Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Hey, So I go to the chiropractor and walk up to
the receptionist and say I need to book an appointment.
She says, okay, how about ten tomorrow. I said, no,
I only need one. It's not a Michelle Bustamante dirty joke,
but it is in keeping with the tradition of this
(00:22):
show where I start with a dad joke. I thought
that was appropriately bad.
Speaker 2 (00:26):
Dad jokes are good. Appropriately.
Speaker 3 (00:29):
We have a lot of younger listeners, which is surprising,
but good younger listeners. We appreciate you, we do.
Speaker 1 (00:42):
All right, So welcome to Security This Week. That voice
you heard was the voice of the lovely Michelle Bustamante.
She is our first guest on the panel as we
go through these stories. But also there's a history between
Patrick and Michelle that has to do with a podcast called.
Speaker 2 (01:01):
Locked Down. Locked Down, because what you don't know can hurt you.
Speaker 1 (01:06):
That's right, that's right.
Speaker 4 (01:08):
That was our byline.
Speaker 1 (01:09):
She remembers, Yeah, wow, that was the tagline. Yeah. So, anyway,
we've been doing podcasts for a long time and we've
been friends with Michelle for ever before, way before podcasts.
Speaker 4 (01:20):
Before she was born.
Speaker 2 (01:26):
Nineteen wait, Carl, it was nineteen ninety four.
Speaker 1 (01:29):
We were friends when you were a gleam in your
father's eyes. Okay, so let's start with this one. GitLab
patches high-severity account takeover, missing auth issues. Okay,
tell me, tell me what happened here. It doesn't sound good.
Speaker 2 (01:48):
Well, missing auth automatically sounds terrible. Just throwing that out.
Speaker 4 (01:51):
I was going to say, right, but patching is good.
Speaker 1 (01:54):
Yeah, is good.
Speaker 4 (01:55):
It's patched. That's that's the good news.
Speaker 3 (01:56):
But who wants to be who wants to be bothered
by that pesky authentication stuff? Right? So you know, GitLab
really hasn't caught a break this year. We've seen
several patches come out, including GitLab. So this latest
one is an HTML injection issue.
Speaker 1 (02:15):
Interesting, Yeah, is that from cross site scripting or something?
Or how does one inject HTML?
Speaker 3 (02:21):
So that's that's that's let's uh, let's dig into it.
CV two eight an issue has been discovered with GitLab
CE/EE, affecting all versions starting with eighteen
and before eighteen oh two. Under certain conditions, HTML injection
in new search pages can lead to account takeover.
Speaker 4 (02:42):
When when you said ee, I thought you started speaking dolphin.
Speaker 3 (02:46):
No. Now, so typically what this might be is maybe
you can maliciously send someone a link that has a
pre filled in search query and when they click on
it at that point.
Speaker 4 (02:57):
Is that how you do it?
Speaker 3 (02:58):
You know, I'm just if somebody want to do it,
that's probably a suggestion.
Speaker 4 (03:03):
The shame if your GitLab got infected.
Speaker 3 (03:06):
Shame if you clicked on that link. I stand to Patrick,
So that's what this looks like. So yeah, I agree
with Patrick, Oh, patch this one. But yeah, if you
guys use GitLab, you should be probably checking patches every day.
Speaker 1 (03:19):
So it sounds like a sort of a SQL injection
or something that's a little more nefarious than just what
you're going to put up in HTML on the page.
But anyway, yeah, and it can be.
Speaker 3 (03:30):
I mean, sometimes it's just the injection is to feed
a cookie back to the attacker, right. Sometimes it's like
the injection is to grab information from the attacker and
feed it back that sort of stuff.
Speaker 5 (03:40):
Okay, So one of the things that we've encountered. We're
always looking at phishing and how phishing can be evolved
and how it's evolving, and one of the things that
we've seen is conditional HTML, where if the client viewing
the email is Outlook. It displays one link and if
it's not, it displays a different malicious one. And so that
(04:01):
way it can get past the filters of you know,
Office 365 and the higher standards. But if
you view it through a browser, it's less likely to
get caught. And they so it's that conditional injection that
we see it everywhere. Injection is an attack that
just keeps on giving.
Speaker 1 (04:19):
Yep, the hits keep coming, all right, So this one's
from Lifehacker. One million two-factor authentication codes were
recently exposed. And this doesn't make sense to me because
2FA auth codes are generally in real time. How
why does anybody care about used auth codes.
Speaker 5 (04:40):
It may be because they're they're pseudo-anonymous and therefore
they're predictable if you know one of them.
Speaker 3 (04:45):
So it can be that. But if I can tie
a phone number back to a user foreshadowing, maybe then
you could have a pretty good attack here. Right. So
if I say had a couple hundred million dollars I
stole over ransomware, and I then spun up a telco company,
and then I signed a contract to be the cheapest
one routing SMS messages in the clear, I could pick
(05:09):
up a lot of these. So this, this is in
essence what happened where we have I'm not saying there's
you know, not a legitimate telco company. However, having all the
codes in the clear is a little weird.
Speaker 4 (05:20):
Well, it is weird that most of the elite hackers
we know always say I work for a telco.
Speaker 3 (05:25):
Well they do. Yeah, all hackers work for telcos.
Speaker 2 (05:28):
But every single one of them.
Speaker 3 (05:30):
There's no other way.
Speaker 1 (05:31):
That's it.
Speaker 2 (05:31):
But isn't it true, Like I mean, SMS is now
basically deprecated as a recommended form of MFA in the
first place, right, and yet you still have sites that
let you log in with your phone number, foreshadowing maybe it'll.
