Episode Transcript
Transcripts are displayed as originally observed. Some content, including advertisements may have changed.
Use Ctrl + F to search
0:01
I went and saw some family that I hadn't seen for
0:03
a long time and everyone commented
0:05
on the mustache and I was just like Every
0:08
time someone gives me a good compliment, it's just like another
0:10
reason not to shave it off But every
0:13
other day, I'm just like I'm gonna get rid of it. I hate this thing
0:16
And everyone's like no, you look so good. There was there
0:19
was a
0:21
Thought of shaving it on stage at
0:23
Way West. That was an ask.
0:26
I was like, I would have done that but
0:27
I Do it do a bounty
0:30
for charity like the the Mohawk condos
0:34
Clean shave in for charity Yeah,
0:36
people do it. Actually, I'll be honest
0:39
I used to be a streamer and I had people
0:41
that came into my stream and was like hey for
0:43
a donation Would you shave your beard and hair
0:46
when I had a beard that was like down to here and
0:48
hair that Yeah, straight streamer
0:51
or streaker streamer I
1:01
Just imagine like a streaming
1:03
streaker you wear you guys on you as
1:05
you're running like you have the drone that
1:08
follows you Fundraiser
1:15
for that I
1:19
Will
1:23
break into your broadcast Going
1:27
straight into the quad I
1:29
shaved my head once as a sophomore
1:32
high school I was stupid
1:34
and did it in the middle of winter Never
1:38
never shave your head in the middle of winter stuff gets
1:40
real cold real quick I did
1:42
that on swim team and I did also
1:44
did a Mohawk for
1:46
For Defcon for my Mohawk con I'm
1:49
pretty sure the swim team one isn't out there. But the other
1:51
Mohawk con one is out there It's
1:54
the way it looks like you're saved cuz
1:56
uh, crypto ham is here Listen
2:00
I'm gonna tryptotize this Listen,
2:02
don't ask questions. That's fair.
2:05
We're live by the way after yeah, we're live We
2:07
thought I was gonna have to run the news that was kind
2:09
of it's gonna go straight downhill real quick
2:11
Why don't we just finish each other's?
2:14
sentences
2:15
great job Who's
2:20
playing violin Yeah,
2:23
let me let me send a DM. That's
2:25
all like I live with the professional viola player
2:28
or something
2:29
That was that was some good. Oh sent
2:31
you just released that's gonna They
2:34
already know the people who are good at OS and
2:36
already knew So
2:39
did anybody actually read the news there was there was some
2:41
good stuff some crazy stuff Yeah,
2:43
well not all of it, but I like
2:46
whatever was like the top stories They
2:51
weren't in there Where
2:55
where's our traffic weather and sports Yeah,
2:58
we have your
3:00
password Kelly you take
3:02
the scores
3:05
Maybe Don't
3:09
pick any Hawkeye games that's for sure. Oh
3:11
I'm a badger fan and it's it's
3:14
been a season that tests our Loyalty.
3:17
All right. I just keep that in the under Brian.
3:20
I got tired of you not letting me borrow your time
3:22
machine So I had to go steal another one Is
3:26
it excellent a time machine? Okay, so
3:28
not a time machine, but I got the space thing down
3:31
if you operate it wrong I
3:32
thought oh you're gonna swear I thought you're gonna like to
3:34
a TARDIS right when you said that or something I know we wait
3:38
Give me a sec
3:42
You know theory that if I fly
3:44
it fast enough in the right direction I could
3:46
go back in time But
3:48
you're already oh you're
3:49
you're in a galaxy and along Yeah,
3:52
you're going to galaxy. I'm gonna part
3:54
so by the time I fly with you Yes,
3:57
it might time travel might have happened. We'll
3:59
figure it
3:59
it out. Alex, I'm really glad
4:02
you're here today because you and
4:04
I are the clean shaving club today. Oh
4:06
yeah, yeah. Well
4:08
and the mannequin. And
4:10
the mannequin. We'll remain our
4:12
one holdout for
4:13
facial hair.
4:15
Is it hunting season?
4:17
Is that why we got so much facial hair going on
4:19
today?
4:21
I can't speak for everybody else but I know for
4:23
us chubby people, it hides the roles. I
4:26
agree with
4:28
the mustache. I agree with
4:30
the mustache to look like Ted Lasso
4:33
for Halloween. Great job. And to also look like
4:35
Ted Lasso for the... Kiss
4:38
for everyday life. Everyday life,
4:40
yeah. Just looking like Ted Lasso. My
4:42
dream, just being happy. I'm wearing a bunch of
4:44
Ted Lasso-esque books so I'm always happy
4:46
and not criticizing people trying to give them
4:48
their best life, right? But remember,
4:51
the key point was you can't always be that
4:53
way
4:54
or you go nuts.
4:55
Yeah, sometimes you need a little bit of what it
4:57
looked like. What, did you actually watch the show?
4:59
I just watched the trailer. Oh yeah, dude,
5:01
the show was amazing. I've
5:05
also been watching that, or I watched that Severance.
5:07
Oh, Severance is red. Shrinking
5:10
is like the second version of Ted Lasso.
5:12
It's like, you know,
5:15
it came out in that one, I think. It's Station Seagull
5:17
and a few other Harrison
5:20
Ford's in it. Did anybody check
5:22
out Monarch yet? No,
5:25
it's pretty good. The first two episodes are
5:27
pretty good. I
5:29
was watching Silo and I just like can't
5:31
bring myself to care about it anymore. Like I
5:33
watched the first two episodes and I was like, I
5:35
don't care if these people live or die. I'm over
5:38
it. This
5:42
is so hard for me to watch shows
5:44
when they come out. I'm the kind of person
5:46
I'm like, I gotta know what happens. You
5:48
want to binge it? Like you want to know what's bingeable?
5:51
Yeah, there are very few shows that get
5:53
me to watch as they come out. Dude, I
5:56
missed that though. Like back in the day where you
5:58
watched a show and nobody could think you had a good time. Had to
6:00
watch it an episode there wasn't reruns like
6:02
the one that always comes to mind is lost right
6:05
like no one knew What was going on in that show?
6:07
It was one of the creators knew what was going on. Yeah But
6:13
when you got the school the next day and you're like everybody's
6:15
like polar bear That's
6:20
why everybody had VCRs You know
6:26
That was when I figured out my computer could do
6:29
TiVo did anybody have a cable
6:31
capture card on their computer that was We
6:40
got one minute till we start this thing for real
6:42
you're watching us you're like what the hell
6:44
they talking about Where's the news? That's cuz
6:47
we haven't gotten there yet
6:48
Pre-show
6:50
why are we doing pre-show Ryan? Did you did you accidentally
6:52
click the button just be honest? No, he's
6:54
a definitely he told us he was doing it and everything
6:57
Wow Over here with a
6:59
big pile of firewood and a big lighter and
7:01
just gonna light it on. Yeah starting
7:04
to flame We
7:06
started that flame at 420
7:08
not that that means anything You
7:13
just had to bring it up noop dog is
7:15
coming this week We
7:18
get Snoop Dogg on the card. That's my that
7:20
would be an interesting podcast. He'd
7:22
be like security. I don't know We
7:26
don't talk about security anyway, it works out Be
7:30
gangster security. That's
7:32
true. That's true. We don't talk about security.
7:35
We talk about the new
7:38
Are
7:42
you taking this or are you gonna hand it off to wait again? I don't
7:45
care you can hand it to me You
7:48
got them one. It's all good
10:00
get stuck across the middle of it. That's
10:02
the first one is great. The ransomware
10:04
SEC filing? Yeah, so for anyone
10:07
that doesn't do that, this one hit a lot
10:09
of news like this hit my feed without
10:11
me coming to the show which nothing else ever does.
10:14
But basically, Alfie
10:16
ransomware group filed an SEC complaint
10:19
against a company called Meridian Link for
10:22
not disclosing their breach to the SEC.
