August 7, 2023 58 mins

Wouldn't it be great if you could navigate the treacherous landscape of software vulnerabilities like a pro? That's exactly what we're serving up in our latest podcast episode. Together with our dedicated team, we dissect the upsurge of these vulnerabilities, the recent discovery of a toolkit targeting Apple macOS, and stolen ChatGPT credentials. We even do a deep dive into the complex CVE system. Our insightful discussion sheds light on how these vulnerabilities have grown over time, largely due to the evolution of software development.

Are you constantly second-guessing whether to update your software due to the fear of breaking things? You're far from alone. Hang out with us as we share our personal anecdotes dealing with software updates, security patches and the puzzling catch-22 situation that arises. In an alarming revelation, we also walk you through the recent compromise of over 101,000 OpenAI ChatGPT account credentials. If you're a user, this is an episode you can't afford to miss.

Imagine living in a world where data breaches are the new golden age. That's the reality we're grappling with, and there's no denying the risks associated with storing data on an internet-connected database. From discussing malicious targeted ad campaigns to delving into the dangers of certain browsers, this episode is a rollercoaster of cybersecurity insight. We round off by examining how data breaches have shaped cybersecurity history. Tune in and arm yourself with the knowledge to combat the rapidly evolving world of software vulnerabilities and cybersecurity.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Mandi Rae (00:01):
Thank you for joining us and welcome to today's
episode of The Audit, where we will be discussing recent
headlines in the cybersecurity world.
Today's focus will be on the discovery of a new toolkit that
targets Apple macOS, stolen ChatGPT credentials and the
security issues associated with Chrome.

(00:23):
You are not going to want to miss this episode, so stay tuned.

Joshua Schmidt (00:29):
We're talking today about data breaches.
We're talking about some cybersecurity
in the news. Seems like there's always something going on.
You wanted to share this graph.
What can you tell us about this graph?
We were kind of talking about it before.

Scotty Rysdahl (00:43):
So this is just a general graph.
There is a citation but I honestly haven't gone to
validate it.
But it does follow my narrative here, which is that the number
of vulnerabilities in software in general has just been
following this exponential curve since people started tracking
this stuff, like back in the mid-2000s.
So at some point 20-some years ago, some researchers and

(01:09):
nonprofit organizations devised this thing called CVE, which is
the Common Vulnerabilities and Exposures, and it's kind of this
whole taxonomy or system of organizing and tracking
vulnerabilities in software and computers and even hardware and
devices.
And anybody really can apply for what's called a CVE, for a

(01:31):
specific identifier for a new security issue that they find,
and the way that they're formatted is usually the acronym,
so CVE, dash, the year that something was disclosed or
identified, dash, and then an incrementing number that
basically starts at zero every year, every January, and cruises
up until December 31st and however far we get, however many

(01:54):
vulnerabilities are discovered and disclosed, that's where that
number ends for the year and then we start over the next year.
So we're going to talk about some other articles here in
specific vulnerabilities in common software and we'll see
some of these CVE identifiers in those articles.
But just looking at this graph, it's pretty easy to see that as
more security researchers and more cyber criminals have been

(02:17):
collectively looking closely at software and trying to find ways
to exploit it and misuse it to carry out cybercrime and attacks,
the more of these things are found.
The more you look, the more you find, and so you can see on the
graph that back in around 2010, it was barely 5,000, and we've

(02:39):
five times to that in the whatever in less than 13 years
since then.
So it's just an amazing explosion, and if you've been a
tech user all that time, you've kind of felt this, even if you
weren't tracking these numbers.
How often do we have security updates that are rated critical
for our iPhones?
Every time I restart my Chrome browser, it tells me hey,

(03:01):
there's a new version you need to install, and usually it's a
security update for those more frequent like weekly or even
daily sometimes updates.
So, yeah, just interesting to see this explosion of just the
critical mass of people looking and finding problems in software
that can lead to full compromise in data breaches.

Joshua Schmidt (03:22):
Not quite a hockey stick, but it's certainly
a ski jump.

Scotty Rysdahl (03:26):
Yeah, I wonder about this year, because if
we're about halfway through the year now, we're on track to not
make it close to last year, but I would doubt that.
So maybe this data is just not quite up to date, but I would
guess we'll surpass 20,000 at least and go beyond.

Joshua Schmidt (03:41):
So does this mean you're losing the war, or
does it just mean that, like you kind of mentioned, that these
vulnerabilities are getting pointed out more readily and
more prolifically as we are more aware of what's going on?

Scotty Rysdahl (03:57):
Yeah, that's a good question.
I don't think we're losing anything.
I think it just really points to more visibility and more eyes
on all the tech we use, and just more tech being used.
So there's just more applications out there, there's
more web frameworks, there's more versions of the iPhone and
Android phones, so the tech has exploded in number and the

(04:17):
number of people looking for issues, both good and bad, are
also growing every year.
So maybe that sort of multiplied together gets you
this hockey stick.

Mandi Rae (04:24):
I was going to echo that.
10 years ago, think of how many people had a phone in their
pocket, and now, I mean at elementary school, they're
carrying phones, right?
So exponentially more devices and software is absolutely what
I think is happening.

Scotty Rysdahl (04:40):
Yeah, and I was talking to Josh before you came
on, Mandi, before we started rolling about kind of how
software development has changed over the years too.
So 20 years ago there was this very regimented, scheduled,
methodical releases happened infrequently and they had a lot
of changes bundled into them.
And nowadays there's like sort of more agile methods of

(05:01):
development that lead to just constant delivery, continuous
delivery of code to production systems.
That makes Microsoft's monthly cadence seem kind of quaint
these days.
So yeah, no longer are we developing software on year
schedules, we're developing it and doing these sprints every
few weeks or every month or whatever the case may be for

(05:24):
each product.
So more code changes leads to more possible vulnerabilities
too.

Mandi Rae (05:29):
Really trying to be quick to market with things
right.
You want to be the first, especially when it comes to the
technology arena.

Scotty Rysdahl (05:35):
Yep, yep.
There's this whole concept of minimum viable product, right?
So don't plan this grand update or this grand application and
deliver it in years, just like,
keep iterating as fast as you can to get that next little bit
out the door, the next little cheese for the users to nibble
on.

Joshua Schmidt (05:53):
Is this just to keep shareholders happy and just
getting those numbers continually growing for their
user base?

Mandi Rae (06:00):
I think it's to make that money, Josh.

