All posts by jerry

Defensive Security Podcast Episode 268

 

Stories:

https://www.scmagazine.com/feature/incident-response/why-solarwinds-just-may-be-one-of-the-most-secure-software-companies-in-the-tech-universe

https://www.computerweekly.com/news/252522789/Log4Shell-on-its-way-to-becoming-endemic

https://www.bleepingcomputer.com/news/security/hackers-impersonate-cybersecurity-firms-in-callback-phishing-attacks/

https://www.cybersecuritydive.com/news/microsoft-rollback-macro-blocking-office/627004/

jerry: [00:00:00] All right, here we go today. Sunday, July 17th. 2022. And this is episode 268. Of the defensive security podcast. My name is Jerry Bell and joining me tonight as always is Mr. Andrew Kellett.

Andy: Hello, Jerry. How are you, sir?

jerry: great. How are you doing?

Andy: I’m doing good. I see nobody else can see it, but I see this amazing background that you’ve done with your studio and all sorts of cool pictures. Did you take those.

jerry: I It did not take those. They are straight off Amazon actually. It’s.

jerry: I’ll have to post the picture at some [00:01:00] point, but the pictures are actually sound absorbing panels.

Andy: Wow. I there’s jokes. I’m not going to make them, but anyway, I’m doing great. Good to see ya..

jerry: Awesome. Just a reminder that the thoughts and opinions we express on the show are ours and do not represent those of our employers. But as you are apt to point out, they could be for the right price.

Andy: That’s true. That’s true. And that, and by the way, what that really means is you’re not going to change our opinions. You’re just going to to hire them.

jerry: Correct. right. Sponsor our existing opinions.

Andy: Someday that’ll work.

jerry: All right. So we have some interesting stories today. The first one comes from SC magazine dot com. The title is why solar winds just might be one of the most secure software companies. In the tech universe.

Andy: It’s a pretty interesting one. I went into this a little.

Andy: Cynical. But there’s a lot of [00:02:00] really interesting stuff in here.

jerry: Yeah there, there is, I think

jerry: What I found interesting. A couple of things. One is very obvious. That this is a. Planted attempt to get back into the good graces of the it world. But at the same time, It is very clear that they have made some pretty significant improvements in their security posture. And I think for that, it deserves a.

jerry: A discussion.

Andy: Yeah, not only improvements, but they’re also.

Andy: Having these strong appearance of transparency and sharing lessons learned. Which we appreciate.

jerry: Correct. The one thing that I so we’ll get into it a little bit, but they still don’t really tell you. How. The thing happened.

Andy: Aliens.

jerry: Obviously it was aliens. They did tell you what happened. And so in the. Article here they describe this the [00:03:00] CISO of solar winds describes that the attack didn’t actually. Change their code base. So the attack wasn’t against their code repository. It was actually against one of their build systems.

jerry: And so they were the adversary here. Was injecting code. At build time, basically. So it wasn’t something that they could detect through code reviews. It was actually being added as part of the build process. And by inference the head. Pretty good control. At least they assert they had good control over their

jerry: source code, but they did not have good control. Over the build process and in the article they go through. The security uplifts they’ve made to their build process, which are quite interesting. Like they I would describe it as they have three parallel. Build channels that are run by three different teams.

jerry: And at the end of, at the [00:04:00] end of each of those, there’s a comparison. And if they don’t. They don’t match, if the. They call it a deterministic build. So there are like their security team does one, a dev ops team does another and the QA team does a third. And all building.

jerry: The same set of code. They should end up with the same final. Final product. All of the systems are are central to themselves. They don’t commingle. They don’t have access to each others. So there should be a very low opportunity for for an adversary to have access to all three.

jerry: Environments and do the same thing they did without being able to detect at the end, when they do the comparison between the three builds, whether it’s a novel approach. I hadn’t thought about it. It seems.

jerry: My first blush was, it seemed excessive, but as the more I think about it, It’s probably not a huge amount of [00:05:00] resources to do so maybe it makes sense.