10:24
So it's like,
10:25
honestly, it's pretty funny
10:27
and kind of like in a way where it's like,
10:30
hey, we already made you mad. Let's make you even more mad.
10:33
I guess my question is, what is
10:35
like the motive? Why? Why do that?
10:39
How much does the SEC find
10:42
people? What did they say? Does anybody
10:44
remember? 350? 350 grand? No,
10:47
I'm just kidding. 350? I
10:51
think it depends on the scope
10:53
and all that stuff. So what
10:56
I first thought is what if this just causes like
10:58
everyone who's publicly traded just immediately
11:00
get hacked? It's like and then
11:03
right and then everyone's just like pay me or else you're gonna
11:05
have to pay this amount? Like will security
11:08
get a rise real quick because of this? Is
11:10
it supposed to be like they won't submit you to the SEC
11:13
if you do pay the ransom? Yeah,
11:15
yeah. Yeah. That's what it's
11:18
about. It's my whole patching as a service
11:21
model, right? We hack you and then we
11:23
tell you you're hacked and we're gonna tell
11:25
the SEC and unless you pay us
11:28
and if we do pay us, we'll at least patch you. So when we
11:31
get out, you won't get hacked that way. So do
11:33
we think that the default defense of most of
11:35
these companies, which is we didn't know, we
11:37
didn't know we were hacked, we're still working on the details,
11:39
we're investigating, like do you think that's gonna work in this
11:42
case? I also noticed the SEC
11:44
find like disclosure window is really
11:46
short, right? It's only like four days.
11:49
Four days. Four days to report it. So
11:51
but you still have to report breach. Kelly, do
11:53
you know what it is
11:56
to say like report breach? Like that's
11:58
what the SEC is but what's like
11:59
definition for it if you know. If
12:02
anyone
12:03
is playing
12:10
this grey area right now, where
12:13
we used to say, is it an incident,
12:15
is it a breach, while the SEC
12:17
is getting tired of companies waiting until
12:19
it says it's an actual breach. So
12:22
anything that seems suspicious and
12:25
that's a big umbrella and there's
12:27
a few more specifics but they're trying
12:29
to close down that grey area between
12:32
something suspicious, an incident and a breach.
12:35
Hmm, interesting.
12:36
Click the link, it's a breach. Yeah,
12:39
really, every time we get the password on a customer, we're
12:41
going to start reporting them to the SEC. No, I'm
12:44
just kidding. I don't know. What is it
12:46
about it? As a pen test
12:48
team, could you be like, oh, look,
12:50
we saved you $350,000 because now you're not
12:52
going to get five minutes. I like how you're
12:54
sticking with that number that I just completely
12:56
made up. Right. That
12:59
sounds like a good round number, right? For like most smaller
13:01
companies, it's a decent chunk of change. The bigger corporations,
13:03
not going to matter but... All I know, what
13:06
I know about the SEC, I mostly know from watching
13:08
the documentary about Bernie Madoff which is that
13:10
as long as you look like you're fine,
13:14
they'll just let you off the hook. That's
13:16
what I've learned. So maybe the fine is like actually $3.50
13:19
as long as you have taken the
13:21
right people out to dinner or whatever. Yeah,
13:23
and I think Corey, you're right with
13:25
the, it's not just the fine, it's the scrutiny.
13:28
So there may be a lot of companies that are like, well,
13:30
the fine we can pay but it's the SEC
13:33
turning over every rock that we go,
13:35
okay,
13:35
that's a problem because... Audits
13:38
are expensive. Audits are expensive
13:40
and then you just, it's a bad look and
13:42
companies that are being
13:44
hit by ransomware
13:46
might also have a few other things that
13:49
aren't getting done that they don't really want the SEC
13:51
looking into.
13:52
So what we should do, let's just start
13:54
this service called SEC. We'll
13:57
sell this to the SEC where we just keep an eye
13:59
on the... I'm an eye on the Alfie ransomware group and
14:01
anytime they breach someone we'll just notify
14:04
them. So then we're just fighting up the middleman. Our
14:07
friends in the chat
14:09
that character mentioned
14:11
that he said the magic
14:14
words material impact and
14:16
I think that's kind of what's got everybody worked
14:19
up about this is now
14:21
companies have to determine if there's material
14:24
impact and it may actually
14:26
I know sometimes it feels kind of
14:28
hard on the security engineers and honestly
14:30
now we have to kind of send
14:33
it over the wall to the legal team and say okay
14:36
there may or may not be material impact
14:38
and at that point they have to determine
14:41
if it's actually a breach an Incident and
14:44
I think that's kind of what makes this such a sticky
14:46
wicket is not material impact
14:48
And again, I always have to say this. I'm not a lawyer
14:51
and I don't
14:51
play on TV either Well,
14:54
let's just here's some nice little rule of thumb
14:56
in the chat Here's it. Here's a little rule
14:58
of thumb for our friends
15:00
out there if you're negotiating with ransomware
15:03
actors It's a material impact
15:06
I think it's safe to say that If
15:09
you've gotten that it telegram invite
15:11
to that Alfie telegram
15:14
you're gonna go eat that material you need
15:16
to Well
15:19
Whenever I look at this article, I just like
15:22
and just the whole thing It's like the
15:24
two kids that get in trouble
15:27
But and the ones like yeah, but he did something way
15:29
worse like look at this like don't look
15:31
what I did Look what I'm doing
15:34
Do
15:37
you
15:37
remember that old cliche when we were younger snitches
15:40
get stitches
15:41
Yeah,
15:43
I get what the SEC is trying to do
15:46
by making the company's report in
15:48
to give Like openness of
15:50
everything but at the same time it seems
15:52
all they're doing is giving the attackers another
15:55
Way to start extort the companies. Yeah
15:59
You don't want to admit it then give us more money
16:02
now Oh,
16:02
but it's a fake it's it's not really a
16:04
way to extort them because in a day if they're considering
16:07
paying then it's like They're already it's
16:10
too it the SEC is gonna find out if they
16:12
pay for sure You
16:16
have any have any whistleblower
16:19
like payouts Oh Totally
16:26
not for him so they do
16:28
someone has Graham and chat or a
16:31
cloth boy. I just know that's that's a Grammy,
16:33
it's grand I just like out of it. No,
16:35
it's fine Thought
16:38
boy says how do you even report a breach
16:40
to the SEC? Do you just add them on Twitter? SEC
16:43
probably not gonna pay for the Twitter API. So
16:46
It's gonna guess that you you have to be a ransomware
16:49
group to report things to them They probably
16:51
have like an intern. They have a form. It's like the FBI
16:54
tip hotline or whatever. It's a Google sheet
16:59
Yeah, when I saw this article
17:01
like and I know I shared this in the
17:04
In the chatter in our notion there is that I was
17:06
remembering an article that I shared in
17:09
July a brought up in July with
17:12
The yeah, I
17:14
posted that it's like, okay,
17:15
you know 2022 North Carolina says
17:17
we're not gonna pay a ransom where anymore 2023 they
17:20
get shut down by ransomware and there's
17:22
a line in there that says,
17:24
you know When the law was passed last year
17:27
some worried it would effectively serve as an additional
17:29
way for the gangs to export victims
17:32
That they'd say hey you paid
17:34
you paid us
17:36
You're not allowed to pay us so now you're in trouble and
17:38
I know at the time it was
17:40
the well our ransomware groups really going to
17:43
leverage the law
17:45
in order to put further pressure
17:48
pressure on their victims and I Guess
17:50
that was up for debate now then but now
17:52
we're seeing that. Yeah, they are going to leverage
17:55
the
17:56
You know the legal arm of what
18:00
out there in order to put additional
18:14
mustache
18:18
and put the mustache in charge of the office of
18:20
the whistle blowers.
