July 29, 2024 • 57 mins
Join us for the July 2024, live news episode of 'The Audit', where we cover the latest cybersecurity threats, ransomware updates, and AI advancements.
In this news episode, we tackle some of the most pressing cybersecurity issues of the month. Ever wondered how a ransomware attack could shut down a public library? We dive into the recent attack on the Seattle Public Library and explore a massive $37 million phishing scam that hit Coinbase Pro users. We also unravel the sophisticated gift card fraud by the Moroccan cybercrime group Storm 0539.
But that's not all. We discuss the potential threat of DNS bomb DDoS attacks and the intriguing use of Flipper Zero devices to hijack event wristbands. And for those interested in the intersection of law and cybersecurity, we examine the implications of the Supreme Court's recent ruling on cybersecurity regulation.
Amidst all the tech talk, we find time to ponder the existence of UFOs and share some personal stories about unexplained phenomena.
In this episode we’ll cover:
- Seattle Public Library ransomware attack and its impact
- $37 million phishing scam targeting Coinbase Pro users
- Moroccan cybercrime group Storm 0539's gift card fraud
- Potential threat of DNS bomb DDoS attacks
- Flipper Zero devices hijacking event wristbands
- Supreme Court's ruling on cybersecurity regulation
Stay ahead of cyber threats and AI innovations by watching the full episode. Don’t forget to like, subscribe, and share your thoughts in the comments!
#Cybersecurity #Ransomware #AI #TechNews #Phishing #ITSecurity #CyberLaw
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Joshua Schmidt (00:04):
All right and we're live.
It's Friday, july 12th, andwe're doing another news episode
today all things cybersecuritynews.
You're listening to the Auditpresented by IT Audit Labs.
As usual, we're joined by EricBrown, ciso at IT Audit Labs,
and Nick Mellom, and we're goingto chat about a few articles
that piqued our interest today.
But before we jump into it, howare you guys doing today?
Eric Brown (00:28):
Doing well, Josh?
Yeah, thanks.
I'm at an undisclosed locationtoday, so bear with me on the
technology.
Nick Mellem (00:37):
CIA safe house.
Yeah, I'm also doing well.
Eric Brown (00:41):
Well, nick, you know it's interesting in just kind
of in some of the things thatwe've been talking about
recently.
I learned that josh was anaficionado of a couple of things
outside of music, right?
Oh boy, yeah, here it comes oneof those being us and
(01:06):
conspiracy theories.
Nick Mellem (01:08):
Okay.
Eric Brown (01:09):
So I was asking Josh , josh, I forget how we were
talking about this, but one ofthe things that we were talking
about was there was recentreporting and declassification
of UFOs and how now they're notcalled UFOs anymore, I think
they're.
Then they went to like what?
(01:30):
Something aerial phenomenon orsomething UAPs.
But then it changed becausethere were some that were not
aerial like they're going in andout of the water and there was
some sort of news aroundmilitary pilots that had
identified some of these objectsand maybe some of their unique
(01:52):
trajectories.
Had you heard about that?
Joshua Schmidt (01:55):
Of course, yeah, of course.
The biggest piece of newsrecently was last October, when
David Gersh testified beforeCongress about his experience.
Oh no, oh no, yep, get them on,boys, hit us with the facts.
Nick Mellem (02:17):
Josh Hit us with the facts.
Joshua Schmidt (02:18):
Military guy.
So pretty credible, prettycredible.
So I have to preface myinterest in UFOs because I grew
up in a very remote part of thestate, overlooking Lake Superior
, and people see quite a fewthings out on the lake that they
can't explain because, you know, it's very dark up there.
You can see the firmament verywell.
Eric Brown (02:40):
But isn't there like an Air Force base up there?
Joshua Schmidt (02:42):
Well, there's a few airports.
I mean, I think that there'ssome activity coming from Duluth
, maybe across the border.
I know there's a lot ofairplane traffic monitoring the
Canadian border being just twohours from the Canadian border.
So take that for what you will.
I'm really blushing because youguys have your tinfoil hats
(03:03):
ready.
That's amazing we're going todo.
You guys have your tinfoil hatsready.
Amazing, we're going to do.
A full on tinfoil hat episode.
Nick Mellem (03:08):
We're in full support of you, Josh.
We just want to make sure ourmind's dead clear for the best
of our clients.
Joshua Schmidt (03:14):
You might want to keep those on for a couple of
the articles we have selectedfor today.
Eric Brown (03:20):
So any UFO stories Josh.
Joshua Schmidt (03:23):
Well, I have seen one UFO.
When I was a child with mymother, we were driving down
Highway 61 in Grand Marais and,yeah, unidentified flying object
, just what it sounds like, notsaying it was aliens, but it was
certainly an identified flyingobject.
Nick Mellem (03:42):
So it came over our car.
What did it look like?
Joshua Schmidt (03:45):
Well, it was dark so it was just lights.
And as we traveled down thehighway it kind of followed the
car above the tree line anddidn't make any noise.
It was probably a few hundredfeet away from our car.
So it wasn't a helicopter wewould have heard that and it was
flying way too slow to be anairplane, like maybe one that
you might be flying.
Eric Brown (04:12):
Haven't you seen anything strange?
Joshua Schmidt (04:14):
up there in the sky, eric, when you're flying
around.
I haven't, unfortunately, haveyou ever heard of?
Eric Brown (04:17):
a phenomenon called St Elmo's fire.
I know the movie, but I don'tknow the phenomenon.
Joshua Schmidt (04:22):
Yeah, I have a friend that's a pilot for
Southwest and it's some sort ofa weather phenomenon where I
think there's like glowing,there's like a glowing texture
or something like that, thatmaybe you can show up on the
airplane or in the sky.
So maybe that's what I saw.
You know, maybe it was somekind of a weather phenomenon,
(04:43):
but it's always piqued myinterest also a big fan of
horror movies.
So another thing that sent mymind going wild on that when I
was a kid was, uh, the moviefire in the sky.
Have you ever seen it?
I don't think I have supercreepy movie.
Um, it's probably one of thethe top ufo, uh alien movies out
there.
Um, I highly recommend it.
(05:04):
I think it came out in theearly 90s.
It's based on a true story.
Freaked me right out when I wasa kid, that kind of being
scared plus being superinterested in that.
That's where I'm coming from.
Nick Mellem (05:19):
What did you guys say?
That UFOs are called now UAPs.
What does it say?
Eric Brown (05:25):
unidentified aerial phenomenon got it, but I think
they're changing that becausethey're in the water now to uh.
Yeah, that would be a separate.
Joshua Schmidt (05:34):
I think that's underwater phenomenon or
something like that.
I'm not.
I'm not quite up on the on the.
Eric Brown (05:40):
Have you seen the movie?
Joshua Schmidt (05:41):
contact jody foster of course, yes, that's a
great, great movie.
Nick Mellem (05:45):
That's a good one.
Well, we all know Signs,remember Signs with Mel Gibson.
Eric Brown (05:49):
Oh speaking of M Night Shyamalan.
Right, the movie Sixth Sense,awesome movie, great movie, and
then they all kind of wentdownhill from there.
So do we think M NightShyamalan actually wrote Sixth
Sense, speaking of conspiracytheories?
Joshua Schmidt (06:06):
Who think m night shamlon actually wrote six
cents speaking of conspiracytheories.
Now, no, I'm, you know.
Yeah, I've kind of lost myinterest in him.
My favorite director right nowis robert eggers.
I don't know if you've seen thewitch or, uh, the north yes, I
have.
Nick Mellem (06:18):
Yeah, what's the second movie?
Joshua Schmidt (06:19):
you said, josh the witch and what the northman?
Nick Mellem (06:22):
yes, seen them both yeah, yeah.
Joshua Schmidt (06:26):
So, uh, you know , that's where my interest when
the ufo stuff comes from, mostlymovies and and being in a small
town with not a lot to do andjust looking up at the sky a
whole lot, I don't know.
Speaking of weather events, Iguess we already did our
icebreaker, but we're kind ofdragging out the intro today.
But, uh, do you guys have anick?
You were just through ahurricane, weren't you?
(06:46):
So I wanted to ask you knowwhat was a weather event that we
had a good story to share thatmight have affected our lives?
Nick Mellem (06:53):
are weaker, or a day, oh boy.
Well, I can kick it off.
Mine was very recent and thiswasn't the first one I've been
through.
I went through two tsunamis inJapan in 2011,.
Joshua Schmidt (07:09):
2012 timeframe and an earthquake there.
Nick Mellem (07:12):
So pretty interesting to go through that.
But most recently on Monday wegot hit by Hurricane Beryl.
It hit the coast at Category 1hurricane and we had like 6
million people or something inHouston without power.
We only lost power for like anhour and a half, uh, but we went
without internet services forabout almost two days.
(07:33):
So it was you really learn howmuch you use and need the
internet to stay connected anddo anything, cause you also had
like no cell service.
But uh, we're really lucky.
A lot of people in the areastill don't have power.
Um, I know they said maybeit'll be take till like monday
to restore to restore power.
A lot of flooding trees down.
(07:54):
So it was, uh, more or less onlike a freight train going over
the house and or or, uh, ifyou're in the midwest, a tornado
sitting by your house for likealmost two hours is the best way
I can explain it Sideways windspelting the windows.
So it was I wouldn't say it wasscary, but it was a little
(08:15):
worrisome, let's say of like,wow, this is like.
We're stuck here, don't havepower, don't have internet.
Just got to ride this thing out.
So it's pretty interesting.
Are you looking at Starlink.
It's funny you bring that up.
I was going to place an orderfor one because I don't want to
be without internet Obviouslyone for my family if we need to
call emergency services.
But because the cell towerswere down, I had my phone.
(08:39):
The way I was able to work onMonday after the storm, tuesday
and Wednesday when we didn'thave power or Internet, excuse
me, was having my phone out inthe middle of my yard on like a
little nightstand table kind ofdeal that we have on the patio.
Put it out in the middle of theyard and turn my hotspot on just
to get one bar of Internet satin our master bedroom, which is
at the back of the house, satagainst the window so I could
(09:02):
connect to it.
I was able to join meetings.
It was pretty spotty butdedicated to the customers to
get online.
Joshua Schmidt (09:11):
It's a good thing you're a prepper, Nick.
Did you have to bust into yourpowdered milk stash?
No, I still got all that intact.
Nick Mellem (09:17):
Before we went down , I was prepared, filled up the
vehicles with gas, got someextra bottled water, got my
daughter some extra food and, um, I was ready to go.
I still got all of my uh,what's it called?
Wise, wise company?
I think it's called they makethe prepper packs.
I'm not a crazy prepper, buthey, you gotta have some extra
food on the side.
(09:38):
And you know what?
Maybe I don't know, maybe Idon't, because it seems like
anytime like this happens,people just buy toilet paper
instead of food, so maybethey'll leave the food for me.
Joshua Schmidt (09:49):
How about you, eric?
Any weather events that arememorable.
Eric Brown (09:52):
Probably the most memorable.
Not really a weather event, butI was in California during an
earthquake one time and it wasinteresting.
I was pretty young one time andit was interesting, I was
pretty young, but I've certainlybeen in bad weather but nothing
(10:13):
that stands out as really scaryor bad.
Joshua Schmidt (10:14):
Although I've experienced a UAP, I've never
been through an earthquake,tornado, hurricane, so that's
one of the upsides of living inthe good old Midwest here in
Minnesota.
I do remember the storm of 91,though we had a blizzard on
Halloween.
I was just a little guy dressedup in my Ninja Turtle costume
and the snow was up to theshoulders during our
(10:34):
trick-or-treating run.
So that was mine.
I'm glad you're doing well,nick, and I'm glad you're safe
and sound.
Thanks, al.
Family's doing well.
Well, let's jump right into itguys.
We've covered a lot ofterritory here already today.
Yeah, we're just going toswitch gears.
Coming from Spiceworkscom, closeto 10 billion passwords exposed
(10:57):
in possibly the biggest leakever.
On July 4th, a hacker Obamacareposted a compilation of nearly
10 billion unique passwords on aleading hacking forum.
The leak is expected to bebuilt on a prior RockU 2021
compilation of 8.4 billionpasswords.
So you know, is this somethingthat can be picked up by?
(11:19):
You know our Apple securityfeature.
If we're using an iPhone, isthis going to show up?