Speaker 5 (05:46):
It'll take twenty years before that deprecation filtered system.
Speaker 2 (05:50):
This is the problem. This is a problem because like
even banks, even like financial institutions that literally should care
more than anybody about protecting these accounts, they don't. They
don't want the friction.
Speaker 5 (06:03):
The podcaster and me is very upset about this, but
the cybersecurity services purveyor is very happy about this.
Speaker 2 (06:11):
Yeah, I mean, it's a gift that keeps on giving, right,
Like I do all kinds of identity solution architecture, implementation,
access management, and these are the things that literally nobody
seems to be listening when they were reading and understanding
and following the rules and the guidance. So we get
to come in and tell them the guidance they should
probably already know, right, Yeah.
Speaker 1 (06:33):
In hindsight, that's always the fun kind, right, and tell
them what they did wrong. And if you had only done.
Speaker 6 (06:40):
This, if they only have well hines my hind hindsight, hindsight,
that should be, that should be.
Speaker 1 (06:52):
It is now.
Speaker 3 (06:54):
So according to the article, telco companies commonly use intermediaries
to send text messages at cheaper rates like we just said,
which is possibly thanks to large contracts with multiple carriers
and ownership of so-called global titles, network addresses that
facilitate communications between carriers and countries. So if you position
yourself as a telco that's going to send these messages
(07:16):
super cheap, then you get all of your your telecommunications
companies wanting to route through you. And that's where they
were seeing low a spider, Google, Amazon, Meta, Tinder, Snapchat,
Binance, Signal, and WhatsApp all potentially routed through here.
Speaker 4 (07:29):
For the low low price of I'll pay you a
penny apiece.
Speaker 3 (07:32):
Right, yeah, exactly. Then you can see everybody's
2FA, which is kind of nice.
Speaker 1 (07:36):
Hmmm.
Speaker 3 (07:37):
I kind of like that. Okay, But Jim Michelle, you're
absolutely right. We have been pushing use the multi-factor
authentication app anytime, like, use Google Authenticator, use Microsoft Authenticator,
use whatever it is. But SMS should be dead. The
order it goes in is authenticator app. Then if you
can't use that, SMS, and then if you can't use that,
(07:57):
use email. But email is usually the first thing they've im.
Speaker 2 (08:00):
First when they breach, and it's the first one they
want to use.
Speaker 4 (08:03):
For some reason, I prefer the North Korean applications. That's
the one that I find the most.
Speaker 3 (08:09):
Yeah.
Speaker 2 (08:10):
Well what about what about passkeys though? Right? Like,
so that's what they're trying to get, right.
Speaker 5 (08:14):
So they're not consistent yet, everyone building their own. A
passkey is a machine key that your phone and
the site, or your your computer or browser and the
site established. It's like a primary key, public-private key pair,
very long. Think of it like an 80-character, 100-character
password between your device, which gets authenticated usually
(08:37):
with biometrics on higher level, and the site. The problem
with passkeys is you get a storm if you
want to use them across sites, which Bitwarden and other
password managers do. The problem right now is almost everyone
is implementing them differently. There's not a consistency yet. So
I would recommend everybody start using them and experience that
pain of your learning a different way of passkey
(09:00):
for every platform, and eventually it'll standardize.
Speaker 4 (09:03):
But it's worth it to be ahead of the curve.
Speaker 1 (09:04):
GitHub uses passkeys now optionally.
Speaker 3 (09:07):
Yeah.
Speaker 2 (09:07):
The other thing is a year ago, people didn't even
want to try it, right, I mean, it was all
the recommendations where FIDO is not going anywhere and nobody's
adopting and.
Speaker 4 (09:16):
It's going to get broken.
Speaker 2 (09:18):
Yeah, But I want to tell you I had a
customer that has you know, like twenty five million users
that decided to go ahead and do it, and they
started getting adoption and people actually signed up and they
had no friction, and it was kind of like a risk,
you know, like an opt in risk, but they really
wanted to force it on people and they managed to
(09:39):
do it.
Speaker 5 (09:39):
So I'm hoping twenty twenty five is the year of
passkeys, but I think it's twenty twenty six.
Speaker 2 (09:43):
I agree, Yeah, all right.
Speaker 1 (09:45):
Should we talk to times.
Speaker 3 (09:46):
I love Veeam.
Speaker 1 (09:49):
We've talked about Veeam before, but what the heck is it?
Speaker 4 (09:52):
It's the noise you make when you're going down a
big sled hill.
Speaker 1 (09:57):
Only in Calvin and Hobbes, right, I think I saw
that Kure strip.
Speaker 3 (10:02):
Yeah, so virtual machines. We've talked about virtual machines in
the past, right, So, yeah, you may not want to
have live hardware for everything, so you run virtual
machines for certain types of services. Now you need to
back them up and be able to replicate them and
send them to a DR site. And Veeam does just that.
So it's a piece of software that will back up
virtual machines and restore them and make sure they're up
(10:23):
and running and all that good stuff. Problem is, they
generally get access to everything, right they have to. They
need access to the VM at the lowest level. They
need to be able to copy things around that sort
of shop. So an exploit in Veeam generally is a
bad thing.
Speaker 1 (10:36):
You've talked about this before, Patrick, that backup is one
of those things in your IT setup that is
by nature vulnerable because it needs to have system-level
access to everything.