18:22
So
18:27
they do have a whistle blower program and
18:30
the max amount of money you can get is five
18:32
million. It's
18:35
established presumption, it's lawyer
18:37
speak so I may be absolutely reading it wrong.
18:40
But they can pay you whatever they want. Yeah
18:42
pretty much. This is
18:44
a quick google fu whistle blower
18:47
SEC stuff. But at
18:49
what level do you have to get a t-shirt? You
18:52
get a free t-shirt or
18:54
what about like a nice little like commemorative
18:58
whistle? If you got a special edition t-shirt
19:00
for turning someone in and you wear that like to Defcon
19:02
like only like five people. That would
19:05
be awesome. You're just like where'd you get that shirt?
19:07
Oh if you're a whistle blower you
19:09
get this shirt. Oh okay. That's
19:12
a lot of secret. I
19:14
know that was a
19:17
lousy t-shirt. Yeah.
19:20
So in that North
19:22
Carolina town, I mean we already like touched
19:24
a little bit on it but like basically,
19:27
I mean I thought ransomware groups are better than this. I thought
19:29
they don't target local and government
19:32
stuff. I mean not depends on the ransomware
19:34
group. Yeah
19:37
also North Carolina last year banned all
19:39
government entities from paying ransoms. That's gonna make
19:41
this a little awkward. That was the thing that
19:43
I said is that it's like they banned making the payments
19:46
and then
19:47
not completely shut down the following
19:49
year.
19:50
Well only Cornelius to shut down. There's at
19:52
least three more cities in North Carolina. We
19:56
don't know of them but they're there. Yeah I
19:59
mean I will say I am a little bit,
20:01
this is one of the things where I get when the companies have
20:03
big PR departments that basically make it so that
20:06
they say all the words, but nothing is actually
20:08
indicated by what they're saying. This is like the
20:10
opposite. They're like, anything that requires
20:13
staff to access files located on our
20:15
servers, which are in the process of being scanned.
20:17
I have more questions than answers.
20:20
What do you mean being scanned? What are
20:22
you scanning for? And also, what
20:25
files do people need to access on servers? I'm
20:27
concerned. So, yeah,
20:30
ransomware is bad.
20:31
Okay.
20:32
Can we go, how about we shift
20:35
this over to a faster news
20:37
article about some Swifties shutting
20:39
down the internet? Oh, yeah, I thought this was good. So
20:42
this is gonna be Taylor Swift talk in the misinformation
20:44
village next year at Def Con. No, I'm just kidding. But
20:48
really though, kind of, right?
20:51
So Wade, you know this story? Yeah, so pretty
20:53
much what happened. So Taylor Swift is in Brazil
20:55
right now doing the eras tour,
20:57
right? Making that money. And her
21:00
location of the hotel got leaked. So
21:03
in order to try to hide the leak, the Swifties
21:05
took action and started posting all over
21:08
Twitter several different tags. So we can
21:10
see one here. Trying to make it so
21:12
if you were looking for the leak, it would be incredibly
21:14
hard. You wouldn't be able to do it on Twitter, but
21:16
I'm sure there's other ones to find it. Yeah.
21:20
But this is great. I love
21:22
it. Oh, man. And I
21:24
was thinking that like taking the strategy for
21:26
it's like for information security, it's the
21:29
look, if you do something malicious and create a log
21:31
entry, just fill up more log
21:33
entries because blue people
21:35
never find it. So I was
21:37
thinking about there was a tactic, I
21:40
believe the it was
21:43
in France. It was Macron's
21:45
campaign filled their
21:47
emails up full of fake emails. And
21:50
then they got hacked by Russia and
21:53
they were trying to leak stuff. Yeah. You couldn't
21:55
tell what was real and it was fake, right? It is
21:57
an tactic I've heard a lot before, but it is
21:59
a great. tactic and I love it. Little,
22:01
little. Okay the question is did this work? Did
22:04
this act, like did this prevent her, I mean obviously
22:06
we know that she's hopefully safe and sound. She probably just
22:09
bought the hotel and I was like no one else is gonna stay here
22:11
now. Yeah I think all the billionaires
22:13
toured out the arrows but anyway. Yeah
22:16
I feel like this is an interesting tactic
22:18
though. I guess I'm kind of like,
22:21
well they're trying to prevent people from like searching
22:23
for like Taylor Swift location.
22:26
Yeah it'll
22:28
get the low level stuff but if you start
22:31
like time binding it and going
22:33
okay well let's just go back to
22:35
the first instances of it
22:37
from the 18th, search around
22:39
there and you're going to like you know unless they
22:42
deleted it in which case go to like an archive,
22:44
see if it got archived. You know they're gonna find
22:46
that there which is what made me think of
22:49
you know being the blue team in the logs
22:51
that if you just fill up the log with additional entries
22:54
blue teams is going to go back to like that earliest point
22:56
of noise and start there
22:58
and go okay here's the thing that initially happened that
23:00
they were trying to cover up with additional noise.
23:03
It's
23:03
only gonna prevent the lazy people
23:05
from actually talking. It prevents the lazy people exactly. There
23:08
were K-pop groups. Yeah
23:11
there were K-pop groups during the last
23:14
administration that would
23:16
completely stomp these trending hashtags
23:19
that were negative towards
23:21
somebody and
23:23
just that that would become
23:26
now just an excuse to post all these K-pop
23:28
people on the Twitter
23:31
and you wouldn't actually see why
23:33
that hashtag was originally trending. So it does
23:35
work and obviously it's
23:37
going to create an additional
23:39
barrier to somebody to dig
23:41
through all that, find the actual location and
23:44
then action on it. Because I mean
23:46
unless you're in Brazil right there, you're
23:48
not
23:48
gonna catch up with her. Yeah
23:51
man you think don't mess with cats was bad,
23:53
don't mess with the BTS army. That's bad.
24:00
Really? I guess like
24:01
how do you get this ravenous of fans
24:04
like in your support or is it all just like you
24:06
just have a Botnet like I just really
24:08
hope we never know I'd rather not
24:10
know that I do
24:12
imagine have you seen Taylor Swift fans?
24:15
It's a good possibility They're just all
24:17
that obsessed and jumped all over it. Sure.
24:19
Certainly shot up NFL
24:23
Interest and Jersey sales
24:25
and stuff
24:26
What we're saying is we need to release like a
24:28
Christmas album of all like the bhis
24:30
greatest hits And
24:33
then maybe yeah, we're ravenous fans.
24:36
I think it's all yeah, they can't be
24:38
fans of us unless we have Stadium
24:40
tour so I feel like we just got to work the final
24:43
goal of a stadium viewers Are we gonna start doing
24:45
I saw gas places like we like we did
24:47
at Way West We just go to different cities and start
24:49
doing the news from different It's
24:52
our eras tour
24:55
I do think it's an interesting question though.
24:57
How many of that? additional
25:00
information was a real person or how much
25:02
of it was a bot and The
25:04
other question is can we build our
25:06
own bot army to have those ready in case
25:08
we are in a situation like that
25:10
Yes, highly frowned upon but I like
25:12
the idea. I also thought early and get a chance
25:15
to recall it But the whole
25:17
like doxing and giving over real-time locations
25:20
on Twitter Wasn't there some high-profile
25:23
individual that was really upset about Real-time
25:26
location data being posted on Twitter Extents
25:29
that they got this like jet
25:31
tracking
25:33
Taken offline like I you you
25:35
can say the whole of the network Yeah,
25:39
just like this is a dream thing to get rid
25:42
of it and it's like clearly That
25:44
work and there's no real-time doxing
25:46
going on
25:47
on like X anymore
25:49
I have terrible news for everyone Put
25:51
a message in discord that says react to this message
25:53
of your part of our bot army and we got only three reactions
25:56
So we have a lot of work to do So
26:01
okay, I think I need to go back to school
26:03
and I need to learn and how to
26:06
recognize fake news. Apparently this is now
26:08
required for all students in California
26:10
schools. Let's say you're teaching
26:16
this class.
