re expert lovers of their teams, they’re just really good people.

[00:54:02] Brad Nigh: Yeah, that doesn’t mean that you can’t have a good one that has, you know, is a tech expert. But it’s those, I think it’s the other skills that are far more important and are what make you successful or not. I mean, the technology is almost a uh a bonus I guess, or kind of secondary tertiary skill, right? It might make you better at it, but it’s not going to make you good at it.

[00:54:37] Evan Francen: And I’ve almost found a few CISOs come to mind that were actually not, yeah, not good technologists. They were really good leaders. Um it almost worked out to their benefit because they were humble, they were more humble. They have a big tech ego.

[00:54:58] Brad Nigh: Yeah, that’s the big thing, like, like I said it being successful in that role doesn’t like you don’t you don’t have to be a technique to be successful. You have to have those other skills to be successful doesn’t mean if you are really technology focused or have that back or you can’t be successful, but you better have, you have to have the skills to be successful.

[00:55:27] Evan Francen: It’s 100% very,

[00:55:29] Brad Nigh: very fine line on that I think like

[00:55:34] Evan Francen: Yeah, Yeah. You know, we’ve some of us have learned that. I mean, some of us have learned that the hard way I’ve seen since I’ve just learned that way. Yeah. Because the more, you know, if you don’t have those other soft skills, you know, going back to the burnout thing, you just accelerate that process too because nobody understands what you’re talking about. Nobody wants to work with you. Yeah, it’s tough. All right. The last one I’ve got is from ZDNet, the title is ransomware gangs now have industrial targets in their sights. That raises the stakes for everyone.

[00:56:13] Brad Nigh: You know, it’s just a matter of time. Uh, we’ve seen a lot of manufacturers, uh, in those kind of what you consider, I guess nontraditional targets. But we’re starting to see, we’ve seen quite a few manufacturers or along those lines being targeted. Yeah. You know, engineering firms, those kind of, you would think typically healthcare and banking or finance that you’ve seen. You’ve seen others. Yeah,

[00:56:43] Evan Francen: yeah, yeah. And this is a thinking man, when it’s a, when you look at some of our infrastructure, it’s such a massive mhm thing. Like take a look at, you know the way the electrical grid works across the country and how they connect to each other and all this other stuff. It’s like, wow, that’s complex. You wonder if at some point we’re just gonna have to buck up and just redesign the whole damn thing.

[00:57:12] Brad Nigh: Yeah.

[00:57:14] Evan Francen: And build it right, build it with security built in, build it with resilience. You know, there are still places, significant points of failure, where you can’t patch a computer because you bring power down, regional redundancy, so they sit there with the next piece system.

[00:57:36] Brad Nigh: Yeah, it’s I mean, yeah, we’ve seen it with where, you know, the SCADA systems are like, well, no, we can’t take it down. There’s no right, like uh fingers crossed then.

[00:57:58] Evan Francen: Well, the thing is, is like, the logic is either you take it down in a planned manner in a controlled manner or the attacker will take it down for you. Mm Which do you prefer? I’d rather do it myself, you know, like, notify all my customers, Hey, we’re going to have a power outage for, you know, five minutes, 10 minutes. Make it during the day when it will be, you know, Saturday, I’m some some somewhere when there’s least load then other times.

[00:58:33] Brad Nigh: Well, it I mean, you’ve got California for sure. Like you did the rolling brownouts,

[00:58:40] Evan Francen: right?

[00:58:41] Brad Nigh: Like, okay, well why not do that? So you cannot think this stuff. It’s very inconvenience. Yeah. What’s a bigger inconvenience? That being ransomed?

[00:58:54] Evan Francen: Right? Yeah, it is 10 minutes or 10 hours or 10 days.

[00:59:01] Brad Nigh: Mhm.

[00:59:03] Evan Francen: All right, well, good man, that’s it for episode 117. Good talk, man. It’s always a good talk with you. It actually wakes me up. You know, I came into this podcast, like, you know, dragging ass a little bit. But you know, I’m kind of fired up and ready to kick some ass

[00:59:22] Brad Nigh: and hopefully the listeners can tell the last what is the third or fourth one gets the fourth one where kind of went away from the scripted pieces just just talking.