Joshua Schmidt (06:03):
Yeah, of course.
Of course.
It's just so annoying and it seems to me like a lot of these
applications are fine, you know, how they are, but if it's a
security thing it's something they have to address.
They're just kind of weighing out that liability versus the
money-making risk, right?
So it's an article.

(06:24):
I found I thought was interesting.
Cyber security researchers have uncovered a set of malicious
artifacts that they say is a part of a sophisticated toolkit
targeting Apple macOS systems.
Two of the three malicious programs are said to be generic
Python-based backdoors that are designed to target Windows,
Linux and macOS systems.
The payloads have been collectively dubbed JokerSpy.

(06:45):
Scott, who comes up with these names?
Are they named?
Is it like, haha, and there's like a little laughing Joker?
You've been hacked by JokerSpy, or how do these names come
about?
Because they're super entertaining.

Scotty Rysdahl (06:59):
Yeah, that takes me back to the movie
Hackers from 1995 or whatever.
Angelina Jolie, where every time there's a virus launched,
like, a little smiley face with a pirate patch goes and chomps
its way across the screen.

Joshua Schmidt (07:11):
Dennis Nedry on Jurassic Park.
You didn't say the magic word.

Scotty Rysdahl (07:18):
I wish that's how information security had
developed over time, that we got more interactive and colorful.

Joshua Schmidt (07:25):
There's still time for that.

Scotty Rysdahl (07:26):
Yeah, if anything, they've gotten more
stealthy and less visible, I would say, with the exception of
ransomware, where there's kind of like that flair for the
theatrical.
You know, like you get a ransom note on your desktop and it's
they have that chance to kind of like bully you a little bit
right there.
Would they tell you that they have your data?

Joshua Schmidt (07:45):
Yeah, so all you hackers listening, all you
hackers listening to this.
We need a little more Steven Spielberg production in these,
in this malware.

Scotty Rysdahl (07:54):
Yeah, just go on Fiverr and spend 30 bucks
and get some freelancer to, honestly, if you're into that.

Mandi Rae (08:01):
I think we've talked previously on prior podcasts
about CrowdStrike and are they the ones who do a really great
job connecting a little bit of anime graphics to
vulnerabilities and exploits they find.

Scotty Rysdahl (08:15):
I don't know if you're familiar, but there's
some write-ups where they like have, yeah, like professional,
whatever iconography or kind of characters almost built into
their analysis, right?

Mandi Rae (08:27):
I love the aesthetic of that.
I mean, it's what makes security kind of sexy.

Scotty Rysdahl (08:31):
It is, yeah, along with what Josh mentioned,
which is how things kind of get named, and that wasn't always
the case.
You know, again, 10, 15 years ago, vulnerabilities were just
called by their CVE name.
So we had CVE 2010, 115, you know, and those identifiers are
still used.
But nowadays, if something's really big, it'll get some funny
hackery name, you know, and as far as who comes up with them,

(08:54):
it's usually either the research team who kind of uncovers it
first.
They get to name it.
So it's like finding a star or something.
Yeah, it is very much like that.
Yeah, sometimes they do take clues from the malware.
So there's this whole process called reverse engineering,
where the researchers will take the malware, they'll put it in

(09:16):
kind of a little safe sandbox environment and they'll pull it
apart and watch how it works, and they can retrieve some kind
of artifacts from how it was coded, how it was written, and
so you'll find things in there like the languages, the human
languages that the hackers, the developers used.
Often they're Russian or whatever, and so they'll find

(09:36):
little like tidbits, little keywords, and they'll name
things after that and then, of course, like hacker groups
themselves get these funny names like Fancy Bear, and I forget
what North Korea is now, Lazarus maybe is one of them.
So, yeah, they even named the gangs, you know, with these kind
of cool theatrical names too.

(09:57):
So yeah, like Mandi said, it's sexier than, you know, software
engineering or other sub-disciplines of IT, because we
kind of have the cloak-and-dagger aspect to it.

Joshua Schmidt (10:09):
Meanwhile, behind the scenes at Lazarus,
it's such a really nerdy dude sitting at a big chair,
not so much to the computer, but they're probably driving Lambos,
you know, in.

Scotty Rysdahl (10:21):
Europe because that's how it works these days.

Mandi Rae (10:23):
Okay, I was gonna say unshowered working in a dingy
basement, but their daytime hours are probably super fun.

Joshua Schmidt (10:31):
In a gaming chair with a 24 pack of Mountain
Dew.

Mandi Rae (10:35):
Exactly.

Joshua Schmidt (10:36):
JokerSpy.
So you know I'm a normie, that's my job on this podcast as
well as producing, but you know, I thought, you know, Apple was
kind of the gold standard in security and as far as personal
computing goes.
You know, is this kind of a new thing or has this been going on
for a while and just not been brought to my attention?

Scotty Rysdahl (10:59):
Well, it's not new.
So when somebody finds a vulnerability, if they're a bad
guy, they'll oftentimes find a way to use it directly or maybe
to resell it on the dark web or wherever they can find customers.
If you want to up your game as a seller or distributor of those

(11:20):
types of digital weapons, you can group them together and you
can categorize them by which product they attack, which
software they impact.
And so, just like you can go to Costco and buy your peanut
butter by the barrel, you can do that with exploits.
So you can get a whole kit that bundles all these different

(11:42):
things together, the starter kit for cybercrime almost, and
it'll include kind of a curated set of related or even just
totally different exploits that you can use to carry out cyber
attacks.
And it's another great example of this diversification of
cybercrime, where in the old days maybe it was the same
person that found a flaw, exploited the flaw and then

(12:04):
carried out the attack and retrieved or stole data.
But nowadays it's like one person does the fines to the
vulnerability, another person collects vulnerabilities or buys
them and puts them into an easy-to-use kit, and then yet
another person licenses that kit out to cyber criminals who
actually want to carry out the attacks.
They even run help desks these days to help their affiliates,

(12:27):
as they're called, use these weapon kits for their own gain.
So it's really amazing how far it's matured.
You can get text-based support if you're a virus buyer or a
toolkit buyer, and somebody will helpfully chat away and tell

(12:47):
you what you're doing wrong.
And oh yeah, did you make sure that you filled this variable in
with the domain that you're trying to attack, or whatever
the case may be?
Yeah, it's a weird world.