Is it time to change ourpasswords?
This is another good call for aBitwarden or a password manager
.
Eric Brown (11:31):
What's your guys' take on this?
Yeah, multi-factorauthentication, of course, is
going to be a big help, and thenone password to one login login
.
So if you're logging intowhatever service, that password
(11:52):
should be unique and separatefrom any other password that you
use for any other service, andreally the only way to do that
is with a password manager.
It's really hard to remembermore than a handful of passwords
, but you could have a couplehundred or even thousands of
passwords and that passwordmanager.
You mentioned one Bitwarden.
There's a couple others thatare good as well, but that's
(12:13):
really the best thing that youcould do.
So when I see something likethis, I immediately think you
know, credit freeze, right,making sure that your credit is
frozen.
Making sure that your credit isfrozen.
Not that this directly hasanything to do with threat
actors getting to your credit,but in these sorts of links
there could be a secondaryexposure where social security
(12:37):
numbers are leaked or other PII.
So I'd just like to make surethat the credit's frozen and
then, if you were, if any ofyour accounts were involved in
the breach, that's where you goin and you just change that
password.
So in your password manager youcan just, you know, change the
password that was impacted andyou can use a site like have I
(13:02):
been pwned?
So, since you're sharing yourscreen there, josh, do you wanna
pull up?
Have I been pwned?
And then, if you're justlistening, not able to see his
screen, it's just have I been?
And then P-W-N-E-D, and this isjust a great resource to check
to see if you have an accountthat has been pwned or involved
(13:27):
in a data breach.
So do we have a volunteer tothrow a email address in here?
All right, let me give you oneof mine.
So, eb at b aA-I-Ccom.
Joshua Schmidt (13:45):
I for Fraud in February 2023.
Data alleged to be taken fromthe Fraud Protection Service's I
for Fraud was listed for saleon a popular hacking forum.
Are these all being picked upby?
Like the Apple security feature, eric, when you sign into your
settings and then you go topasswords, right, I don't know
if all of our listeners knowthis, but yeah, just go into
(14:05):
settings, go into password andthen there's security
recommendations and it will showyou all of your emails that
have been compromised.
Eric Brown (14:15):
It will pick them up .
It uses services like this.
Troy Hunt is the curator ofthis have I Been Pwned list and
it would pull up lists that arecurated that would contain
previous breaches, right?
So this one.
It's interesting, right?
Because I never signed up forthis particular service.
(14:36):
So Kent volunteered his emailas well.
We could take a look at thatone.
I might have a few more, butthis eye for fraud is a good one
, just talking about how, whenwe want to maintain a one-to-one
relationship, I don't knowwhich service may have been
(14:56):
picked up by the eye for fraud,since I never subscribed to a
discrete service from thatcompany.
It's an aggregator and Kentjust gave us his.
There's a few in here that arediscrete services that Kent
could go in and change thepassword, and some of these are
(15:16):
quite old.
But, if you look right, I thinkAdobe was in there, canva was
in there, but you could then goin and discreetly change, say,
your Adobe, or was that a Fitbitone or your Fitbit account.
Joshua Schmidt (15:33):
Kent, you're going to have to change your
DatPiff password.
Nick Mellem (15:36):
Get some work to do .
Joshua Schmidt (15:37):
That RAP mixtape can't be getting vulnerable
with the RAP mixtapes.
I'd love to hear that RAPmixtape, by the way.
Maybe we could get a link tothat.
But yeah, this is a greatservice for people to be using,
obviously in conjunction withsome of the other things.
So you're using a passwordmanager, eric, I assume, and
(15:58):
then you're still gettingbreaches or leaks happening with
your credentials.
Eric Brown (16:03):
That account that I?
Yeah, because the passwordmanager is not going to stop you
from getting breached, right,the third parties, where the
things that you're signing upfor are the ones that are having
the security exposure.
So the companies that you'resigning into with your login
credentials are then breached.
(16:23):
So a password manager, the onlything that's going to do is
make it easy for you to changethe login and password for the
particular organization that wasbreached.
Does that make sense?
Joshua Schmidt (16:38):
Yeah, so you have to stay up to date on it
and be checking it andmonitoring the situation.
Eric Brown (16:43):
Yeah, and you want to just continue to maintain
that one-to-one relationship,and by the one-to-one meaning,
for example, with Kent, wherethere was a few here, where this
particular Gmail account wasinvolved in the breach.
If Kent was using the samepassword across multiple sites,
(17:04):
that's where you can get intotrouble, because the malicious
actors are just scooping up allof those you know, the hundreds
of thousands, billions ofaccounts and then they're just
scripting out and brute forcinglogins across multiple sites.
So you just if you know that'soccurring, and you just change
(17:25):
the one that was breached.
You don't have to worry aboutthe other ones.
Joshua Schmidt (17:27):
And from my understanding, these were just
passwords that were leaked.
So the risk would be combiningthis information with previous
breaches and linking thosepasswords to usernames, emails
and such yeah and social nearingright, Nick, Happened on the
4th of July.
Nick Mellem (17:46):
Once again we see another event or a holiday
opportunity for hackers toexploit uh, people kind of being
checked out, I mean I thinkwith the you know, yeah,
obviously, the socialengineering piece you know with,
like open source intelligence,you know they're pretty easy.
It's pretty easy to attachthese passwords.
You know you get the differentaccounts, you know You're able
to correlate where these arecoming from if they want to
(18:07):
carry out an attack.
So, password manager, obviously.
But we always talk about MFA.
Right, if you don't have MFAright now, it's almost 2025,
right, we want to get thatimplemented everywhere.
Even on social media, I see alot of people not using know,
not using MFA for throughFacebook or LinkedIn.
That's so easy to set up.
(18:27):
You know you, you gotta do it.
And for a lot of people, too,they think, well, it's just my
Facebook account or LinkedInaccount.
Well, that might often be wherea lot of people have you know
personal information where youlive, where you work, you know,
so things.
For somebody like me that likesto do social engineering,
that's like a one stop shop forme to formulate you know talking
points to whatever it is Right,maybe I can figure out what
(18:51):
bank you work for or whathospital you work at, and it's
kind of a gold, gold mine ofinformation.
Joshua Schmidt (18:59):
So when you guys see a breach like this come
through the news, are youadvising organizations to take
any actions when you see this,or is it more of just the same
rhetoric of?
Eric Brown (19:09):
getting a password manager.
Joshua Schmidt (19:10):
MFA.
Eric Brown (19:11):
Yeah, hopefully we've gotten in front of it and
we're working on things thatthey can do to stay in front of
this sort of events, becausethese events happen,
unfortunately, more and morefrequently.
So, using tools that arelooking at the curated lists and
making sure that users can'tselect a password that was on a
(19:36):
list previously, or that thepasswords are long enough or, of
course, that they have MFA inplace and certainly MFA is not
infallible Now you have to havethe right kind of MFA.
So it's just unfortunate, right?
We just have to continue tostay on top and continue to
educate and research and learnand make sure that the advice
(19:58):
that we're giving is relevant,because advice that we give
today would be maybe differentthan it was 10 years ago.
Nick Mellem (20:05):
Continue to play offense instead of be reactive
to all these issues.
It just seems like thesearticles just are.
It's a daily occurrence wheresomething is coming up like this
.
Joshua Schmidt (20:14):
Yeah, and so you guys are the experts.
You're sitting down with theseorganizations, walking through
all these types of things whenyou do an assessment, sitting
down with these organizationswalking through all these types
of things when you do anassessment.
Is this kind of part of theinitial assessment when you work
with an organization and anongoing after that?
Eric Brown (20:28):
It depends on the type of engagement we'll have
with the organization.
Certainly, if we're doing moreof a security review or
vulnerability assessment pentest, what have you upfront?
These are some of the thingsthat we'll take a look at and
we'll certainly take a look atit from the attempts to exploit
the organization to really talkwith them about maybe weaknesses
(20:51):
that were in place.
But if it's more of an ongoingconsulting relationship, then
you know we'll certainly doperiodic testing, but along the
way.
You know we'll certainly doperiodic testing but along the
way we'll put practices in placeto help shore up the users from
(21:11):
a policy perspective.
You know we talk aboutadministrative controls,
technical controls, physicalcontrols, where an
administrative control would behaving a policy that says that
you have to have some form ofMFA in place, that you have to
have a password of certainlength, and some of these things
are regulatory requirements aswell.
But we'll have thoseadministrative controls and then
we'll have the technicalcontrols to make sure that those
(21:33):
things are in place and thatthere's the ability to inspect
the password when the userchanges it, that they're not
changing it to something like asummer 2024 or company name 2024
.
Just making sure that there'sthat good password hygiene in
place.
Joshua Schmidt (21:51):
All right.
Well, let's shift gears to ournext article here.
This is a little bit more highlevel.
Shout out to our listeners.
We have a really excitingepisode coming up with a woman
named Melissa Stivaletti.
We talked a lot about OSINT andpolicies around cybersecurity
in the intelligence community,but this is a high level article
(22:13):
that came out just recently onJuly 8th, the Supreme Court
ruling threatens the frameworkof cybersecurity regulation.
Apparently, the Supreme Courtstruck down the Chevron Doctrine
, which will have a major effecton the determination of
enforcement of cyber regulationsin the US.
So I had to read this article acouple of times to kind of get
my head wrapped around it.
(22:34):
But from a high level.
Do you guys have any insight onhow this ruling will affect
cybersecurity, do you guys?
Nick Mellem (22:41):
have any insight on how this ruling will affect
cybersecurity.
My initial thought, josh, sameas you read it a couple of times
to try to suck it all in, butI'm struggling to form if it's a
(23:05):
good thing or a bad thing otheragencies aren't able to just
craft rules and laws as they seefit.
Where it gives the power backto maybe us or the users or
whoever, to have Congress putrules in place, laws in place,
and that's what's driving theoutlook there versus just maybe
an agency going rogue.
So I think that's the thoughtof maybe it's good, but I think
it could go both ways.
Joshua Schmidt (23:23):
Yeah, other than the expediency, what would be
the benefit area?
Eric Brown (23:27):
You know, with Nick, I kind of see both sides of it,
right.
You know, unfortunately some ofour agencies are more
specialized, like theorganization that's part of
Homeland Security called CISO,which is doing a lot of great
work, hands-on work withcustomers in the public sector,
(23:49):
with customers that havecritical infrastructure.
So water treatment, wastewater,electricity, power generation,
transit, right.
You know're they're workingwith organizations that are
critical to infrastructure.
You know, nick talked aboutpower being out for two days due
(24:09):
to a weather event.
Well, power could be out fortwo days or much longer due to a
cyber event as well, and sisais working hands-on with these
organizations to help themunderstand where their risks are
and certainly to help them havebetter security in place.
Not that they don't want to,but CISA has visibility across
(24:34):
multiple organizations andthey're getting intelligence
feeds from other organizationsin the government sector that
might show oh there's you, us.
That could be concerning on onehand, because leaving it up to
(25:07):
the judicial branch, wheretraditionally there's probably
not as much of an understandingof cybersecurity and information
security at a detailed level asthere is with a specialist
organization like CISA, On theother side of the coin, I see
that some good could come out ofit where you have organizations
(25:32):
like the Bureau of CriminalApprehension, which is a state
organization that interpretsgovernance from the FBI on how
to implement technical controls,and then the BCA is essentially
(25:52):
the they own and managecriminal justice information,
right, so important informationthat comes from the FBI?
Right, the FBI certainly is theorganization ultimately
responsible for this criminaljustice information.
And then the interpretation ofthe BCA at the state level and
(26:13):
then the BCA's interpretationand enforcement within local
agencies sometimes becomesproblematic.
I'll give you a for instancelocal agencies sometimes becomes
problematic.
I'll give you a for instancewhere we've got, say, a virtual
server farm and that consists ofseveral computers in a cluster
and you could have tens ordozens or hundreds of individual
(26:34):
virtual machines, virtualservers, in this cluster of
servers.
Virtual machines could haveencrypted communication between
them, which is good.
They could be stored with theirdata at rest, stored in
encrypted hard drives and thedata coming off of those systems
backed up and encrypted andstored that way, immutable,
(26:57):
off-site.
What have you right?
All good things, all goodthings from a hygiene
perspective, but yet the BCAwill come and tell you that you
cannot co-mingle.