26:18
Give me the PowerPoint like syllabus.
26:22
What is the first section? Where
26:24
is it from? Credible source, right? That's
26:27
first. That's wrong. I don't know. Don't trust American
26:30
news, right? Try
26:35
to go an external course. I
26:39
like the idea
26:42
of this class but I know it's gonna be done
26:45
horribly wrong.
26:46
I think of this more as like if you see someone
26:48
shitposting all over LinkedIn, right? And then
26:50
people are commenting on it and making it big and
26:53
then you go to their LinkedIn and you realize they've just been shitposting
26:55
like, oh that's a bot. Okay, but you found it. My
26:57
biggest concern about this is that
26:59
it's gonna be covering only media that the
27:02
kids never use anyway. So we have several
27:04
newspapers here and we're gonna have to read each one. The
27:15
other thing that's just like kind
27:16
of hard facts is that like I would
27:18
personally say as a whole like the
27:20
whole world of like vertical video and
27:23
most like short-form video content in general
27:26
is pretty hard to say is like reliable
27:28
sources at all and that's just gonna
27:30
be a hard fact for them to swallow of like,
27:33
yeah, basically anything on TikTok probably
27:35
not reputable. When
27:38
someone puts me something on TikTok, I'm like, why
27:40
are you believing TikTok? Like, give
27:42
me a professional with like a PhD at the
27:44
end of their name or at least like... Not to say
27:46
they're hard. Get somebody from YouTube. Not
27:50
to say there aren't necessarily... Not
27:52
to say there aren't reputable creators on TikTok. I
27:54
mean, I guess that would be the section is like investigate
27:57
the creator themselves.
27:59
What are their interests?
27:59
What are there you like honestly,
28:02
you know how we have like for election like
28:04
for politicians? We have like transparency reporting
28:06
data on like who who Lobbies
28:09
for them. Where do they get their funding like all this stuff? We
28:11
might need to start doing that for youtubers It's like
28:14
this guy don't try to eat get paid
28:16
by you know This entity like trying
28:18
to uncover that kind of stuff because I feel
28:21
like that's really where it's going is who's taking the biggest
28:23
Payout to say whatever opinion, you know,
28:25
that's that's where it's going, right? This class
28:27
would have done a lot better if it was just like how to
28:29
identify biases And how to
28:31
like not just in yourself, but in others
28:33
right? I
28:38
don't know But uh, there's
28:40
a lot of good resources out there and I think once you
28:42
usually can do that and try to see where they're trying to push
28:44
you towards right and That's
28:47
probably where this class is going. Does it say how
28:49
old the students are going to be k through 12? Like
28:52
yeah Freaking
28:54
all the way down to like hey, it's
28:56
not gonna be oh, I'm sorry. Oh, I
28:59
it's like I have
29:00
Like when it was one of my kids
29:02
let's in Kiernan Garren. They said that that was one
29:04
of the new things they're doing Is
29:06
the distinction between fiction and non-fiction?
29:09
um, and now I have like my daughter at home
29:12
being like she's like watching stuff on tv and bs
29:14
like
29:15
That's fiction like because dogs can't
29:17
talk and it's like yeah, you're right. And
29:19
I was also like What
29:22
they learned they learned It's
29:25
like I was like, you know, like this is just gonna completely
29:27
wreck that whole like santa
29:29
clause tooth fairy Easter body
29:31
type of narrative there because the kids get to go like
29:34
We're playing cool. Yeah, like we're
29:37
we're questioning like our news sources there. It's
29:39
like I I really don't think that somebody
29:41
Let's talk about the bible. Oh wait, no
29:43
too soon Yeah,
29:46
no, I also do think uh, like
29:49
my other reaction to this is like let's be real
29:51
Are the kids really the ones who need
29:53
this? No, they're not.
29:56
Well, we gotta start with some way right like
29:58
I guess like, take
30:00
the sanitary, like, to get your driver's license,
30:02
you have to look at two news articles, okay?
30:06
The US has recently invested
30:08
highly into public transportation now because
30:10
no one can get their driver's license that shortly
30:13
after they do. Every one of your driver's license
30:15
expired, you must take a class on
30:17
media literacy and like, yeah,
30:19
it's all, yeah. I mean, it gets into like,
30:22
I genuinely don't think that most younger
30:24
people would have trouble identifying this kind of stuff
30:27
is on
30:28
being, but like, really, I
30:30
mean, I don't know, this article does
30:32
quote some study that like, apparently under
30:34
the age of 30, there's a higher likelihood
30:37
of identifying things. I don't know. Well,
30:40
there's...
30:41
Go ahead, wait.
30:43
In college, I think like, my second or
30:45
first year at junior college, I actually took a media
30:47
studies class and they talked a lot
30:49
about not just like, biases in the news,
30:51
but how to like, look past and what they're trying to
30:54
actually talk about. And it's not just news articles,
30:56
but actual movies and stuff like, if
30:58
you look into this movie, I remember we used
31:01
the Dark Knight as a reference. And someone
31:03
wrote a whole essay on how the Dark Knight directly
31:06
relates to the Iraq War. And I was like,
31:08
how the heck did you get that? And
31:10
but looking, doing that practice
31:12
and trying to understand that type of stuff, even
31:15
if it is using works of fiction where dogs
31:17
talk and try to understand where they're going with it
31:19
is pretty important, I would say, at that lower
31:21
level. But yeah, the Santa Claus is going
31:23
to go right out the window. They're going to be like, everyone
31:25
but Santa. And so, okay.
31:29
This is interesting because like,
31:31
apparently, so they're quoting Ormsby,
31:34
which I'm sorry, I don't have the person's full name, but
31:36
basically,
31:38
they teach concepts like lateral reading,
31:40
which is comparing an online article to other sources,
31:43
reverse imaging, searching online
31:45
to trace a photo to its original source. Wow,
31:47
that's some OSINT stuff. I mean,
31:49
that's like real,
31:51
you know, lesson plans and things.
31:53
I think that like, so the other example
31:56
they give is like, they were students
31:59
during this is like during COVID, but I guess students
32:01
were presented with three articles, a
32:03
tabloid New York Post article and a scientific
32:05
article, and they were asked to choose which is
32:08
the most reputable and they chose the New York Post article 90%
32:10
of the time. Like, oh gosh.
32:14
I'd also like to point out like Corvus
32:16
is saying in chat,
32:17
a lot of kids actually do need to hear this
32:20
these days. I have to admit my
32:22
young daughter doesn't
32:24
know that the thing it's like until I said
32:26
it to her, she didn't know that the things she saw on TV
32:29
were not real. She thought all
32:31
that stuff was actually real.
32:33
So
32:34
we think it's common sense at this point, but
32:36
it kind of isn't unfortunately.
32:40
And I think it is actually
32:42
important that kids become aware of,
32:44
hey, there are people that are going
32:46
to lie to you on a regular basis out there.
32:49
Yeah, I don't have any question.
32:52
Yeah. I completely agree
32:54
with you. Like with my oldest daughter,
32:56
like I'm always talking to her about
32:58
like different things she sees on YouTube or whatever,
33:00
but they speak with such
33:03
like
33:04
emphasis and like
33:06
they know what they're talking about. Yeah.
33:09
Anybody watching it is like,
33:11
oh yeah, well they might look at they're so
33:13
confident. They know what they're talking about. It must be true.
33:16
Right.
33:17
And especially with the younger generation, they
33:19
don't understand like, go
33:21
research. That's what I tell her.
33:23
I said, go look it up. See if it's
33:25
real. Like check to find out. And
33:28
so, yeah, they just see this person
33:30
as.