Mandi Rae (12:58):
It's crazy.
I think my first reaction in reading this was like, come on,
Apple.
Much like you, I think Macs weren't targeted as frequently
as a Windows or Linux-based machine, or at least that was my
thought, as Macs just seemed more protected.
I just read another article in PCMag about the Migraine

(13:19):
vulnerability that Microsoft found that where Apple was
allowing attackers to perform arbitrary operations on Macs,
they were hiding malicious files in the monitoring tools and
expanding the scope of the malware to attack the system's
kernel.
They were bypassing the SIP.

(13:39):
It's just like, come on, Apple, what are you doing?
I hate the critical bug fixes on my phone.
I hate that we're not thinking about things and testing things
thoroughly before getting them out into the public.

Joshua Schmidt (13:52):
I've been complaining to Scott for several
weeks now, Mandi, about an issue I recently had which was
really a pain in the butt.
I updated automatic update on my modern-man menu M1 Mac and it
rendered my Final Cut Pro app completely useless because of
the third-party software that I have on my computer for audio
(14:14):
engineering and audio editing.
There's probably 30 or 40-plus third-party apps on my computer,
plugins, and these plugins were stalling Final Cut Pro on
startup to the point where it would crash my computer and it
just kept crashing my computer and there's been no yeah and I
got to the boss level of the IT department at Apple where they

(14:38):
took over my computer and the guy already.
By the time I got to the boss level, the guy already had the
answer.
He knew what he was getting into when he took me on.
He was basically like, we already stopped collecting data
on this issue.
So either we're going to do an update soon or we're not and
we're going to wait until these third-party developers catch up
(15:01):
to what we just did.
But it flabbergasted me, because this is an Apple product on an
Apple computer.
They didn't even put in a backstop where I could bypass
these plugins and just force run this app.
So you're telling me I can't even use this app today.
I got stuff to do, I have deadlines and now either my

(15:23):
choices are to partition my hard drive and reinstall Final Cut
Pro on my partitioned hard drive so that it's not running into
any of these plugins, which to me sounds like a nightmare as a
non-techy kind of person, or to downgrade to a, and I don't even
know how to do that.
I'm sure there's ways to back up on the version of the OS that
(15:45):
I was using, which could create other problems, right?

Mandi Rae (15:48):
I was going to say.
I think that's the catch-22.
If you're up to date on the latest fixes, then things start
to break, right? Because, like you said, not everybody's caught up,
whether it's Apple or somebody else.
However, if you wait, then you're not patching these
vulnerabilities.
You're living with these bugs that they have found, and so

(16:09):
you've got to find that common middle ground.
Scott, what would be your recommendation?
Just understanding what Josh is saying?
I mean, I think it's happened to all of us.

Scotty Rysdahl (16:18):
Yeah, we had discussed this earlier before we
started rolling too, and I was just sharing that.
It's the same in the enterprise.
Microsoft releases their monthly set of patches and they
often break things in production.
They break critical systems sometimes, and Microsoft treats
their customers like their first or second round of beta testers.

(16:40):
Here's the code.
Go for it.

Mandi Rae (16:43):
I don't want to be your pilot.

Scotty Rysdahl (16:45):
I know, and we're paying for that privilege,
right? To run their bleeding edge code, but there's really no
choice.
So Microsoft puts it on their customers to have their own
update procedures.
So start with a sample group of your systems, workstations,
servers, whatever the case may be.

(17:06):
Do the updates, wait a week or two, then roll it out to
everybody else and every organization has their own
staggered process for doing that.
But yeah, at the end of the day, just because something gets
officially released as stable doesn't mean it is.
Yeah, I don't know.
I wish I had a better answer.

Mandi Rae (17:26):
You wish Josh well knows.
So would you tell people, do we update right away, ernie, wait
a minute.

Scotty Rysdahl (17:34):
Yeah, my answer would be different depending on
what the update is.
So if you're talking about major updates, so going from
Windows 10 to Windows 11, for example, wait, wait at least a
year. Don't be an early adopter for new major versions of things.
They're not meant to be production ready when version
11.0 comes off the factory.
Wait a year and let Microsoft or whoever figure their stuff

(17:57):
out.
But for minor versions and security patches you really do
have to keep pace.
And then again it's back on the customer, and in Josh's case he
doesn't have three M1 MacBook Pros to test his updates on.
So for consumers they just get screwed sometimes.

Joshua Schmidt (18:13):
Yeah, and the cost of these plugins is sky
high.
I mean anywhere from a cup, $20, $30 up to thousands of dollars
for some of these audio suites, whether it's orchestral strings,
and kick it into the thousands of dollars.
So when those things don't work, and then not only do they not
work on something you're working on now, but if you have to go
back to an old session of a song that I was working on for the

(18:37):
Olympics, for example, from three years ago, that's not going to
work either.
So what a lot of my cohorts do is just not update and they stay
way behind the crest of that wave and they just take the
security risk in order to have the workflow be there for them
when they need to.
And I can do that.

(18:58):
My last MacBook, I just stopped updating it, I just turned off
at one point because I know I can get another year or two out
of it.
At like year five, updates are off.
It's just going to be that way until it dies.
And now it has a big bulge in the middle of it and doesn't sit
quite level.
So I don't know if it's even safe to me to say anymore yeah,

(19:19):
don't bring it on an airplane.
I don't know how that lithium battery is doing, but OK.
Well, that was fun.
Yeah, let's go on to the next article, unless anyone else has
anything to add.
It's always fun to talk about AI and ChatGPT, and so this
article grabbed my attention.
Do a little intro to what I found here.

(19:40):
It looks like over 101,000 compromised OpenAI ChatGPT
account credentials have found their way onto illicit dark web
marketplaces between June 2022 and May 2023, with India alone
accounting for 12,632 stolen credentials.
The credentials were discovered within information stealer logs

(20:01):
made available for sale on the cybercrime underground, Group-IB
said in a report shared with Hacker News.
So you know.
Normie question.
What are they referring to being stolen when they're
talking about logs?
Are the malicious actors stealing the questions and the
requests users are prompting into ChatGPT for the outputs, or is

(20:25):
this just login information and personal information?

Scotty Rysdahl (20:31):
So it says in the article there that some of
it was stolen credentials, so it's presumably usernames or
emails and passwords.
Usually when you store a password in a database that's
connected to the internet or anywhere, you don't store it in
its normal form.
You store what's called the hash of it, so it's a
one-directional cryptography.