And again the BCA in the stateof Minnesota would come and say
you cannot co-mingle yourvirtual machines that contain
CGIS data in with virtualmachines that don't, so you
(27:21):
can't have this commingledenvironment.
Well, it doesn't make any sense, right?
Everything is already encryptedin transit at rest.
So you have network policies inplace that don't allow
communication or movement ofdata between those machines.
It's like they're alreadyseparate and you're using
encryption to separate them.
(27:43):
They would postulate that youstand up a completely separate
virtual environment, which onpaper doesn't sound like a big
deal, but that could meanmillions of dollars to an
organization's IT department,where now you have to stand up
and manage this completelyseparate VM infrastructure.
You've got to pay for licensing, You've got to pay for all of
(28:04):
the things associated withmanaging that environment.
Well, I would rather take thatmillion dollars, or whatever
that investment was, and spendit on potentially education,
other security tools, other waysto prevent the threat actors
from doing harm in anorganization.
It's just it's wasted money inmy opinion, and I don't like the
(28:25):
BCA's interpretation in thestate of Minnesota of FBI's
governance on how to managevirtual machines and again, it's
state by state could bedifferent in other states.
Joshua Schmidt (28:37):
It seems like, you know, pace of technology and
cybersecurity is moving so fastit's hard for our lawmakers and
the bureaucracy and the machineto kind of work at the pace of
technology.
So something that we're goingto stay on top of is this
something you guys are going tosee how it plays out in your
day-to-day jobs, or do you haveany kind of projections on how
(28:58):
this will affect your day-to-daywork?
Nick Mellem (29:00):
I think there's going to be a lot of situations,
like Eric was just explaining.
Right, there's going to be alot of turbulent air where we're
trying to figure out which waythese organizations are going.
Like we said, it's going to begood or bad, so we'll see.
It's going to take a little bitof time for things to change.
I don't think we're going tofeel it for a little bit.
It's going to take a little bitof time, so we'll see what
(29:23):
happens.
You know, I guess my other fearis going to be you know, it's
going to get caught up in courtsystems, right?
All these bigger organizationsare going to spend time instead
of shoring up their organization.
They're going to fight it,right?
So there'll be a lot of timespent in courts and we'll have
those issues which probablywon't affect us directly for a
while, but probably a lot ofunnecessary situations are going
(29:43):
to come up out of it.
So it's good and bad, but we'llsee what happens.
I think it's going to take awhile before we see any ripples
of this effect.
Joshua Schmidt (29:52):
Sounds like another case of the lawyers
coming out ahead in thissituation.
Good job security?
Probably so.
So, nick, I see you're wearingyour military green today.
We got a military adjacentarticle for you, buddy.
Nick Mellem (30:05):
Just for you.
Yeah, I thought this one wasreally interesting, yeah so did
I, and I pulled this up.
Joshua Schmidt (30:10):
I immediately thought of you.
Guard Zoo malware targets over450 Middle Eastern military
personnel.
This is coming from the HackerNews, one of our favorite sites
to grab these articles from.
This came out July 9th.
Military personnel from MiddleEast countries are the target of
an ongoing surveillance wareoperation that delivers an
Android data gathering to a cultguard zoo.
(30:30):
The campaign, believed to havecommenced as early as October
2019, has been attributed to aHouthi aligned threat actor
based on the application lurescommand and control c2 server
logs, targeting footprint andthe attack infrastructure
location, according to lookoutnick.
Let's start with you know.
My question was, first of all,what was your cyber security uh
(30:54):
experience in the military?
Was that something that wastalked about frequently?
I mean, you guys have yourphones on you just like
civilians, or um, is thissomething that's being chatted
about constantly, or what's the?
Nick Mellem (31:05):
Yeah, I would say well, this was 12, 13 years ago.
In the grand scheme of things,not very long, but in the
cybersecurity world that'sbasically a lifetime.
So a lot of things have changed.
But going back to when I was in, yeah, when we were on local
military bases local militarybases, friendly bases right, you
had your phone, had servicejust like you would as a
(31:29):
civilian.
But when we deployed to theMiddle East Afghanistan, kuwait,
iraq, you know, so on and soforth you could bring your phone
, but either you had to takeyour SIM card out or location
services had to be turned off.
Most of the time the commandwould make you, you know, you
had to take a SIM card out Backthen.
We're moving to eSIMs now, orthat's the way most of the
(31:51):
phones are, you know.
So we had physical SIMs, thentook them out and they
physically checked this.
So right, and what this articleis getting at here is they're
uploading the software.
It sounds like it's mainlyAndroid, but once the software
gets on the phone, they're ableto get location services and
many other things.
(32:12):
Well, the fear to me, and why wedid it during my time of
service, you know, overseas, incombat zones was A.
They can figure out movement,movement, how often we're doing
it.
When we're doing it, when welike to operate, you get all the
tactics, um, that we like, and,and the same is for the, uh,
the friendly forces it sounds ofthe middle east in this article
(32:34):
, um, and it allows them, youknow, for cyber attack, physical
attackes, all those differentthings that come into it.
So there's a you know, it's anoverwhelming amount of fear with
something like this, becauseyou can't protect it.
Well, you can protect it with,with software, right, to get rid
of this, and I think Google hasremoved it from the play store,
(32:56):
um, I read this article orblocked, uh, blocked it from use
, but it sounds like there'squite a few different
applications that are doing this.
But the fear is, you know,they're getting the actual
locations where the people areand that's wherever they go.
So you fear for your loved ones, and we know that you know
these, these nation state actors, terrorists, wherever you want
(33:18):
to classify them, as they'regoing to use all this
information, you know, againsttheir adversary, which you know
are trying to fend them off, andthey're going to use all that,
and they're getting this throughthrough WhatsApp, right, and a
lot of people use that, you know.
So there's a lot of fear hereon what could actually happen,
right For, like I already said,loved ones, military tactics,
and where bases are located,where they entry and exit points
(33:40):
, egress points.
So this is chock full of a lotof worrisome information that's
getting out.
Joshua Schmidt (33:48):
Sounds like a threat that the military needs
to stay on top of.
They're using WhatsApp and itsounds like a social engineering
type of attack.
Right, they also mentionedtelemetry data.
What is telemetry data?
Is that kind of triangulatingyour position to figure out
where you're moving and all thatfingerprint dust or whatever we
(34:08):
want to call it that you canpick up on to gather more
information?
Nick Mellem (34:12):
Yeah, I think it's all that.
I think it's all thatinformation that I was kind of
speaking on with you know,location tactics where bases are
things like that.
And what they mentioned httpflood attack, oh look, I didn't
actually realize that they wereusing the actual flood attack,
but I think it's like the, thescripting, where they're, you
know, using the actual scriptfrom the browser and they're
(34:34):
able to go different placeswithin your phone.
So I think it's like a lot whattheir way they're using.
Joshua Schmidt (34:39):
It is like lateral movement, uh, with the
device yes says this wasoriginally marketed as commodity
malware for the one-off priceof three hundred dollars.
So this is something that'ssitting on one of those hacker
forums or you can just purchaseand, um and on a previous
episode they mentioned, uh, oneof our guests mentioned that
they may even have like an itdepartment for some of this
(35:00):
malware that you can purchase.
Nick Mellem (35:01):
So do you guys like a jump box right?
They're able to jump fromdifferent device to different
devices.
Eric Brown (35:08):
I think what they were referring to in in that
particular instance wasbasically just a ddos attack, so
distributed denial of serviceusing the http protocol, so
basically taking a machineoffline through lots of http
traffic to that machine, or thatdevice and we talked a little
bit about that on our last newsepisode as well.
Joshua Schmidt (35:28):
That man in the middle ddos attack.
Yeah, you can check that lastepisode out for more information
on that.
Um, you know, and they wereeven using these military style
uh icons, you know, to kind ofgrab people's attention.
So a concerted effort to attackthat community.
Maybe you guys could give us alittle insight of what other
types of fallout Nick, you'dmentioned some of the things,
(35:51):
but maybe Eric, you could chimein on a high level what types of
fallout can be imagined from anattack like this?
Eric Brown (35:59):
Well, yeah, just to continue on with what nick was
saying, I think we're seeing hasbeen certainly evident in the
ukrainian war with with russia,where both sides were leveraging
the individual's personalmobile devices to understand
(36:20):
where they were physically andthen launching attacks against
those locations.
So it's, you know, humans areconducting tactical or kinetic
warfare and humans, as we know,are the weakest links in
cybersecurity.
So, having that mobile device onyou and maybe what if you
(36:44):
didn't obey what command said,right, and you have another
phone that you haven't destroyedthe SIM card or disabled the
SIM card, and it sucks, right,war sucks.
You want to get a message home,let your loved ones know you're
going to sneak a message out.
Well, that can put a lot ofpeople at risk and if you're not
(37:05):
well steeped in cyber orwell-educated, you don't
understand those risks.
You don't know how, you knowjust having your phone on could
beacon out a location.
So just, and then I'm sure Nick, you know, can talk about how
the education that you know thathe went through while he was in
, but just the education thatpeople who are maybe closer to
(37:27):
the frontline, or deliveringservices to the frontline you
know, red Cross or ancillaryservices that aren't maybe
directly military, could impactthe lives of military personnel
by just having personal deviceson them and moving through areas
of conflict, because they couldbring that attention to areas
(37:50):
where attention is not wanted.
Joshua Schmidt (37:52):
Super interesting.
That's a heavy topic and, Nick,did you have anything to add to
that?
You kind of mentioned thatthere was some talk around that,
but just do.
Is it much more prevalent thesedays?
Do you stay in touch with anyof the other people that are
still in the military and kind?
Nick Mellem (38:08):
of talk.
I do, yeah, I do, we.
We don't often, you know, talkabout cybersecurity per se, but
I think, you know, going back toat least my time, I don't think
we talked about it nearlyenough.
Right, we were all focused onour job, you know, in and out of
the Middle East, butcybersecurity certainly wasn't
one of our main focuses.
You know, we had our badgesright with a little cat card on
(38:30):
it.
You use it to badge into themachines and that was really
kind of the extent of thecybersecurity training.
Besides that log in, log out,password, you know, protection
piece.
That was besides email andphishing.
Those are kind of the only twothings we really talked about.
So you know, I would assume,especially nowadays it's been 10
, 12 years that with how muchmore we're connected on that,
(38:53):
they're doing much more in-depthtraining just because of how
much more technology has come upand how much more we're
connected, of how much moretechnology has come up and how
much more we're connected.
Joshua Schmidt (39:02):
Yeah, as we progress our technology, maybe
this next article will be of aidto our military personnel at
some point, but we'd be remissnot to talk about AI at least
once an episode.
We haven't brought up the catthing yet, so I'm a little sad.
So you guys better, if we'redoing the tinfoil hat thing,
maybe the tinfoil hat thing istaking the place of the cat
(39:25):
jokes.
We're so excited about thetinfoil hat thing I know Gold
star for you guys.
Eric Brown (39:33):
We still didn't get enough out of Josh, because Josh
could pontificate for quite awhile on some of these
conspiracy theories and UFOs.
Joshua Schmidt (39:41):
We better pace ourselves on that one.
Eric Brown (39:42):
I gotta get more prepared he got shy on us, nick
that's right, we all do as longas we are on that topic.
Joshua Schmidt (39:50):
Briefly, you know, one thing that I do think
is really interesting about theuap phenomenon, as there's been
plenty of military personnelthat have reported those things
shutting off, you know nuclearfacilities um, there's tons of
stories about you know peopleworking at military bases and
and seeing these things on radaror visually, uh reporting them
(40:11):
from an uh a fighter jet, forexample, and then confirming
that on radar.
Lots of interesting stories.
Whether they're true or not,I'll leave that up to the
listener.
But uh stories, whether they'retrue or not, I'll leave that up
to the listener.
Nick Mellem (40:25):
But you know we could only be so lucky to be
protected by the grays.
Speaking of the next episodewith the hat.
Joshua Schmidt (40:31):
Oh yeah, I'm gonna get a hat.
All right, yeah, but you know,speaking of advanced technology,
how can I make security moreproactive and less reactive?
This is coming from SC Media orSC Magazine dot com.
In November 2022, the widerworld suddenly became aware of
the power and potential ofartificial intelligence as chat
(40:52):
GPT was made available to thegeneral public.