33:37
Yeah, the class will not differentiate whether
33:39
Santa is misinformation or you
33:41
know, fake news. Oh, that's yeah, that's always. It's
33:43
almost as if some of these people are snake
33:45
oil salesmen.
33:46
Oh, oh, we could
33:49
do a conference about that. You
33:53
do have the gap here that I was coming up with
33:56
wanting to make mention of is like, you have the gap
33:58
here of
33:59
homeschooling.
33:59
So if you've ever like if you've seen
34:02
some of these documentaries, I know
34:04
It's in red flag.
34:05
Yeah, I mean you said you sit there and say it's like
34:07
a lot of them They just homeschool their
34:09
kids because they're like, oh the school's not teaching them the right
34:11
stuff That's cool. You're on their heads with a bunch of misinformation.
34:14
They're homeschooled just watching stuff
34:17
off of YouTube So these
34:19
programs are great, but they're not going to really,
34:22
you know reach the people that know no No, I'm
34:24
going is really good for getting your kids to
34:26
believe in your cult though Hey, I'm
34:28
gonna speak on this one too because I did
34:30
in school my kids at one point. Um Homeschooling
34:35
Has a bad rap
34:37
and I will agree that there are
34:40
definitely benefits to sending your kids to school My kids
34:42
do go now The social aspect
34:44
is definitely harder to take care of if you homeschool
34:46
them But not everybody that homeschools
34:49
their kids just has them sit in front of a TV and
34:51
watch YouTube to do it I Said
34:55
what you saw like yeah, I had
34:57
to spend Andrew Callahan did
35:00
a did a series on this
35:02
for like I think like this place rocked or something
35:05
and you saw that with the kids just
35:08
There are some really crappy ones out there I
35:10
like it's in a program where I had to spend
35:12
like two grand every year to buy the curriculum
35:15
and then learn it Unfortunately, we don't have
35:17
an anti-siphon subscription level for
35:19
homeschooling
35:22
I don't know anything about English, but I
35:24
know how to reverse engineer a packet. Okay
35:29
Anyway, let's let's get this train back on
35:31
track want to talk about breaches
35:35
Let's talk about screen
35:37
connect remote access. Let's talk about this cuz
35:39
I actually want this is something that like
35:41
is personally relevant to me
35:43
So basically the article is that hackers
35:45
have breaching healthcare organizations using screen
35:47
connects
35:48
which basically is you know a rat
35:50
for remote access tool, but
35:52
One that I would consider more reputable
35:55
or like there could be legitimate uses for
35:57
it, right?
35:58
So
35:59
essentially, I mean Yeah, basically
36:01
this is an article published by huntress.
36:03
They spot the attack seeing them on endpoint
36:06
Essentially, I mean does anyone know a lot about
36:08
screen connect by chance
36:09
we use it.
36:11
Okay.
36:11
Yeah, that's fine mean Yeah,
36:14
the one one bad thing about screen connecting a lot
36:16
of the other ones is that you can have multiple
36:19
instances installed to the same
36:21
machine so We
36:24
we actually it's it's kind of tricky
36:26
because obviously we're looking for detections
36:29
of those kind of tools But we
36:32
also have to kind of have had a conversation
36:34
of do we allow or ignore
36:37
screen connect? How can we help
36:39
me tighten that up? But right also
36:42
that you know, it does kind of come
36:44
down to Okay, how did they get on it?
36:46
You know, who did they talk into it? there's
36:49
the there's the human element because
36:52
it's not like they're just dropping a Dropping
36:55
the agents on a on an endpoint
36:57
and boom your hacked it's you know, hey,
37:00
I need you to go to this website for me, and you get
37:02
a type in this code and
37:03
And now I'll fix your computer
37:06
or whatever they're working on so we're one
37:08
interesting thing about this attack in particular is that they're
37:10
actually using the product as Licensed
37:13
by another company that they compromised, right?
37:15
So it's like instead of going out and like
37:18
purchasing the product for themselves because you know Okay,
37:20
why see and money and all that stuff there
37:22
they did like they took over a company's You
37:25
know screen connect instance and then they're deploying
37:27
it maliciously But it looks legitimate because
37:30
I guess it looks semi legitimate because it's related
37:32
to one of their you know potential business
37:34
partners
37:35
The reason it's relevant to me is because on a
37:37
tactical level This is what threat
37:40
actors or advanced threat actors are using now
37:42
more than ever They're using these like living
37:44
off the land of a dial legitimate
37:46
things it would blend in that don't really fit
37:49
into the category of like shell code
37:51
or c2 or those kinds of things and Potentially
37:54
could lead to long-term persistence
37:57
because companies don't scan Oh scan
37:59
all the service for malware. Okay, we're good. Turns
38:01
out the screen connect, the tool that you thought you were supposed
38:04
to have, is the actual malware. And
38:06
this is actually, we've seen this go as far as
38:09
being used using EDRs
38:11
as like persistence mechanism.
38:13
Like having malicious either
38:16
creating API keys in EDRs
38:18
and using them to run commands or do whatever. Or you
38:22
know, just being in the console
38:24
running commands on every system, even air gapped
38:26
or I guess whatever, not air gapped, but you
38:28
know, out of band systems you can't access,
38:31
you could just run commands on them, right? So
38:33
there's
38:34
any that's gives the beginning but...
38:36
There is the recent Cyber Work On,
38:39
is that a good threat and Cal conference
38:41
if anyone's looking. It just recently happened though.
38:43
And one of their big subjects was the use
38:45
of lay of the land tools and tactics,
38:48
right? And how that's growing bigger and bigger
38:50
and as a detection engineer, that stuff's usually
38:52
pretty hard to detect. You have to know
38:54
your internal, like your
38:56
internal team and the tools they're using
38:58
very well. And like you're saying,
39:01
if they were actively using Screen Connect, there's
39:03
no way you're going to know what's different than a false
39:05
positive and a true positive with that. So
39:08
you really have to sure up and maybe
39:10
block all the connections to the other ones if you can or
39:12
periodically scan if you don't have
39:14
some type of application whitelisting for any
39:16
of those tools, right? But I was...
39:18
But I've got to step in here guys.
39:20
If you look at the bottom of the article, it's an
39:22
unmanaged on-prem device.
39:25
Connectwise weighed in on the
39:27
article. So I
39:30
appreciate the technical
39:32
details we're talking about here but we also
39:34
have to look at cyber hygiene and
39:36
the healthcare organization wasn't practicing
39:39
good cyber hygiene.
39:40
That's a good point. That's
39:43
almost required in most healthcare environments
39:45
though. Like I mean not necessarily
39:47
practicing bad hygiene but like having unmanaged
39:50
devices. You're not gonna put EDR on
39:52
your like MRI machine and void the warranty. It's
39:54
like ten million dollars or whatever. I
39:55
don't know, right? I think the bad part is more
39:58
the it hasn't been updated in...