Speaker 3 (10:48):
You know, it's even better than the fact that it
has access to everything. Usually backup accounts aren't audited, right,
They actually bypass auditing because they touch every file, so
we just sully up the audits. So if you can
compromise an account that has backup rights, at that point
you can access files without anybody knowing it. Yeah, it's
it's not enough to say that that's a target. I mean, career,
(11:11):
you want to move around a network without anybody knowing
compromise of acribacat.
Speaker 1 (11:15):
And that would be today's criminal career advice for all
the music Brandon.
Speaker 5 (11:20):
It's even administrators. If I had to choose to get
access to a credentialed account, I would typically pick a
backup administrator before a full administrator. Yeah, because of the audit.
So that's a fantastic observation, Dwayne. I'm sure it's not
based on any of your recent weekend activities now I'm
(11:44):
talking about, but yeah, it's it. Basically, it's like Spider-Man
says, with great power comes great responsibility.
Speaker 1 (11:51):
I think someone else said that before Spider-Man did,
no Winston Churchill.
Speaker 2 (11:55):
I think I think Spider-Man's dad said that.
Speaker 3 (11:58):
That's just true.
Speaker 4 (12:00):
Always wait, uncle Owen with yes, may he rest in peace?
Speaker 3 (12:05):
Was Luke Skywalker's uncle.
Speaker 2 (12:06):
I don't know, but he was a lot of uncles.
Speaker 4 (12:09):
But anyways, yes, but anyways, or they fun uncles.
Speaker 1 (12:13):
That's the first uncles.
Speaker 3 (12:15):
So what's green about this exploit? Is you read through here?
It is a remote code execution? Have me done by
any domain users? You don't need to be an administrator.
You just run this execution. But in this article it
doesn't explain what the execution is. So if you want
to know exactly what it is, you can just take
CVE-2025-23121 and
put it into ChatGPT and say can you tell
me how to exploit this?
Speaker 1 (12:36):
Oh man?
Speaker 3 (12:36):
And ChatGPT comes back and says, yeah, absolutely. Any
Veeam server that's attached to a domain, well, have a
deserialization bug in a .NET object that has
a remoting interface in the Veeam.Backup.EsxManager.XmlFramework
and Veeam.Backup.Core.BackupSummary interfaces.
Speaker 1 (12:56):
Don't you wish we could just kill .NET Remoting? Michelle?
Can you work on that?
Speaker 3 (13:01):
Yeah?
Speaker 2 (13:03):
Yeah, yeah, I thought it was dead, so apparently, well.
Speaker 1 (13:06):
Still dead to me.
Speaker 4 (13:08):
I think I think Ingo Rammer may take issue with that.
Speaker 2 (13:12):
Yeah, that's I think. I think there's a lot of
protocols that sort of like live dormant to write on
systems everywhere, including in the cloud, Like you forget to
turn off the least the least future need.
Speaker 5 (13:24):
Stuff is very convenient, and convenience is the equivalent of
not secure.
Speaker 1 (13:29):
That's the problem.
Speaker 3 (13:30):
Yeah, agreed. We I mean when we audit companies, when
we're breaking into a place, we're literally looking for things
that are either a misconfigured number one issue or be
turned on that nobody knows about. I can't tell you
how many times we're talking to a customer like okay,
yeah we were able to get to the main administrator
through this SFTP server and they're like sorry, like
I think that we stopped using that about forty years ago. No,
(13:52):
still up and running out of that's still there, Yeah exactly.
Speaker 5 (13:56):
What Yeah, we see horrible is when the person who's
got the test servers, the one that brought us in
the gig that.
Speaker 4 (14:02):
Happens and it's like I'm sorry, but it's your system.
Speaker 3 (14:06):
Yeah, you're the biggest law goodbye. Yeah. So if you're
ever looking for more details on some of these exploits,
go to the AIs. They will pull a lot more
information out than you might get from these articles.
Speaker 1 (14:17):
Interesting.
Speaker 2 (14:19):
One thing we might want to say is the closing
message on that one is, Hey, all of you employees,
you know, vendors and end users of applications, if you're
not in pain, suffering and upset on a daily basis,
you are not secure.
Speaker 5 (14:32):
Yes, yeahmple right, although you still might not be secure
even if you are those Yeah.
Speaker 2 (14:38):
Sorry, that's the starting message, like, for sure you're not secure.
The right flas step is are you ever secure?
Speaker 3 (14:44):
Well? And it's funny you say that, Michelle, because we
do get when we're auditing customers' environments, we obviously are
hitting software that they didn't make right. And it might
be point of sale software, it might be booking software,
it might be whatever. And we've seen some companies where
we'll find critical flaws and we'll reach out to them
and they'll be like absolutely super happy to work with you, guys,
what are your suggestions? How do we fix this? And
(15:05):
then we've had other companies literally come to us and say,
what are you doing? Why are you looking at our software?
Speaker 1 (15:09):
Go away?
Speaker 3 (15:10):
And just drop the issue because they didn't pay us
for the pentest. Their customer did. So yeah, we've
seen that in the field where they're like, you know
what our suffers find like scoot.
Speaker 2 (15:21):
So yeah, it's well, you can't force the vendor to
pick up right like, yeah, but you have been war.
Speaker 3 (15:28):
But in ninety days, you can publish the exploit publicly.
Speaker 4 (15:31):
And we also we see we see.
Speaker 3 (15:33):
For example, we see proper disclosure.
Speaker 4 (15:36):
It shows the culture of the vendor, and we do
see problem after problem after problem about those that resist
us versus those that embrace us.
Speaker 6 (15:47):
Yeah.