Practitioners were alreadyfamiliar with automation machine
learning, which they had beenusing for many years in the
forms of security orchestration,automation response and static
and dynamic application securitytesting tools.
The addition of AI that canlearn from its own mistakes and
(41:13):
incorporate experiences into itslearning model promises to
greatly accelerate cybersecurityprocessing and implementation,
as well as reinforce defenseagainst new attack techniques
that are also using AI.
So you know, are you guys usingany AI tools right now, or is
there anything coming down thepipe that you're excited about?
Eric Brown (41:32):
Yeah, I mean I could probably talk like for an hour
about this one in particular.
Joshua Schmidt (41:38):
The top one, the newest one or your favorite,
but in particular the top one,the newest one or your favorite.
Eric Brown (41:43):
Well, rather than that, maybe I'll just say that,
because it's hard to pick justone right.
Companies are integrating,let's put AI in quotes in their
tools and saying it's AI.
But I think we have to takejust a half a step back, maybe,
and just talk about what is thedifference between, maybe, true
(42:08):
AI and what ChatGPT may be like,which is a form of AI.
Ai in that it's doing,essentially, it's just doing
predictive language, so it ispredicting out what the next
word in the sentence will be,using millions, billions,
(42:31):
trillions of data inputs.
So you know just the sentencehow AI can make security more
proactive and less reactive.
Right, Like it wouldn't makesense if those words were not
arranged in that particularorder.
There might be a few differentnuanced orders you could put
them in, but if you just jumbledthose words up, the sentence
wouldn't make sense.
(42:52):
But generative engine likeChatGPT is going to, having had
indexed trillions of sets ofdata, is going to know how to
form that sentence to what itbelieves to be the most
prevalent of its training.
(43:14):
I was ready to go, I was goingto put my hand on it.
So where I like AI is to takethe things like policy right, so
an organization could have 20,30, 40, 50 different policies
(43:38):
and being able to interact withthose policies through a chat
feature.
So like to be able to ask aquestion of the policies and
then get an answer from thegenerative AI that has
essentially ingested thosepolicies just discreetly for
(44:00):
that organization.
That's pretty helpful, right?
So, like what do I need to knowif I'm going to go on vacation
to France, or can I take mycompany laptop to Russia, for
instance?
And it would.
As these engines get better,they're going to be able to
(44:24):
interact with you to make yourexperience as a user better.
You know, today you'd have tolike well, where does my company
keep the policies?
I got to go find that.
Now I got to go read the travelpolicy.
Oh, it doesn't say anythingabout technology.
Now I got to go read thetechnology and governance policy
.
Right, you know, you could spendhalf a day just reading policy
and they're not always writtenin the most user-friendly
(44:46):
language.
And then you've got tounderstand what that means.
And then you've got to knowwell, okay, I'm going on a trip.
I think I have to submit a form.
Where's that form?
Right, you can spend half a dayjust trying to find out how you
go on vacation and take yourtechnology with you.
Where, in an ideal, maybe moreAI-friendly world, I'm going to
(45:06):
France for vacation.
What do I need to know to takemy laptop with me?
Well, you know, then, ifthere's a form that the company
wants you to fill out, it couldpresent you with a link to that
form and kind of the steps thatyou need to take in order to go
on that vacation and present itin a very user-friendly format.
Nick Mellem (45:26):
I love that one.
I was just going to say Joshwas going to jump in.
I think I've talked about thisin a previous episode.
One of the, I guess, more coolways I've seen a 911 call center
using this information is theyhave all these different
operation procedures thatthey're doing when they're
ingesting 911 calls.
You know, there's all this newtechnology that they're using to
(45:47):
call, text, video chat withusers calling in 911, made for a
structure fire.
They're giving peopleinstructions how to do CPR.
You know all different kinds ofthings, but the turnover rate
is so strong in those industries.
You know, let's say for a 911call center that you might get
somebody new that's on theovernight shift or what have you
(46:09):
.
Maybe they don't have all thesupport they need for a smaller
County or something for anystate and AI.
This is kind of really similarto what Eric's talking about,
but what they're doing isthey're able to have this
library of information at handwhen they get a call, instead of
a panic or not knowing what todo, they can simply put in a
couple of key words and, boom,ai pulls up.
(46:31):
Okay, this is step one throughfive.
This is what you should do.
This is how you lead themthrough this.
This is what you should do here,and it's you know, instead of
spending, you know, three to sixmonths potentially getting
somebody up to speed to be a youknow, really sharp at their job
, they can spend much less handson time freeing somebody else
up for other functions.
(46:51):
So I think that that reallygoes speaks to all industries,
especially in IT.
Right, we're constantlylearning and moving and can
learn things that way, but forwhat I'm speaking of, it's
making you know somebody, that'syou know, new to an industry,
and something as important asfirst responding.
Ai is really giving them powerto be quicker and that benefits,
(47:14):
you know, the individuals orthe citizens of those counties.
Joshua Schmidt (47:18):
That's great, yeah.
And you know, it seems like thegeneral thrust of this article
was that shift in makingcybersecurity less reactive and
more proactive.
You know, I know a lot of timeswe're dealing with things after
they've already happened, butdo you see this technology kind
of weaseling out?
You know problems that we mightnot see just by doing an
(47:40):
assessment, for example, ormaking that a lot faster to do
your assessments or your pentesting.
Nick Mellem (47:46):
Really, when I look at this article and just by
looking at the header or thetitle, I'm seeing things like
manpower, know-how, differentthings like that, and it goes
back to what I was just talkingabout.
Well, you might have somebodyon an overnight shift or
somebody that's scanning a bigblocks chunks of data, right,
(48:06):
that firewall is bringing in.
Or you just did an assessment.
Well, this takes the humanelement out of it for error, for
reporting, and you're able togo through big chunks of data
much quicker and hopefully thatputs us on the offense versus
the defense to make changesquicker.
You know, maybe we we didn'tsee you know a common or best
(48:28):
practice used in a firewallsituation or wherever.
Wherever have you?
You know we're able to makethose changes much quicker
because we found it and it's notalways just left up to human
error.
Eric Brown (48:40):
I'll give you two for instances on this.
And the blue team side ofsecurity is mostly reactive
today, unfortunately, right, anevent happens and then how
quickly can you respond to thatevent to protect the
organization, that event?
To protect the organization.
And, of course, as theorganization increases in
(49:01):
maturity, you're doing thingsproactively to lessen the type
of events that can occur.
But where this could go iswhere you have AI that is
constantly looking across yourenvironment and then proactively
(49:23):
telling you things that you maynot be aware of.
And I'll just pick a reallycheap for instance where it
could say you could get an emailor a text message or a Teams
message or whatever that sayssecurity engineer, teams message
(49:51):
or whatever that says you know,security engineer, did you know
that your perimeter is allowingconnections in from Iran?
And over the last X amount oftime you've had X number of
attempted connections from Iran?
Iran's a level four country,attempted connections from Iran.
Iran's a level four country.
General organizations aren'tallowing level four countries to
connect to them for obviousreasons, mostly nation state.
But today we would have towrite queries and look across
(50:17):
anywhere from three to more thana dozen different places to
understand if we're allowingcommunications to come in from X
country, x organization, x IP,whatever right and proactively
getting that information.
Do you know that you have Xnumber of IPv6 IP addresses,
(50:40):
making connections outbound,right?
That might be something thatyour organization doesn't want?
Well, you'd have to.
You know, the security engineeris going to kind of go through
their checklist of okay, hereare the things that I'm doing on
my weekly, monthly, quarterly,whatever check, and sure it may
be scripted out.
It may not be scripted out, butwe as humans still have to come
(51:00):
up with what are the thingsthat we're going to evaluate for
our security, for ourorganization.
And having some general AIplaybooks that are taking best
practices, applying itthemselves to your organization
and then providing reporting asan overlay would be an awesome
place to go.
(51:22):
But I don't think we're thereyet because we're still dealing
with discrete tools Like youhave an endpoint tool, you have
a firewall tool, you have anemail tool and you have
governance tool and alldifferent tools not likely by
the same organization.
So there isn't that overarchingviewpoint to be able to help
(51:44):
you identify where you may haverisk across your organization.
Joshua Schmidt (51:48):
Awesome, we got one more tinfoil hat question
Get your tinfoil hats back on.
This is AI related.
Will this spark an AI arms race?
Because obviously threat actorsare using AI as well.
So who's staying ahead of whohere?
Spark and AI arms race, becauseobviously threat actors are
using AI as well.
Sure, so you know who's stayingahead of who here, yeah, no, no
.
Eric Brown (52:06):
Let me jump in on this one, nick, and I know
you've probably got a good onetoo, but I just saw this
yesterday I think where one ofthe companies that we work with
got a QR code delivered in aphishing message.
One of the tools caught it, oneof them didn't, and it was
(52:29):
interesting because the QR codein itself there was no malicious
links in the email, just the QRcode.
The QR code was a call toaction to scan the QR code to
you know, to do something right.
So if you ran that QR code, ifyou ran that email through a VM,
(52:55):
say you opened it in a VM, in asandbox, because you wanted to
test where that QR code wasgoing, it did direct us out to a
benign site, I think it shot usout to eBay.
But if you opened that QR codeup on a mobile device, then it
(53:17):
sent you to a Microsoft loginpage.
So from an attack factorstandpoint, I was like that's
really cool.
It's detecting if it's beingexamined by a virtual machine,
which certainly the ways inwhich the threat actors are
crafting know.
(53:38):
We're seeing that more oftenwhere they know they're going to
be scanned.
So they're using we'll call itAI to determine what's scanning
them.
It's, you know, it really islooking at what's the makeup of
the computer that's running thechecks or that's doing that
sandbox work.
But then it was cool becauseit's you know, this one involved
(54:00):
both social engineering andsome technical work.
Where the social engineering is, let's break out of that walled
garden.
Right, the threat actor ispresumably going to know that an
organization has decent emailsecurity, but the security on
the user's mobile device isprobably not as good.
So let's break them out oftheir organization's walled
(54:24):
garden and let's go to theirmobile device.
So I kind of thought that onewas cool more of a quote unquote
(54:44):
AI forward tool and was able todetect that this was a
potentially malicious email andblock it.
Nick Mellem (54:47):
That is really cool to hear, Eric.
Actually and I was, when youwere talking about the QR code,
the only thing I could thinkabout was how much Josh hates
menus at restaurants from QRcodes.
Joshua Schmidt (54:57):
I thought you were going to say the QR code
brought you to Rick Astley video.
Never going to give you up.
I thought you were going to getRick rolled.
But if I can find a way to hackall the menus with QR codes and
change them to Rick rolls, Iwould do that.
That would be a time well spent, I believe.
So, hey guys, we're at an hourhere right now.
It's been a really funconversation.
(55:18):
Is there anything else that youwanted to chat about today?
Eric Brown (55:20):
before we wrap things up, Did you have any
comments on that AI side ofthings, Nick?
Nick Mellem (55:25):
Oh, I mean just to add on to it.
I mean, I think it's inevitablethat we're going to they're
going to keep on getting better,right.
But the arms race is going tobe really interesting to play
out and and really I think itprobably benefits us, right.
It benefits the users.
If we get more players into thespace, we're going to see
better tools more quickly, forinstance, like Eric you were
(55:49):
talking about, with emailphishing, things like that, and
for people like me doing socialengineering it might not be as
good, because we might getdetected a lot earlier.
Joshua Schmidt (55:59):
Great information.
Yeah, well, I love doing thesenews, uh, news episodes with you
guys, and we had a chance to golive today Again.
Um, this, this episode will beedited and then also published
as a regular episode on ouraudio only formats.
Um, spotify we have video onSpotify now.
Uh, we're hosting videos so youcan log into your Spotify
(56:21):
account and give us a five-starrating.
We'd love to hear your feedbackon the audit on Spotify, as
well as.
YouTube Like, subscribe, shareand comment, and if you have any
future articles that you'd likeus to talk about, feel free to
shoot them into the comments oremail me at jschmidt at
itauditlabscom, also takingrequests for guests.
(56:43):
If you have an interestingtopic that you'd like to discuss
on the show, please reach onout to me.
You've been joined today byNick Mellum and Eric Brown from
an undisclosed location.
My name is Joshua Schmidt, I'ma producer and tinfoil hat guy.
You've been listening to theAudit.