39:59
Four years part well that voids the
40:02
warranty too That's the thing these
40:04
also people are stuck in but like
40:06
if you update the MRI machine that breaks it and
40:08
that's on you Like you just avoided the warning so
40:11
I mean that's like a tricky thing where like
40:13
they're stuck Yeah,
40:16
these defenses aren't gonna go in at the endpoint level
40:18
They have to go in above that because we know the within
40:21
most healthcare environments the endpoints are off-limits
40:23
for patching and most like Obviously
40:25
it'd be great if the vendors allow you to patch or
40:27
provide patches, but that isn't always the case
40:30
It's almost never the case So that's
40:32
how I see it is like you really have to put these You
40:34
have to put these protections in at the higher level
40:37
and that's where it gets scary of like it's
40:39
a known app that we use I guess
40:42
it's like there might be some burden
40:44
on screen connect to go and investigate malicious
40:46
usage of their tool
40:47
Especially like
40:48
ripping out these accounts that are being abused
40:51
like that really is where that falls. I think is on
40:53
the vendor Acceptable, but on
40:55
the side at least the ID team found that
40:57
machine that they've been missing for the last four years
41:01
You know, they were like, oh we thought
41:04
we got rid of that we thought it was a lease return
41:06
But Corey you're exactly right there. There
41:09
is a balance there because you're right. They're
41:11
not going to be patching machines that are
41:13
in surgical theater But
41:15
the organization I would like to see
41:18
Look at more compensating controls. Maybe
41:21
it's The surgical theater
41:23
is off the network or it's on a different
41:26
network I mean, we don't know
41:28
the whole story here and perhaps the
41:30
organization did have compensating
41:32
controls Maybe they didn't but I
41:34
would at least like to know that that machine is is
41:37
on a risk register Or as part of
41:39
some risk management process
41:42
at the organization as a whole for
41:44
sure I mean, it's also a supply chain Like
41:46
if you have if this machine is managed
41:48
by transaction data systems or whatever and they
41:51
get compromised You have to now
41:53
assume that all those systems across all their customers
41:55
are compromised not that I'm not I'm
41:57
not saying it's not interesting but Really,
42:01
I think it's more interesting to look at this as
42:03
a way that attackers are shifting their tactics
42:06
more than specific things that
42:08
the company victim could have done to prevent
42:10
it. It's more just like, this is what
42:13
attackers are doing now. They're going in, they're
42:15
trying to compromise companies that would
42:17
have, like the MSSs fall
42:20
into this group of companies that
42:22
would have legitimate access
42:24
to lots of other companies through
42:26
channels that they might not be monitoring. That's
42:29
why all the MSSs are terrified
42:32
of this fact. So,
42:34
yeah, I don't know. It's just an interesting tactical shift
42:36
of like,
42:37
now we're not going to go after individual companies.
42:40
We're going to go after companies that manage other companies and then go
42:42
after everything they have.
42:43
So basically don't trust that vendor device in your network,
42:45
I guess is the... Never. Never.
42:48
Oh, the story. Never. Don't
42:50
trust anyone. F-E-T-A. Does
42:54
anyone have any articles they want to
42:57
bring to the table?
42:59
There's one about NORC and WinRAR.
43:01
Is that how you play it? And
43:04
G-O-R-K. Orchid man? NORC.
43:07
It's an okay one just because I've written like,
43:09
detections for it. So
43:14
I like, profiled the shit out of NORC. And
43:16
I'm like, wait a sec, I can just block this at the firewall. And
43:19
I'm like, all right, I'm done. Oh, wait. Oh, you mean
43:21
N-G-R-O-C? You're talking about N-G-R-O-C. N-G-R-O-C,
43:23
NORC, I don't know. I
43:25
got... No. No, no.
43:29
No. It's the price
43:31
interpretation. Okay,
43:35
so N-G-R-O-C, as it's known
43:38
colloquially, or NORC, as it's known
43:40
only by Wade, is basically
43:43
it's a tool that people might be familiar with. It's essentially
43:45
like a reverse tunnel into your network. Essentially,
43:48
it's... So let's say you're a developer, you're running a local
43:51
node server. If you're a developer
43:53
and you're, let's say you're developing a local
43:55
application and you
43:58
want someone to be able to browse that application... on your
44:00
laptop, but you can't just open a port up. You
44:02
can have NGROC open up a port for
44:05
you and the traffic will be redirected through it. So,
44:07
essentially kind of a developer-y focused
44:11
tool, but we've actually used it for years, yeah,
44:13
for similar things to this. Looks
44:16
like it's being attributed.
44:17
Wade, do you wanna talk about what you mentioned?
44:19
You wrote a specific section for it? What is it like?
44:22
Yeah, well, because when you, first you have to see if
44:25
you can install it on your network, yeah, right? Like what type of
44:27
application whitelisting you have? Hopefully they
44:29
can't even install it. But then
44:31
there's specific network traffic that you
44:33
can actually track. It's usually going to their domain.
44:36
So you could say anything going out to that domain. And
44:38
then there's a couple really good threat intelligence lists out there
44:41
that I can't necessarily find right now. That
44:43
have, because NGROC
44:46
is, there's a bunch
44:48
of different versions of this, right? So then that
44:50
opens up the whole like, okay, are we detecting
44:52
all of them? Are we blocking all of them? And
44:55
kind of,
44:57
you need application whitelisting at the long run,
44:59
but
45:00
it's not too hard, but it
45:02
felt like an easy win, at least for the detection
45:04
side. You use it a lot, Corey? So,
45:07
I mean, I don't use it as much nowadays
45:09
because like there's, honestly, from my
45:11
perspective, as like a pseudo, not really
45:13
developer, but someone who has similar situations
45:16
to this, like CloudFlare workers or
45:18
things like, or like the Azure Dev tunnels,
45:20
like there's lots of other better
45:22
replacements for this. And then like NGROC is kind
45:24
of a third-30, like
45:27
less trusted than maybe like Azure would
45:29
be. Although I guess you could argue that's even
45:32
less trusted, but basically,
45:35
I mean, how does this, they're using this
45:37
flaw and they're just tunneling. Yeah, so it's basically
45:39
just they're using NGROC as a C2. So
45:41
the details for this would be like relatively easy,
45:44
right, like you use, because NGROC
45:46
has their own infrastructure.
45:48
Yeah, so you just look for anything based off of them and
45:51
then it's not too hard, but. Of course,
45:53
the Russian hackers were using a free
45:55
version of NGROC, they were not
45:57
paying for it.
45:59
I signed up for it. for the free version and then
46:01
did it myself and then in my own detection,
46:03
I'm like, oh, this is easy. I just went right through
46:06
it. So hopefully, it'll be different.
46:07
Yeah, this one isn't... I
46:09
guess what it is more than anything is just proof
46:12
of the random things
46:14
if you know your exclusions, I
46:16
think is what I would take away from this. If
46:19
you have legitimate uses for NGROC, now
46:21
you need to monitor that more
46:24
closely because we
46:26
know that it's being used for C2. So
46:28
but I will say like from my perspective as the red
46:30
actor or the red teamer, like we
46:33
can tunnel through your network. I promise.
46:35
Like I promise you I can tunnel my way
46:37
out of your network. You
46:40
sound like the guy from men's warehouse right now. We can tunnel
46:43
through your network. I guarantee it. There's
46:45
a way. Like there is a way. So
46:50
I see this as more like an interesting
46:53
thing to talk about, but also like defensive
46:55
depth, right? Like you're... You can
46:57
block all the tunnels. It's not going to happen. No, you
46:59
can't block all the tunnels. It's a low level win if you're
47:01
doing some type of defensive work that isn't
47:04
a hard lift. And honestly,
47:06
nation states are using it. So it's a little
47:09
bit worth it in the long run, even though if
47:11
they... Nation states were using it against,
47:13
I believe it was the Ukraine. So like hopefully
47:15
they're not using it against you. But if they are,
47:18
good luck.
47:19
Let's talk about some botnets getting
47:21
new. Isn't
47:22
that the FBI take out the botnet? Yeah, yeah. There's
47:25
a couple of them, right?
47:26
Or is there just... A really big one that
47:28
they were talking about. Just the IP storm botnet.
47:30
Yeah. Or if storm, I
47:32
don't know. I'm assuming. Or IPS
47:35
storm. IP storm sounded good. IP storm. IP
47:37
storm. Yeah. Yeah, basically the
47:39
US government announced that they took down the IP storm botnet
47:42
and
47:43
they got a guilty plea for the person who was running
47:45
it.
47:46
So I
47:47
guess this is an FBI notice.
47:49
They delivered malware to thousands of Windows,
47:52
Mac and Android devices and Linux.
47:54
Oh my gosh. I thought Linux was free of malware. Why this is impossible.