Speaker 3 (15:47):
I mean we say us as in not necessarily our company,
but our division, our industry, our industry, defensive cybersecurity people.
People generally look at us weird. Yeah.
Speaker 5 (15:55):
Yeah, when a governor tries to sue someone for finding
a flaw in their government website, that's that's a sign
that they're.
Speaker 4 (16:02):
Going to have more problems. Yep, sorry, go ahead, Michelle.
Speaker 2 (16:05):
No, just that. I mean we see it too, like
with identity protocols, right, Like the same thing where we
do integrations for customers and then we'll run into a
vendor they're trying to integrate with that is completely custom.
It has to be custom threat modeled, it's not following protocol,
or it's actually going against a protocol that's been deprecated
with like a list of resources that say why don't
(16:25):
use this, and that vendor doesn't update because maybe their
hands are tied, right, like they're in as sas or
they're you know, they have the resources, et cetera. But
our job is just to point out to our customer,
like this is a you know, it's a third party
that you're trusting that could actually leak and cause problems
with your users, right, so like you know it's a
(16:47):
it's a third-party issue.
Speaker 3 (16:50):
Yeah, yeah, absolutely, And here's the risk. I mean, that's
your job, right, Like, here's the risk here if they yes.
Speaker 2 (16:55):
Supply chain vector, right yeah, yeah, absolutely.
Speaker 1 (16:59):
All right, before we take a break, let's do this story.
If you've been following the security news over the last
month or so, you will know that hijinks are
happening in North Korea, well even in the United States
and with North Korean IT workers that are sort of
hiding themselves. But North Korea is in the news again
(17:21):
this week. This story from Bleeping Computer, North Korean hackers
deepfake execs in Zoom call to spread Mac malware.
This is so full of hijinks, I just don't know
where to start. So good.
Speaker 3 (17:37):
Yeah, so you guys have probably seen Sora and all
the other AI models for generating video or have you
guys looked at them? Yeah, they're getting really they are good.
So if there is enough video and or voice of
people like somebody who does a podcast every week, it
is super easy to get an AI at any talk
(18:01):
like you. It's there are services out there that you
can give them the voices and likeness and they will
create an agent for you.
Speaker 4 (18:09):
I resent the implications.
Speaker 2 (18:13):
Can they give me a boop job?
Speaker 1 (18:18):
The robot? Overlord?
Speaker 3 (18:23):
You are a robot?
Speaker 1 (18:26):
What did you call me? Yeah?
Speaker 2 (18:33):
We do.
Speaker 3 (18:35):
Yes. So if you are the new CEO of an organization,
let's say, and there's video and voice of you out there,
somebody might actually go and h model you and put
you out there.
Speaker 1 (18:46):
And if this has happened before and it wasn't, Yeah,
it was like a couple of years ago that this
started happening, these kind of deep things.
Speaker 3 (18:54):
I would assume. I would hope that after five minutes
of talking to an AI I would realize I'm not
talking to Patrick.
Speaker 4 (19:01):
Maybe well, we have challenging responses built in.
Speaker 1 (19:05):
Yeah, that's right, we do.
Speaker 4 (19:06):
Actually we do.
Speaker 5 (19:07):
There's been times when we've like you know, built up
like a you know, throwing a random question or say
things that helps us know that the other person wants
an authentication.
Speaker 4 (19:17):
We're paranoid as hell.
Speaker 2 (19:18):
What a great idea, though, like that you should you
should totally uh you know.
Speaker 1 (19:22):
Trademark that or Patrick the rooster crows at midnight?
Speaker 4 (19:25):
Patrick, it does, I would like some eggs please.
Speaker 1 (19:30):
There you go.
Speaker 2 (19:31):
I think you need to do that. Also with like
ransom calls, right, like that's the only thing that's happening
if people are voices.
Speaker 3 (19:39):
Yeah.
Speaker 5 (19:40):
So I'll tell a story that's actually a true story
that happened to me the other day. And the poor vendor,
I feel bad for them. But we had a contract
to do something. I got it through a one of
the standard DocuSign, PandaDoc kind of emails. I
read the contract, I expected it, I signed it, and
then something changed and we had to do it again.
But the poor vendor, who I'd never emailed with, sent
(20:02):
me an email that just had a link to the
doc and I'm like, dude, there's no way in hell
I'm clicking on this. I don't And I gave them
like a whole narrative and CC'd the person from
our staff that was responsible for and I said, I
just I don't care if I even expected it.
Speaker 4 (20:18):
I don't know this.
Speaker 5 (20:19):
This domain doesn't look right, and here's all the reasons
I'm not going to click on this. And then finally
our person got in. I had a conversation with them,
but it sounds like a waste of time and being pedantic.
But I'm very hard target because of that, because of
that level of paranoia, and I'm trying to teach it
to other people.
Speaker 4 (20:36):
Don't like an insurance.
Speaker 5 (20:38):
A credit card company should never ask me to call
a phone number that isn't on the back of my card.
They should always start with call the phone number on
the back of your card, then click, then ask for
extension one, two, three, four, five. I'll call that every time,
but if they tell me to call any other number,
I'm only calling the call number on the back of
my card. We have to train people, we have to
learn the right way to do this stuff.
Speaker 3 (20:59):
But it surprises. You need to train people in this
because if somebody were to walk up to your house
and be like, oh, you know what, I work for
the number one roofing company in the state, and your
roof's terrible and whatever. Right, Like you wouldn't trust him,
you'd be like, you know what, if I'm looking for roofing,
I'll go find you know, the betters. You're all find
who's right. I'm not going to take this random person
who just showed up on my lawn.