Thanks for joining us livetoday and hope to see you soon.
Eric Brown (57:04):
You have been listening to the Audit presented
by IT Audit Labs.
We are experts at assessingrisk and compliance, while
providing administrative andtechnical controls to improve
our clients' data security.
Our threat assessments find thesoft spots before the bad guys
do, identifying likelihood andimpact, or all our security
control assessments rank thelevel of maturity relative to
(57:28):
the size of your organization.
Thanks to our devoted listenersand followers, as well as our
producer, joshua J Schmidt, andour audio video editor, cameron
Hill, you can stay up to date onthe latest.
Thank you.
All right and we're live.
It's Friday, july 12th, andwe're doing another news episode
today all things cybersecuritynews.
You're listening to the Auditpresented by IT Audit Labs.
As usual, we're joined by EricBrown, ciso at IT Audit Labs,
and Nick Mellom, and we're goingto chat about a few articles
that piqued our interest today.
But before we jump into it, howare you guys doing today?
Eric Brown (00:28):
Doing well, Josh?
Yeah, thanks.
I'm at an undisclosed locationtoday, so bear with me on the
technology.
Nick Mellem (00:37):
CIA safe house.
Yeah, I'm also doing well.
Eric Brown (00:41):
Well, nick, you know it's interesting in just kind
of in some of the things thatwe've been talking about
recently.
I learned that josh was anaficionado of a couple of things
outside of music, right?
Oh boy, yeah, here it comes oneof those being us and
(01:06):
conspiracy theories.
Nick Mellem (01:08):
Okay.
Eric Brown (01:09):
So I was asking Josh , josh, I forget how we were
talking about this, but one ofthe things that we were talking
about was there was recentreporting and declassification
of UFOs and how now they're notcalled UFOs anymore, I think
they're.
Then they went to like what?
(01:30):
Something aerial phenomenon orsomething UAPs.
But then it changed becausethere were some that were not
aerial like they're going in andout of the water and there was
some sort of news aroundmilitary pilots that had
identified some of these objectsand maybe some of their unique
(01:52):
trajectories.
Had you heard about that?
Joshua Schmidt (01:55):
Of course, yeah, of course.
The biggest piece of newsrecently was last October, when
David Gersh testified beforeCongress about his experience.
Oh no, oh no, yep, get them on,boys, hit us with the facts.
Nick Mellem (02:17):
Josh Hit us with the facts.
Joshua Schmidt (02:18):
Military guy.
So pretty credible, prettycredible.
So I have to preface myinterest in UFOs because I grew
up in a very remote part of thestate, overlooking Lake Superior
, and people see quite a fewthings out on the lake that they
can't explain because, you know, it's very dark up there.
You can see the firmament verywell.
Eric Brown (02:40):
But isn't there like an Air Force base up there?
Joshua Schmidt (02:42):
Well, there's a few airports.
I mean, I think that there'ssome activity coming from Duluth
, maybe across the border.
I know there's a lot ofairplane traffic monitoring the
Canadian border being just twohours from the Canadian border.
So take that for what you will.
I'm really blushing because youguys have your tinfoil hats
(03:03):
ready.
That's amazing we're going todo.
You guys have your tinfoil hatsready.
Amazing, we're going to do.
A full on tinfoil hat episode.
Nick Mellem (03:08):
We're in full support of you, Josh.
We just want to make sure ourmind's dead clear for the best
of our clients.
Joshua Schmidt (03:14):
You might want to keep those on for a couple of
the articles we have selectedfor today.
Eric Brown (03:20):
So any UFO stories Josh.
Joshua Schmidt (03:23):
Well, I have seen one UFO.
When I was a child with mymother, we were driving down
Highway 61 in Grand Marais and,yeah, unidentified flying object
, just what it sounds like, notsaying it was aliens, but it was
certainly an identified flyingobject.
Nick Mellem (03:42):
So it came over our car.
What did it look like?
Joshua Schmidt (03:45):
Well, it was dark so it was just lights.
And as we traveled down thehighway it kind of followed the
car above the tree line anddidn't make any noise.
It was probably a few hundredfeet away from our car.
So it wasn't a helicopter wewould have heard that and it was
flying way too slow to be anairplane, like maybe one that
you might be flying.
Eric Brown (04:12):
Haven't you seen anything strange?
Joshua Schmidt (04:14):
up there in the sky, eric, when you're flying
around.
I haven't, unfortunately, haveyou ever heard of?
Eric Brown (04:17):
a phenomenon called St Elmo's fire.
I know the movie, but I don'tknow the phenomenon.
Joshua Schmidt (04:22):
Yeah, I have a friend that's a pilot for
Southwest and it's some sort ofa weather phenomenon where I
think there's like glowing,there's like a glowing texture
or something like that, thatmaybe you can show up on the
airplane or in the sky.
So maybe that's what I saw.
You know, maybe it was somekind of a weather phenomenon,
(04:43):
but it's always piqued myinterest also a big fan of
horror movies.
So another thing that sent mymind going wild on that when I
was a kid was, uh, the moviefire in the sky.
Have you ever seen it?
I don't think I have supercreepy movie.
Um, it's probably one of thethe top ufo, uh alien movies out
there.
Um, I highly recommend it.
(05:04):
I think it came out in theearly 90s.
It's based on a true story.
Freaked me right out when I wasa kid, that kind of being
scared plus being superinterested in that.
That's where I'm coming from.
Nick Mellem (05:19):
What did you guys say?
That UFOs are called now UAPs.
What does it say?
Eric Brown (05:25):
unidentified aerial phenomenon got it, but I think
they're changing that becausethey're in the water now to uh.
Yeah, that would be a separate.
Joshua Schmidt (05:34):
I think that's underwater phenomenon or
something like that.
I'm not.
I'm not quite up on the on the.
Eric Brown (05:40):
Have you seen the movie?
Joshua Schmidt (05:41):
contact jody foster of course, yes, that's a
great, great movie.
Nick Mellem (05:45):
That's a good one.
Well, we all know Signs,remember Signs with Mel Gibson.
Eric Brown (05:49):
Oh speaking of M Night Shyamalan.
Right, the movie Sixth Sense,awesome movie, great movie, and
then they all kind of wentdownhill from there.
So do we think M NightShyamalan actually wrote Sixth
Sense, speaking of conspiracytheories?
Joshua Schmidt (06:06):
Who think m night shamlon actually wrote six
cents speaking of conspiracytheories.
Now, no, I'm, you know.
Yeah, I've kind of lost myinterest in him.
My favorite director right nowis robert eggers.
I don't know if you've seen thewitch or, uh, the north yes, I
have.
Nick Mellem (06:18):
Yeah, what's the second movie?
Joshua Schmidt (06:19):
you said, josh the witch and what the northman?
Nick Mellem (06:22):
yes, seen them both yeah, yeah.
Joshua Schmidt (06:26):
So, uh, you know , that's where my interest when
the ufo stuff comes from, mostlymovies and and being in a small
town with not a lot to do andjust looking up at the sky a
whole lot, I don't know.
Speaking of weather events, Iguess we already did our
icebreaker, but we're kind ofdragging out the intro today.
But, uh, do you guys have anick?
You were just through ahurricane, weren't you?
(06:46):
So I wanted to ask you knowwhat was a weather event that we
had a good story to share thatmight have affected our lives?
Nick Mellem (06:53):
are weaker, or a day, oh boy.
Well, I can kick it off.
Mine was very recent and thiswasn't the first one I've been
through.
I went through two tsunamis inJapan in 2011,.
Joshua Schmidt (07:09):
2012 timeframe and an earthquake there.
Nick Mellem (07:12):
So pretty interesting to go through that.
But most recently on Monday wegot hit by Hurricane Beryl.
It hit the coast at Category 1hurricane and we had like 6
million people or something inHouston without power.
We only lost power for like anhour and a half, uh, but we went
without internet services forabout almost two days.
(07:33):
So it was you really learn howmuch you use and need the
internet to stay connected anddo anything, cause you also had
like no cell service.
But uh, we're really lucky.
A lot of people in the areastill don't have power.
Um, I know they said maybeit'll be take till like monday
to restore to restore power.
A lot of flooding trees down.
(07:54):
So it was, uh, more or less onlike a freight train going over
the house and or or, uh, ifyou're in the midwest, a tornado
sitting by your house for likealmost two hours is the best way
I can explain it Sideways windspelting the windows.
So it was I wouldn't say it wasscary, but it was a little
(08:15):
worrisome, let's say of like,wow, this is like.
We're stuck here, don't havepower, don't have internet.
Just got to ride this thing out.
So it's pretty interesting.
Are you looking at Starlink.
It's funny you bring that up.
I was going to place an orderfor one because I don't want to
be without internet Obviouslyone for my family if we need to
call emergency services.
But because the cell towerswere down, I had my phone.
(08:39):
The way I was able to work onMonday after the storm, tuesday
and Wednesday when we didn'thave power or Internet, excuse
me, was having my phone out inthe middle of my yard on like a
little nightstand table kind ofdeal that we have on the patio.
Put it out in the middle of theyard and turn my hotspot on just
to get one bar of Internet satin our master bedroom, which is
at the back of the house, satagainst the window so I could
(09:02):
connect to it.
I was able to join meetings.
It was pretty spotty butdedicated to the customers to
get online.
Joshua Schmidt (09:11):
It's a good thing you're a prepper, Nick.
Did you have to bust into yourpowdered milk stash?
No, I still got all that intact.
Nick Mellem (09:17):
Before we went down , I was prepared, filled up the
vehicles with gas, got someextra bottled water, got my
daughter some extra food and, um, I was ready to go.
I still got all of my uh,what's it called?
Wise, wise company?
I think it's called they makethe prepper packs.
I'm not a crazy prepper, buthey, you gotta have some extra
food on the side.
(09:38):
And you know what?
Maybe I don't know, maybe Idon't, because it seems like
anytime like this happens,people just buy toilet paper
instead of food, so maybethey'll leave the food for me.
Joshua Schmidt (09:49):
How about you, eric?
Any weather events that arememorable.
Eric Brown (09:52):
Probably the most memorable.
Not really a weather event, butI was in California during an
earthquake one time and it wasinteresting.
I was pretty young one time andit was interesting, I was
pretty young, but I've certainlybeen in bad weather but nothing
(10:13):
that stands out as really scaryor bad.
Joshua Schmidt (10:14):
Although I've experienced a UAP, I've never
been through an earthquake,tornado, hurricane, so that's
one of the upsides of living inthe good old Midwest here in
Minnesota.
I do remember the storm of 91,though we had a blizzard on
Halloween.
I was just a little guy dressedup in my Ninja Turtle costume
and the snow was up to theshoulders during our
(10:34):
trick-or-treating run.
So that was mine.
I'm glad you're doing well,nick, and I'm glad you're safe
and sound.
Thanks, al.
Family's doing well.
Well, let's jump right into itguys.
We've covered a lot ofterritory here already today.
Yeah, we're just going toswitch gears.
Coming from Spiceworkscom, closeto 10 billion passwords exposed
(10:57):
in possibly the biggest leakever.
On July 4th, a hacker Obamacareposted a compilation of nearly
10 billion unique passwords on aleading hacking forum.
The leak is expected to bebuilt on a prior RockU 2021
compilation of 8.4 billionpasswords.
So you know, is this somethingthat can be picked up by?
(11:19):
You know our Apple securityfeature.
If we're using an iPhone, isthis going to show up?
Is it time to change ourpasswords?
This is another good call for aBitwarden or a password manager
.
Eric Brown (11:31):
What's your guys' take on this?
Yeah, multi-factorauthentication, of course, is
going to be a big help, and thenone password to one login login
.
So if you're logging intowhatever service, that password
(11:52):
should be unique and separatefrom any other password that you
use for any other service, andreally the only way to do that
is with a password manager.
It's really hard to remembermore than a handful of passwords
, but you could have a couplehundred or even thousands of
passwords and that passwordmanager.
You mentioned one Bitwarden.
There's a couple others thatare good as well, but that's
(12:13):
really the best thing that youcould do.
So when I see something likethis, I immediately think you
know, credit freeze, right,making sure that your credit is
frozen.
Making sure that your credit isfrozen.
Not that this directly hasanything to do with threat
actors getting to your credit,but in these sorts of links
there could be a secondaryexposure where social security
(12:37):
numbers are leaked or other PII.