47:58
Basically using that as a... proxy
48:00
service these are terrifying we've talked about these
48:03
previously on the news they would that
48:05
proxy service then could be used this
48:08
is kind of the new I Guess
48:10
this is like the new definition of what I would call a
48:12
botnet right like
48:13
it's not it's not really like
48:16
It's basically like a D Dossian. It's more you
48:19
it has more utilities than that. Yes, it's
48:21
more about attribution in like IP
48:23
source
48:25
Allocation than it is about DDoS.
48:27
I feel like I don't know what I see storm I
48:29
feel like I should know this but do any of these threat
48:32
actors like offer That
48:34
as a service right like if you had a huge botnet
48:37
and you wanted to masquerade your IP Does
48:39
anyone be like yeah, you can buy our service and go
48:41
through any of our pots? Oh, that was Okay,
48:47
okay
48:50
Sergy Muckin in
48:52
muck sir gay Russian in Moldovian National
48:55
who admitted to creating it between June 2019 to December 2022 he
48:59
pleaded guilty in September. Yeah, it's
49:01
basically apparently can be up to 10 years in prison
49:04
and He apparently earned $550,000 from
49:08
it. So that's it. I guess I
49:10
thought yeah I mean He said he
49:12
made at least that and he has to give up as
49:14
part of the deal and pleading guilty has to give
49:16
up all His bet coin he got from it. Also
49:19
What do you think
49:20
Morris and SEC whistleblower though?
49:22
Maybe
49:25
Maybe yeah, what he should be doing
49:27
and this is what I get a sure services do monitor
49:31
Monitor all the traffic going through the proxy
49:33
and then whistle blow when it's reached traffic Provide
49:38
the service and then whistle blow on the users
49:41
And yeah for those you
49:43
know someone Graham mentioned this in the chat, but
49:46
for those wondering how it worked
49:48
It caught it sort of made news in 2019 because
49:50
it used IPFS for peer-to-peer So
49:53
it's like there's no kill switch for this IPFS
49:56
is like essentially for those
49:58
that don't know it's like a blockchain based file sharing
50:00
protocol that can have many
50:02
different Proxies and nodes and things
50:04
it's essentially designed to be a peer-to-peer But
50:07
it's like can be based on HTTPS so it
50:09
can be Mass we've used IPS
50:12
it when you know when I said I could penalty your network That
50:14
would be one thing I would try there's like
50:16
a million different
50:18
Web front ends for IPFS that
50:20
one of them is gonna be allowed in most networks So
50:23
all right now I got to go in a deep end about IPFS.
50:25
I've never heard of that Thank you
50:27
Wade, thank you
50:33
We can dive into let's go into James article
50:35
because I actually have no clue about this and
50:37
hopefully James you read it It
50:41
intrigues me it it
50:44
kind of kind of kept me away all
50:46
weekend so Microsoft
50:48
finished up ignite last week
50:51
and one of the things they announced on the Kind
50:54
of blue team side is that you can
50:56
now use cyber deception functions
50:59
inside Microsoft defender for endpoint
51:02
so right now they're actually
51:04
Have the ability where you can create an
51:07
alias account that would sit
51:09
inside LSAS and If
51:11
it's tickled or anything like that
51:14
would alert
51:14
There's also it adds a
51:17
host file
51:18
information to fake
51:20
a Fake
51:23
as a different device
51:24
and they're gonna roll out some more things
51:27
related to file
51:29
share Other
51:31
other tactics like that the
51:33
one catch and the one thing that's kind of really frustrating
51:36
Especially on the small business side. This
51:38
is only available inside defender
51:41
p2 So
51:43
if your organization has like
51:45
e5 or whatever you're fine, but you're
51:47
a smaller organization this
51:50
along with some of the other features of Defender
51:53
p2 might be worth the upgrade
51:55
for it.
51:57
And yeah, it's super simple to turn on they
51:59
actually at that FOR Companion, you could Ellipse
52:01
things to, like, create
52:07
the transaction makes your person because you're using
52:11
your server'sphet and make them proper
52:54
but
52:59
they could be early warning or just potentially
53:01
wasting people's time. But
53:03
yeah, I mean, mostly I just feel bad
53:05
for any company that their business model was building
53:08
and selling this Deception technology because they
53:10
just got Microsoft.
53:11
Microsoft did. Well, and so Sherlock.
53:15
Sherlock,
53:15
the Canary tokens
53:17
system is great, but it is
53:20
a pain in the butt to deploy at scale. Even if you
53:22
have the paid version, there's
53:24
no quick way to just, I'm
53:26
going to put a fake password Excel file
53:29
on every computer. You have to do
53:31
some management of those and then the
53:34
honey pots themselves, you have to decide,
53:36
well, where do I put them? So
53:38
now if you have machines that are, you know, work
53:40
from home or remote users,
53:43
they're bringing the honey pot with them at the same
53:45
time. So that
53:46
that Gomer that's sitting there logging
53:49
in with the into the Starbucks, Wi-Fi,
53:52
you know, maybe somebody will
53:54
trip the alert from that.
53:57
So yeah, how many people are going to trip the alert on
53:59
their own because.
53:59
They're looking for their own password, so
54:02
I'm gonna say. I
54:04
had a couple of Canary tokens up
54:06
in shared drives, and all of a sudden, one started
54:08
going off. And it was a regular
54:11
user. I'm like, hey, why are you opening this? He's like, oh,
54:13
I was looking at how to try to reset my password.
54:15
And I found this document that said password, and this
54:17
dude's password's in it, so I tried to log in. I'm
54:19
like, what are you doing? Like, I
54:22
isolated his host right off the bat, just because this
54:24
is too big. Like, this is what you get
54:26
for doing stupid things and looking at other people's passwords. Bad,
54:29
go into timeout. Come out when you have
54:31
a good explanation. That is so tough. So
54:33
one thing that I am interested to see how they do,
54:36
where they don't really mention this a lot, is the lures,
54:38
or the digital breadcrumbs, right? That
54:40
is what I find is the difficult thing to do,
54:43
is to get the attackers to build
54:45
that path to your larger
54:48
deception stuff. Because like James said,
54:50
the Canary tokens are great, but I received
54:53
a large amount of positive sometimes with those.
54:55
So having that be the first stage, and
54:58
then having that either server or domain
55:00
admin, or something be at the second stage, and
55:02
then just luring them in further and further. How
55:06
often do you guys, do you even if you want
55:08
to say this, Corey, do you guys actually see deception
55:10
out there?
55:11
A lot.
55:12
A lot, okay. I mean, again, I'm
55:14
biased because the customers that I work with at Black
55:17
Hills are typically the most mature customers, but
55:19
yes, we see it a decent amount. I
55:21
would say if we don't see it, we recommend that
55:24
customers implement it, even if it's just
55:26
a Kerberosable account that looks really juicy and
55:28
sets off and not break glass alarm. It's my favorite.
55:31
Basic easy stuff, I would
55:33
strongly recommend to customers. And we
55:35
typically, if we don't see it, when you're talking
55:38
about endpoint-based deception, I would
55:40
say that's maybe one in five, one in 10. You
55:43
don't see that many customers
55:45
that are using like, and
55:48
they are really annoying because we'll be running, the
55:51
ones that we've seen, I don't know the specific product, but like
55:53
if you run Bloodhound from a host, it'll just be completely
55:55
fake results. Like it'll be like, it'll
55:57
be completely, it'll hook that
55:59
process. or whatever and just return completely fake
56:01
results to blood hound or sharp hound or whatever.
56:04
Ooh, I don't even know. So that,
56:06
I don't know what product is doing that. We've seen that one before
56:08
and it is funny because what we end up doing is just doing
56:10
it. We just run sharp hound through
56:12
like a proxy, you know, like we tunnel
56:15
it in. And I will say like,
56:16
to be perfectly honest, again, we've talked
56:19
about tactics, whatever, we
56:21
are moving to the point of like, essentially,
56:24
as me as the threat actor, I am doing
56:26
my best to never
56:29
touch a managed endpoint at
56:31
any cost. Like I am
56:33
either deploying VMs in Azure, deploying
56:35
VMs in ESAC, putting VMs
56:38
on existing hosts, like guess what, you can just download
56:40
a portable QEMU and just
56:42
run a
56:43
VM.