[00:59:37] Evan Francen: I think it might put show notes out still, but I won’t do the script. I’ll just put topics.

[00:59:43] Brad Nigh: Yeah, because I don’t know. I think it just, it’s more flags not knowing where this is going to go.

[00:59:51] Evan Francen: Yeah, totally. Yeah. You didn’t know the topics until you jumped on the conference.

[00:59:58] Brad Nigh: Yeah, Somebody was asking me about doing what we were digital weapon on there. Like it’s really high level and, and it’s like, are you okay with that? I’m like, I do a podcast where I don’t find out what we’re talking about until I get on like, yeah, I’m not really good with just going with the flow and uh huh

[01:00:19] Evan Francen: Yeah, me too. Alright, well that’s it. Uh thank you to our listeners. Send us things. Oh crap. That reminds me it’s on my task list. So for any of the listeners, we got some email, man, I went into the emails like, oh crap. We promised people books. I gotta get those books sent out. Uh Yeah, so there you go. I will be checking and I’ll put it on my task list to do that regularly. So send us things by email. We promise to reply. Uh send us at unsecurity@protonmail.com. If you are the social type you can certainly socialize with us on Twitter. I’m @EvanFrancen, Brad is @BradNigh uh basically uh actually shout out, Brad, you gotta shout out um

[01:01:11] Brad Nigh: mm You know I’m trying to think

[01:01:17] Evan Francen: Brad, it’s now official. Brad appreciates nobody.

[01:01:21] Brad Nigh: Uh Well we just had a potential reverse shell pop on one of the IRs. So a little distracted just now. Sorry. Uh Yeah gosh you know so it seems just all the kind of the back end people are secure that just made my job so much easier. You know like the marketing people where I don’t have to write a full blog post. I can just do what we’re doing and talking or you know operationally with like, you know, uh huh, the our resource manager, customer success manager, project manager team, those just all the stuff that they do and so you kind of see what they’re doing. It’s like wow. Yeah that makes him having to do some of it or whatever. It’s like cool. Yeah they really make my life easier so

[01:02:17] Evan Francen: Yeah no doubt I’m gonna give a shout out, I’ve been redundant before and you know certainly in the past, shout out to my son, Joe. Uh I’m just amazed at how good quality of character that kid has. You know, when you raise kids, you just want them to be better than you were. And you know Joe is definitely that. He came over this weekend and uh just a great kid and very, very proud of him.

[01:02:48] Brad Nigh: Okay. I’ve heard nothing but good things from a work perspective as well.

[01:02:53] Evan Francen: Yeah, I don’t know what well Mr cross or something. I don’t know

[01:02:59] Brad Nigh: right? Like my kids do that and I’m like, you okay? You sure your mind, right?

[01:03:08] Evan Francen: Well, I told Joe too, you know, I told all my kids, you know, when I raised them, you know, your dad set the bar pretty low for you, meaning, you know, there are things like if you can just like not, you know, my past is troubled, you know, I was a rebel man. If you could just not get arrested uh, until after the age of 14, you already surpassed that bar. Right? So, you know, those bars were low and then, you know, I started pushing the bar up as I got older. But anyway, lastly, uh we do have companies who work for it. And uh, you know, SecurityStudio is @StudioSecurity somewhat. Uh they’ve been posting a lot of stuff and then @FRSecure. Always good stuff there. I want to remind listeners about the CISSP Mentor Program. We heard yesterday morning uh 2163 I think registrations, which they surpassed all of 2020. Uh, looks like we might hit 5000.

[01:04:12] Brad Nigh: So it’s pretty cool. We, there’s a good chance we’re gonna have more this year than combined previous.

[01:04:20] Evan Francen: It’s awesome. I love it helping people man serving people. That’s what we do. All right brother, you have a good one. All right. All right.