So I'd just like to make surethat the credit's frozen and
then, if you were, if any ofyour accounts were involved in
the breach, that's where you goin and you just change that
password.
So in your password manager youcan just, you know, change the
password that was impacted andyou can use a site like have I
(13:02):
been pwned?
So, since you're sharing yourscreen there, josh, do you wanna
pull up?
Have I been pwned?
And then, if you're justlistening, not able to see his
screen, it's just have I been?
And then P-W-N-E-D, and this isjust a great resource to check
to see if you have an accountthat has been pwned or involved
(13:27):
in a data breach.
So do we have a volunteer tothrow a email address in here?
All right, let me give you oneof mine.
So, eb at b aA-I-Ccom.
Joshua Schmidt (13:45):
I for Fraud in February 2023.
Data alleged to be taken fromthe Fraud Protection Service's I
for Fraud was listed for saleon a popular hacking forum.
Are these all being picked upby?
Like the Apple security feature, eric, when you sign into your
settings and then you go topasswords, right, I don't know
if all of our listeners knowthis, but yeah, just go into
(14:05):
settings, go into password andthen there's security
recommendations and it will showyou all of your emails that
have been compromised.
Eric Brown (14:15):
It will pick them up .
It uses services like this.
Troy Hunt is the curator ofthis have I Been Pwned list and
it would pull up lists that arecurated that would contain
previous breaches, right?
So this one.
It's interesting, right?
Because I never signed up forthis particular service.
(14:36):
So Kent volunteered his emailas well.
We could take a look at thatone.
I might have a few more, butthis eye for fraud is a good one
, just talking about how, whenwe want to maintain a one-to-one
relationship, I don't knowwhich service may have been
(14:56):
picked up by the eye for fraud,since I never subscribed to a
discrete service from thatcompany.
It's an aggregator and Kentjust gave us his.
There's a few in here that arediscrete services that Kent
could go in and change thepassword, and some of these are
(15:16):
quite old.
But, if you look right, I thinkAdobe was in there, canva was
in there, but you could then goin and discreetly change, say,
your Adobe, or was that a Fitbitone or your Fitbit account.
Joshua Schmidt (15:33):
Kent, you're going to have to change your
DatPiff password.
Nick Mellem (15:36):
Get some work to do .
Joshua Schmidt (15:37):
That RAP mixtape can't be getting vulnerable
with the RAP mixtapes.
I'd love to hear that RAPmixtape, by the way.
Maybe we could get a link tothat.
But yeah, this is a greatservice for people to be using,
obviously in conjunction withsome of the other things.
So you're using a passwordmanager, eric, I assume, and
(15:58):
then you're still gettingbreaches or leaks happening with
your credentials.
Eric Brown (16:03):
That account that I?
Yeah, because the passwordmanager is not going to stop you
from getting breached, right,the third parties, where the
things that you're signing upfor are the ones that are having
the security exposure.
So the companies that you'resigning into with your login
credentials are then breached.
(16:23):
So a password manager, the onlything that's going to do is
make it easy for you to changethe login and password for the
particular organization that wasbreached.
Does that make sense?
Joshua Schmidt (16:38):
Yeah, so you have to stay up to date on it
and be checking it andmonitoring the situation.
Eric Brown (16:43):
Yeah, and you want to just continue to maintain
that one-to-one relationship,and by the one-to-one meaning,
for example, with Kent, wherethere was a few here, where this
particular Gmail account wasinvolved in the breach.
If Kent was using the samepassword across multiple sites,
(17:04):
that's where you can get intotrouble, because the malicious
actors are just scooping up allof those you know, the hundreds
of thousands, billions ofaccounts and then they're just
scripting out and brute forcinglogins across multiple sites.
So you just if you know that'soccurring, and you just change
(17:25):
the one that was breached.
You don't have to worry aboutthe other ones.
Joshua Schmidt (17:27):
And from my understanding, these were just
passwords that were leaked.
So the risk would be combiningthis information with previous
breaches and linking thosepasswords to usernames, emails
and such yeah and social nearingright, Nick, Happened on the
4th of July.
Nick Mellem (17:46):
Once again we see another event or a holiday
opportunity for hackers toexploit uh, people kind of being
checked out, I mean I thinkwith the you know, yeah,
obviously, the socialengineering piece you know with,
like open source intelligence,you know they're pretty easy.
It's pretty easy to attachthese passwords.
You know you get the differentaccounts, you know You're able
to correlate where these arecoming from if they want to
(18:07):
carry out an attack.
So, password manager, obviously.
But we always talk about MFA.
Right, if you don't have MFAright now, it's almost 2025,
right, we want to get thatimplemented everywhere.
Even on social media, I see alot of people not using know,
not using MFA for throughFacebook or LinkedIn.
That's so easy to set up.
(18:27):
You know you, you gotta do it.
And for a lot of people, too,they think, well, it's just my
Facebook account or LinkedInaccount.
Well, that might often be wherea lot of people have you know
personal information where youlive, where you work, you know,
so things.
For somebody like me that likesto do social engineering,
that's like a one stop shop forme to formulate you know talking
points to whatever it is Right,maybe I can figure out what
(18:51):
bank you work for or whathospital you work at, and it's
kind of a gold, gold mine ofinformation.
Joshua Schmidt (18:59):
So when you guys see a breach like this come
through the news, are youadvising organizations to take
any actions when you see this,or is it more of just the same
rhetoric of?
Eric Brown (19:09):
getting a password manager.
Joshua Schmidt (19:10):
MFA.
Eric Brown (19:11):
Yeah, hopefully we've gotten in front of it and
we're working on things thatthey can do to stay in front of
this sort of events, becausethese events happen,
unfortunately, more and morefrequently.
So, using tools that arelooking at the curated lists and
making sure that users can'tselect a password that was on a
(19:36):
list previously, or that thepasswords are long enough or, of
course, that they have MFA inplace and certainly MFA is not
infallible Now you have to havethe right kind of MFA.
So it's just unfortunate, right?
We just have to continue tostay on top and continue to
educate and research and learnand make sure that the advice
(19:58):
that we're giving is relevant,because advice that we give
today would be maybe differentthan it was 10 years ago.
Nick Mellem (20:05):
Continue to play offense instead of be reactive
to all these issues.
It just seems like thesearticles just are.
It's a daily occurrence wheresomething is coming up like this
.
Joshua Schmidt (20:14):
Yeah, and so you guys are the experts.
You're sitting down with theseorganizations, walking through
all these types of things whenyou do an assessment, sitting
down with these organizationswalking through all these types
of things when you do anassessment.
Is this kind of part of theinitial assessment when you work
with an organization and anongoing after that?
Eric Brown (20:28):
It depends on the type of engagement we'll have
with the organization.
Certainly, if we're doing moreof a security review or
vulnerability assessment pentest, what have you upfront?
These are some of the thingsthat we'll take a look at and
we'll certainly take a look atit from the attempts to exploit
the organization to really talkwith them about maybe weaknesses
(20:51):
that were in place.
But if it's more of an ongoingconsulting relationship, then
you know we'll certainly doperiodic testing, but along the
way.
You know we'll certainly doperiodic testing but along the
way we'll put practices in placeto help shore up the users from
(21:11):
a policy perspective.
You know we talk aboutadministrative controls,
technical controls, physicalcontrols, where an
administrative control would behaving a policy that says that
you have to have some form ofMFA in place, that you have to
have a password of certainlength, and some of these things
are regulatory requirements aswell.
But we'll have thoseadministrative controls and then
we'll have the technicalcontrols to make sure that those
(21:33):
things are in place and thatthere's the ability to inspect
the password when the userchanges it, that they're not
changing it to something like asummer 2024 or company name 2024
.
Just making sure that there'sthat good password hygiene in
place.
Joshua Schmidt (21:51):
All right.
Well, let's shift gears to ournext article here.
This is a little bit more highlevel.
Shout out to our listeners.
We have a really excitingepisode coming up with a woman
named Melissa Stivaletti.
We talked a lot about OSINT andpolicies around cybersecurity
in the intelligence community,but this is a high level article
(22:13):
that came out just recently onJuly 8th, the Supreme Court
ruling threatens the frameworkof cybersecurity regulation.
Apparently, the Supreme Courtstruck down the Chevron Doctrine
, which will have a major effecton the determination of
enforcement of cyber regulationsin the US.
So I had to read this article acouple of times to kind of get
my head wrapped around it.
(22:34):
But from a high level.
Do you guys have any insight onhow this ruling will affect
cybersecurity, do you guys?
Nick Mellem (22:41):
have any insight on how this ruling will affect
cybersecurity.
My initial thought, josh, sameas you read it a couple of times
to try to suck it all in, butI'm struggling to form if it's a
(23:05):
good thing or a bad thing otheragencies aren't able to just
craft rules and laws as they seefit.
Where it gives the power backto maybe us or the users or
whoever, to have Congress putrules in place, laws in place,
and that's what's driving theoutlook there versus just maybe
an agency going rogue.
So I think that's the thoughtof maybe it's good, but I think
it could go both ways.
Joshua Schmidt (23:23):
Yeah, other than the expediency, what would be
the benefit area?
Eric Brown (23:27):
You know, with Nick, I kind of see both sides of it,
right.
You know, unfortunately some ofour agencies are more
specialized, like theorganization that's part of
Homeland Security called CISO,which is doing a lot of great
work, hands-on work withcustomers in the public sector,
(23:49):
with customers that havecritical infrastructure.
So water treatment, wastewater,electricity, power generation,
transit, right.
You know're they're workingwith organizations that are
critical to infrastructure.
You know, nick talked aboutpower being out for two days due
(24:09):
to a weather event.
Well, power could be out fortwo days or much longer due to a
cyber event as well, and sisais working hands-on with these
organizations to help themunderstand where their risks are
and certainly to help them havebetter security in place.
Not that they don't want to,but CISA has visibility across
(24:34):
multiple organizations andthey're getting intelligence
feeds from other organizationsin the government sector that
might show oh there's you, us.
That could be concerning on onehand, because leaving it up to
(25:07):
the judicial branch, wheretraditionally there's probably
not as much of an understandingof cybersecurity and information
security at a detailed level asthere is with a specialist
organization like CISA, On theother side of the coin, I see
that some good could come out ofit where you have organizations
(25:32):
like the Bureau of CriminalApprehension, which is a state
organization that interpretsgovernance from the FBI on how
to implement technical controls,and then the BCA is essentially
(25:52):
the they own and managecriminal justice information,
right, so important informationthat comes from the FBI?
Right, the FBI certainly is theorganization ultimately
responsible for this criminaljustice information.
And then the interpretation ofthe BCA at the state level and
(26:13):
then the BCA's interpretationand enforcement within local
agencies sometimes becomesproblematic.
I'll give you a for instancelocal agencies sometimes becomes
problematic.
I'll give you a for instancewhere we've got, say, a virtual
server farm and that consists ofseveral computers in a cluster
and you could have tens ordozens or hundreds of individual
(26:34):
virtual machines, virtualservers, in this cluster of
servers.
Virtual machines could haveencrypted communication between
them, which is good.
They could be stored with theirdata at rest, stored in
encrypted hard drives and thedata coming off of those systems
backed up and encrypted andstored that way, immutable,
(26:57):
off-site.
What have you right?
All good things, all goodthings from a hygiene
perspective, but yet the BCAwill come and tell you that you
cannot co-mingle.
And again the BCA in the stateof Minnesota would come and say
you cannot co-mingle yourvirtual machines that contain
CGIS data in with virtualmachines that don't, so you
(27:21):
can't have this commingledenvironment.
Well, it doesn't make any sense, right?
Everything is already encryptedin transit at rest.
So you have network policies inplace that don't allow
communication or movement ofdata between those machines.
It's like they're alreadyseparate and you're using
encryption to separate them.
(27:43):
They would postulate that youstand up a completely separate
virtual environment, which onpaper doesn't sound like a big
deal, but that could meanmillions of dollars to an
organization's IT department,where now you have to stand up
and manage this completelyseparate VM infrastructure.
You've got to pay for licensing, You've got to pay for all of
(28:04):
the things associated withmanaging that environment.
Well, I would rather take thatmillion dollars, or whatever
that investment was, and spendit on potentially education,
other security tools, other waysto prevent the threat actors
from doing harm in anorganization.