(20:51):
So it's like encrypting something without the option to
decrypt it by design, and then that version of it is what's
checked every time somebody logs in.
And the point is that when they get breached and the hacker
grabs these 100,000 credentials, they have kind of the scrambled
version.
It's unique to what the real password is, but it's scrambled

(21:15):
to the point where they can't just say, oh, it's my Toyota
truck 7.7, and then go try to breach other accounts belonging
to the same person.
So it's meant to kind of limit the blast radius, as they say,
of any particular breach.
But yeah, if chat logs, ChatGPT logs, were also stolen, that

(21:35):
would be those interactions between the customers and the AI.
So write me a job description.
Write me a resume, clean up my resume, and so the input and the
output of those interactions between humans and the AI.
If those are stolen, you can only imagine what kind of
sensitive information would be in there, like I mean everything
(21:56):
from embarrassing personal stuff about hair loss, who knows,
to those weird conversations that we've all had with AI to
try to see what it's capable of.
Talk to me like a pirate, just kind of the weird things that
you do,
to very sensitive trade secrets and source code for
applications that programmers at different companies are trying

(22:17):
to have the AI help them debug, for example.
So the most sensitive trade secrets just about could end up
in these systems, which is obviously bad for the customers
who are affected.

Joshua Schmidt (22:32):
Like, can I mix my Cialis with my Prozac?

Scotty Rysdahl (22:36):
Exactly, seriously.
Bing now is using OpenAI for search results, right?
So imagine if that data is in there.
You get all sorts of potentially very sensitive, just
normal everyday person type questions that, yeah, probably
shouldn't be shared with the world, right? This article is
from June 20th, but I imagine, and maybe the article says that,

(22:58):
I didn't see it in there, but that these actually were stolen
back in March when the OpenAI data breach happened.
So it seems like this article is just saying it's news now
because these things are being posted on the internet, right?
So the breach happened months ago.
Now we're seeing these things for sale out in the darker parts
of the internet.

Mandi Rae (23:17):
Dark Web is like the upside down.

Scotty Rysdahl (23:21):
Yeah, yeah it very much is.

Joshua Schmidt (23:22):
It seems like there'd be a ton of information
to parse through to find anything valuable, especially if
a lot of the ChatGPT answers that I've received or the
prompts that I've given it and then it spits something out are
very long depending on what the prompt is.
But I'm sure there's systems in place that can skim through
that, looking for keywords and whatnot, to identify personal

(23:46):
information, things that might be of value.
Is there something that you're aware of that?
That because not only are people using these but
businesses have started to adopt these into their workflow.
I think that's part of the bigger part of the issue, like
sensitive information that they're putting into these

(24:07):
things without thinking about security ramifications.

Mandi Rae (24:12):
That's what Scott was mentioning earlier.
Yeah, it's the proprietary data that they're looking for.

Scotty Rysdahl (24:17):
You can see the footnote there at the bottom of
the screen.
Employees enter classified correspondences or use the bot
to optimize proprietary code.
So that's exactly the worst case scenario for the customers
there.
ChatGPT standard configuration retains all conversations.
This could inadvertently offer a trove of sensitive
intelligence to threat actors.

Joshua Schmidt (24:35):
So this seems like something that might be
inherently a problem with AI.
Because of the nature of it learning from, based on the logs
that it's keeping of conversations.
It seemed like it would be even more vulnerable to this type of
hacking and gleaning some of this value from these things
since it has to save so much data, so many conversations.

(24:57):
Is AI more valuable to hackers in the long run because of the
nature of it storing all of these conversations?

Scotty Rysdahl (25:09):
Yeah, I think what you just said is the key
point.
It's not really that it's AI, it's that the conversations are
stored.
It's kind of back to this idea about where does your data live.
So 10, 15 years ago, everybody's data lived in their
own data centers, on their own servers in the offices, and so
there was this kind of clear perimeter to every

(25:30):
organization's network and kind of digital footprint, and it
often corresponded to the physical perimeter that they
have, their offices, their leased data center space.
But now, in the intervening time, we've all moved to the cloud
and our data lives in data centers owned by just a few big
players, along with everybody else's data, and so when

(25:53):
breaches happen out in those places, depending on the type of
cloud service that we're talking about, the impact is
potentially bigger, and there's just a lot of.
It's kind of like the watering hole idea, where all these
animals come to this one place to drink, and so that's a place
for predators to go and attack.
So if it was possible to host your own version of OpenAI, which

(26:16):
I think is something they do offer or are going to be
offering, just like any other retail IT product, if you could
take that and put it in your own environment, the risk of this
kind of breach goes down significantly because your data
is not out there with everybody else's data.
I'd imagine that you'd pay a premium for that private hosted

(26:36):
version of service, but the same is true of the cloud.
The more you want to have control over where your data
lives and how it's secured, the more money you're going to pay
for that privilege if you're trusting it to some third party.

Joshua Schmidt (26:50):
So are these clouds safe with our sensitive
information?
Because I, for one, don't post my children on Facebook, for
example.
To each their own.
That's just not something I was comfortable with.
But I know they're on a cloud because I'm storing all my
photos on my phone and whatnot.
So how safe are these clouds?

(27:11):
In comparison?
Some of these apps like ChatGPT and things like that?

Mandi Rae (27:18):
I mean, I don't think anything is safe anywhere.

Joshua Schmidt (27:20):
Do you?

Mandi Rae (27:21):
have a strong password.
Do you use MFA, two-factor authentication?

Scotty Rysdahl (27:26):
Yeah, that's a good answer.
I would say it depends.
It depends what security protections are in place and one
of the benefits of the cloud is that they're dedicated to doing
this type of hosting, whereas a company just running
their own servers in their own locations maybe don't have the
maturity or the expertise or the money to put in the same kinds

(27:46):
of protections.
So I think most of the big cloud providers like Amazon and
Microsoft, they don't really publish directly like the
physical locations of their data centers.
You can find them and they'll tell you generally where they
are.
You know, they're in Virginia, they're in Oregon, they're in
the Bay Area of California, but if you ever go look at some of

(28:09):
these places, it's like a military outpost.
There's multiple layers of razor wire fences.
There's humans with the kinds of weapons you would expect
patrolling 24-7.
There's biometric multi-factor authentication to get into the
facility.
Every person's access is based on the job that they have.
So the security guard on the outside can't necessarily get to

(28:31):
the data center floor.
On the inside, each cabinet is locked and secured and there's a
short list of people who can get to it.
So is your data secure out in the cloud? Maybe more secure
than your company could manage to keep it in your own offices.

Mandi Rae (28:50):
But again, the threat is the people.
So everything Scott's saying is right, they are absolutely
securing our data, but if your password's summer 2022 and
you're using it across multiple things and you end up getting
phished or something, then that's where you have a compromise.

