Listen to the latest updates, developments, and insights into the world of cybersecurity. Learn how to protect yourself against the ever evolving threat of cybercrime from leading talk radio shows and premium podcasts.
iOS 14 & Android 11 Security Features
"What has changed against the best interests of smartphone users is the nature of today's threat landscape. It is far more active than ever. So smartphone users need to get all the help that they can get from their Os. Okay. So to this end, we now have android eleven, which brings billions of its users those who can upgrade and all those who purchase android eleven devices in the future more control over their security and privacy than they've had before and yes, it's unfortunate that such control is necessary but it's better to have it I would say the not at this point and you know. It's not like super intrusive anyway. Okay. So what's new and android eleven? One time permissions android eleven get a useful feature that IOS has had for some time. This allows users to grant APPs single use access to their devices, more sensitive permission such as location, microphone, and camera. We're seeing variations of this on different platforms. For example, what permission might be semi permanent users will be reminded after a while that such and such an APP still has such and such a permission and asked whether they. The APP, should retain it or not, which is you know sort of a nice compromise between immediately removing it and and sort of being. Kinder and gentler. So. android eleven will now autonomously revoke permissions. in addition to having the single use android eleven has the ability to autonomously revoke permissions for long unused APPs. It could be a bit of annoyance though those permissions can always be granted but this is sort of part of working to keep the casual user more safe while attempting to minimize the impact of enforcing that safety in general. We'll be talking here about this notion of minimum required permissions that that's always a good idea. We've talked about how firewalls flipped from once blocking, known a problem ports to blocking everything and only opening the ports which are known to be needed to have. To Be Open. 
In what I think is a huge win for Android 11, the OS will also be getting incremental updates. Google has increased the Play Store's integration on Android 11, allowing those devices to directly download and install critical OS security patches as modules, instantly, just like an app, from Google's servers. We talked about the plan for this a long time ago: the idea that the OS would get modular, and that Google would not have to push these updates through the long OEM loop to a third party and hopefully to the end user, but rather they'd be delivered as part of the app store, much more like the Apple model has always been. That's now here, so I think that's going to be a hugely welcome improvement. And it would sure be nice for everybody to be able to get 11. I'm not sure how far back 11 will be made available to us, but once you get there, you have a chance of being kept current, which is fabulous. It also tightens up an app's right to obtain location information when it's in the foreground versus moving into the background. We'll talk about iOS, which has done some interesting things there as well. When an app requests permission to access the user's location, Android 11 initially only grants foreground location permission, that is, while the app is actively in use. If the app additionally desires access to location information while it's in the background, such apps will now be required to produce a separate and independent permission request; it's not all just lumped together into location services, and granting the permission is not as simple as quickly clicking "Yeah, okay, whatever."
Now, to enable background location access, users must go to a settings page and set an "allow all the time" option for the app's location permissions, and even to obtain such a permission setting, Google will now be requiring their app developers to explain why their app needs background location access at all. Just wanting it, just because, is no longer going to be enough in order to get it. So, a bunch of nice improvements in Android 11. It's clear they're all going to help improve user security, especially the from-the-store updates, which I just think are going to make a world of difference for the security of so many Android users. Yes, there's more for the user to do; it requires more involvement from the user, but I think that's necessary as we go forward. As for iOS 14, the list of updates and improvements, I scanned through it, it is overwhelming. And, as you know, being an iOS user myself, I'm beginning to feel more and more as though I barely know how to use the device in my pocket, Leo. Crazy. I saw you jumping around with those... yeah, with my customizing things and locking things in place, and it's like, okay, I mean it really is not the phone that Steve Jobs gave us all those years ago. The nice thing is you don't actually have to do any of that stuff, and the most important improvements are what you already talked about, same with Android, which is it now pops up warnings and lets you know what's going on. So you'll get that no matter what.
Cloud security best practices and tips
"I WanNa talk today in our pre show discussion you said that you're interested in talking about the strengths and pitfalls of cloud security practices. And what can be done to protect business across multiple platforms so we've had a couple of club professionals on in the past and the show and I wanted to talk about your current work around security. So what are some of the top issues around cloud security that you don't think are being taken seriously enough at the moment? Yeah I. think There's A. There's an interesting problem which is you know this pithy saying that while cloud is just your stuff running on somebody else's compute right and it's like well, and then then you get this, you get, you get this concept of the shared responsibility model thrown at you. It's like well, the cloud provider will handle their part and then I'll give you kind of. Controls to handle your part. At and so he you know intrinsically feels a lot like that's just like my on Prem staff where some infrastructure team does with the infrastructure on ideal with with things in my environment the problem is that it is actually quite dissimilar in a number of different ways. If. You think about uncrowned infrastructure has been pretty stable for a pretty long period of time there isn't there isn't. Every six months, the entire technology portfolio, dozen turnover, right and. Services get rolled out a new concept enrolled out in it in the cloud. If you think about aws if you think about Azure, if you think about TCP there cannot going toe to toe with each other trying to create these new services also daily basis it's all CIC de- deployed immediately. You don't have. You don't have any notion of a stable set of infrastructure that where did you can choose to remain on for like six months or a year? And then on top of that, these entire ecosystems are pretty damn complex at this point like if you if you look at. 
...identity in the cloud, if you look at what you have to get right in the cloud, if you look at how you do entitlement and other kinds of things and understanding the interconnects in the cloud. It took us fifteen years of going through Microsoft Windows ecosystems to finally understand all the underpinnings: how do you steal credentials? How do you do all these things? That understanding just doesn't exist in the cloud, and so you have a complex, fast-moving ecosystem. You have attackers who simply have to get an attack template right once and it's entirely reusable. Think about the Capital One attack last August that was in the news. It was an attack on Capital One, but it was an AWS template attack. It affected a hundred companies, of which Capital One just happened to be one of the hundred, right? And so the notion of once you find a key, it's applicable; the blast radius is pretty broad across the customers. And given the complexity of the systems, complexity is always to the disadvantage of the defender, because you can't get your head wrapped around exactly what all the interplays are, what your attack surfaces are. The attacker just has to find one way to run the gauntlet that will get through even twenty percent of their customers because of our defenses. So I think the problem is that you have very complex systems, and we're still in the early stages of trying to deal with coming up with preventive technologies; like if you think about cloud security posture management, this is all about setting your preventive controls, basically in the realm of building Maginot lines, right? On the on-prem side, we've already shifted over the past five or six years towards detection and response as an adjunct to prevention, and yet in the cloud we're just beginning to build the prevention building blocks. This is, I think, the issue.
So what is your ideal business protection scenario across cloud platforms? If you could wave the magic wand, what does this whole endeavor look like? Yeah, there are a few things that you'd definitely want to do. You want to limit the number of cloud platforms you expose yourself to. I think there's a business side that says, hey, if we build stuff so we can be on GCP, Azure and AWS and wherever else, then we have a lot of negotiating leverage with those various providers as our bills grow. We go, hey, if you're not going to give me a good deal, I'll go over here and run more of my workloads over there. The problem is that each of these cloud platforms has a unique attack surface, right? And so the more of them you expose yourself to, the harder you make it to collectively wrap your head around these systems. What a lot of people are trying to do is really wrap their workloads with a protective wrapper and say, well, this can run in any kind of hostile environment; I have my protective wrapper around that. It turns out not to be quite true, because if you root... I mean, if you rootkit the PC, you can't be as secure as you think, right? If somebody's busy sitting there controlling your entire universe, your perception of reality, it doesn't work. So: few. Try, and if you need leverage from a business perspective, get onto two cloud platforms. Don't allow every part of the business to pick its own thing and then just end up having to support it in the guise of business agility. So try to standardize, try to bring it down to a set of services that you use. On the SaaS side, which is the other kind of cloud trend, right, as opposed to running your own applications in the cloud versus just...
...going to a vendor and having them run the application for you: definitely focus on things like SOC compliance, focus on the manageability and the audit trail supplied, because you'd be surprised. You look at different collaboration software that's in the cloud, and the difference between enterprise grade and not enterprise grade finally comes down to, okay, are there good audit trails? Do they arrive in a reasonable time period, or does the SaaS say, well, within twenty-four hours we'll know something and we'll let you know if something goes wrong? Do you have the kind of fine-grained controls where you can express all you want? So I think those are the two things you look at in the adoption of cloud, and ultimately it basically comes down to: where's your data? Think about the data and think about the access method for that data. Everything else is secondary and tertiary. So focus yourself around the data and how it is accessed, who you want to give access to, and as you're thinking about cloud, winnow down the track of things that you're using, because each thing is a snowflake and brings its own unique attack surface.
VPNs in Tehran's crosshairs
"Sister the US cybersecurity and infrastructure security agency has warned in a joint issued with the FBI that threat actors based in Iran have increased their exploitation of known vulnerabilities in virtual private networks. VPN Use has spiked during the pandemic and the attackers are taking advantage of the expanded attack surface. Federal agencies are being targeted. So, our private sector organizations mostly in healthcare technology, financial insurance, and the media. The attackers are making much use of three web shells, tiny China chopper, and Chunky. And tunneling. Tools F. R. P. C. and Chisel with F. R. P. C. used over port seventy, five, fifty, seven. Ceasar and the FBI I note that the Iranian threat actors use end Gronk a great deal, and this may appear as TCP port four forty-three connections to external cloud based infrastructure. The, two agencies offer some advice for mitigating the risk. These campaigns present they come down for the most part to sound digital hygiene. If you haven't patched for the tricks, CV e two, thousand, nine, hundred, thousand, nine, hundred, ninety, seven, eighty, one, vulnerability do so CISA. Alert a twenty, thirty one a offers some recommendations in this regard. You should also as a matter of routine audit, your configuration and patch management programs. The agencies also recommend monitoring network traffic for unexpected and unapproved protocols. They recommend using multi factor authentication and implementing the principle of least privilege with respect to data access, and of course, keep software up to date. You can read the whole thing yourself in Cisa a twenty, dash two, five, nine, A.
Chrome tackles Abusive Ads
"Chrome Fortunately will be getting tough on abusive ads. In a posting on get hub. Google's engineer John. Delaney has spelled out the chromium projects, intentions regarding abusive ads. So. First of all modern web pages are a jungle of stuff. So how does chromium the chromium engine determine? For itself what's an ad and what isn't It comes down to something known as add tagging. Chromium is able to detect some ads and the resources they load in the browser. This enables the browser to measure the size, the performance and the count of ads displayed. To its users, it also allows the browser to intervene on the user's behalf when ads run counter to what they decide is the users interest, for example, using crazy amount of resources engaging in some abusive behavior or whatever. So that add detection infrastructure, they call at tagging and it's not very inspired. It works by matching resource requests against a filter list to determine if they're ad requests and in there in a sample that they've got of some code, they show them you like importing the easy list, which of course, is a well known list that's being maintained by a community of a known domain names that are providing ads. So they said any requests. Matching the filter are tagged as adds further requests and some dom elements such as I frames made on behalf of previously tagged scripts are also tagged as ads by the AD tracker. So it's not just it's as images that match the filter. It's if scripts were coming from a a known add source than the things that are essentially descendents of those scripts would also be tagged as ads, which certainly you'd want to have happen. They said I pray will be marked as an ad I frame. If it's your L. matches the filter list if tagged. Is Involved in the creation of the I frame or if it's parent frame is an ad I frame. So you know you can't get can't sneak out of it by creating a frame within a frame and say look I'm not the original one. 
The main frame on a page will never be tagged as an ad, good. And then they said any request made within an ad iframe is considered an ad resource request. So drilling down on this one level, we learn that this subresource filter loads the filter list and then performs this URL matching of any requests against that list. It's distributed, that is, the filter list is distributed via the component updater, which is just part of the Chrome installation, so it's being kept current constantly, and the same list and component is also used for blocking ads on abusive sites and those that violate the Better Ads Standard. They explained that each subresource request in the render process is processed by the subresource filter before the request is sent out from the browser. So it's not that it blocks things coming back; it never makes the request in the first place. It just denies it from the page making the request. Okay, so you get ads identified as such. How are they treated differently? This is where John explains what they call the heavy ad intervention. A small fraction of ads on the web use (and John likes the word "egregious", we'll see it a couple of times) an egregious amount of system resources. He says these poorly performing ads, whether intentional or not, harm the user's browsing experience by making pages slow, draining the device's battery and consuming mobile data (he says, for those without unlimited plans), and then he says, in these egregious cases, the browser can unload the offending ads to protect the individual's device resources. He says this is a strong intervention that's meant to safeguard the user's resources with low risk, because unloading an ad is unlikely to result in loss of functionality of the page's main content.
As examples of observed ad behavior that are intended to be discouraged, there are, no surprise, ads that mine cryptocurrency; ads that load large, poorly compressed images, so just sloppy ads; ads that load large video files before a user gesture; or ads that perform expensive operations in JavaScript such as decoding video files or CPU timing attacks. Yeah, we don't want those. Google notes that it is not their intention to discourage any specific ad creative formats such as display or video ads, so they're trying to be as agnostic as possible. So the user agent, the browser, will unload ads that use (and he says it again) an egregious amount of network bandwidth or CPU usage: "We define egregious as using more of a resource than 99.9 percent of ads, as measured by the browser." So that sets a very high bar, says he, and he says only ads that have not been interacted with by the user will be unloaded. And here's what's interesting, and this is some tech we've never talked about before that's therefore worth mentioning: all unloaded frames will be notified via an intervention report that the intervention occurred. This feedback is necessary to help advertisers or their ad technology vendors identify and fix ads that are triggering this intervention. So first of all, just a little last word on the classification of ads. He says that's left to the discretion of the user agent; for example, Chrome detects ads using what we talked about, the ad tagging feature. An advertisement is considered heavy if it has not been clicked on by the user and meets any of the following criteria: it used the main thread for more than 60 seconds total; or it used the main thread for more than 15 seconds in any 30-second window (so, they said in parentheses, 50 percent utilization over 30 seconds); or it used more than 4 megabytes of network bandwidth to load resources.
So if any of those thresholds get crossed, the new Chrome technology will say "nope" and just boot the ad: sorry, you're a bad ad. And he said that the thresholds above were inspired by the IAB's LEAN standard (that's in caps) but were chosen by looking at Chrome's metrics at the 99.9th percentile of network and CPU usage in ads. So again, most ads are not going to cross that line, but those that do, and there are some, bye-bye.
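The three heavy-ad criteria quoted in the segment (more than 60 s of main-thread time in total, more than 15 s of main-thread time in any 30-second window, or more than 4 MB of network bandwidth, all only for ads the user has not interacted with) are easy to state but the sliding-window rule is the one people get wrong. As an added example, not Chromium's code and not from the podcast, here is a classifier that applies exactly those thresholds to per-second main-thread samples and produces the kind of per-frame report the intervention sends. The sample ads, their usage profiles and the function and field names are constructed for the example.

```javascript
// Added example (constructed; not Chromium's implementation): classify ad frames
// against the heavy-ad thresholds described above.

const THRESHOLDS = {
  cpuTotalSeconds: 60,            // main thread > 60 s in total
  cpuWindowSeconds: 15,           // main thread > 15 s within any 30 s window
  windowLengthSeconds: 30,
  networkBytes: 4 * 1024 * 1024,  // > 4 MB of network bandwidth
};

// Largest amount of main-thread time spent in any `windowLen` consecutive
// one-second samples (sliding-window sum, O(n)).
function maxWindowUsage(samples, windowLen) {
  let sum = 0, best = 0;
  for (let i = 0; i < samples.length; i++) {
    sum += samples[i];
    if (i >= windowLen) sum -= samples[i - windowLen];  // drop the sample that left the window
    if (sum > best) best = sum;
  }
  return best;
}

// ad = { id, interacted, cpuSeconds: [main-thread seconds used in each 1 s sample], networkBytes }
// Returns null when the ad is not heavy, otherwise the first criterion it trips.
function classifyHeavyAd(ad, t = THRESHOLDS) {
  if (ad.interacted) return null;  // ads the user clicked on are exempt
  const total = ad.cpuSeconds.reduce((a, b) => a + b, 0);
  if (total > t.cpuTotalSeconds) return 'cpu-total';
  if (maxWindowUsage(ad.cpuSeconds, t.windowLengthSeconds) > t.cpuWindowSeconds) return 'cpu-peak';
  if (ad.networkBytes > t.networkBytes) return 'network';
  return null;
}

// Shape of the feedback the segment describes: which frames were unloaded and why.
function interventionReport(ads) {
  return ads
    .map(ad => ({ id: ad.id, reason: classifyHeavyAd(ad) }))
    .filter(r => r.reason !== null);
}

// Constructed sample ads (cpuSeconds values are per one-second sample, 0..1).
const SAMPLE_ADS = [
  // light banner: 6 s total over two minutes, tiny download
  { id: 'banner', interacted: false, cpuSeconds: Array(120).fill(0.05), networkBytes: 300_000 },
  // steady 95% main-thread use for 70 s: trips the 60 s total rule
  { id: 'miner', interacted: false, cpuSeconds: Array(70).fill(0.95), networkBytes: 100_000 },
  // 18 s of work in the first 20 s then idle: under 60 s total, but over 15 s in a 30 s window
  { id: 'burst', interacted: false, cpuSeconds: [...Array(20).fill(0.9), ...Array(100).fill(0)], networkBytes: 100_000 },
  // barely any CPU, but 9 MB pulled before any gesture: trips the network rule
  { id: 'video', interacted: false, cpuSeconds: Array(10).fill(0.1), networkBytes: 9_000_000 },
  // same profile as 'miner' but the user clicked it: exempt
  { id: 'clicked', interacted: true, cpuSeconds: Array(70).fill(0.95), networkBytes: 9_000_000 },
];

for (const r of interventionReport(SAMPLE_ADS)) console.log(`unload ${r.id}: ${r.reason}`);
```

The "burst" ad is the instructive one: it stays under the 60-second total but packs 18 seconds of main-thread work into a 20-second stretch, which is exactly the "50 percent over 30 seconds" case the criteria single out. Note also that the report only ever names the frame and the reason, which is all an ad vendor needs to fix the creative.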
Russia, China, Iran having a red hot go at US political organisations
"Going to begin with a bit of a a tragedy in media, which is team at Reuters the security team at Reuters, we're onto an absolutely cracking story. That they had to hurry up and publish because they caught wind that Microsoft we're about to ruin their party time But yeah, they had a fantastic exclusive here about Russian efforts to target the. Biden. Campaign. yes. Reuters are reporting attacks against the same Biden. Campaign of this company called A. S., K. K. Knickebocker. who provide services for them they appear to be based on Microsoft's cloud and coming under attack from the Gi you fancy bit crew going up against you know people involved in the political world the Reuters reporting his focused on this particular organization. But Microsoft's the level of visibility across cloud infrastructure does seem to suggest that actually it's a much wider campaign going on for some time against a number of organizations across political spectrum in the US. Yeah. I mean Microsoft really did release a fair bit of information. It looks like at two hundred organizations targeted by Gi you. They also detect I detected a Chinese stipe backed group IPT thirty one. Basically invalidate email addresses and profile targets sort of doing recon work and they squashed a bunch of domains being used by the Iranians. It's. The contrast between now and two thousand sixteen right way. This stuff is absolutely being taken seriously. I've heard some people say, Oh, well, this is evidence that Russia's trying to interfere in the election. It's not I mean that that could be what they're trying to do but we don't really know what they're up to for all. We know they gathering intelligence. Yeah and the reports that we're seeing a marked swift information describes a whole bunch of attempting to gain access. 
We don't know what access was gained as a result of these attempts and then what it was used for; those kinds of things are obscure to us. But the sort of things that Microsoft is reporting are exactly what you would expect, right: password reuse, credential stuffing type things, phishing, all the usual sorts of techniques that, as you said, in 2016 worked very effectively. And now in 2020, 2019, we are much, much better equipped to be able to detect those things, and this is one of the advantages of people moving a lot of this stuff into the cloud: we do get this kind of central visibility in a way that we just weren't getting when everyone was using, you know, Yahoo here and Hotmail there. Now there's a much more concentrated intelligence available to Microsoft and more of an understanding of why it's important to talk about it. The Microsoft write-up goes through all of the attempts here and how frequently they were doing brute force attempts against various accounts and whatever, and they said that they were using a pool of approximately eleven hundred IPs, the majority associated with the Tor anonymizing service, which I interpret to mean Tor exit nodes, right? And of course, if you're seeing, like, hundreds of thousands of failed login attempts from Tor exit nodes, you would think maybe that's how they caught this. That's a little bit of a giveaway. Obviously, being able to pull the list of exit nodes and be able to correlate that is a pretty strong indicator, and it's just kind of funny, I guess, in a way, because it's illustrating the very dual-use nature of Tor. Yeah, and Microsoft's advice here is a little bit confusing, because they've listed five hundred and thirty netblocks that are associated with this activity and I'm like, do you mean, like, is this the other ones that we already knew about?
This other... we had language in the release about how they're separating brute forcing from password spraying, and you can tell that the fact that they've made a distinction between those things is the result of something really intense between various people. That'd be my guess. But it's good that this stuff is being turned up, right? Yeah, absolutely. It's good it's being spotted and being communicated, and also the defensive options for people, like enabling multi-factor authentication and monitoring failed logins, those are things that in 2016 were actually difficult for people, and now, modulo Microsoft's licensing, are much more straightforward for people to do, which is, I guess, an...
David Soto - The Draw of the CISO Position
"You need. You've been into space for while Ed you know coming from I think it's a unique perspective you've got going from the. The Sea so to the adviser and back to the sea like that. That's a really unique perspective to bring. What do you think the what are you keeps you going back to the sea. So role not got I. Just realized I said that like, why would you do that to yourself? Why would you do that to yourself? Man. Gun for punishments of. WanNa. WanNa. Continue. It's I always have this leaf than we can. We can still do better right and it's And I hope. That I am Yeah Glutton for punishment because I'll jump in here, I'll do it, and if I can prove, it can be done than everybody should be able to do it and Bhai though it runs me into hey, here can you take over and do this year? Yes. I do watch how lead by example and I think that's where gives me flipping back and forth also the other portion is it helps to get that experience again of being shoes of jumping over and then being adviser and helping others right I, run a seasonal round table here the few guys board members here in Orange County and we have. I wouldn't say crying session, we have normal session every. And we we go over you know what are the latest issues that were having? What are the things we're having to deal with and it's sometimes it's I opening sometimes it's you know some of us are sitting there going yeah. We we did that. Here's how we fix it. But IT'S A. It's always good I. Feel it's my way of giving back. It's it's interesting to to think about that because Rafi, we just talk last episode You know outgoing from C. so to earn maybe one of the previous episode right see. So to advisory role back. I lose track you know and kind of that. 
That idea, like, oh man, I've hit retirement. But that's a fantastic point to bring up, that when you start going out and doing that other side, you lose touch sometimes with what's really going on, and all that expertise and all that stuff you have... I see it sometimes on the development side, like, man, all that great knowledge I had of .NET 2.0 isn't as relevant anymore these days. If you're not going back into it, you lose touch with that, and now that experience that got you there is no longer relevant; you have to kind of get back into that. Yeah, and if you're not flipping back and forth, I think sometimes you do lose touch with some of it, right? Not all of it, but some of it, because some of the things that you take for granted, like the political issues that we end up dealing with in the role, right, you lose touch with if you're not in it for so long. And it's how to get consensus across everybody. You may think, by the time you've been out of it for a while, oh, I could have... you just do it this way, and it's like, now things have changed a little. I think we start asking the questions: why can't you just do whatever? Like, why is it so hard? Because I have to have seven meetings before anybody listens to me. I think it goes back to... we used to joke about layers eight and nine of the OSI model: management and budget. Oh man, oh, those layers, yes, we used to joke about that one, even back then. So to give you an idea, back in a previous role, I remember I used to have constant meetings, and people would be like, you just do this and it just works, and I'm like, no, you don't realize, I have to get everybody on one side of the whale and get them actually hitting the whale on that side.
So it will turn gradually, and it'll just take us time to get there, because without getting consensus and without getting the pain for the whale, the whale will just keep going straight; there's no reason for her to turn. And that's, I feel, one of the biggest hurdles that we end up having to overcome. That's the truth. I mean, the status quo can be a shockingly difficult thing to overcome, even in a world where we watch the news every day, and it's some exploit, somebody gets hacked, somebody gets shamed, another CEO is called before Congress. Like, you'd think everybody would be cybersecurity crazy, making it their number one priority, and yet... Right. Yeah. No, it's making it a priority across... they see it as a utility, right? That's exactly how they see it, but so do I: just like electricity is in everything that we have and are doing, same with security, it should be in everything that is done, and that's how we should be teaching the CEOs and the CIOs and the board: hey, look, we're through everything and everybody's a member.
Cyber Power Index highlighting Australian Government's gaps in cyber capability
"Like any INFO Technology Sector security has plenty of indexes flooding around or get. Indexes collided by vendors and people trying to sell things to us I thought this for Senate index was. Useful because it doesn't come from I accompany product. It say independent academic attempt to benchmark Com, sub security capability and intent from nation sites It appealed to make per couple of reasons may not have had A to do with Bill Center in the past spend a little bit of Thanh. Talking to their academics in previous roles and particularly locked the way that This report sets metrics that up designed to objectively major subsidy maturity in nations So it says what are the kind of things that we could judge the intent of a nation in the obscurity spice and one of the kind of things that we could use to objectively major capability. And it tells an interesting story in Australia Australia's categorized in the higher intent, low capability quadrant and the reason for that is because when the the objective metrics this reporter applied to the statements made by by government ministers by government departments, entities about what our intent is. Assab security spice. Where about the most ambitious nation in the world for ask security attend? But. Then when you look at what our actual capabilities against that intent on again measured in a series of objective metrics. We fold anti sixteenth in that space. So, FA May that told a pretty familiar story because this over promising on delivering stories. One that I think is familiar to a lot of. People in the Strand security sector. In the context of these trying government's actions since the twenty six, Day sub, security strategy. A lot of announcement to be my bet when you follow up way those announcements. In the years after that have been made you say less deleted then was announced to the media. Will what's on the industry? 
Compared to the 2016 strategy, which was defended at least out of the Prime Minister's office, this one is looking out at ten years. The 2020 strategy is looking at a ten-year timeframe and proposing $1.6 billion in funding, but a lot of that is going into law enforcement and, as you say, might be into that capability. What's your take on the strategy itself? Overall, as you say, it's another announcement; whether the strategy is just another thing or not, but certainly, your thoughts on the strategy itself and where else we could have been in 2020 from the 2016 strategy. Have you seen that the 2020 strategy is building on the 2016 one, or taking a completely new direction? Well, you can certainly say that the 2020 strategy is a reaction to the experience of the 2016 strategy. The 2016 cyber security strategy had a very large number of objectives and initiatives announced under it. I think the government found the experience of trying to implement that very large number of projected initiatives, again adopted under Malcolm Turnbull's prime ministership, a bruising exercise, because the 2020 strategy dramatically rationalizes its ambition. I'd say that the broad spread of initiatives and objectives under the strategy is a lot tighter. You'd see that about ninety percent of the funding associated with the 2020 strategy is allocated to security agencies, so it goes into building capabilities, particularly within the ASD but also other security agencies and enforcement agencies like the AFP, and that's well and good. We have, I think, outstanding, internationally recognized capabilities within ASD, and this is the kind of thing that you have to keep investing in in order to maintain those capabilities and maintain that international ranking.
Suppose big Criticism that that libraries had is one that we've been exploring for at the loss twelve months and that's really When you look at security policy to strike the problem is the ability to project those capabilities out of the silos of how defense and security agencies. To the problems in Australia Com in terms of lifting a bench, mock the baseline up security security. Brazil and Sada resilience across the Australian government trying economy You know there's a lot of examples of that. Wall is day is absolutely world standard. Saab resiliency combined entities is as at the government's own description reminding at relatively low levels. you know the is days top full became mandatory in the. Seventies ago now. had a slew of a straight national ordered office inquiry since then. when you type them all up on like twenty nine percent of Kamal entities compliant with all the top four. Seven years after theoretically became mandatory say interesting. Is Connect between very high capability. Inside Is Day lower levels of saga resilience and more broadly throughout government not to sign story that we see in the corporate sector unites now at banks and Al. Telcos, absolately will class intends to their sub security posture. But you only have to sort of take one stiff through the down. In the I six navy top fifty. And you start seeing. Very, different levels of resilience.
Kevin Magee of Microsoft Canada on where the cybersecurity industry may be headed
"Where do you think we're headed when you look towards the horizon, in terms of the continued professionalization of cybersecurity? It becomes more and more essential, less exotic, a part of every business. What do you think the future holds for us? Well, I hope we don't ever lose the art and make it into a complete science; that would be my number one comment on that. It's not like other industries, and we try and graft our thought processes and how we define our industry onto other industries. We call people in technology architects or engineers. Maybe we need our own vocabulary to describe what we do, and I think we need to really step back and see where we want to take our industry. Those of us that have been in a while and have been around have had the benefit of lots of great mentors and lots of folks that helped us up the ladder, and it's incumbent on us to really do that for the next generation, help them up the ladder. A lot of times they feel like they can't reach out to someone with a big title like mine or whatnot. One of the greatest joys of my day is spending some time with a student or someone who is passionate about our industry, helping guide them, or introducing a new book that they should read, to enable them on their career. I think there's a lot of folks like me out there that would love to have those discussions, have those interactions, and pay it forward, because someone helped them get to where they are as well.
Job hunting tips for cybersecurity professionals
"I want to jump from your career to sort of general talk of careers, because obviously we have a career person who's on the podcast giving cybersecurity career advice and so forth. So I want to start with the big question that keeps coming up on every podcast. I'm sure you've been asked before, but what are your thoughts on the so-called cybersecurity skills gap or shortage? That is a conundrum. So like I said, I have a degree in economics, I really like big numbers, and I'm sitting going: if you really have a cybersecurity skills gap, why is it so difficult at times to hire somebody? So the first thing that I would ask is this: what is your definition of a cybersecurity professional when you're talking about a skills gap? If I have a seller who is selling cybersecurity services, is he a cybersecurity professional? What about a project manager, an IT project manager who is now working on a project that I'm dealing with, installing QRadar or a SIEM? Is that a cybersecurity professional? Or are we talking about the people that I like to call keyboard beaters, somebody doing the vulnerability scan, staring at eyes on glass, or doing pen testing or red teaming? Are those the cybersecurity professionals? We need to figure it out. I recently saw a thread on LinkedIn and a guy made a really good point. He goes, hey, listen, if we're short three million jobs, that's one percent of the population of the United States, and statistically speaking there are probably a hundred and fifty million professionals, so really two percent of the population are going to be in information security? I don't buy it. So there are statistics everywhere, and there are lies, damned lies and statistics, except I do not believe we have a skills gap of three million people in cybersecurity. With that said, I absolutely believe we have a skills gap in what I consider the true cybersecurity keyboard beater: the vulnerability engineer,
the eyes on glass, the SOC analyst who sees somebody coming from Asia and hitting my system and then has to escalate it, the threat hunting analyst. Yeah, I think we need to understand what we are talking about with cybersecurity professionals, but there is a gap in certain areas. Yeah, and I think that's one of the things that we've discussed also, that I've learned just by doing this podcast: cybersecurity is such a vast range of job types, job opportunities, and especially skills and backgrounds. There are so many jobs that we've talked about, like risk assessment or threat modeling or things like that, that don't need any real keyboard-beating experience necessarily. If you're a problem solver, if you can explain things to the client well, if you're a good writer, you can get into the industry. So I think maybe there's also a perceptual issue; people say, well, I'd love to jump over to cybersecurity, but I don't know how to do all that computer stuff. But there are so many jobs that don't have anything to do with that aspect of it. I had a lady reach out to me. She's in Canada, she is an accountant auditor, and she wants to get over to cyber. My wife actually does cybersecurity as well; she's on the compliance side, so we have interesting dinnertime conversations about her day. And I told this Canadian lady, it's easy to pop over; it's like if you work for Toyota as an auditor, you know what compliance is, now learn about ISO 27001 and our regulations, right? Great point, Christopher. Audience, don't think because you're doing something today that it doesn't correlate to cybersecurity. Yeah, I had a guy out here yesterday detailing my car; it's really nice.
Very personable, and I asked him, you could get into cybersecurity. He said, maybe, I'm good with my hands, I'd need to know a little bit more about it. But I can certainly find places for him to go help, work in the help desk, a great place to start because you see everything. Find out what's your favorite candy, and the Columbus door
Are We Approaching A Cyber Security Investment Bubble?
"So it's been interesting, because from the sell side of things, where I sit as a CISO, we're getting hit all over on the sell side, and it seems like there are so many companies out there, so much investment happening, and some folks feel like there's potentially a cyber bubble as it relates to investing. What are you seeing? What's your prediction there? Yeah, you know, first of all, there's no way to really predict it, obviously, so anything you kind of assume is both true and false at the same time. Is there a bubble? I think at the end of the day there is a significant amount of investment going on in cyber because there's a significant amount of opportunity, also because it's a long-lasting problem. There's no such thing as a secure computer, there's no such thing as a secure enterprise, and the reality is, even in times of crisis, when you look at the past six months, everything has increased in terms of the number of attacks, the number of people who are going after major enterprises who had a whole lot of change and a whole lot of adaptations, kind of the new normal. And it's those moments in time where all of a sudden the level of risk associated with doing everyday business becomes so magnified. So the reality is that yes, there's a lot more investment going on, but I think it's for good reason, and I think ultimately the truth is that that kind of investment is going to yield results from an innovation perspective and from an adoption perspective. Every bubble was really about investing in the right things at the right time. I think the investments that are going to stand out and that are going to be sturdy are going to be the ones that will last the test of time. Is there money out there that's being, I'll call it, thrown around? For sure. But I wouldn't call it a bubble. That's interesting.
And it's interesting too, with the pandemic, are you seeing folks, investors, focus on dumping cash into, maybe, more money into fewer companies, or are you seeing a little more risk? I think it depends on the investor, and look, I know it's a terrible answer, but I think the reality is, kind of unpacking it, look at the major investors that basically have been taking in and consolidating and trying to double down. It's a very different investment methodology than what I'll call the lottery-ticket style investment. More often than not, that's kind of the stalwart of these VCs. The private equity guys have raised a ton of money, right, and they have to put money out; they're mandated to do it, which I think separates out a little bit of what we do on a daily basis, makes us a little bit more strategically oriented, to not have to deploy capital in that way. But when I look at how the investment market trends have shifted, the reality is, I think you're seeing more investment in companies that are going to be easier to bootstrap, right? And that's just been the trend for the past ten, fifteen years. It used to be you needed to go raise a ton of dollars to even start a company, and now you start a company on a credit card, right? So I think that for anybody who is deploying capital, the typical type of investment that you're going to make is much more aligned with where you see the return horizon, and given the pandemic I think you're going to see a lot more of the investments that are being made are smaller investments, definitely staying away from, I'll call it, the stalwart markets as well. Right, so not putting money into crowded spaces, not trying to reinvent the wheel, not going after major players, right, not taking on IBM headlong. I think
it's much more about how do I find those niche places where I think I see an exit, maybe within a five-year or even shorter horizon, those types of things that I think would be more viable in the short term. And that's really where I see money headed.
Yahoo's Ugly Death
"The name is synonymous with a time when all of our lives were simpler, when Facebook was an actual book full of students' faces, computers made weird sounds when they connected to the Internet, and downloading a one-minute-long video could take all night. In its heyday, Yahoo was one of the four or five most popular websites in the world, with billions of views every month and a valuation well over one hundred billion dollars. But as the 2000s turned into the 2010s, the web changed massively and Yahoo was faced with the difficult task of changing with it. Their web portal service model was going out of fashion. We all moved to Gmail, and Google Search became the front page of the Internet, despite the fact that Ask Jeeves was obviously way better. Many of Yahoo's services remained relatively popular, but they were no longer trendsetting, no longer growing, and the company's market capitalization dropped to a fraction of what it once was. Any remnant of the mindshare, or what we might refer to as the cultural capital they once held, fell off. So to those of us on the outside, Yahoo's fall seemed utterly quiet, gradual, and most of all inevitable. But was it really? Forget what you think you know, at least for a moment, and consider this: from the peak of the dot-com bubble, some say the beginning of the end for Yahoo, to 2008, their revenue increased tenfold. That success was no fluke either; as print publishers struggled with the incoming revolution of online advertising, Yahoo was very much on top of it. They were positioned well enough that when Microsoft attempted to buy the company for forty-five billion dollars in 2008, co-founder and CEO Jerry Yang swiftly rejected the offer. It was over the following few years that things would start to turn: the company transitioned through five different CEOs in just four years, and in the meantime Google took over the Internet.
This would seem like the end of the story, except in 2012 Yahoo made arguably the most significant hire in its history: a new CEO who could finally get things going again, Marissa Mayer. She was destined for such a role from the beginning. Some college students have a hard time in the job market, but after completing her degree at Stanford, Marissa was offered fourteen different jobs, including a teaching gig at Carnegie Mellon, one of America's leading engineering schools, and a consulting role at McKinsey, arguably the world's premier consulting firm. The young Marissa turned down both those offers to become the twentieth employee at a fledgling startup called Google. At Google, she was a star. In fact, there's a hundred percent chance you've run into her work: she oversaw the design of Google's homepage, you know, the one you use probably ten times a day. She was also one of the three people behind Google AdWords. It's difficult to overstate the importance of AdWords to the Internet as a whole and to the company itself. To give you some sense of it, at one point AdWords provided ninety-six percent of Google's entire revenue. In fact, you could argue that AdWords, and by proxy Marissa Mayer, was at least partly responsible for the fall of Yahoo. Yahoo's revenue multiplied tenfold between 2000 and 2008, in no small part because of their online advertising, but it declined even faster when Google, their smaller competitor, designed a better way to connect advertisers with users based on search results: AdWords. So, by the principle that if you can't beat them you should join them, Yahoo in 2012 hired Marissa Mayer. It was a bold and popular choice. The company's stock rose two percent the day of the announcement. Mayer instantly became an icon for women in an industry dominated by men. Then she got to work changing the company culture.
She opened an online portal for employee complaints, a system whereby any office problem, given sufficient votes by employees, would be automatically investigated by management. She oversaw a personnel shift which brought remote employees back into the company's offices. Fortune magazine put her in their 40 Under 40 list and ranked her as the sixteenth most powerful businesswoman on the planet. In short, things were finally looking up for Yahoo, at least from the outside. On the inside, however, the really, really inside, a very different story was about to be written.
Ransomware slows down many students return to school, even virtually
"A number of US school districts, already stressed by the unfamiliarity of the distance learning systems whose use the COVID-19 pandemic has imposed on them, are recovering from a range of cyber attacks. A few, like the distributed denial of service attack the Miami-Dade Public Schools sustained last week, were essentially cyber-enabled truancy, so easy a teenager could do it, WPLG sniffed haughtily. A lot of teenagers, we should note, have experience with booters, some of it gained in their play of online games. But ransomware seems to have been more common. The case of the Hartford, Connecticut Public Schools is representative: a ransomware infestation forced a delayed opening. Schools in Toledo, Ohio and Clark County, Nevada were among the larger systems similarly affected. Schools are reopening as they're able, but Tuesday's planned first day was for many students disrupted. It's not difficult to see why schools have been appealing targets. Ransomware operators are attracted to targets during periods of heightened vulnerability, and schools attempting to operate either fully remotely or in some hybrid combination of distance and in-person instruction present criminals an opportunity. They depend upon high availability, they have a large number of users and a difficult-to-control attack surface, and, as we mentioned above, remote instruction remains an unfamiliar process, complex and fraught with unfamiliar challenges in planning and execution.
DoH coming to Chrome for Android
"I'm not going to be able to type it in. DoH is coming to Chrome for Android. Although the desktop releases of Chrome have offered the enhanced security and privacy that many of us love, offered by DNS over HTTPS, which appeared in Chrome 83, two major versions ago, it wasn't added to the iOS or Android versions back then. But last Wednesday's Chromium blog was titled "A safer and more private browsing experience on Android with Secure DNS", and I would argue that that's a good place to have DNS over HTTPS. Paraphrasing from Google's posting for the sake of brevity, and to skip a bunch of stuff that we all already know, they said: "With Chrome 85, we're extending support of Secure DNS in Chrome to Android. As we did for the launch of DoH on Chrome for desktop platforms, we'll progressively roll out DoH on Chrome for Android to ensure the feature's stability and performance, as well as" (and I think this was significant) "to help DoH providers scale their services accordingly." As we've talked about, arguably, setting up persistent HTTPS connections to DNS servers is a significantly more burdensome process for the server than just fielding UDP packets. DNS traditionally over UDP is: in comes a packet, out goes a reply. HTTPS involves the whole TLS handshake to set it up, and then you're maintaining a persistent session; you don't want to have to do that every time you make a DNS query or it'd be way slower, and nobody wants a performance hit when you get authentication and privacy. But still, you have to maintain state over at the server end in order to offer this service, and that can require the providers to scale in order to make that happen. So presumably they're going to be keeping an eye on how well this does, and in fact they talk a little bit about the possible need to fall back. They said:
"Android Chrome will automatically switch to DNS over HTTPS if your current DNS provider is known to support it." And I just hit the space bar by mistake and scrolled. "This also applies to your current Android Private DNS (that's DNS over TLS) if you have configured one." They said, "This approach means that we can preserve any extra services provided by your configured DNS service provider, such as family-safe filtering, and therefore avoid breaking the user's expectations," making it transparent. They said, "In this automatic mode, Chrome will also fall back to the regular DNS service of the user's current provider (for example, if you had configured DNS over TLS) in order to avoid any disruption, while periodically retrying to secure DNS communication." So presumably, as I said, if the provider were to become overloaded or stop offering the service for a while, it'll just smoothly drop back to traditional DNS. They said, "In case this default behaviour isn't suitable to your needs, Chrome also provides manual configuration options allowing you to use a specific provider without fallback, as well as the ability to completely disable the feature." They said, "If you're an IT administrator, Chrome will disable Secure DNS if it detects a managed environment via the presence of one or more enterprise policies. We've also added new DNS over HTTPS enterprise policies to allow for a managed configuration of Secure DNS, and encourage IT administrators to look into deploying DNS over HTTPS for their users." So anyway, basically, it's what we've seen before from Chrome and pretty much now all of the browsers who are wanting to move their clients and users from traditional DNS over UDP to DNS over HTTPS. So it's just going to happen seamlessly: Chrome will start supporting it, and it comes with a list of known providers. If they see that you've already switched your DNS there, then they will just upgrade you
to that provider if that provider is known to offer the service, and because it'll be an automatic upgrade, if there's a problem they'll back you out of it. And then in addition, once that's provided under Chrome for Android, you can also switch it to sort of a non-automatic mode, provide the IP address and other URL requirements for DNS over HTTPS, and start using it. So again, I think that makes a lot of sense, especially when mobile devices are out roaming around more; you're away from home, where your DNS essentially never even goes public at all, it's just going to your own local provider in order to get resolution. So, good to see this happening, and of course, we've talked about how this is also being rolled out for Windows.
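The segment above describes DoH at the level of Chrome's behaviour. What the browser actually does on the wire is specified by RFC 8484: it builds an ordinary DNS message, base64url-encodes it (without padding) into the `dns=` query parameter of a GET, and parses an ordinary DNS message out of the HTTPS response body. The following is an added example written for this page, not Chrome's code and not from the show; it assumes Google's documented `https://dns.google/dns-query` template only to construct a URL, and the response bytes it parses are constructed by hand (example.com resolving to the TEST-NET address 192.0.2.1), so nothing is sent over the network.

```python
"""DNS-over-HTTPS (RFC 8484) message handling, as an added example."""
import base64
import struct

# DoH GET template; used here only to build a URL, nothing is sent.
DOH_TEMPLATE = "https://dns.google/dns-query"

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, qid: int = 0) -> bytes:
    """Build a single-question DNS query with RD set.

    RFC 8484 recommends ID 0 for DoH so identical queries yield identical,
    cacheable HTTP requests; the HTTP exchange, not the ID, pairs a reply
    with its request.
    """
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(template: str, query: bytes) -> str:
    """Base64url-encode the query, padding stripped, into ?dns=."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template}?dns={dns}"


def read_name(msg: bytes, off: int) -> tuple:
    """Read a possibly compressed name; returns (name, offset after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035)
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2              # caller resumes after the pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> dict:
    """Parse the header, question section and A-record answers."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": qid, "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}


# Constructed response (not a real capture): example.com A -> 192.0.2.1,
# TTL 300, answer name compressed as a pointer to offset 12.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"
)

if __name__ == "__main__":
    print(doh_get_url(DOH_TEMPLATE, build_query("example.com")))
    print(parse_response(SAMPLE_RESPONSE))
```

A real client would send the URL with an `Accept: application/dns-message` header (or POST the raw query with that content type) and hand the body to `parse_response`; the same `build_query` bytes would go into a plain UDP datagram on port 53 if the automatic mode described above falls back to the provider's classic resolver.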
China closing the "cyber gap" with USA
"This is a write-up of research that came out of Harvard's Belfer Center looking really at which countries have their cyber together, right, and the old understanding that the US is number one and then China is a distant second. Well, not so distant anymore by the looks of things. Yeah, the idea of pulling together information about what the capabilities of all of the nation-state actors are is a pretty difficult thing, because it's all kind of secret, and they went through the research into this process of identifying what are the metrics by which we can judge the maturity of these programs in individual countries, how effective that capability is, what kind of things they do, and built a bunch of matrices to try and actually put some structure around it, and then be able to use open-source information and other stuff they had access to, to be able to put things together and rank them at the end. Yeah, it's quite an interesting set of work. The USA does come out number one still in their assessment, but the gap between the US and China is very, very small. So there's a bunch of other actors on there that maybe people don't necessarily think about. Switzerland, for example, is in the top ten. It's the Swiss! Yeah, it was a bunch of people you wouldn't necessarily expect, but it also looks at the maturity of the commercial sector, of the Swiss crypto industry. I mean, that's something to point out too, right, these rankings are not just based on offensive capability. It looks at offense, defense, industry, the whole cyber shebang. Yeah, and of course it makes sense, just looking at trying to think of capabilities in terms of domestic commercial operations, right? I mean, they've got such a lot of expertise manufacturing hardware, building software, lots of high-tech industry; it makes sense that feeds into a general overall capability as well. But yeah, so much of this
is just kind of finger-in-the-air stuff, and it's nice to see, in the analysis, that it's not just finger-in-the-air research; it's trying to take a structured approach, and the data kind of looks like what you'd expect. When they go, yeah, that seems believable, which is always a good sniff test. Wonkery can sometimes be a bit kind of off in the water, whereas this actually looks pretty in line: you see Singapore, you see Vietnam, North Koreans, it kind of lines up. Yeah, it does, and I don't know what this means for our old concepts around asymmetry when you're really looking at the most powerful countries still being the most powerful in this ranking, right? Like wasn't this supposed to be all about asymmetry? Is Iran's program evidence of cyber being asymmetric? I don't know anymore. Well, yeah, I mean the world's changed; it's a much more complicated, nuanced set of things. I'm seeing these capabilities exercised in a more holistic, geopolitical way, not just using hacking in isolation; I'm seeing these things done to further national goals, in the context of the trade stuff, for example, between China and the US, as chess pieces in larger games, which changes the traditional kind of technical asymmetry to, you know, much more balanced.
Maryland trying to crack down on ransomware
"The story comes from Delmarva Now, which is a publication that covers the Maryland, Delaware, Virginia area, and this is about the legislators who are introducing a ransomware bill that's going to tighten down the rules when it comes to ransomware, with some penalties, just to sort of try to bring this into focus. This was written by Wesley Brown from Capital News Service. So we've got some Maryland legislators; Senator Susan Lee, a Democrat from Montgomery County, sponsored the bill, and it sounds to me like what they're doing here is just trying to put the word out to criminals that even just possession of ransomware would be a crime in the state of Maryland. So this would be a radical change in the law around ransomware in Maryland. The way the current statute works, it is only illegal to actually use ransomware. This statute, if enacted, would criminalize the simple possession of ransomware unless the person possessed it for research purposes. So if you're in an academic setting and you were trying to study different types of ransomware, that would not be a violation of the statute. But as we do in other areas of the law, oftentimes we criminalize the possession of something because the threat that the person will use whatever that thing is is particularly dangerous. That's why we prohibit, in many instances, possession of certain types of firearms even if a person does not use the firearm; we're criminalizing somebody for simply possessing what can be very dangerous. And Maryland has experience, obviously, in dealing with dangerous ransomware. Right, most famously Baltimore City was the victim of a ransomware attack back in May of last year that crippled city systems for several months. It took me a while to get my water bills. It is not fun to get a bill three months later for three hundred dollars. So obviously this is a very serious problem, and the key with this piece of legislation, and I
think this is something that Senator Lee would agree to, is it's a deterrent. You want to make it as undesirable as possible for people who are even considering possessing ransomware, to realize that their actions would violate this law and they would be subject to pretty significant penalties. I think the statute calls for something like a ten thousand dollar fine or five years in prison as a maximum penalty. So it's a misdemeanor, but it's a serious misdemeanor. Yeah, so we are creating this deterrent effect. A couple of things noteworthy here: one, just a shout-out to one of your colleagues and certainly a friend of the CyberWire, Markus Rauschecker; he testified on this bill. He sure did, and he is a friend of the show, also a fellow employee at the Center for Health and Homeland Security. Markus testified on this last year; the bill was not enacted in the 2019 legislative session. It's all Markus's fault, just giving Markus a hard time. Now here in 2020 they have made some changes to the bill to make it more palatable, and from what I heard from Markus the hearing went very well, and there seems to be broad, increasing support for this type of legislation, largely because not only Baltimore City but also the smaller city of Salisbury, Maryland suffered a ransomware attack. So there's just more of an awareness of how much of a danger this is to our localities, and this is a proactive measure for there to be a deterrent. Another thing worth noting, and I knew you were going to mention this, is that a couple of other states, and this is what Markus mentioned in his testimony, Michigan and Wyoming, have experimented with this approach. The approach is so new that we don't actually have any quantitative research on whether this is an effective deterrent to cyberattacks; that remains to be seen. Well, let me play devil's advocate on that. A Maryland law would affect citizens of Maryland.
Right, do we think that the people who attacked the city of Baltimore were Marylanders? Probably not. What I'm getting at is how much of this ransomware is even coming from within the United States? So I agree with your devil's advocate take; that's what lawyers do, play devil's advocate. A couple of things though: that sort of principle is applicable to a lot of different state laws. You could say, why pass a state law on anything, because somebody from Virginia could come in and do this illegal behavior and then would go beyond our jurisdiction, and we wouldn't be able to catch them. So it's still a deterrent factor, just because the state of Maryland is making a statement that this type of behavior is criminal in nature. So sometimes just simply stating that the possession of something is criminal itself acts as a deterrent. That ne'er-do-well who's thinking about their bank account being almost empty and weighing their options and saying, you know, I have some computer skills, maybe I'll just spray out ransomware here, they may see this and think twice. Absolutely, yeah, I mean the deterrent effect I think is something that we use for all criminal statutes. In instances where the perpetrators are beyond our jurisdiction, I think the state of Maryland is just doing what it can in the absence of a federal law that criminalizes ransomware and the absence of some sort of international law. We can only control what happens within our own borders, and so this is a start.
The Crypto Security Triangle Concept
"Now in this lesson, I'd like to talk to you about how all cryptos share the same fundamental security principle, but they differ in specific details. This is important to know because, no matter how hard a hacker tries to confuse you, as long as you are clear on these fundamental principles that apply to all cryptos, they won't stand a chance against you. So I call it the security triangle because I think it's a good way to visualize and represent this idea. At the bottom we have the point of the triangle, and that represents the fundamental security principle that all cryptos share. Think of it like the root of a tree that everything stems from. Then, as the triangle gets wider, that represents the increasing differences between the various cryptocurrencies, which all share the same root. This fundamental security principle that I'm talking about, that all cryptos share, is that your private key controls your crypto. It doesn't matter which cryptocurrency or which crypto asset we're talking about. If anyone tells you that they need to know your private key, that should immediately ring alarm bells, and you should stop immediately and seek help, because there is almost certainly a scam happening. You know what they say: better safe than sorry. So that's all I wanted to say in this lesson. I wanted to make a dedicated lesson on this particular topic to guarantee that you hear it. If I'd included this in the mix of a bunch of different points in the same video, then you may have missed it, and it's just too important for you to miss. So, again, what an attacker may attempt to do is tell you some story about how this particular cryptocurrency is new and different, or based on a different technology, and that's why they need your private key in order to do this and that. Don't believe it. This is also where they're likely to appeal to greed, like I said before, by saying that they need your private key in order to make you money.
Part of you will want to believe that, but please don't. It's just not worth the risk. If you do get people saying things like that to you, stop immediately and get help from someone that you trust, and who also knows what they are doing. No matter how many new cryptos come along, they will all share this fundamental security principle. There would have to be a pretty huge change in the technology for this to change, and if there is, I will be talking about it. So stick with me. That's all for this lesson.
Elizabeth Wharton: Strong shoulders for someone else to stand on
"This is Elizabeth Wharton, and I am an attorney by training and currently chief of staff at SCYTHE, an Internet startup company. I've always enjoyed solving problems, Nancy Drew being some of my favorite books growing up. Early on I thought I was going to be kind of the white knight district attorney fighting crime, and I realized very quickly, after years of high school mock trial competitions, that at the end of the day I did not enjoy litigation. So while I knew I had found my home in the policy and legal world, it took me a little while to come upon the technology side. So I spent a few years on the Hill, looked around the room and said what's next, and saw that everyone who was at the level I thought I wanted to be at, they all had a law degree. From there I went to law school, passed the bar, and of course answered the siren's call of a big law firm: big money, big projects. And I worked in finance, business and real estate for about six years. As I started doing that, more friends in the Atlanta area were involved in different technology projects and research, and they started asking questions: hey, if we're doing this, if we're researching this, is this legal? And from there it just snowballed, and the next thing I know, as John Wick in the John Wick movies would say, "Are you back, John?" and eventually he's like, "Yeah, I guess I am." So, are you a technology attorney? Well, yeah, I guess I am. I've had the good fortune to take those years of advising businesses from the outside looking in, helping companies shape their strategy from the legal perspective, and I've been able to grow that and now can help companies shape their strategy from the inside looking out. It really helps in building if you have thought five moves ahead as you're doing something, so that when surprises come up later it's a lot of fun. I
get to be able to say, oh no, we built that, we baked that into the contract ahead of time, or yeah, I anticipated that. I mean, one of the best examples is, if I'm working with security researchers, we've got a product that we want to use that says, oh, you can't reverse engineer this software. But if I know going in that that's exactly what we're gonna do, but not from a malicious standpoint, instead we wanna make sure it meets our needs, then I know how to go back to the other company and say, hey, gonna be honest, the engineering teams are gonna reverse this, but we're doing it to protect ourselves. So basically think of it as we're gonna be delivering free quality assurance testing, and some folks love you, because you're like, wait, you're going to pay us money to use our product and give us effective feedback on how to make it better? Yes. Ask those questions. Find what brings you joy, what piques your interest, what sparks your imagination. Look around, see who's doing even just a piece of that or part of that, and ask them, hey, what about this drove you there, or what should I do, what did you learn, and just absorb that information. Every step of the way I have had someone willing to give their time, their expertise, and really just mentoring doesn't quite sum it all up, supporting, cheering me on, and I'd like to think that I can just help someone else, because of the adage that a rising tide lifts all ships. We didn't get to where we are without the help of others, and so I just like to add strong shoulders for someone else to stand on and help reach their heights.
Canary's Royal origin story
"Just aim at making that the problem that needs solving. Tell us about how you arrived there, because you actually had a pretty interesting path in between. Okay, so we've talked about Thinkst. I'm so sorry this has turned into your life story, by the way. I mean, look, for those of you who are listening, you can probably guess that Haroon and I are friends, and I'm friends also with Hula and I'm friends with Shell. I love these guys and I just think the history is really interesting, which is why I'm bothering to draw it out in a podcast. But you didn't just go straight from SensePost into Thinkst; Thinkst had a previous incarnation, really. Tell us about that. So it's actually interesting, because leaving SensePost, I knew that I wanted to try to build a product company, and my earlier hope was actually slightly more ambitious than that: a vision of multiple products, that you just build things and then split them off and they'll go become companies on their own. And one of the things you figure out is that everything you build actually takes a whole bunch of effort to get it to market. I didn't know the product that we wanted to build yet. So when I left SensePost, Roelof already had a hacked-up version of Maltego, and so he went and worked on that and made it better and better and better, and when I left I had like four or five ideas. One of them was a WAF, believe it or not. One of them was like, how can we detect badness on this thing? One of them was solving remote password resets, as lame as that sounds. So I had a short list of them.
And my plan was to find customers who could pay me to solve that problem for them, with the understanding that I could then resell that as a product. And so instead of raising money, I'd go to a customer and say, hey, this is a big problem for you, pay me to build it for you, and after I build it for them I might sell it to other people. And so we tried a few problems, and then there's a division in the story, because one of the first customers that actually did stuff like this: we built a version of WikiLeaks for Al Jazeera. I'm really surprised that you actually named that, because I was prepared to ask you a question about the work you did for a broadcaster, because this is not something you've really spoken about publicly before, is it? No, I haven't. Not for a huge secret, but just because generally customer names are just not what you talk about. You did a lot of work for Al Jazeera for quite a bit, and you were interfacing with very senior people in that organization. So what happened was it started with a friend of mine who worked there, who said that they needed, or they were interested in, a WikiLeaks-type program, and this was way early, when WikiLeaks was the darling of journalism. So you took this on when WikiLeaks was cool. WikiLeaks was cool and all the journalists wanted them, and already Al Jazeera was saying they wanted their own platform where people could leak stuff to them. So I spoke to them a little bit, and we actually built a really cool thing for them, considering when it was. It tells you its age: it was a Java applet that loaded on the client machine. It would natively do PGP, with the logic that the stuff you want to leak never leaves your machine without being encrypted with a key that's never shown on the Internet. So on your machine it gets encrypted, and by the time it reaches the server it's natively encrypted, so the server doesn't know who sent it.
You could just pull that stuff off the server and PGP-decrypt it later on. And what year was this? This was 2010, late 2010. So it was super cool and advanced for then. And while I was doing it, the whole of Egypt's revolution happened, and I was looking at Al Jazeera when Egypt fell, and Al Jazeera got taken off the air, and at the time what I figured out, just by accident by being there, was that they thought that security meant having a firewall, and here was a news organization that was covering what was becoming the Arab Spring. But literally they had zero real understanding of security: everything you can think of, flat network. And also it's such an interesting business model, right? Like everybody hits the journalists, but journalists literally have, some journalists have, all the interests of a full-blown spy, except they publish everything. And actually wrapping them up in cotton wool isn't the solution, because putting stuff out there is what they do. So I ended up speaking to the director general at the time, and I proposed a bunch of products that I said we could build for them, again with the view that these would be great products outside. And we agreed on a contract where we could build a bunch of things, like how would you know if you were owned? If you were a journalist, how would you know that your devices were owned, stuff like that? And the interesting thing is he said, look, you can do this as long as you come over here to Doha, we'll welcome you. And at the time it was just my wife and I, and we said okay, let's go do a Doha holiday and see how that works. It turned out to be super interesting, and when I got there I saw the breadth of their problems. And then they went through management changes: a new director general came in, who turned out to be royalty, and he was more interested in locking stuff down, and at that point I said to them, hey, listen, here are these projects that we're doing for you, but I'll leave.
And he said, look, can you build us a security team? And so essentially what I did at that point, and at that point Thinkst was just me, so I had the ability to, and I said okay. I hired their team, built that team up. And something that's not spoken about in the Canary origin story is that after I built that team and left them, I'd still periodically, not so much consult for them as give advice to some of the executives, like the head of the new media division or the head of the technology division, and I would occasionally pitch the idea to them of dropping honeypots as a way to get insight into their new satellite networks, and they didn't implement it. Normally they used to do everything I'd say, and they didn't, over two visits, and that's when we started to figure out, hold on, these people want to do it, they're just not getting around to doing it. And we need to make these. Yeah, the problem that needs solving is making this thing so easy that people who want to will do it. And at the time, seeing them was super interesting, because it gives you an interesting view again into the... I was coming off ten years of ridiculously convoluted hacks at SensePost, right, because in the position I ended up in, I'd just get involved when it was a cool hack, so cool customers, and so you end up with these really cool technical problems. And now you walk in and actually your problem is solving... your analysts... yeah, journalists in Morocco sharing.
Russian Tries to Hack Tesla
"Almost a state-sponsored spy story, we have something that really happened. And I tease this by quoting our friend Marcus Hutchins' Twitter reaction upon learning of it. Just to remind everyone, Marcus is the well-known security researcher and reformed cybercrime hacker. He actually reformed in his teenage years, but the FBI didn't forgive him for that, and of course, as we know, his future became uncertain when the FBI grabbed him at Las Vegas's Logan Airport as he was departing, or preparing to depart, from the US for his home in the UK, following the annual Black Hat and DEF CON conferences. Well, last Thursday, reacting on Twitter to the news of this story, which had just broken, Marcus quite correctly observed. He tweeted, quote, "One of the benefits of cybercrime is criminals don't have to expose themselves to unnecessary risk by conducting business in person. Flying into the US jurisdiction to have malware manually installed on a company's network is absolutely insane," unquote. Okay, so what was all that about? A twenty-seven-year-old Russian national by the name of Egor Igorevich Kriuchkov traveled to the US and attempted to subvert and bribe an employee working at Tesla Corporation's massive Nevada-based Gigafactory. Egor ultimately agreed to pay the employee one million dollars to plant malware inside Tesla's internal network. The good news is the employee reported the offer to his employer, Tesla, and then worked with the FBI to build an airtight case and to set up a sting, which included having him covertly record face-to-face meetings discussing this twenty-seven-year-old Russian's proposal. In their complaint, which followed Egor's arrest and arraignment last Tuesday, the prosecutors wrote: "The purpose of the conspiracy was to recruit an employee of a company to surreptitiously transmit malware provided by the co-conspirators into the company's computer system,
exfiltrate data from the company's network, and threaten to disclose the data online unless the company paid the co-conspirators' ransom demand." The complaint said that the malware would be custom developed and propagate through the company's network. For it to work, the group said, it needed the employee to provide information about the employer's network authorizations and network procedures. Kriuchkov said the malware would be transmitted either by inserting a USB drive into a company computer or clicking on an email attachment containing malware. Egor explained the infected computer would have to run continuously for six to eight hours for the malware to move fully through the network. To distract network personnel, a first stage of the malware would perform a denial of service attack while a second stage performed the data exfiltration. When the complaint was initially unsealed last Tuesday, the identities of all parties were still confidential, being identified only as Company A and CHS-1, which is their abbreviation for Confidential Human Source number one, that is, the employee. But last Thursday Elon Musk confirmed that yes, indeed, it was his company that was the target of this whole operation. The charging document, which was filed in federal court in Nevada, detailed an extensive and determined attempt to infect Tesla's network. The defendant, again twenty-seven-year-old Egor Igorevich Kriuchkov, allegedly traveled from Russia to Nevada and then met with the unnamed employee on multiple occasions. When Egor's initial five hundred thousand dollar bid failed to clinch the deal, the defendant doubled the offer to one million dollars. According to the complaint, Kriuchkov wined and dined and boozed up the employee, and when discussing especially sensitive details, conducted conversations in cars. When FBI agents couldn't conduct physical surveillance in restaurants or bars, the employee recorded them.
One meeting occurred on August seventh in a car Kriuchkov had rented. Referring to the employee again as CHS-1, the prosecutors described that August seventh meeting as follows. They said: "During this meeting, which the FBI had consensually recorded, Kriuchkov reiterated some of the details of the criminal activity previously proposed to CHS-1. Kriuchkov described the malware attack as he did before, adding that the first part of the attack, a DDoS, would be successful for the group, but the victim company's security officers would think the attack had failed." Kriuchkov, and here's some news, again listed prior companies this group had targeted. Kriuchkov stated each of these targeted companies had a person working at those companies who installed malware on behalf of the group. To ease CHS-1's concerns about getting caught, Kriuchkov claimed the oldest project the group had worked on took place three and a half years ago, and the group's co-optee still worked for the company.
New Zealand Stock Market Halts Trading Amid Cyber Attack
"Trading on the New Zealand Stock Exchange has been halted for like a week because of a DDoS attack, and this attack was already happening before Adam and I recorded last week, but we didn't talk about it at the time because we weren't sure what the motivation was. The Christchurch massacre terrorist was sentenced last week, so we thought there could have been a political nexus to the attack, but now it looks like fairly standard DDoS ransom stuff. Standard blackmail, but at a pretty big scale: two hundred gigabits per second is what they're saying that they're tapping at, and a pretty significant target, the New Zealand Stock Exchange. This is a little bit risky. Just like the ransomware people who are going after critical national assets, things like hospitals where people are gonna die, I think these guys are playing with fire. New Zealand's got a pretty serious intel capability as a country, and I wouldn't be shocked if doing things like going after the stock exchange ends up with these guys in the real crosshairs. Yes. They were able to take down the part of the NZX website that dealt with company announcements, and because they couldn't provide appropriate access to company information they had to suspend trading, and it's been up and down all week. So it is actually a pretty big deal, this one. It looks like this is the same crew, maybe, that was pretending to be Russians a couple of years ago, pretending to be like Fancy Bear, "we are Fancy Bear, send us your bitcoins," and that was making some people on the receiving end of those emails feel very important for a time. The ego boost that you give to your victims. But yeah, I don't think this is how the GRU is monetizing their activity. No, and it looks like one of the issues here was that NZX was hosting its DNS servers and its content servers on the same network, which is usually a good thing to do.
We keep on saying this: these are very important pieces of infrastructure where people have not thought through and threat modeled that. Looks like it, and I do think any organization of reasonable size needs to have security assessments that don't just try to break in and look at traditional intrusion, but think through, if a DoS attack happens, what is the thin part of your infrastructure that's gonna fail first. This is really interesting, because obviously most of the exchanges probably disconnect from the Internet, on private networks, on leased lines and such. But like you said, if they can take down a web service and a website that is critical to the legal operation of the site, then does it matter if the backend servers are still operating? They have to stop operation overall. Yeah. This attack campaign is also targeting MoneyGram, Braintree and other financial services companies, and we have linked through to a write-up on ZDNet by Catalin Cimpanu.
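The hosts' point about DNS and content living on one network, and about asking which part of the infrastructure fails first under a DoS, can be turned into a routine check. The script below is an added example and is not code from the podcast or from NZX; the asset inventory, network names and RFC 5737 documentation addresses are all constructed. It walks each public service's dependencies (the endpoint plus the resolvers a client must reach first), computes which services go dark if one network is saturated, and reports any network whose loss takes everything down, then shows how adding an off-network secondary resolver shrinks that blast radius.

```python
"""Blast-radius check for volumetric DoS: which services die if one network is saturated?

Added example, not the podcast's or NZX's code. Inventory below is constructed;
addresses are RFC 5737 documentation ranges.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical networks an organisation controls or depends on.
NETWORKS = {
    "dc-primary": "203.0.113.0/24",
    "dc-secondary": "192.0.2.0/24",
    "dns-provider": "198.51.100.0/24",   # third-party DNS host, off-site
}

# Hypothetical assets: name -> IP address.
ASSETS = {
    "ns1": "203.0.113.10",
    "ns2": "203.0.113.11",
    "www": "203.0.113.20",
    "announce": "203.0.113.21",
    "trading-api": "192.0.2.30",
    "ns-ext": "198.51.100.5",
}

# Public services and what a client must reach to use them: first the authoritative
# resolvers for the zone, then the endpoint itself. Both resolvers sit in dc-primary.
SERVICES = {
    "public-site": {"endpoint": "www", "resolvers": ["ns1", "ns2"]},
    "company-announcements": {"endpoint": "announce", "resolvers": ["ns1", "ns2"]},
    "trading-api": {"endpoint": "trading-api", "resolvers": ["ns1", "ns2"]},
}


def network_of(ip, networks=NETWORKS):
    """Return the name of the network containing ip, or 'unknown'."""
    addr = ip_address(ip)
    for name, cidr in networks.items():
        if addr in ip_network(cidr):
            return name
    return "unknown"


def blast_radius(services, assets, networks=NETWORKS):
    """Map each network to the set of services unreachable if that network is saturated.

    A service is lost when its endpoint is in the network, or when every one of its
    resolvers is: clients cannot resolve the name, so it does not matter where the
    endpoint actually lives.
    """
    down = defaultdict(set)
    for net in networks:
        for svc, spec in services.items():
            endpoint_net = network_of(assets[spec["endpoint"]], networks)
            resolver_nets = {network_of(assets[r], networks) for r in spec["resolvers"]}
            if endpoint_net == net or resolver_nets <= {net}:
                down[net].add(svc)
    return dict(down)


def single_points_of_failure(services, assets, networks=NETWORKS):
    """Networks whose loss takes down every service: the 'thin part' to fix first."""
    everything = set(services)
    return sorted(net for net, lost in blast_radius(services, assets, networks).items()
                  if lost == everything)


def add_offsite_resolver(services, resolver):
    """Mitigation for comparison: register an extra resolver in another network for every zone."""
    return {svc: {**spec, "resolvers": spec["resolvers"] + [resolver]}
            for svc, spec in services.items()}


if __name__ == "__main__":
    print("before:", blast_radius(SERVICES, ASSETS))
    print("single points of failure:", single_points_of_failure(SERVICES, ASSETS))
    hardened = add_offsite_resolver(SERVICES, "ns-ext")
    print("after adding ns-ext:", blast_radius(hardened, ASSETS))
    print("single points of failure:", single_points_of_failure(hardened, ASSETS))
```

With the constructed inventory, saturating dc-primary takes down all three services even though trading-api is hosted elsewhere, because its resolvers are co-located with the web content; after an off-site secondary resolver is added, only the services whose endpoints actually sit in dc-primary are lost. The same walk can be extended with load balancers, CDN edges or upstream transit as further dependency layers.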
CISO Accountability Problems with Brandon Dunlap
"In the past I've worked in organizations as a CISO where there's a large outsourcing component to it, and the predecessor signed off on it, and I walk in and I've got multiple years left in the contract only to realize that maybe the business landscape had shifted, or the relationship was sour, or the contract wasn't quite what it could or should've been. And that's a tricky spot to walk into, right, because now you've already ceded essentially a lot of control to, say, your outsourcer, or even when you talk about technology vendors that have been heavily invested in and may not be where they need to be for the organization. It takes a long time to either adjust or unwind or modify a lot of these contracts and those relationships, and so having an understanding of what that landscape looks like is critical. And I think we also touched on some of the organizational dynamics and current events that have happened since we last spoke that have made some of my requirements... Well, so I'm always very wary about walking into a situation I don't understand, which is why I tend to look for places, I'll vet the company I go to work for fairly heavily now, usually requiring some number of months to sort of get to know them, how they operate, the people that work there, et cetera, because you don't ever want to walk into a company that sells you this rosy picture of the amazing job you're going to have with all this great accountability, right, you're going to have all this responsibility and this accountability, and then you go, so I changed stuff, right, and they're like, well... and then you end up in a situation where you're being indicted. On the show, for those of you listening, you know we don't go into current events, and I hate talking about any specifics of a case, but this case, Uber and their CISO, sparked a lot of conversation, and that's kind of where we got started.
So I wanna ask Sean, because I'm sure, Sean, you paid attention to this. How do you feel about what Brandon started, where I just added to it, like, hey, welcome to the company, you're being sued? Yeah, I mean, that's a pretty harsh way to come into a company, and you make a great point. You're given responsibility, you're given accountability, but you have no ability to control the circumstances around you that lead to it, so that type of scenario is definitely not favorable. We're looking at this case, and look, I don't know anything firsthand about this case with Joe Sullivan other than whatever was in the Department of Justice's statement about it and the allegations made there. But I think it's a bigger picture that we need to see here. Going back to Target, Home Depot, Neiman Marcus, all the breaches, really since the watershed moment of data breaches back in late 2013, early 2014, we have been hearing this same statement all around, that somebody's gotta go to jail before things change. Yeah, people have been saying somebody's got to go to jail before things are going to change. Well, exactly, because what they were talking about were your C-level executives, your CEO, or board members, people like that, that's who they kept talking about. Nobody was really thinking at that time about a CISO. But when you look at the individual facts of this case, from what we know, I do think that there's going to be a lot of concern and fear created out of this, but I don't think, at the end of the day, this is going to be the norm. I think this is more of an outlier situation. This also begs the question of who actually bears responsibility, right, in an organization where you have your traditional governance model: board, executive leadership, et cetera. You have a CISO
with the title Chief Information Security Officer, but they're not sitting, necessarily, in most cases, in the C-suite. They're not doing, in many cases, more than maybe twice a year, quarterly at best, board notification. Some CISOs I know actually send kind of almost a newsletter update, if you will, to their board, but they're not sitting at the table, and the question is where does the accountability really
The Diversity of Security Challenges in Higher Education
"Now, what is it like? Every year you have a new batch of students coming on board and they all want to connect to your network. I mean, what's the reality of that situation from a security point of view? It is a lot of prep work over the summertime, a lot of repair and refine and replace things that aren't doing well, and then when we get about two weeks out from classes starting, which this year is September second, so we're kind of in that zone right now, that's where we're making sure that everything is working in its optimum capacity and capability. Following that, it's let's continue planning for whatever is going to happen next. We had the spring term, the winter-spring term, in January this past year, and nobody anticipated COVID. I'm sure that there was anticipation, because the fun part of that is we actually did a pandemic tabletop exercise in the Division of Information Technology, which is the central IT unit on campus. We did that in the fall of 2018. So we had already kind of worked through some of the communications challenges and the organizational challenges, so when it came time to do the transition from in-person courses to online courses, we were able to do that in very short time, and that included transitioning thirty-seven hundred core courses from in-person delivery to online delivery. So that really served you well. It was the preparation time, and it was the understanding of what we would need to do, and it was also checking those channels. I've done some business continuity work in my past, and a business continuity plan that you just never exercise is not a plan, it's a bunch of paper. So we were able to walk through and validate that, and that's the kind of work we do during the school year. And we take our kind of slowdown period, so
beginning of summer, everybody takes a deep breath, and then we exhale and get back to work. Sometime during the summer I like to encourage my team to have a little bit of time off. But when September comes in and the students arrive, we try to work really hard to get them through, and then we take it to the winter holidays. What kinds of things are you and your team defending against? Who's coming at your network? It's the usual array of threat actors. Think about the things that research is doing. We're doing a lot of research in the area of COVID right now, and it's just, we have the capability, we have the expertise, we have the researchers that want to do that. But we also have a school of medicine and public health. We also have a school of nursing, a school of pharmacy. So healthcare education is important, and that has just a treasure trove of highly valuable information in it. But we do engineering work, and some of that work is patentable work, so that's probably attractive. We do a lot of business-influenced work. We have a data science institute which is trying to figure out the better ways to understand the magic acronyms of AI and ML, artificial intelligence, machine learning. And that's attractive information. Not only that, forty-four thousand students, twenty-three thousand staff, that's a treasure trove of marketable information. I always wonder, someone in a situation like yours, where certainly you're going to have some students, and I'm thinking of, oh, I don't know, folks in computer science and other sorts of places, who are going to look at the campus system or the university system as their own personal playground, that they're gonna wanna test their own skills against yours. Is that an annual thing, and how do you not be adversarial?
How do you support the educational aspects of those students while still keeping things up and running? What's your approach to those sorts of things? Well, so we are establishing some really good partnerships with the academy, with the professors and researchers that are interested in studying the cybersecurity arts and sciences. We've had a relationship with the Information School. They're part of the College of Letters and Sciences, and now they're part of what's been amalgamated as the School of Computing, Data and Information Studies, so CDIS. In doing that, I mean, the partnership is: if it's data, and if it's doing things, if it's working or at rest, or if it's needing to be analyzed, we have people that are very much interested, and so I've had my department be intentional about establishing those greater relationships. We have researchers doing anything from identity and access management research to data analytics to cybersecurity metrics, and then we have others on campus that are doing great work in high-throughput computing, great work in engineering the next greatest computer technologies. In other side trips, we have a researcher that is working on autonomous vehicle research, and there's an awful lot of cyber in there too. So having those kinds of relationships is the real multiplier here, and this is not unusual, by the way, for a university. This is nothing super special we're doing, it's just that there are a lot of cybersecurity programs out there where they're NSA-certified Center for Academic Excellence certified, and we're gonna get there eventually, I believe. But right now we're just supporting the researchers and the courses that are being taught. So I myself have been a guest lecturer in one of the business school courses. It has an information security course as part of its core. That's been fun. I enjoy doing it.
I did a little bit of that as an adjunct at a university prior to my coming here.
Getting into security architecture: Careers, skills and ransomware
"I wanted to talk to you today, because, you know, Cyber Work, the big push here is helping people to get started in cybersecurity who don't necessarily know where to start or don't know what the next steps are in their career. So for listeners who might think you're fresh out of college, I wanna point out that you've been working in security for some time between your undergraduate studies and your recent master's degree. So I guess what I wanted to know is, what were you specifically trying to achieve getting your computer science PhD from Michigan State before returning back to the business sector? So there's a strong analytical component that is an integral part of any doctoral degree. I began my PhD with the objective of honing my critical thinking skills and exploring the true depth of certain areas in security, because, as we know, if we look at the ten domains of CISSP, it's everywhere from physical security to cryptography and everything in between, including network, and I was doing that for a long time, and it came to a point where I wanted to really, truly understand something in depth, to the point where I could get a PhD in that area. So that was definitely a motivating factor for me going in. Do you have a sense of how the addition of a PhD like this has changed job prospects? I mean, obviously you're at Motorola, but what sort of doors does a graduate-level degree like this open for cybersecurity personnel? Right, so that's a great question. In terms of career prospects, it definitely opens up more research opportunities, both in academia and industry. Some research opportunities in industry will explicitly ask for a PhD, so it definitely opens those doors. Talking about industry in particular, there are a few, like I said, there are a few doors that opened up right away. I could have definitely been...
I could have definitely been a security architect without getting a PhD, but the benefit is more intangible, in that there's elements of my PhD that prepared me for my role today and allowed a smooth transition into security architecture, because I play both a tactical and a strategist role during my work as a security architect, and especially the strategic part of the PhD definitely helps there. Okay, so you mentioned that this is specifically a useful thing if you're going to go into a research capacity. Is this something that you're looking to pursue as well? Because I believe your emphasis was on ransomware. Are you doing sort of a research-level study of ransomware right now? Yeah, definitely, that's a component of my work, even at Motorola Solutions, and I'm pursuing that. So, for example, one thing that comes to mind that a PhD would directly help you with in industry is if you're contributing to, if you're generating patent applications: that process is very similar to writing for a scientific journal. So that's something that comes to mind right away, where a PhD helps me in the industry. Okay, so when we spoke earlier, and I just mentioned it just now, you said that ransomware is probably the main focus of your study, I believe. So could you tell me a little bit about what you learned about ransomware in this academic context, how deeply you've gone into this topic, and what was your specialized area within ransomware? Is there a certain aspect of it that really sort of attracted you? So speaking in the academic context, there's a lot of new things I learned. One of them is actually funny. You speak of the academic context: in a 1996 academic paper
out at an IEEE conference, the authors, Young and Yung, talked about cryptoviruses that will deploy cryptographic libraries on hosts to perform unauthorized encryption and demand a ransom in order to provide you with the decryption key. So they predicted the whole thing in 1996, and ransomware really started to grow around 2005, 2006. That's when it started to grow. So that's always interesting, when academia predicts some of these things ahead of time. Reading about it in the academic context, I noticed that there's papers that have done studies on large samples of ransomware and discovered, for example, that ninety-two percent of them are not effective, right, because cryptography is hard and cybercriminals make mistakes all the time, and a lot of the time they're scareware, where they lock your screen and expect you to pay the money when they haven't really done any encryption in the background. So if you take away all of that fluff, then the eight percent are the truly troubling ones. And so there's a lot of noise in the cybercrime underground, and we get into this mode of thinking that cybercriminals have descended from the heavens in terms of their skills, but that's not true. They make a lot of mistakes.
The University of Utah, Jack Daniel's Whiskey, and Carnival Cruise Lines Hit in Ransomware Attacks
"What do the University of Utah, Jack Daniel's whiskey, and Carnival Cruise Lines all have in common? Well, last Friday the University of Utah revealed that it had paid a ransomware gang four hundred and fifty-seven dollars and fifty-nine cents. Four hundred fifty-seven thousand. Yes, I got that wrong, it would have been four hundred and fifty-seven thousand dollars and fifty-nine... four hundred and fifty-seven thousand and fifty-nine dollars, which sort of begs the question, where did they get that number? Now that I finally got it out correctly, it's probably Bitcoin. Fifty-nine dollars, like half a million bucks. It's like the Bitcoin conversion thing; they probably would, yes, some amount of Bitcoin that turned out to be that. And what's interesting is that it was not to obtain the decryption key for their files. They didn't need it, because it turns out that very few of their files were encrypted, but rather, and Leo, I know this goes to, you know, the thing where you just kind of grit your teeth, to purchase the promise from the extortionists that the student information that had been exfiltrated beforehand would not be publicly released. Yeah, this one is big. Yeah. They're just hoping that there is honor among thieves and that these guys will keep their word, and the incentive is that if you want others to pay you... Yes. That's it. Exactly. Of course, ransomware gangs are not all the same, but didn't we hear, no, it was Canon that had some information leaked last week that we reported on, and so Lawrence over at BleepingComputer has said that, you know, they assumed, since Canon got themselves back up relatively quickly, that they had paid the ransom. But now, since the extortionists in that instance were leaking the information, maybe Canon had restored from backups and said, nah, we're not paying your stinking ransom, and the bad guys said,
here come, you know, your private corporate next-decade plans for the future. How do you feel about that being leaked? Anyway. So in this case the University of Utah explained that it had dodged a major ransomware incident and that the attackers managed to encrypt only 0.02 percent of the data stored on their servers, and the university staff was easily able to restore that from backups. However, the ransomware group then threatened to release student-related data that they had obtained and exfiltrated. So the university said: after careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker. This was done as a proactive and preventative step to ensure information was not released on the Internet, and again, to the extent that such a thing can be ensured. The cyber insurance policy paid part of the ransom, and the university covered the remainder. No tuition, grant, donation, state, or taxpayer funds were used to pay the ransom. I thought that was an interesting explicit statement that they made. The university disclosed that the attack took place a little over a month ago, on July 19, 2020, and the network belonging to the College of Social and Behavioral Science was the victim. So apparently, you know, a subset of the entire larger university was where the break-in occurred, and there must have been some isolation there. So anyway, that is one of the three, and presumably they were able to negotiate a cheaper payment, you know, because the bad guys hadn't managed to get the bulk of the university's stuff. But they did pay for the promise to not share student data, and as you said, Leo, the reason that would be honored is, well, you know, nearly half a million dollars. And they want to do... Yeah, exactly. You've got to build your credibility.
Exactly. And two other large and notable recent ransomware victims were Brown-Forman, famous for their distillation of Jack Daniel's Tennessee whiskey, and Carnival Cruises. The Jack Daniel's folks said: our quick actions upon discovering the attack prevented our systems from being encrypted. Unfortunately, again, we believe some information, including employee data, was impacted. We are working closely with law enforcement as well as world-class third-party data security experts to mitigate and resolve this situation as soon as possible. There are no active negotiations. So that sort of sounds like... Oh, in fact, that statement from Brown-Forman came after Bloomberg News reported that it had received an anonymous tip of the ransomware attack. A site on the dark web claiming to be run by members of the REvil strain of ransomware says that it had obtained a terabyte of data from the Louisville, Kentucky-based Brown-Forman. The site said that stolen data included contracts, financial statements, credit histories, and internal correspondence of employees. Also included were screenshots of file structures and documents purportedly taken during the heist. So it does look like the pattern we're seeing now is, because, you know, major companies that have the deep pockets also have the pocket depth to now proactively back up their servers well, so if the only thing done was encryption, a golden opportunity to extract a ransom could be thwarted if the good guys have backups. So now what's being done is that data, pre-encryption, is being exfiltrated and stored somewhere. Then the data is encrypted, and so we're increasingly seeing this two-part attack: exfiltration of data that the company desperately does not want to be made public, in case they have backups, in which case they would not otherwise need to pay the extortion. So, you know, it's not really ransomware as much as it is, okay,
we got copies of all your stuff. Shall we share it with the world? Plain old blackmail.
DoJ gives Uber breach response one star
"Joe Sullivan, the former chief security officer of Uber, has been charged with obstruction of justice for his part in the company's failure to notify regulators about its 2016 breach. We covered this at the time. This was the story where, you know, a couple of hackers breached some systems. I think they were going after individual employees' GitHub accounts and stuff, then using that to find AWS creds and things like that, and then breaking into corporate environments, stealing some data, and trying to ransom it. And yeah, this pair of individuals went after Uber, got a whole bunch of data out, and Uber paid them a quote-unquote bounty to delete the data and said that they did, like, legitimate stuff. And we talked about it at the time, and it was a little bit kind of unclear exactly how it unfolded. We didn't see details about what happened until, I think it was a year or two later, with the change of leadership at Uber. Then the details came out, and yeah, that's always been grinding its way through the DOJ since then, and yes, the guy's finally been charged. People have got pretty mixed opinions about this, 'cause, you know, bug bounties and ransoming and being held hostage and all those things, they exist on a continuum. Yeah, and there's a little bit of wiggle on the spectrum. Well, there's a little bit of wiggle, and then there's what happened here. And I mean, at the time, I've gone back and I've listened to our 2017 report. I actually had an Uber supergrass feeding me info on that one, right. So that was a report, and it has actually held up pretty well. So what basically happened is that someone got into an S3 bucket by, as you say, you know, targeting a private GitHub repo, pulling a secret out, and getting in there, grabbed a whole bunch of data, and then tried to shake down the company. And this is where it gets interesting, because essentially what they did is they used that payment process,
well, this is what we reported in 2017. They used that payment process to try to essentially dox the attackers. Now it looks, from my reading of the DOJ complaint, like they didn't actually successfully dox them through that process, but were able to a couple of months later, and I'm not sure if that's because they split the payments, because I think they paid off up front and then paid off again. But look, Uber was actually able to figure out the identity of the attackers. They physically sent people off to their residences and made them sign a bunch of documents, and they retrieved the computers and forensically examined them to prove that the data was gone. But the point is, once they'd doxed them, there was no way these guys were going to do anything with that data, because they would be dimed immediately. Right. So that seems like a pretty good outcome. But where they really screwed up is they did not actually report this to regulators or the FBI, and these guys went on to target other companies, which is also something we reported in 2017. Now, what makes this particularly egregious in the view of the DOJ is that Uber was in the middle of an FTC investigation revolving around a 2014 data breach, and the reason the FTC is so cranky about this is that it also involved accessing data in S3 buckets. So the DOJ is arguing that this was a cover-up on the part of Uber, and when you read through the complaint, the criminal complaint, it looks like a reasonable argument. I say, look, they prepared documents for the attackers which got them to acknowledge that they never downloaded Uber data, when clearly they did. Further, that one hundred thousand dollars was way more than they paid for any other bugs. We actually have some audio here from the US Attorney for the Northern District of California, David Anderson, talking about the Sullivan indictment. Here he is: Sullivan did not report the 2016 hack after it occurred.
Instead, Sullivan hid the 2016 hack from the public and the FTC. Under Sullivan's direction, Uber paid the 2016 hackers one hundred thousand dollars in Bitcoin in return for promises not to tell anyone about their hack. Sullivan disguised the payment by calling it a bug bounty. A bug bounty can be a legitimate means of compensating a so-called white hat hacker who has discovered a security breach but has not exploited it. It is not a bug bounty to pay a hacker who has taken your data and is threatening to expose it. Sullivan's desperation to hide the 2016 hack is revealed by the size of the payment and the fact that it was paid to the hackers before he even learned of their true names. After the 2016 payment, Sullivan reviewed and approved statements to the FTC that failed to reveal the 2016 hack. When Uber hired new management in 2017, Sullivan deceived them also. In their guilty pleas, the hackers admitted to hacking other companies using similar techniques to those used in the Uber hack. If Sullivan had promptly reported the Uber hack, those other hacks of those other companies may have been prevented. At this point, my prediction is Joe Sullivan's going to have a pretty hard time. Certainly when it's laid out like it is in the complaint, it does, you know, look kind of compelling, and you can argue that the outcome that Uber got, you know, for their customers' data was perhaps in the end somewhat of a success, right? It didn't end up on the underground somewhere. But yeah, laid out like it is, it looks kind of scammy. And yeah, I'm probably