Speaker 5 (21:20):
I don't think you're right. I don't think you're right.
I think a lot of people will.
Speaker 2 (21:24):
I don't think you're right either. I think I think
people will do it all day long, all day long.
My dad asks me all the time, did you see
that video I sent you? And the answer is always,
I have not seen that video. You know why because
I mean, he says.
Speaker 4 (21:42):
I don't trust you, old man. I don't trust you.
Speaker 1 (21:46):
Ever since you took away my lollipop when I was five.
Speaker 2 (21:51):
Remember when you grounded me because screw you, Dad?
Speaker 3 (21:55):
Yeah?
Speaker 4 (21:58):
Wow, I could have been a beller word for you.
I could have got a booth.
Speaker 2 (22:10):
Oh yeah, that's it's just going to keep going, isn't it.
Speaker 4 (22:13):
My apologies to tell you?
Speaker 2 (22:16):
Like my dad will love this, So I gotta tell
my brother to listen to this episode, okay, And the
thing is is he gets all these links from all
his old buddies, right, and they're all like sending funny
things and funny memes and funny links. But there's like
never any texts, just a limit is clicking those all day.
Speaker 5 (22:34):
Long, just like in the Old Folks Home. They're just
swapping viruses, that's all it is. I think this is
our funniest episode.
Speaker 2 (22:46):
Yeah.
Speaker 1 (22:47):
Oh boy, Well with that, are we done with North Korea?
Speaker 4 (22:50):
Or I think they're done with us?
Speaker 6 (22:52):
Yeah?
Speaker 3 (22:53):
I think so.
Speaker 1 (22:54):
All right, so deepfake Zoom attack, read up on it. Yeah,
and after the break, we're going to talk about Iran.
So stick around. We'll be right back, and we're back
at Security This Week. I'm Carl Franklin. That's Patrick and
Dwayne and Michelle Bustamante is with us, and it is
(23:15):
turning out to be one of our funniest, if not
scariest shows, maybe for the same reason. I don't know.
So this is in the Hacker News. Iran slows internet
to prevent cyber attacks amid escalating regional conflict. I'm calling
bullshit on this, huh, Because if you slow the internet,
(23:38):
that is going to prevent things like your people from
getting information. Yes, but it probably won't prevent cyber attacks.
They'll just go slowly.
Speaker 4 (23:49):
This is a this is.
Speaker 5 (23:50):
A I'm going to uh, I'm going to inject bleach
into it, and that's.
Speaker 4 (23:55):
That's going to solve some problem.
Speaker 3 (23:57):
Or there are so many people brute forcing accounts in
Iran that their Internet is slower and they're like, we did,
we did. We slowed it down. You didn't slow it down,
We slowed it.
Speaker 1 (24:05):
Yeah, we did that on purpose.
Speaker 5 (24:07):
I posted this article because I thought it would be
interesting to talk to Dwayne about. I don't think this
would be an impediment at all for you. It might
keep you from downloading hundreds of gigabytes of files in
a ransomware, but it really wouldn't stop.
Speaker 4 (24:19):
You would just slow it down.
Speaker 3 (24:20):
Yeah, I mean we've we've used command control structures over
d over DNS and DNS is very very short like
burst text messages. Think of it that way, so you're
not you know, you could slow down the Internet. It
wouldn't matter. The other thing that's kind of weird here
is they say uh a pro-Israeli group claimed responsibility
for cyber attacks on Israel are on Iran's bank, crippling
(24:43):
access to its website and ATMs. I don't know how
many people keep their their ATMs on the Internet. It
sounds like maybe some basic blocking and tackling is what
Iran needs, maybe not slowing down their Internet.
Speaker 4 (24:56):
But yeah, I think they have other concerns this week.
Speaker 3 (24:59):
A little bit. And here's the other thing, just sort
of a little bit of advice for anybody who's going
to be in a global war. The cyber attacks happened
before the missiles fly right, not after, So usually they're
already in the system first the.
Speaker 5 (25:13):
Cyber attacks, first, the information campaigns, then the cyber attacks.
Then you preposition commandos to take out the air defenses.
Speaker 4 (25:21):
And then and then the pagers explode.
Speaker 1 (25:25):
I kind of feeling that Dwayne could launch nuclear missiles
with a 300 baud modem and a.
Speaker 3 (25:30):
Turn firm or deny. But I got to play WarGames.
Speaker 1 (25:34):
You don't necessarily need fast, you just need access.
Speaker 3 (25:38):
You just need access a couple of bits. That's always.
Speaker 4 (25:41):
So we wanted to post this story because to debunk
the well, if I go slower, it's it's like, if
if I can get them to stab me slower, maybe
that will be stabbed.
Speaker 3 (25:52):
Right yeah.
Speaker 2 (25:53):
Yeah, you lock the front door, but your windows are
still open. Somebody will find an opening somewhere, right, yeah,
but let's talk about it. The name of that group
that did the attack on on their systems predatory Sparrow.
Speaker 3 (26:06):
I love the really cool name.
Speaker 4 (26:09):
Actually it's a giant sparrow.
Speaker 5 (26:10):
I don't think I'm afraid of a predatory sparrow, like
big bird, four thousands of the bird with a machine gun.
Speaker 2 (26:19):
I'm just thinking of a logo here.
Speaker 3 (26:21):
You know, right now, there are a lot of really
cool hackering. Actually, there's been this movement in the cybersecurity
community to stop giving hackers like really cool names because
a lot of hackers are like, oh yeah, we're or
you know, we're crip spider, and it was like, it's
actually kind of cool.