Joshua Schmidt (29:10):
How did you know my?

Mandi Rae (29:11):
password.

Scotty Rysdahl (29:15):
It's right there on the list of the top 10
worst passwords from 2022.

Mandi Rae (29:18):
Your dog's name yeah.

Scotty Rysdahl (29:22):
So it's a trade-off.
You do get a lot of security just by being a customer of AWS
or Microsoft Azure or Google Cloud Platform, but you're also
voluntarily putting yourself in those watering hole locations
where everybody else is keeping their data, so it makes the
reward from compromising those things a lot more lucrative.

Mandi Rae (29:45):
You knew more about data centers than anyone I've
ever talked to.

Scotty Rysdahl (29:50):
They're pretty cool.
Actually, I'm glad I don't work in one, because really it's
just like working in a warehouse full of noisy machines of any
kind.

Mandi Rae (29:56):
That you can't touch, can't do anything with, you
can't touch.
Yeah, I wouldn't mind being the guy walking around with a gun,
though. That'd be pretty tight gig.
Well, security there, physical security.

Scotty Rysdahl (30:05):
Yeah, I mean, you could wear a camo jumpsuit
in your day-to-day mandate and I don't think anybody would
complain.
It'd be epic, I may even start.

Mandi Rae (30:14):
You know, as I was reading through that article,
something caught my eye, but I'm coming into it very naive, but
it was talking about how, it mentioned how Raccoon was one of
the primary info stealers.
So it said,
a further analysis has revealed the majority of logs containing
ChatGPT accounts have been breached by the notorious

(30:35):
Raccoon.
What do you guys know about Raccoon?
Because I looked it up and there's some other interesting
things going on with them.
Is it a person?
Is it a process?
Is it a?
What is it?

Joshua Schmidt (30:50):
Well, I'm going to throw this up, yeah.

Mandi Rae (30:54):
That's a great idea.

Scotty Rysdahl (30:57):
Actual photo of this is young yeah.

Mandi Rae (31:00):
Yeah, so does anyone.
Scott.
Do you know about who's like the notorious Raccoon Info
Stealer?

Scotty Rysdahl (31:07):
Yeah, so I just in my 30 seconds of Googling
here while we were talking.
So an Info Stealer in general is a type of malware.
So it's not a person, it's a program.
It's a virus, right, and the way that the purpose of them
typically is to infect a computer and just kind of hang
out and wait to see what types of valuable information they

(31:31):
might be able to pull out of the password saved in your browser,
the text on your screen right when you go to your online
banking account, credit card numbers that you enter into
Amazon or whatever.
So they're typically they're meant to just hang out quietly
and then look for certain activity happening on the screen,
in memory, specific programs that are launched, that sort of

(31:53):
thing and just send that stuff back to Stalingrad or whatever
for resale and reuse by whoever's behind this thing.

Mandi Rae (32:04):
So that really reminds me of some of our
earlier podcasts about personal information security and how we
talk about as a best practice.
I totally get it.
It is convenient to save your password in your browser, but
don't. I totally get that putting your credit card and having
that saved so that you can make those impulsive online purchases.
It's so easy.

(32:25):
But don't do it. Like,
these are exactly the kinds of things that are out targeting
innocent people.
Well, Raccoon isn't just doing that.
So if you've got any more images of Raccoon as a threat
actor, I found it really interesting.
There's an article about malvertising, which was kind of
a new term.

(32:46):
I mean, I know malware and advertising, so now we're doing
a mashup.
So new malvertising campaigns via Google ads to target users
searching for popular software, and so how interesting you do a
Google search for some software.
The ads are popping up.

(33:06):
You go with one of the top, most popular ones and guess what?
They're going to redirect your traffic from a benign site.
They're going to have you download a malicious file.
I wanted to talk a little bit about that, targeted ad
campaigns being kind of one of the new things to be worried
about.
Or is this an all the time thing?

(33:27):
Malvertising, Scott.
Have you ever used?

Scotty Rysdahl (33:31):
that word?
Yeah, it's one of my least favorite cybersecurity
portmanteaus, is that how you say it?
Yeah, but yeah, it's exactly sort of what you described,
Mandi.
It's leveraging very, very common ad networks, ad resellers
like Google.
Google is not a technology company, right, they're an

(33:52):
advertising company.
That's what they do, and so if you, as a malicious person, want
to get your attacks in front of the right people, Google is happy
to help you with that.
Right, they maybe don't intend to, but their business is
targeted advertising.
So if I want to sell a new diet pill, I don't want to spend a

(34:13):
bunch of money putting it in front of people who aren't
looking for diet pills.
I'm going to have Google put it in front of people who search
for diet pills, Ozempic, whatever the case may be and then my
that's a hot one right now too, Scott, good call, it is super
hot.

Mandi Rae (34:28):
Yeah, yeah, SEO, Ozempic, Ozempic, Ozempic.

Scotty Rysdahl (34:33):
I see all those commercials in my nightmares,
may cause hallucinations and internal bleeding.

Mandi Rae (34:39):
Now it's going to cause targeted ads on your
screen.

Scotty Rysdahl (34:41):
Right, right, especially now that we're saying
it out loud.

Mandi Rae (34:44):
If you that's why I said it three times my Alexa's
going to grab it.
No, I'm going to start seeing targeted ads too.
If you scroll down, I think there's a really-.
This first graphic is really cool to kind of explain it and
sorry if I was speaking over you, Scott, but down a little
further they kind of show you can see where the threat actor
is lurking in this timeline type format.

Scotty Rysdahl (35:05):
Yep.
So yeah, if they can use their, use a little bit of money to put
ads in the right people, like, let's say, they're targeting
people who use, enterprises who use a particular kind of
software, right, maybe like SAP or QuickBooks or something.
So maybe, if they know that they have a way to attack

(35:26):
QuickBooks, I guess this is a really bad example maybe, but
they would target those mal ads as to those search results which
you can kind of see in the first diagram up there, and then
they would, you know, Google offloads the click, right.
So somebody clicks on the ad in the search results, they

(35:46):
offload it, they send it to the ultimate destination and then
the attackers, like it's showing here, are able to you know sort
of launder that click through whatever intermediary points are
needed to kind of make Google or whoever not really care where
the ad is going, but then ultimately land at a malicious

(36:06):
page that maybe is meant to look like QuickBooks or look like
whatever it is that the target is.
And then I don't think we've talked about the Chrome
vulnerabilities yet.