56:44
Or tunneling traffic, like I don't
56:46
want to touch the managed hosts. The managed hosts are
56:48
the most,
56:49
that is where the security effort has gone
56:52
in for the last like five, 10 years. So
56:54
people, like, companies detect
56:57
everything on their managed hosts pretty well. I haven't done
56:59
a pentest in probably five years where they didn't see any
57:01
traffic on a managed host. But when
57:04
I get into their Azure and deploy a new VM,
57:06
just a completely clean slate, they
57:08
probably won't notice that. And that's also
57:11
what real threat actors are doing too. That's one of the Scattered Spiders
57:13
techniques is like, get into ESX or
57:15
whatever, deploy a VM, that's
57:18
not your beachhead. Like that is where you're operating
57:20
for the rest of the engagement. So just something
57:22
to keep in mind, like deception is really great,
57:24
especially for insider threats or other like, you
57:27
know, it's worth doing, but it isn't
57:29
going to protect you always.
57:31
Even then I have anything else. Another good point
57:33
is, I haven't seen a lot of good deception tactics
57:36
based around cloud stuff. Like
57:38
I just set it up or any blogs about
57:40
it either. So if anyone out there is like a deception
57:42
guy, like if you'd throw a blog about how to like,
57:45
set up deception in AWS, I'd love you.
57:47
The one that I don't know if anyone's
57:49
done this, but the one that would be really awesome would
57:51
be if you did a deception product
57:54
that would
57:54
fake the metadata service in AWS instances
57:57
or other instances. So like it would just give you fake information.
57:59
In the metadata or the yeah,
58:03
it's a Windows 98 computer. You're like what? Yeah,
58:11
you have to you have to make them not too obvious
58:15
but there are some especially the paid versions
58:18
where the advantage to those is you
58:20
can change the
58:21
Characteristics of
58:23
that that honeypot pretty quickly.
58:26
We did a exercise worth With
58:30
a National Guard unit and they
58:32
kept scanning VIP and then we would
58:34
change its personality And
58:37
they'd come back and scan it and then maybe this
58:39
time they were like, oh, hey, it looks like a looks
58:41
like HVAC Why why would HVAC be in the DMZ?
58:44
I don't know but I'm gonna try to run some some
58:46
weird exploits and
58:47
and then they Nothing happens and then they come back
58:50
around like wait, wasn't this IP? Like
58:52
now it's a remote desktop server. What the heck and
58:55
so it's I mean if you could Sit
58:58
there and and mash on the buttons
59:01
and keep them keep them busy That's you
59:03
know, that kind of goes into that annoy and
59:05
a tribute type You know tactics
59:07
that you want to employ against it against
59:10
the threat actor
59:11
Yeah, for
59:12
sure. It's a good anything
59:14
that's integrated into Microsoft products we generally
59:16
get a lot of we see a lot of benefit for
59:18
our customers because Where
59:20
everyone's at everyone has some Microsoft
59:22
licensing whether or not they use, you
59:24
know, everything to its fullest potential Maybe they don't
59:27
but most people do have some
59:29
Microsoft licensing So I
59:31
do think it'd be nice if they rolled this out to lower
59:34
tiers for sure And maybe they will
59:36
in the future but for now, it's
59:38
a good start. But yeah, I
59:40
think that's uh, I
59:41
think that's a good place to call it everyone That's
59:45
it. Have anything last last
59:47
call
59:50
The FCC one was interesting, but I don't
59:52
think it's too important unless anybody wants to talk
59:54
well So so Ryan,
59:56
let's let's cover some you know, what's happening
59:59
at Black Hills
59:59
What's going on? We got any summits coming
1:00:02
up any snake oil? We do. Anything?
1:00:04
We got our snake oil question
1:00:07
mark summit where we
1:00:10
talk about topics that may be snake oil
1:00:12
or may not be snake oil.
1:00:14
The discussion is,
1:00:16
is it snake oil or
1:00:18
not? We're not trying to sell snake oil. We're
1:00:20
trying to decide is it snake
1:00:22
oil? Just
1:00:25
like that K-12 class, that's what we're
1:00:27
gonna do for us. Yes. So
1:00:30
I don't know if, yeah, we did, we saw
1:00:32
a pretty funny comment. I don't know if it made it outside of like
1:00:34
our internal BHIS chats, but some person like
1:00:36
messaged us and was like, thank you so much
1:00:38
for trying to sell snake oil. We were like, wait, what?
1:00:43
Finally summoning being honest about what they're
1:00:46
selling. Yeah,
1:00:50
no, that's not the intention. The intention is
1:00:52
to give people a platform to talk about certain
1:00:55
topics that they either think are snake oil
1:00:57
or aren't snake oil. So I think
1:00:59
it'll make a lot more sense once the talks come
1:01:02
out. Are the talks released yet, Ryan?
1:01:04
We're starting to get them filled out. We
1:01:07
have them picked out. We're
1:01:09
starting to get the schedule filled out this week. Once
1:01:12
the schedule comes out, it'll make a lot
1:01:14
more sense what the summit is really about. But looking
1:01:16
through some of the submissions we got were
1:01:18
things about, this vendor's
1:01:20
good or this vendor's not good or this whole
1:01:23
part of the cyber security industry is bad. That
1:01:25
was some of the good stuff. So
1:01:27
it's more about just having open and honest
1:01:29
conversations about the way that we do things
1:01:32
and whether they're, are they good or
1:01:34
they bad, opening that discussion.
1:01:36
So it's not about vendor bashing necessarily.
1:01:38
It's just about
1:01:40
opening the discussion from the perspective
1:01:42
of
1:01:43
a
1:01:43
rank and file employee or a CSO or
1:01:46
whatever. What is snake oil and what
1:01:48
isn't snake oil? I'm really looking
1:01:50
forward to Graham's or Slothboy.
1:01:52
It's funny he says Slothboy in the chat to the right, but he actually
1:01:55
says Graham in Discord, so whatever. But
1:01:57
I'm really looking forward to his and it's pretty
1:01:59
much based around.
1:01:59
Cyber education and As
1:02:03
someone who's done a lot of education and
1:02:05
is like part of a boot camp that
1:02:08
not really like doesn't really like the boot camp,
1:02:10
but I'm really
1:02:12
interested to what he has to say about it because I really
1:02:14
wanted to do something like that So you better
1:02:16
you better knock it out of the park gram if you don't wow
1:02:19
wait setting the expectation Right
1:02:23
in that talk I want to get on that
1:02:26
If you're anything like me and you write your talk three days
1:02:28
before it is but yeah Um,
1:02:31
I think that's a good place to call it. Thanks everyone for coming
1:02:33
And I guess if you're in the US have a good holiday
1:02:35
week. Otherwise, I have
1:02:37
good week
1:02:38
No, no bummer news articles this week.
1:02:40
It was great. Like we kept it on like a little least
1:02:42
like a level playing ground the whole way I'll
1:02:45
say one more thing about what we're doing this
1:02:47
week. We have a an anti cast happening
1:02:50
on Wednesday But nothing on Thursday
1:02:52
because of course here in the US it's
1:02:54
turkey day. It's Thanksgiving So we're
1:02:56
not we're not working
1:02:57
But so if you want to check out a webcast from
1:02:59
us We have one on Wednesday and I'll put
1:03:02
that link in the chat as well.
1:03:03
All right, and with that everyone See
1:03:06
you Yes
1:03:22
You
Podchaser is the ultimate destination for podcast data, search, and discovery. Learn More