Andy: Yeah.

Andy: And also, they mentioned that three different people are in charge of it. And so to corrupt it. Or somehow injected. Into all three would take. Somehow corrupting three different individuals, somehow some way.

jerry: Yeah, they would have to clue the three teams would have to collude.

Andy: Yeah.

Andy: Which. Is difficult.

jerry: Yeah.

jerry: Yep. Absolutely.

jerry: So they actually I haven’t looked into it, but they actually say that they’ve open sourced their their approach to this the multi kind of multi what I’ll just call multi-channel build. I thought that was. Interesting.

jerry: So There’s a, it’s a good read that they talk about how they changed from their prior model of having one centralized SOC under the. The company CISO to three different SOCs that monitor different. Different aspects of the environment. They went from having a kind of a part-time.

jerry: Red team to a [00:06:00] dedicated red team who’s focused on the build environment. I will say the one. Reservation I have is this kind of feels maybe a little bit like they’re fighting the. The last war. And so all the stuff that they’re describing is very focused on. Addressing the thing that failed last time.

jerry: And, are they making equal improvements in other areas?

Andy: Could be, I would say that.

Andy: They’re stuck in a bit of a pickle here where they need to address. The common question is how do you stop this from happening again? That is. That is what most people are going to ask them. It’s what the government’s asking them. That’s what customers asking them. And so there. There’s somewhat forced, whether that’s the most.

Andy: Efficient use of resources, not to deal with that problem right there. They have no choice. But I also feel like a lot of the changes they met, build change to their build process. I would catch. A great many other supply chain type. [00:07:00] Attack outcomes.

Andy: It seems to me.

jerry: Fair. Fair enough.

Andy: It’s also interesting because a lot of these things are easy to somewhat. Explain. I bet there’s a lot of devil’s in the details if they had to figure out, they mentioned that they did. They halted all new development of any new features for seven months and turned all attention to security.

jerry: Yeah, so it sounded like they moved from I think an on-prem. Dev and build environment to one that was up in AWS so that they could dynamically. Create and destroy them as needed.

Andy: Yeah, it’s. It’s an interesting, the fundamental concept that this article is saying is, Hey, once you’ve been breached, And you secure yourself.

Andy: Do you have a lower likelihood of being breached in the future. Are you like Dell? You have the board’s attention. Now you have the budget. Now you have the people now have the mandate to secure the company.

Andy: And is that true?

jerry: think it is situational. that there are some, [00:08:00] I’m drawing a blank. I think that’s one of the hotel change. don’t want to say the wrong name, but I I believe that there are. There are also instances. We’re readily available. Where the contrast true. Like they just keep getting hacked over and over.

Andy: And I sometimes wonder if that has to do with the complexity of their environment and the legacy stuff in their environment. If you look at a company like, I don’t know anything about solar winds, but I’m guessing. You know that there is somewhat of a. Fairly modern it footprint that. Maybe somewhat easy to retrofit as opposed to, hotel chain.

Andy: Probably some huge data centers that are incredibly archaic in their potential architecture and design and.

jerry: That’s a good point. It’s a very good point. It’s a different, it’s very different business model, right?

Andy: And they talked about how they’re spending, they’ve got three different tiers of socks now outsourcing two of them. They’re spending a crap ton of money on security.

jerry: Yes.

Andy: Whether with CrowdStrike watching all their end point [00:09:00] stuff. They mentioned it here. I’m sure that CrowdStrike appreciated that. Their own. Tier three SOC. They’ve got a lot of stuff and they also talking to that now their retention rates for customers are back up in the nineties, which is pretty, pretty good. So I don’t know. Yeah. Clearly this is a PR thing.

Andy: But at the same time, I really do appreciate. A company that’s gone through this sharing as much as they’re sharing because the rest of us can learn from it.

jerry: Yeah, absolutely.