Mandi Rae (36:18):
But that is a nice segue.

Scotty Rysdahl (36:20):
There you go, man.
You have three steps ahead.
So then they know that whenever the ultimate landing page is
for this attack that the people who get there are primed to
already, you know, either be vulnerable through, let's say, a
browser exploit or, you know, download, like it says here,
download grammarly.zip that contains the malicious content,

(36:46):
whatever it is.
So what better way to get your virus out there than through
Google, you know, the most used website on the Internet, to
target it with the most advanced ad targeting technology on the
planet?

Mandi Rae (36:57):
It's just feeding into this whole thing.
Threat actors have it easy these days.

Scotty Rysdahl (37:03):
Yeah, these Fortune 500 companies will do
all the work for them.

Mandi Rae (37:06):
Exactly.

Scotty Rysdahl (37:07):
Yeah, but to Mandi's point earlier, Josh,
this is another reason that you want to look into an ad blocker,
because this is pretty common and just like there are targeted
versions of these attacks, there are untargeted versions of
these attacks, drive-by downloads, as they call them,
where people just sort of end up at a malicious website.
And if you had a little more security, you know, automation,

(37:28):
looking at the places that you're going on the Internet,
behind the scenes you can avoid a lot of those kind of sketchy
parts of the Internet.

Joshua Schmidt (37:38):
I like hanging out in sketchy areas though.

Mandi Rae (37:41):
Go to the dark web.

Scotty Rysdahl (37:42):
Yeah, yeah, you can do that.
You just got to bring the right sort of, you know, prophylaxis.

Joshua Schmidt (37:49):
So, on that note, you know, what are some great
ad blockers, or what can I and other people do to block ads and,
to you know, secure ourselves even further?

Mandi Rae (38:02):
I was going to say I'll let you answer, but I'd
love to drive people to check out our personal information
security series.
It was a four part podcast series. Comes with checklists.
We go through ad blockers.
We also talk about other things like how to keep kids and teens
safe.
It looks really deep into your personal security and the things

(38:23):
you do banking.
Talk about cookies.
Cookie Is it Ghost?
Is that the name of it?
I'm trying to think of the one that.
Let me look and see what I have.

Joshua Schmidt (38:39):
Is this an app you're running like a VPN,
essentially, or is it?
It's a privacy ad blocker.

Mandi Rae (38:47):
I say ghost just because it looks like it's part
Pac-Man ghost but part Snapchat figure, you know.
So I just never really know.

Scotty Rysdahl (38:57):
Yeah, that one's good.
There's Adblock Plus, which has been kind of the standard
browser-based adblocker for a long time, it's,
they all have their pros and cons, but, yeah, putting
something right in the browser is a great way to go.
I know Google, for their part, has been fighting a war against
adblockers, for reasons you might imagine, for a long time,

(39:18):
and I think Chrome is going in the direction of not supporting
a lot of those things anymore.
That's probably a whole episode in itself.
But if adding extensions to your browser isn't the way to go
and there are security pitfalls with that too, because that
whole ecosystem is also fraught with, you know, mal, mal

(39:38):
extensions and things- Malvertising.
Yes, I really like that word.
But there are easier and harder ways to do it.
That can get pretty geeky.
There's a free project called Pi-hole.
I'm sure, Mandi, you've heard about this before.

Mandi Rae (39:56):
I mean, I use the word piehole quite a bit. These names
keep getting better.

Scotty Rysdahl (40:00):
This is why we're in Infosec.

Mandi Rae (40:02):
Nothing's more fun.

Scotty Rysdahl (40:03):
Yeah, so Pi-hole is something that you
actually install on like a little computer or a big
computer, whatever you have in your home, and it sits on your
local network and it sort of sits in the middle between you
and the internet, sort of like a VPN or a proxy, but different,
and it maintains its own lists of bad sites and it'll just
transparently, without any interaction with you, it'll just

(40:26):
kind of swat down those attempts to go to sites that it
knows are bad, which is pretty cool.
If you don't have the interest or the technical expertise to
set something like that up, there are free services, like
Cloudflare has one.
They're worldwide DNS networks, which we're going to get back
into the techie weeds here.

(40:46):
There's also one called Quad9.
But all you have to do is you go into, like your internet
modem, so the Comcast modem or whatever it is that you have, or
you could even just do it on each of your devices and you
change what's called the DNS server and without spending a
lot of time on this,
DNS servers are what turn names like yahoo.com into numerical

(41:08):
internet addresses that internet can use to get traffic and
bring it back to you.
Right, so you can use these services to do that translation
for you, and they're not just doing the translation, they're
also doing their own like threat checking against the results
that they return to you.
So this is by far the easiest way to do that is to use
Cloudflare, use Quad9, and just have your whole home

(41:32):
use that to resolve internet names into internet addresses,
and then you don't even have to think about it.
And if you go to a site that's sort of blacklisted or disallow
listed, it'll just flash up a page saying, hey, this is a bad
page, you shouldn't go here.
So yeah, I don't know.
Do we add things to show notes like this so people can use some

(41:53):
of those resources?
We could throw some of those in the notes.
Huh, you throw it in the chat, yeah we're on the website.
Yeah, yeah, I will.
So yeah, depending on your technical acumen, there you go
com.
Yeah and hey, if you wanted a personal security review, IT
Audit Labs has done those.
We've gone to people's houses and set up little network

(42:13):
security devices like this for people who are like VIPs, you
know.
So the CEO of a company might be worth spending a couple
hundred bucks to protect even in their home.
Or if you're just someone who has a particular threat that
they are concerned about, you know, maybe you've had a stalker,
maybe you've whatever.
Whatever the case may be, IT Audit Labs can offer that

(42:34):
service.
We're happy to come in and do a little home security hygiene
inspection and give you some tips.
There's the plug.
So I think we are.

Joshua Schmidt (42:46):
Piehole, shut your piehole.
Tm.
That reminds me of the one on Silicon Valley.
What was the company?
Have you guys ever watched Silicon Valley?
Their company was Pied Piper.
Yep, I love that.

Scotty Rysdahl (43:03):
Yeah, you know what we should do?
A whole episode on like cybersecurity portrayals in media.
That's actually a pretty fun topic and we could show some
clips and laugh about it.

Mandi Rae (43:14):
There's so many movies and so many shows.
I think we recently did a social media poll just talking
about like, have you guys?
Oh, I won't even bring it up.
Eric would be so upset if we talked about the new season of
Black Mirror but I want to encourage everybody to watch the
new season episode one, and let's do a podcast about it.
Really digs into data privacy to a crazy extent, but it's

(43:39):
incredibly entertaining, yep.