Speaker 4 (26:37):
No, no, no, your wet diarrhea. That's your new name.
Speaker 3 (26:42):
That's what we need to do. Patrick. That group is Syphilis.
Speaker 1 (26:49):
Aka adult diapers.
Speaker 4 (26:51):
Yeah, aka adult diapers. That's that's I'm a member. I'm
a member of Adult Diapers.
Speaker 3 (26:59):
Well, there we go. We solved to solve that problem
for the world.
Speaker 2 (27:03):
We went from predatory sparrow to wet diarrhea.
Speaker 4 (27:07):
I mean, that's a little redundant. But you know, I'm
trying to cast an image here.
Speaker 3 (27:13):
I'm trying to kind yeah, thanks, or maybe you just
need the one brand to pick up.
Speaker 2 (27:20):
So it's always what right, isn't then every single name
just adult adult diapers?
Speaker 1 (27:31):
Yes, pretty much?
Speaker 4 (27:32):
Covers isn't dry? Isn't the dry version of the end
of cholera?
Speaker 3 (27:35):
Isn't It might be it is?
Speaker 1 (27:37):
Yeah, all right, So so there's no nothing anybody can
do about this. It's just kind of a neat story.
Speaker 4 (27:45):
We want them to understand it. This is not a
way to stop.
Speaker 3 (27:49):
No, no, not at all. I mean, cyber attacks come. There
are a lot of times you're.
Speaker 5 (27:53):
Living off the land a lot of the times, and
a lot of the processing is on site.
Speaker 3 (27:58):
Let's say we're hacking into a place that's that's that's
foreign and hostile. We're not, and that's my story.
Speaker 4 (28:08):
Let's say we're not. Let's say we're not.
Speaker 3 (28:11):
But let's just say we're probably not going directly there.
We're probably going through like five or six different locations.
You're gonna have a slow connection anyways, right, so all
of your attacks have to allow for a very slow connection.
But that's all I'll say on it.
Speaker 1 (28:24):
I wonder how many members of our Discord are going
to turn out to be cyber criminals.
Speaker 3 (28:28):
Dude, our Discord has been awesome, by the way, Hey,
speaking of we've sent out some more lock picks for
people on the Discord. If you guys get the lock picks,
by all means, take some pictures and post them. We'd
love to link to you on our LinkedIn or whatever.
Speaker 5 (28:42):
It is extra credit if you get. If it's a
picture of you getting arrested for using it, you can't
say that I'm just kidding. I'm just kidding, kidding, got kidding,
but get arrested.
Speaker 4 (28:53):
No, all right, so let's move on Discord.
Speaker 3 (28:59):
Yeah you can Discord.
Speaker 1 (29:00):
You should.
Speaker 3 (29:01):
You're a message date, yes, yeah, you can mess with
our AI. That's there, Okay.
Speaker 1 (29:07):
So GOV.UK put out a press release new
plans to supercharge UK cyber sector.
Speaker 4 (29:14):
A good news story, a feel good story.
Speaker 1 (29:16):
The UK is growing cybersecurity sector will be boosted by
millions in new investment and a cyber growth Action plan.
It's partner the government's plan for change. That's good.
Speaker 3 (29:25):
This is good news.
Speaker 1 (29:26):
Yeah. That sounds like a smart thing that a country
would do spend money on security.
Speaker 4 (29:32):
Or something or something they do just before they start
a cyber war.
Speaker 1 (29:36):
Maybe Patrick, don't do anything that we don't know.
Speaker 4 (29:40):
No.
Speaker 5 (29:41):
I can neither confirm nor deny No. I think this
is a good idea, especially where are you. There's a
war in Ukraine.
Speaker 4 (29:47):
I can't share that I am on a major US
military base in the office. You shouldn't even say that
of a general.
Speaker 1 (29:55):
Why would you even say that? Now you're just asking
the cases.
Speaker 4 (30:00):
By the time this releases, I'll be gone and the
world have always started.
Speaker 5 (30:04):
And I'm associated with so many generals, Like, how are
they going to get which one that's true?
Speaker 1 (30:08):
This is how our fans stalkers figured out that we
would always eat at Del Frisco's.
Speaker 4 (30:13):
Because did they figure that out?
Speaker 2 (30:15):
It?
Speaker 1 (30:15):
And we posted it after the fact and somebody mentioned
I know where that is?
Speaker 3 (30:19):
Did they did?
Speaker 5 (30:20):
They did?
Speaker 2 (30:21):
Stock?
Speaker 3 (30:21):
They found it? Yes? Yeah they were.
Speaker 4 (30:24):
No, nobody shout up. Will you tell them when next time.
Speaker 3 (30:27):
We announce it? Yeah, there'll be people camping out of
Del Frisco.
Speaker 1 (30:29):
That's well, we want to announce it. We'll just say
we had dinner and we didn't tell you about.
Speaker 3 (30:34):
It or our next live show will be from Del Frisco.
Speaker 1 (30:36):
There you go.
Speaker 4 (30:36):
Well, we're gonna have to meet in the middle of
the country, so Michelle can join us.
Speaker 2 (30:39):
Now, I was just going to say, why don't you
come to San Diego?
Speaker 4 (30:42):
But okay, well, Saint Louis is kind of in the middle,
so I think it's sat.
Speaker 1 (30:45):
How about Orleans? Sandy was nicer, Yeah, but New Orleans
is halfway and they have good food there.