It's just it's wasted money inmy opinion, and I don't like the
(28:25):
BCA's interpretation in thestate of Minnesota of FBI's
governance on how to managevirtual machines and again, it's
state by state could bedifferent in other states.
Joshua Schmidt (28:37):
It seems like, you know, pace of technology and
cybersecurity is moving so fastit's hard for our lawmakers and
the bureaucracy and the machineto kind of work at the pace of
technology.
So something that we're goingto stay on top of is this
something you guys are going tosee how it plays out in your
day-to-day jobs, or do you haveany kind of projections on how
(28:58):
this will affect your day-to-daywork?
Nick Mellem (29:00):
I think there's going to be a lot of situations,
like Eric was just explaining.
Right, there's going to be alot of turbulent air where we're
trying to figure out which waythese organizations are going.
Like we said, it's going to begood or bad, so we'll see.
It's going to take a little bitof time for things to change.
I don't think we're going tofeel it for a little bit.
It's going to take a little bitof time, so we'll see what
(29:23):
happens.
You know, I guess my other fearis going to be you know, it's
going to get caught up in courtsystems, right?
All these bigger organizationsare going to spend time instead
of shoring up their organization.
They're going to fight it,right?
So there'll be a lot of timespent in courts and we'll have
those issues which probablywon't affect us directly for a
while, but probably a lot ofunnecessary situations are going
(29:43):
to come up out of it.
So it's good and bad, but we'llsee what happens.
I think it's going to take awhile before we see any ripples
of this effect.
Joshua Schmidt (29:52):
Sounds like another case of the lawyers
coming out ahead in thissituation.
Good job security?
Probably so.
So, nick, I see you're wearingyour military green today.
We got a military adjacentarticle for you, buddy.
Nick Mellem (30:05):
Just for you.
Yeah, I thought this one wasreally interesting, yeah so did
I, and I pulled this up.
Joshua Schmidt (30:10):
I immediately thought of you.
Guard Zoo malware targets over450 Middle Eastern military
personnel.
This is coming from the HackerNews, one of our favorite sites
to grab these articles from.
This came out July 9th.
Military personnel from MiddleEast countries are the target of
an ongoing surveillance wareoperation that delivers an
Android data gathering to a cultguard zoo.
(30:30):
The campaign, believed to havecommenced as early as October
2019, has been attributed to aHouthi aligned threat actor
based on the application lurescommand and control c2 server
logs, targeting footprint andthe attack infrastructure
location, according to lookoutnick.
Let's start with you know.
My question was, first of all,what was your cyber security uh
(30:54):
experience in the military?
Was that something that wastalked about frequently?
I mean, you guys have yourphones on you just like
civilians, or um, is thissomething that's being chatted
about constantly, or what's the?
Nick Mellem (31:05):
Yeah, I would say well, this was 12, 13 years ago.
In the grand scheme of things,not very long, but in the
cybersecurity world that'sbasically a lifetime.
So a lot of things have changed.
But going back to when I was in, yeah, when we were on local
military bases local militarybases, friendly bases right, you
had your phone, had servicejust like you would as a
(31:29):
civilian.
But when we deployed to theMiddle East Afghanistan, kuwait,
iraq, you know, so on and soforth you could bring your phone
, but either you had to takeyour SIM card out or location
services had to be turned off.
Most of the time the commandwould make you, you know, you
had to take a SIM card out Backthen.
We're moving to eSIMs now, orthat's the way most of the
(31:51):
phones are, you know.
So we had physical SIMs, thentook them out and they
physically checked this.
So right, and what this articleis getting at here is they're
uploading the software.
It sounds like it's mainlyAndroid, but once the software
gets on the phone, they're ableto get location services and
many other things.
(32:12):
Well, the fear to me, and why wedid it during my time of
service, you know, overseas, incombat zones was A.
They can figure out movement,movement, how often we're doing
it.
When we're doing it, when welike to operate, you get all the
tactics, um, that we like, and,and the same is for the, uh,
the friendly forces it sounds ofthe middle east in this article
(32:34):
, um, and it allows them, youknow, for cyber attack, physical
attackes, all those differentthings that come into it.
So there's a you know, it's anoverwhelming amount of fear with
something like this, becauseyou can't protect it.
Well, you can protect it with,with software, right, to get rid
of this, and I think Google hasremoved it from the play store,
(32:56):
um, I read this article orblocked, uh, blocked it from use
, but it sounds like there'squite a few different
applications that are doing this.
But the fear is, you know,they're getting the actual
locations where the people areand that's wherever they go.
So you fear for your loved ones, and we know that you know
these, these nation state actors, terrorists, wherever you want
(33:18):
to classify them, as they'regoing to use all this
information, you know, againsttheir adversary, which you know
are trying to fend them off, andthey're going to use all that,
and they're getting this throughthrough WhatsApp, right, and a
lot of people use that, you know.
So there's a lot of fear hereon what could actually happen,
right For, like I already said,loved ones, military tactics,
and where bases are located,where they entry and exit points
(33:40):
, egress points.
So this is chock full of a lotof worrisome information that's
getting out.
Joshua Schmidt (33:48):
Sounds like a threat that the military needs
to stay on top of.
They're using WhatsApp and itsounds like a social engineering
type of attack.
Right, they also mentionedtelemetry data.
What is telemetry data?
Is that kind of triangulatingyour position to figure out
where you're moving and all thatfingerprint dust or whatever we
(34:08):
want to call it that you canpick up on to gather more
information?
Nick Mellem (34:12):
Yeah, I think it's all that.
I think it's all thatinformation that I was kind of
speaking on with you know,location tactics where bases are
things like that.
And what they mentioned httpflood attack, oh look, I didn't
actually realize that they wereusing the actual flood attack,
but I think it's like the, thescripting, where they're, you
know, using the actual scriptfrom the browser and they're
(34:34):
able to go different placeswithin your phone.
So I think it's like a lot whattheir way they're using.
Joshua Schmidt (34:39):
It is like lateral movement, uh, with the
device yes says this wasoriginally marketed as commodity
malware for the one-off priceof three hundred dollars.
So this is something that'ssitting on one of those hacker
forums or you can just purchaseand, um and on a previous
episode they mentioned, uh, oneof our guests mentioned that
they may even have like an itdepartment for some of this
(35:00):
malware that you can purchase.
Nick Mellem (35:01):
So do you guys like a jump box right?
They're able to jump fromdifferent device to different
devices.
Eric Brown (35:08):
I think what they were referring to in in that
particular instance wasbasically just a ddos attack, so
distributed denial of serviceusing the http protocol, so
basically taking a machineoffline through lots of http
traffic to that machine, or thatdevice and we talked a little
bit about that on our last newsepisode as well.
Joshua Schmidt (35:28):
That man in the middle ddos attack.
Yeah, you can check that lastepisode out for more information
on that.
Um, you know, and they wereeven using these military style
uh icons, you know, to kind ofgrab people's attention.
So a concerted effort to attackthat community.
Maybe you guys could give us alittle insight of what other
types of fallout Nick, you'dmentioned some of the things,
(35:51):
but maybe Eric, you could chimein on a high level what types of
fallout can be imagined from anattack like this?
Eric Brown (35:59):
Well, yeah, just to continue on with what nick was
saying, I think we're seeing hasbeen certainly evident in the
ukrainian war with with russia,where both sides were leveraging
the individual's personalmobile devices to understand
(36:20):
where they were physically andthen launching attacks against
those locations.
So it's, you know, humans areconducting tactical or kinetic
warfare and humans, as we know,are the weakest links in
cybersecurity.
So, having that mobile device onyou and maybe what if you
(36:44):
didn't obey what command said,right, and you have another
phone that you haven't destroyedthe SIM card or disabled the
SIM card, and it sucks, right,war sucks.
You want to get a message home,let your loved ones know you're
going to sneak a message out.
Well, that can put a lot ofpeople at risk and if you're not
(37:05):
well steeped in cyber orwell-educated, you don't
understand those risks.
You don't know how, you knowjust having your phone on could
beacon out a location.
So just, and then I'm sure Nick, you know, can talk about how
the education that you know thathe went through while he was in
, but just the education thatpeople who are maybe closer to
(37:27):
the frontline, or deliveringservices to the frontline you
know, red Cross or ancillaryservices that aren't maybe
directly military, could impactthe lives of military personnel
by just having personal deviceson them and moving through areas
of conflict, because they couldbring that attention to areas
(37:50):
where attention is not wanted.
Joshua Schmidt (37:52):
Super interesting.
That's a heavy topic and, Nick,did you have anything to add to
that?
You kind of mentioned thatthere was some talk around that,
but just do.
Is it much more prevalent thesedays?
Do you stay in touch with anyof the other people that are
still in the military and kind?
Nick Mellem (38:08):
of talk.
I do, yeah, I do, we.
We don't often, you know, talkabout cybersecurity per se, but
I think, you know, going back toat least my time, I don't think
we talked about it nearlyenough.
Right, we were all focused onour job, you know, in and out of
the Middle East, butcybersecurity certainly wasn't
one of our main focuses.
You know, we had our badgesright with a little cat card on
(38:30):
it.
You use it to badge into themachines and that was really
kind of the extent of thecybersecurity training.
Besides that log in, log out,password, you know, protection
piece.
That was besides email andphishing.
Those are kind of the only twothings we really talked about.
So you know, I would assume,especially nowadays it's been 10
, 12 years that with how muchmore we're connected on that,
(38:53):
they're doing much more in-depthtraining just because of how
much more technology has come upand how much more we're
connected, of how much moretechnology has come up and how
much more we're connected.
Joshua Schmidt (39:02):
Yeah, as we progress our technology, maybe
this next article will be of aidto our military personnel at
some point, but we'd be remissnot to talk about AI at least
once an episode.
We haven't brought up the catthing yet, so I'm a little sad.
So you guys better, if we'redoing the tinfoil hat thing,
maybe the tinfoil hat thing istaking the place of the cat
(39:25):
jokes.
We're so excited about thetinfoil hat thing I know Gold
star for you guys.
Eric Brown (39:33):
We still didn't get enough out of Josh, because Josh
could pontificate for quite awhile on some of these
conspiracy theories and UFOs.
Joshua Schmidt (39:41):
We better pace ourselves on that one.
Eric Brown (39:42):
I gotta get more prepared he got shy on us, nick
that's right, we all do as longas we are on that topic.
Joshua Schmidt (39:50):
Briefly, you know, one thing that I do think
is really interesting about theuap phenomenon, as there's been
plenty of military personnelthat have reported those things
shutting off, you know nuclearfacilities um, there's tons of
stories about you know peopleworking at military bases and
and seeing these things on radaror visually, uh reporting them
(40:11):
from an uh a fighter jet, forexample, and then confirming
that on radar.
Lots of interesting stories.
Whether they're true or not,I'll leave that up to the
listener.
But uh stories, whether they'retrue or not, I'll leave that up
to the listener.
Nick Mellem (40:25):
But you know we could only be so lucky to be
protected by the grays.
Speaking of the next episodewith the hat.
Joshua Schmidt (40:31):
Oh yeah, I'm gonna get a hat.
All right, yeah, but you know,speaking of advanced technology,
how can I make security moreproactive and less reactive?
This is coming from SC Media orSC Magazine dot com.
In November 2022, the widerworld suddenly became aware of
the power and potential ofartificial intelligence as chat
(40:52):
GPT was made available to thegeneral public.
Practitioners were alreadyfamiliar with automation machine
learning, which they had beenusing for many years in the
forms of security orchestration,automation response and static
and dynamic application securitytesting tools.
The addition of AI that canlearn from its own mistakes and
(41:13):
incorporate experiences into itslearning model promises to
greatly accelerate cybersecurityprocessing and implementation,
as well as reinforce defenseagainst new attack techniques
that are also using AI.
So you know, are you guys usingany AI tools right now, or is
there anything coming down thepipe that you're excited about?
Eric Brown (41:32):
Yeah, I mean I could probably talk like for an hour
about this one in particular.
Joshua Schmidt (41:38):
The top one, the newest one or your favorite,
but in particular the top one,the newest one or your favorite.
Eric Brown (41:43):
Well, rather than that, maybe I'll just say that,
because it's hard to pick justone right.
Companies are integrating,let's put AI in quotes in their
tools and saying it's AI.