Joshua Schmidt (43:42):
I would like to do that too, and also maybe even
talk about some of our favorite movies.
Scott, you mentioned hacker, Hackers, yep.

Scotty Rysdahl (43:52):
Swordfish, The Matrix, what else is?

Joshua Schmidt (43:54):
I was at The Lawnmower Man.

Scotty Rysdahl (43:59):
Oh yeah, Hellraiser 2 or 3 takes place in
like the metaverse.
I think Ready Player One is a great one if you haven't seen
that yet.

Joshua Schmidt (44:08):
I have not seen that yet.

Mandi Rae (44:10):
Yeah, I was thinking about the social engineering
happening in shows, even just regular network like White
Collar, right, Blacklist or yeah.

Scotty Rysdahl (44:24):
Mr Robot.

Mandi Rae (44:25):
Yeah, Mr Robot is like my favorite.
Yeah, good call out.

Joshua Schmidt (44:30):
Well, there you go.

Scotty Rysdahl (44:32):
Even in a new episode.

Joshua Schmidt (44:34):
I was reading a Dean Koontz book and it was like
then I ate my Doritos, or like what?
This is oddly specific. Several mentions of different products.
This has got to be placed in here intentionally.
Yeah, cool, so let me pull this up.
The last article we want to talk about is Chrome and

(44:55):
its vulnerabilities.
During 2022, SecurityWeek reported on 456 vulnerabilities,
averaging 38 per month, including 9 zero-days.
The high number of flaws needed to be patched poses a simple
question: is Chrome safe to use?
Scott, can you first tell us what zero days means, because I
keep seeing that.

(45:15):
I think I know what it means, but yeah.
I want to get your clarification.

Scotty Rysdahl (45:19):
Yeah, yeah, it's a common term.
So it's a vulnerability that is disclosed typically with no
immediately available fix and also with the knowledge that
it's being attacked in the wild, as they like to say, like
already.
So it's the worst case scenario for a security vulnerability.

(45:41):
The world knows about it, people are weaponizing it to
carry out cyber attacks and the vendor, the manufacturer of the
software or device, hasn't released a fix yet.
So it's like everybody knows it's a problem and it just runs
wild throughout the internet.
For as long as it takes for people to patch and that's
usually not days, it's usually not even weeks, it's sometimes

(46:04):
months and even years that it takes for patches to get to make
it literally around the world and have full adoption.
And we talked earlier about some of the reasons that might
be.
You know, patches break things.
Patches often require you to have a support agreement or you
know a current supported version of a product.
So zero days are bad, but there's like this whole you know

(46:28):
time period of months where you know the world catches up with
whatever the released fix is, whenever it's released.

Joshua Schmidt (46:37):
Mandi, do you use Chrome?

Mandi Rae (46:40):
I do sometimes, but the thing that triggers me about
Chrome is very similar to like why I don't like TikTok.
You know how the privacy, data privacy was in question with the
TikTok user agreement and everybody was kind of up in arms
in that over this past year and it just kind of made me giggle
because it's like well, what do you think Chrome is doing?
Like everybody's doing this to monetize something, and so

(47:03):
they're looking at your locations, your searches, your
browsing history, and they're saying they're all doing this
for, like, personalization preferences.
But it's a monster.
So I use it in work and business, but not my favorite
browser.

Joshua Schmidt (47:21):
Do you use Edge, then?
Or what is your go-to? Gross.

Mandi Rae (47:28):
Safari or Firefox is what I predominantly use.
How about you?

Joshua Schmidt (47:33):
Well, I've been using Chrome since I got my new
computer.
There's certain things and websites that don't work very
well in Safari, like MinnesotaCare, for example.
I don't know why it doesn't like Safari and just won't open
certain pages.
But, Scott, what do you use?

Scotty Rysdahl (47:52):
I use everything.
It just depends on the context.
So, fun fact, Edge is actually Chrome.
A few years ago, Microsoft gave up on developing their own
in-house browser to some extent, and they took Chromium, which
is the open-source project that's developed by Google but
also by people outside of Google, and then they take that source

(48:16):
code and they build Edge using that source code.
So, under the hood, Chrome and Edge are essentially the same
thing, with little customizations from Google or
Microsoft, depending on which one we're talking about.
So if something affects Chrome, it's very possible it affects
Edge too.

Mandi Rae (48:32):
I'll have to see if I hate it less now that I know
that, because I don't know if it's an aesthetic thing or a
functionality thing.
But yeah, not my favorite.

Scotty Rysdahl (48:42):
It's just cool to hate Microsoft's browsers too,
because they're always kind of a joke.
But if you work in the enterprise, a lot of times it's
mandatory to use Edge especially, or maybe Chrome.
A lot of organizations do enforce standardization so that
they can support fewer things for their customers.
Firefox is great and it's been great for a long time.

(49:03):
It's privacy-focused.
It's a nonprofit organization that develops it.
It has a really good ecosystem of plugins with things like ad
blockers and privacy.
But just like Josh, you were saying about MinnesotaCare
because Chrome slash Edge is the you know elephant in the
room because it has the majority of users.
That's what most sites are developed for.

(49:25):
So does Safari get the same kind of developer attention and
debugging as Chrome when any company is developing a web app?
No, probably not.
And Firefox is even more of an afterthought because it has a
smaller slice of the user pie.

Joshua Schmidt (49:40):
You know, most people like me aren't thinking
about these things in the same way that you folks are.
So that's my role in this podcast, but hopefully I'll
learn a few things as we keep going.
But yeah, I don't think most people are thinking about this.
You know, like I mentioned previously, most of my cohorts
aren't even updating their OS, let alone worrying about things

(50:03):
like this.
So, yeah, it's quite shocking.
It's quite shocking.
Why is such a big company like Alphabet having these issues?
It seems to me from reading this article that it's a money
thing.
Once again, the security kind of falls into a secondary or
tertiary spot in terms of priority, below rolling out the

(50:27):
shiny new things they talk about in this article, and that's
just to capture market share.
That has really nothing to do with anything else other
than money.