Speaker 4 (30:55):
I've heard we digressed and speaking of not good food UK, So.
Speaker 1 (31:01):
The UK.
Speaker 2 (31:03):
A mash. You don't like bangers and.
Speaker 1 (31:04):
Mash not really bangers.
Speaker 3 (31:09):
You can't complete that joke.
Speaker 5 (31:11):
I can't, please, don't one word joke. So this is
good news. We want to see more countries doing that.
I'm going to ignore that those last comments. And we
need every country to really start paying attention to this
because the more they pay attention, the more it might
trickle down to the technologies and the people, and and
that's what we need.
Speaker 4 (31:31):
More awareness. That's what this podcast is all about. It's
about awareness more.
Speaker 2 (31:34):
Hopefully, well hopefully each country is able to therefore, you know,
you know, disseminate knowledge right to companies that are working
in the region. Drop giving example, dropping knowledge, given examples.
The best way to protect yourself is to know how
everything works.
Speaker 1 (31:51):
You know, for stop going to Del Frisco's. I won't
be able to get any.
Speaker 4 (31:54):
Chowder, legal seafood chowder. It's not really the same. That's
not really the same.
Speaker 3 (32:01):
Carl No, Carl no, no, all right.
Speaker 1 (32:05):
Hacker News Google warns of Scattered Spider attacks targeting IT support.
Speaker 3 (32:11):
Yes, scattered spideryore so, scattered spiders.
Speaker 2 (32:17):
No, it's no, it's it's scattered spider also known as
wet diarrhea.
Speaker 3 (32:21):
A right, exactly.
Speaker 4 (32:25):
They are coming after us so hard.
Speaker 1 (32:27):
That's the image I have in my mind. Yeah, all right,
let me get through this headline and then you can
make jokes warns of Scattered Spider attacks targeting IT support
teams at US insurance firms. Insurance firms are so awesome.
They don't deserve.
Speaker 4 (32:46):
This kind of they're light years ahead of the medical establishment.
Speaker 2 (32:50):
That is true.
Speaker 3 (32:51):
Yeah. So we we've seen attackers over the last, Patrick,
probably four or five years, shift targets.
Speaker 1 (32:59):
Right.
Speaker 3 (32:59):
So we've seen before it's financials and it's still always financials, right,
banks and investment houses and that sort of stuff. And
then we saw them shift over to hospitality hotels, right,
hotel chains and country clubs and that sort of stuff
where they're actually trying to look at how do we
track humans who we want to know what they're doing,
whether they're journalists or you know, worth a lot of
money or whatever it is. And this is just sort
(33:22):
of the next wave is they're now looking at you know,
insurance companies, a they have access to potentially a lot
of money. There's a lot of payouts that happen. So
one of the most prevalent attacks
right now is business email compromise. I break in your email,
I wait for you to send money somewhere, and then
I automatically start intercepting those messages and tell you to
change it to a different bank account or wire it
(33:43):
to a different place, and you don't know, so you
do it right. So absolutely I can this. This makes
sense from you know, where's the money. If you can
get an insurance company to pay you as opposed to
the person they're supposed to pay, that makes sense.
Speaker 2 (33:56):
So I'll tell you though, like I mean, this is
a time targeted attack, and this particular group you know
has been at it for a long time and they
say that they've been escalating the last three years or
two years, and they focus on a lot of social
engineering and SIM swapping, which we were talking about, you know,
the issues with SMS. So, I mean the social engineering
(34:17):
side is interesting because again, we do tons and tons
of identity solutions, but what you forget is when somebody
can't get into their account and forgot password doesn't work,
or they can't connect their accounts, or they already had
an account but they didn't have a log in yet
and they're having trouble making that connect because you know,
it's hard to do that right if you don't have
a log in first, that's a verified They don't verify emails,
(34:38):
they don't verify phones, and now they have to call in.
They call and support. What are these support people? You know,
how are they prepared to handle? You know, the person
that's saying, oh my gosh, you know, but I have
to do it now and I really need your help,
and you know, they're looking for sympathy and they're totally
social engineering, like essentially getting access to the account. Oh yeah, absolutely,
(35:00):
and and there's no documentation.
Speaker 4 (35:02):
You should respond, human, I am here to help, exactly.
Speaker 3 (35:08):
I could see if Michelle were to call up, say
a major bank, and say that her husband set up
a bank account and she's trying to check the balance
and whatever, and she can't walk into the website, and
she has a tape, a tape, wow, a tape a
YouTube video I don't know, playing in the background right
of a baby crying constantly, and she's like, oh my god.
(35:30):
And she goes over and she's like pretending to coddle
the baby and she's like, I can't get accesses.
Speaker 5 (35:35):
Frustrating and exploiting social exploding social norms as social engineering,
that's what it is. Yeah, but you have to become
a heartless monster. And the insurance industry is well equipped.
Speaker 6 (35:46):
Did you do that?
Speaker 2 (35:48):
Oh no, you didn't.
Speaker 3 (35:49):
I just do wow, And we don't get any insurance
claims anymore. Thanks.
Speaker 2 (35:55):
That still comes back to the training aspect, right, which
is like companies need to look at their as much
as they look at their online systems, you know, how
to prevent attacks. And I just don't think they're doing
it because as many companies as we run into, I mean,
they never really invite us in to give that side
of the guidance, right, Like as oh yeah, we've got
(36:17):
a support team, they have rules.
Speaker 4 (36:18):
It's okay, trust us from the government. I'm here to help.
Speaker 2 (36:25):
So I think it's going to be hit or miss
depending on the business. And this just elevates the need
for it.