But I think we have to takejust a half a step back, maybe,
and just talk about what is thedifference between, maybe, true
(42:08):
AI and what ChatGPT may be like,which is a form of AI.
Ai in that it's doing,essentially, it's just doing
predictive language, so it ispredicting out what the next
word in the sentence will be,using millions, billions,
(42:31):
trillions of data inputs.
So you know just the sentencehow AI can make security more
proactive and less reactive.
Right, Like it wouldn't makesense if those words were not
arranged in that particularorder.
There might be a few differentnuanced orders you could put
them in, but if you just jumbledthose words up, the sentence
wouldn't make sense.
(42:52):
But generative engine likeChatGPT is going to, having had
indexed trillions of sets ofdata, is going to know how to
form that sentence to what itbelieves to be the most
prevalent of its training.
(43:14):
I was ready to go, I was goingto put my hand on it.
So where I like AI is to takethe things like policy right, so
an organization could have 20,30, 40, 50 different policies
(43:38):
and being able to interact withthose policies through a chat
feature.
So like to be able to ask aquestion of the policies and
then get an answer from thegenerative AI that has
essentially ingested thosepolicies just discreetly for
(44:00):
that organization.
That's pretty helpful, right?
So, like what do I need to knowif I'm going to go on vacation
to France, or can I take mycompany laptop to Russia, for
instance?
And it would.
As these engines get better,they're going to be able to
(44:24):
interact with you to make yourexperience as a user better.
You know, today you'd have tolike well, where does my company
keep the policies?
I got to go find that.
Now I got to go read the travelpolicy.
Oh, it doesn't say anythingabout technology.
Now I got to go read thetechnology and governance policy
.
Right, you know, you could spendhalf a day just reading policy
and they're not always writtenin the most user-friendly
(44:46):
language.
And then you've got tounderstand what that means.
And then you've got to knowwell, okay, I'm going on a trip.
I think I have to submit a form.
Where's that form?
Right, you can spend half a dayjust trying to find out how you
go on vacation and take yourtechnology with you.
Where, in an ideal, maybe moreAI-friendly world, I'm going to
(45:06):
France for vacation.
What do I need to know to takemy laptop with me?
Well, you know, then, ifthere's a form that the company
wants you to fill out, it couldpresent you with a link to that
form and kind of the steps thatyou need to take in order to go
on that vacation and present itin a very user-friendly format.
Nick Mellem (45:26):
I love that one.
I was just going to say Joshwas going to jump in.
I think I've talked about thisin a previous episode.
One of the, I guess, more coolways I've seen a 911 call center
using this information is theyhave all these different
operation procedures thatthey're doing when they're
ingesting 911 calls.
You know, there's all this newtechnology that they're using to
(45:47):
call, text, video chat withusers calling in 911, made for a
structure fire.
They're giving peopleinstructions how to do CPR.
You know all different kinds ofthings, but the turnover rate
is so strong in those industries.
You know, let's say for a 911call center that you might get
somebody new that's on theovernight shift or what have you
(46:09):
.
Maybe they don't have all thesupport they need for a smaller
County or something for anystate and AI.
This is kind of really similarto what Eric's talking about,
but what they're doing isthey're able to have this
library of information at handwhen they get a call, instead of
a panic or not knowing what todo, they can simply put in a
couple of key words and, boom,ai pulls up.
(46:31):
Okay, this is step one throughfive.
This is what you should do.
This is how you lead themthrough this.
This is what you should do here,and it's you know, instead of
spending, you know, three to sixmonths potentially getting
somebody up to speed to be a youknow, really sharp at their job
, they can spend much less handson time freeing somebody else
up for other functions.
(46:51):
So I think that that reallygoes speaks to all industries,
especially in IT.
Right, we're constantlylearning and moving and can
learn things that way, but forwhat I'm speaking of, it's
making you know somebody, that'syou know, new to an industry,
and something as important asfirst responding.
Ai is really giving them powerto be quicker and that benefits,
(47:14):
you know, the individuals orthe citizens of those counties.
Joshua Schmidt (47:18):
That's great, yeah.
And you know, it seems like thegeneral thrust of this article
was that shift in makingcybersecurity less reactive and
more proactive.
You know, I know a lot of timeswe're dealing with things after
they've already happened, butdo you see this technology kind
of weaseling out?
You know problems that we mightnot see just by doing an
(47:40):
assessment, for example, ormaking that a lot faster to do
your assessments or your pentesting.
Nick Mellem (47:46):
Really, when I look at this article and just by
looking at the header or thetitle, I'm seeing things like
manpower, know-how, differentthings like that, and it goes
back to what I was just talkingabout.
Well, you might have somebodyon an overnight shift or
somebody that's scanning a bigblocks chunks of data, right,
(48:06):
that firewall is bringing in.
Or you just did an assessment.
Well, this takes the humanelement out of it for error, for
reporting, and you're able togo through big chunks of data
much quicker and hopefully thatputs us on the offense versus
the defense to make changesquicker.
You know, maybe we we didn'tsee you know a common or best
(48:28):
practice used in a firewallsituation or wherever.
Wherever have you?
You know we're able to makethose changes much quicker
because we found it and it's notalways just left up to human
error.
Eric Brown (48:40):
I'll give you two for instances on this.
And the blue team side ofsecurity is mostly reactive
today, unfortunately, right, anevent happens and then how
quickly can you respond to thatevent to protect the
organization, that event?
To protect the organization.
And, of course, as theorganization increases in
(49:01):
maturity, you're doing thingsproactively to lessen the type
of events that can occur.
But where this could go iswhere you have AI that is
constantly looking across yourenvironment and then proactively
(49:23):
telling you things that you maynot be aware of.
And I'll just pick a reallycheap for instance where it
could say you could get an emailor a text message or a Teams
message or whatever that sayssecurity engineer, teams message
(49:51):
or whatever that says you know,security engineer, did you know
that your perimeter is allowingconnections in from Iran?
And over the last X amount oftime you've had X number of
attempted connections from Iran?
Iran's a level four country,attempted connections from Iran.
Iran's a level four country.
General organizations aren'tallowing level four countries to
connect to them for obviousreasons, mostly nation state.
But today we would have towrite queries and look across
(50:17):
anywhere from three to more thana dozen different places to
understand if we're allowingcommunications to come in from X
country, x organization, x IP,whatever right and proactively
getting that information.
Do you know that you have Xnumber of IPv6 IP addresses,
(50:40):
making connections outbound,right?
That might be something thatyour organization doesn't want?
Well, you'd have to.
You know, the security engineeris going to kind of go through
their checklist of okay, hereare the things that I'm doing on
my weekly, monthly, quarterly,whatever check, and sure it may
be scripted out.
It may not be scripted out, butwe as humans still have to come
(51:00):
up with what are the thingsthat we're going to evaluate for
our security, for ourorganization.
And having some general AIplaybooks that are taking best
practices, applying itthemselves to your organization
and then providing reporting asan overlay would be an awesome
place to go.
(51:22):
But I don't think we're thereyet because we're still dealing
with discrete tools Like youhave an endpoint tool, you have
a firewall tool, you have anemail tool and you have
governance tool and alldifferent tools not likely by
the same organization.
So there isn't that overarchingviewpoint to be able to help
(51:44):
you identify where you may haverisk across your organization.
Joshua Schmidt (51:48):
Awesome, we got one more tinfoil hat question
Get your tinfoil hats back on.
This is AI related.
Will this spark an AI arms race?
Because obviously threat actorsare using AI as well.
So who's staying ahead of whohere?
Spark and AI arms race, becauseobviously threat actors are
using AI as well.
Sure, so you know who's stayingahead of who here, yeah, no, no
.
Eric Brown (52:06):
Let me jump in on this one, nick, and I know
you've probably got a good onetoo, but I just saw this
yesterday I think where one ofthe companies that we work with
got a QR code delivered in aphishing message.
One of the tools caught it, oneof them didn't, and it was
(52:29):
interesting because the QR codein itself there was no malicious
links in the email, just the QRcode.
The QR code was a call toaction to scan the QR code to
you know, to do something right.
So if you ran that QR code, ifyou ran that email through a VM,
(52:55):
say you opened it in a VM, in asandbox, because you wanted to
test where that QR code wasgoing, it did direct us out to a
benign site, I think it shot usout to eBay.
But if you opened that QR codeup on a mobile device, then it
(53:17):
sent you to a Microsoft loginpage.
So from an attack factorstandpoint, I was like that's
really cool.
It's detecting if it's beingexamined by a virtual machine,
which certainly the ways inwhich the threat actors are
crafting know.
(53:38):
We're seeing that more oftenwhere they know they're going to
be scanned.
So they're using we'll call itAI to determine what's scanning
them.
It's, you know, it really islooking at what's the makeup of
the computer that's running thechecks or that's doing that
sandbox work.
But then it was cool becauseit's you know, this one involved
(54:00):
both social engineering andsome technical work.
Where the social engineering is, let's break out of that walled
garden.
Right, the threat actor ispresumably going to know that an
organization has decent emailsecurity, but the security on
the user's mobile device isprobably not as good.
So let's break them out oftheir organization's walled
(54:24):
garden and let's go to theirmobile device.
So I kind of thought that onewas cool more of a quote unquote
(54:44):
AI forward tool and was able todetect that this was a
potentially malicious email andblock it.
Nick Mellem (54:47):
That is really cool to hear, Eric.
Actually and I was, when youwere talking about the QR code,
the only thing I could thinkabout was how much Josh hates
menus at restaurants from QRcodes.
Joshua Schmidt (54:57):
I thought you were going to say the QR code
brought you to Rick Astley video.
Never going to give you up.
I thought you were going to getRick rolled.
But if I can find a way to hackall the menus with QR codes and
change them to Rick rolls, Iwould do that.
That would be a time well spent, I believe.
So, hey guys, we're at an hourhere right now.
It's been a really funconversation.
(55:18):
Is there anything else that youwanted to chat about today?
Eric Brown (55:20):
before we wrap things up, Did you have any
comments on that AI side ofthings, Nick?
Nick Mellem (55:25):
Oh, I mean just to add on to it.
I mean, I think it's inevitablethat we're going to they're
going to keep on getting better,right.
But the arms race is going tobe really interesting to play
out and and really I think itprobably benefits us, right.
It benefits the users.
If we get more players into thespace, we're going to see
better tools more quickly, forinstance, like Eric you were
(55:49):
talking about, with emailphishing, things like that, and
for people like me doing socialengineering it might not be as
good, because we might getdetected a lot earlier.
Joshua Schmidt (55:59):
Great information.
Yeah, well, I love doing thesenews, uh, news episodes with you
guys, and we had a chance to golive today Again.
Um, this, this episode will beedited and then also published
as a regular episode on ouraudio only formats.
Um, spotify we have video onSpotify now.
Uh, we're hosting videos so youcan log into your Spotify
(56:21):
account and give us a five-starrating.
We'd love to hear your feedbackon the audit on Spotify, as
well as.
YouTube Like, subscribe, shareand comment, and if you have any
future articles that you'd likeus to talk about, feel free to
shoot them into the comments oremail me at jschmidt at
itauditlabscom, also takingrequests for guests.
(56:43):
If you have an interestingtopic that you'd like to discuss
on the show, please reach onout to me.
You've been joined today byNick Mellum and Eric Brown from
an undisclosed location.
My name is Joshua Schmidt, I'ma producer and tinfoil hat guy.
You've been listening to theAudit.
Thanks for joining us livetoday and hope to see you soon.
Eric Brown (57:04):
You have been listening to the Audit presented
by IT Audit Labs.
We are experts at assessingrisk and compliance, while
providing administrative andtechnical controls to improve
our clients' data security.
Our threat assessments find thesoft spots before the bad guys
do, identifying likelihood andimpact, or all our security
control assessments rank thelevel of maturity relative to
(57:28):
the size of your organization.
Thanks to our devoted listenersand followers, as well as our
producer, joshua J Schmidt, andour audio video editor, cameron
Hill, you can stay up to date onthe latest.
Thank you.
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.
Therapy Gecko
An unlicensed lizard psychologist travels the universe talking to strangers about absolutely nothing. TO CALL THE GECKO: follow me on https://www.twitch.tv/lyleforever to get a notification for when I am taking calls. I am usually live Mondays, Wednesdays, and Fridays but lately a lot of other times too. I am a gecko.