Andy: And the other thing it’s interesting because I look at this, cause I work for software company now. And it’s a small company. It’s nothing the size of these guys. And we don’t have the resources these guys have, but. I think about how many points in our dev chain. Probably could be easily corrupted in a supply chain attack.

Andy: That they’re stopping with their model. That, I wonder what. What could I do? Like how much of this could you do on a budget? There’s a huge amount of people environment here. There’s a huge amount of. Of red tape and [00:10:00] bureaucracy and checks and balances that must add tremendously to the cost.

Andy: Probably slow things down a little bit, probably gonna, would get pushed back. If you just tried to show up at your dev shop and say, Hey, we’re doing this now without having gone through this sort of event. So what I’m dancing around here is the concept of culture. Have, post-breach, you now have a culture that is probably more willing to accept what could be perceived as draconian security mandate over how they do things.

Andy: As opposed to pre breach.

jerry: Yeah. It probably doesn’t scale down very well.

Andy: Yeah.

jerry: With the. The overhead that they’ve poured on. Any, they also. In the article point out that you. It remains to be seen. How well solar winds continues carrying on, but it does, like you said, it does seem like. They’ve they’ve definitely taken this and learned from it and not only learn from it, but also have like we see in this article,

jerry: I’m trying to [00:11:00] help the rest of The rest of the industry learned, which is, by the way, like what we’re trying to do here on the show. Kudos to them.

jerry: For that.

Andy: Yeah. I also wonder how many other dev development shops.

Andy: We’ll learn from this and adopt some of these practices. So they’re not the next supply chain attack. Cause that’s really where the benefit comes.

jerry: Yeah. Yeah, absolutely.

Andy: Yeah.

jerry: All right. Onto the next story, which comes from computer weekly.com and the title here is log for shell on its way to becoming endemic. So the the us government after. Joe Biden’s president Joe Biden’s cyber executive order in, I think it was. 2021. Maybe. Formed this cyber security.

jerry: What is it called? The

jerry: Cyber

Andy: safety review board.

jerry: safety review board. I could remember the S.

Andy: Yeah.

jerry: Which I think was modeled after the [00:12:00] NTSB or what have you. But they released this report last week, which describes. What happened in, or at least their analysis of what happened. In the log4j. Incident that happened last year. And. So I have mixed. Mixed emotions.

jerry: About this one. You know that one of the, one of the key findings is that. Open source development. Doesn’t have the same level of maturity and resources that, that. Commercial software does. And, on the one hand, one of the promises of open source was, many eyes makes.

jerry: Bugs. Very shallow. Which I think we’ve seen is not really holding water very well. But I think the other problem is it’s asserting that. Open source developers are uniquely making security mistakes in their development. [00:13:00] In the last I checked every single month for the past 20 plus years. Microsoft releases.

jerry: Set of patches For security bugs in their software and they are not open source. And so I, I think it w what’s a little frustrating to me was they didn’t. It feels like they didn’t address the elephant in the room. Which was not necessarily that the. Th that the open source developers here did

jerry: a bad job. They didn’t understand how to. Code securely. It’s self-evident that they made a, they made some mistakes. But the bigger problem is the fact that it was rolled up into so freaking many. Other open source. In non open source packages in and multi-tiered right. It’s.

jerry: Combined into a package that’s combined into another package. That’s combined into another package. That’s. [00:14:00] Combined into this commercial software. And the big challenge we had as an industry. Was figuring out where they, where all that stuff was. And then even after that Trying to beat on your vendors.

jerry: To come to terms with the fact that they actually have log4j in there environment, and then having to make these like painful decisions do we stop using. For instance, VMware, because we know that they have yet that they have log4j and they haven’t released the patch. At the time they have, since, by the way,

jerry: But. Th that is I think that’s the more concerning problem. Not just obviously for log4j but when you look across the industry, we have lots of things like log4j that are. Pretty managed by either a single person or a very small team on a best effort basis. And they serve some kind of important function and they just keep getting.

jerry: Consolidated. And I don’t [00:15:00] think there’s a real appreciation for how pervasively, some of these things. Are being used. They do talk about in the recommendations about creating built in a better bill of material for software, which I think is good. But it’s still, that’s like coming at it the wrong way.

jerry: It seems to me like we need to be looking for hotspots and addressing those hotspots. And I just don’t, I’m not seeing that it’s concerning to me.