Scotty Rysdahl (50:41):
Yeah, so there's a graphic that you find
in the IT world from time to time and it's sort of like this.
I remember it as a triad.
I could look it up, but it's like a triangle, and so there's
security on one point, features on another point, and then like
ease of use on the third point, and so your product is always

(51:02):
going to find itself somewhere within that triangle, and if
you're closer to one point, you're farther away from the
other two, and so if there's a finite amount of developer time
that you have to dedicate to something, what are you going to
do?
What are you going to prioritize: features, ease of use
or security?
And every software development manager has to make that

(51:25):
decision, you know, and so often features and ease of use get
prioritized and security gets a backseat because it doesn't get
across to the consumer as a benefit like the other two do.

Mandi Rae (51:40):
Until there's a breach.
Until there's a breach and they never.
I think that was really well stated.
And then everyone cares.

Scotty Rysdahl (51:44):
And then everyone cares and says how dare
you not prioritize security?
Yeah, it's an impossible battle to win.

Joshua Schmidt (51:51):
So what can we do to stay safe on these
browsers?
We might have already mentioned this, but if we could give
people a couple bullet points for the shorts and the reels and
let people know what can we do to stay safe on these browsers?

Scotty Rysdahl (52:07):
Well, in general, security is best
applied in layers, right?
Just like an onion or an ogre, you don't trust any one thing to
keep you safe.
You layer on the protection to make it harder for any one
attack to be ultimately successful, right?
So keep your browser updated is always good advice.
Use antivirus or PC security software that is capable and is

(52:33):
well regarded.
So nowadays that's things like EDR and XDR, which are kind of
the next gen antivirus and they're not just looking for bad
files, they're looking for bad behaviors, things like that.
So use a good personal security product like that.
Store your passwords in a password manager that's secure,
so that even if someone were to compromise your computer, it

(52:55):
would be hard to access those crown jewels, that really
important, sensitive information that you have.
Don't reuse your passwords from site to site, right.
Have secure passwords that are separate for each site.
So if one site gets compromised, like the OpenAI thing, those
hackers don't immediately have access to all of your other
services too.
Before you even hear about this hack I think someone mentioned

(53:16):
this earlier, I don't remember how it came up but delete data
that you don't need, right?
So a lot of corporations will have retention policies, right?
So if you don't need emails older than two years, if that's
company policy, just delete them, and then, if you get breached,
the hacker has less data that they can extract and misuse, and

(53:38):
that goes for personal stuff too.
If you don't need digital copies of your bank records
forever, store them offline, print them up, put them in a
filing cabinet.
So yeah, just look for layers, look for different ways to
increase your overall security.
It's a cumulative thing, and the more that you do, the harder
it's going to be for somebody to ultimately get to something

(54:01):
that really disrupts your life.

Mandi Rae (54:03):
That was really good.

Scotty Rysdahl (54:04):
Thanks.
I've given that speech like once a month for my entire
career.

Mandi Rae (54:07):
I'm not giving you anything money to add to it.

Scotty Rysdahl (54:10):
Oh, the DNS filtering.
So do use Cloudflare or Quad9 for your personal devices and
your home network to let somebody else worry about what
good and bad sites are, and so you can kind of browse a little
more carefree.

Joshua Schmidt (54:25):
I'd like to schedule my.

Scotty Rysdahl (54:26):
IT Audit Labs assessment now.
We'll probably give you one on the house.

Joshua Schmidt (54:33):
This is something I thought was really
interesting, kind of ties in to our conversation today and then
also my world, which is this music world: how Billy Corgan
paid off a hacker who threatened to leak the new Smashing
Pumpkins song.
So I guess this is becoming more and more common in the at
least the top 1% of the music world. Taylor Swifts, Smashing

(54:58):
Pumpkins, those top level musicians. I think there's most
musicians wouldn't care if someone leaked their song before,
if it got more plays on Spotify or any kind of attention.
But this seemed like a big deal to Billy because he actually, I
think, paid a hacker to get involved, to hack the hacker or

(55:19):
the hacker.
It stole several songs and was blackmailing him essentially
that they would leak the songs.
So I think this is going to become even more relevant to the
cybersecurity world, for even musicians, especially the top
tier ones, like I mentioned, hiring security firms to keep

(55:40):
their data safe.
I've also actually even heard of instances of stealing ideas and
going into top level producers like Max Martin, who does Ed
Sheeran.
He just he's done pretty much every hit for the last 10, 15
years.
But if you can hack into Max Martin's, you know, Pro Tools

(56:01):
computer at his studio, what kind of hits can you steal, you
know?
Or DJ Khaled what?
What do you?
What can you get?
You know how much fun would that be for a hacker, right, and
then also be able to sell that information to other producers,
or you know, or blackmail the record label, right, the same
thing happened, boy, like 10 years ago now, right? In the big

(56:24):
Sony hack.

Scotty Rysdahl (56:25):
you guys remember that Sony got breached
in like 2011 or something and the people, the attackers behind
it, were sort of blackmailing them and they were going to
release, you know, I think, if I remember right it was that movie
Joe Rogan and what's his name, who go to North Korea and

(56:45):
hang out with Kim Jong-il.
You guys?
Remember this movie oh oh yes.

Joshua Schmidt (56:53):
Was it James Franco or something he's from?

Mandi Rae (56:55):
Knocked Up, I can see him yeah.

Scotty Rysdahl (56:56):
James Franco yeah, it wasn't Pineapple
Express, but it was around that time.

Joshua Schmidt (57:00):
It was the same guy, Seth Rogen and James Franco.

Mandi Rae (57:03):
Yes, there you go, thank you.

Scotty Rysdahl (57:05):
The Interview.
The Interview, yeah, so that was one of the movies that was
stolen, I think, in that breach, and the hackers released it or
threatened to release it or whatever.
So just yeah, like the Corgan example, it almost doesn't
matter.
You know what industry it's in, everything's digitized nowadays
and everything has value.
So if you can break in somewhere, you find what's of

(57:25):
value and then you can extort and sell and it doesn't even
have to be tangible or streamable.

Mandi Rae (57:32):
Sometimes it's just proprietary data, sometimes it's
emails where people are saying things that they shouldn't be.

Scotty Rysdahl (57:38):
Yeah, the golden age of data breaches is
still here.

Mandi Rae (57:44):
So protect what's important to you and call IT
Audit Labs or go to itauditlabs.com.

Joshua Schmidt (57:51):
And shut your piehole.
I'm sorry, I'm not going to stop saying that today.
This was a really fun conversation.
I know we kind of wandered all over the place, but I think
that's great.

Mandi Rae (58:07):
You can stay up to date on the latest cybersecurity
topics by giving us a like and a follow on our socials and
subscribing on Apple, Spotify or wherever you source your
podcasts.
More information can be found on itauditlabs.com.