Speaker 3 (36:30):
And out of the four of us, Michelle could way
better get anything she wants on a call than the
three of us guys could. I'm just saying, just saying,
people like to help.
Speaker 2 (36:41):
One can try, one can try. I'll give it.
Speaker 4 (36:46):
It's a burden.
Speaker 1 (36:49):
And a gift.
Speaker 2 (36:50):
Yes, okay, call you for help and see if you respond.
Speaker 1 (36:56):
All right? Our clickbait story today Google bug allowed phone
number of almost any user to be discovered, and it
does use the word allowed in past tense, so I'm
assuming that it was updated fixed.
Speaker 3 (37:14):
Yes, yes, so this has to do with BotGuard,
so there. I love how even the researchers now are
using I'm assuming this is a pseudonym or a you know,
a handle a cybersecurity researcher called brutecat.
Speaker 2 (37:32):
That can't be a real name, as.
Speaker 3 (37:38):
I was able to figure out that the phone number
linked to any Google account. Information that's usually not public
and considered sensitive can be found on a page where
a user can recover their Google account if they have
forgotten their login details lacked BotGuard protection.
So BotGuard protection is a cloud service that's going through
and making sure that there's certain sensitive data that you
(37:59):
can't just call out off the internet and bots search
engines aren't coming and grabbing that information. However, there is
in an oversight. If that website doesn't actually serve up JavaScript,
then unfortunately your BotGuard does not work. So all
of your accounts were leaking.
Speaker 2 (38:16):
So jeez, yeah, and I'm going to bring that back
to the basics, right, Like, this comes back to how
people set up their login system and the recovery system.
They're sending a text to somebody and they're you know,
leaking that the phone number exists somehow, so they're allowing
account enumeration to happen. They're showing you, oh that symbo
(38:40):
has already taken or like, yeah.
Speaker 4 (38:43):
That's not the right password. Well, now you've verified that
the account.
Speaker 2 (38:46):
Exists, right, exactly right, and you're never supposed to do that,
And then you know, you try to tell companies like
don't do this, and their comment is yes, But now
my user's confused because they don't. They never got the
email to register their account because the email's already taken and.
Speaker 4 (38:59):
You're it just were confused a long time ago.
Speaker 2 (39:03):
Yeah, I I the way you said that right now,
if you had a wig on, you could have been
like Mrs. Doubtfire.
Speaker 3 (39:15):
Yeah, that's right. So you're absolutely right. So usually there's
systems to stop you from like brute enumerating user accounts
and in this case phone numbers. Right, but they were
able to bypass the CAPTCHA that stopped it so they
could do forty thousand requests per second there again, right,
you're absolutely right, Michelle. They're just not looking at the
(39:36):
tech stack and seeing, Okay, how do I stop people
from enumerating emails and saying, oh, you know, my phone
number is this? No, it's wrong, my phone number is this? No,
it's wrong, whereas other systems should say if you say
this is my phone number, it might say okay, if
that's your phone number, we'll send you a message, right,
and you never know whether it's true or false. And
we find that that's sort of a big blunder too.
In development, a lot of developers like to be helpful.
(39:58):
Let me switch that at developers like to be helpful
to themselves, so they'll throw up a very detailed error
message when something goes wrong, so that they know, oh,
I know exactly what the issue is, letting me fix
it for that mass, for the user. All of that
needs to be turned off when you're dealing with a
system that has access to the bad neighborhood called the Internet,
(40:18):
because any type of information I get as an attacker
I'm going to use to profile that system and see
how I might Oh, you told me the user name
was bad, but not the password, so now let me
enumerate user names so on and so forth. Right.
Speaker 2 (40:29):
So, so companies are expecting to, you know, be protected
by the fact that nobody's targeted them yet. But the
minute they get targeted, it's all over. Right, So I
think a lot of companies are sent they're led into
a false sense of security because nothing's happened yet. I mean,
I've had this terrible system for you know, like ten years,
and it's just still there and it's working. Why should
(40:50):
I pay to fix it? Until they have an employee
that leaves who is dissatisfied, or a customer who's malicious
or whoever.
Speaker 5 (40:58):
Right, there's a psychological bias there that when somebody takes
part in a risky activity, no matter what it is,
whether it's texting and driving, the more often they do
it without suffering that negative catastrophic event, the less
likely they believe it is right until it suddenly happens
because they run out of.
Speaker 2 (41:15):
Luck exactly, or they do something sid Good luck to
you all, Mercy on your soul.
Speaker 3 (41:22):
If you had a competent pen testing team actually check it,
then maybe you would know before you get hit by attackers.
Speaker 1 (41:29):
You know, you got to pay for infomercials.
Speaker 3 (41:33):
The money will shop in your account, okay, and then
get removed.
Speaker 2 (41:37):
Who partner to that? If you had a company that
could help you actually design the rights and then get
a tested that.
Speaker 4 (41:50):
Was a really nice sneaking m transition.
Speaker 1 (41:52):
And if you need some help getting started with Blazor,
you might need a developer slash trainer who knows what
they're doing. Security.
Speaker 4 (42:02):
And if you need some cheap way powder. No, I'm
just kidding, way.
Speaker 1 (42:07):
I thought we were selling everything here all right, people,
this has been a gas Michelle, thanks for joining us.
Speaker 2 (42:15):
Thank you so much for having me here today. Love it.
Speaker 4 (42:17):
Thank you for joining us. It's awesome awesome, great time.
Speaker 1 (42:21):
We'll see you next week. Bye bye bye