Andy: what do you mean by hotspots?

jerry: Hotspots in terms of potentially. Poorly managed or not. That’s not the right way to say it, but less well-managed open source packages that have become super ingrained.

jerry: In the it ecosystem like log4j like openssl has been in some of the other bash, And so on.

jerry: We see this come and go. But at the end of the day I don’t know that we have a good handle on where those things are. So we’re just going to continue to get [00:16:00] surprised when some enterprising researcher. Lifts up a rug that nobody’s looked under before and realizes, oh gosh, there’s this piece of code that was managed by

jerry: a teenager in the proverbial basement. And they’ve since moved on to college and it’s you. It’s not being maintained anymore. Any more, but it’s like being used by By everybody and their dog.

jerry: We don’t seem to be thinking about that problem, at least in that way.

Andy: Yeah, you said something early on in covering this too about how open sources less rigorous and their controls than commercial, but I think it’s very fair to say that. vast majority of commercial applications. Are reusing tons of open source. And their code, right? That.

Andy: The kind of odd implication there is that. Commercial entities write everything from the ground up when that’s not true. Now here’s the flip side. If I’ve got a well known, mature, vetted [00:17:00] package. That does its job well that I can include in my software package. I could potentially save myself a lot of bugs and.

Andy: And vulnerabilities because that package has been so well vetted. In theory, right?

jerry: A hundred percent.

jerry: Yep.

Andy: like writing your own encryption algorithm, bad idea. There’s a whole. Whole litany of people who’ve, edited, ruined because they thought they knew better. And that’s a really hard problem to solve. So I think there’s value in having. Almost like engineering standards of this type of strength of concrete,

Andy: that is reused because it’s a known quantity as opposed to, Hey, we’re just going to invent some new concrete and give it a whirl. I see it a little bit like that. But I agree with you. I also wonder how often.

Andy: Dev shops can spare someone who his whole job is to dig deep into the ecosystem of all the packages they pull in. When they do their development and know the life cycle of those. To the level we’re [00:18:00] talking about versus, Hey, that’s a solved problem. I’d just pull it off the shelf and move on.

jerry: I think that is the very issue as I see it. That is the. Problem because I don’t think most companies have the ability to do that.

Andy: What do you thinking like a curated.

Andy: Market of open source tools that are well-maintained.

jerry: Think we’re headed in that direction. I don’t. I don’t love the idea. By any stretch. I’m not saying don’t mean to imply that I do. But. I don’t see a good alternative. And the reason is that, like you said, you want. As a, as the developer of a application, whether it’s open source or not.

jerry: You want to use? You don’t want to recreate something that’s already existing and you want to use something that’s reliable. I think that one of the problems is that. These smaller pieces of open source. Technology like I have a strong feeling that like when the, when log4j started out, they didn’t expect that they were [00:19:00] going to be in every fricking piece of commercial and open source software out there.

jerry: It just happened. It happened.

jerry: over time. And. And.

jerry: I just think there was little consideration on both sides of the equation for what was happening. It was just happening and nobody really was aware of it.

Andy: It’s not like the log4j team was like, gum, use me everywhere. And then, there’s a little bit of, Hey, I wrote this, it’s up to you. If you want to use it, that’s on you.

jerry: Yeah. It’s there. Caveat. Emptor.

Andy: so it’s.

Andy: Yeah, this is. I don’t know. It’s a tough problem. I don’t know. The software bill materials is your solve either. I know a lot of people are talking about it. I know that it helps, but.

jerry: It, I think it, it helps in so much as if you have a, a few as a. Manufacturer of software or even you as a consumer. Have a S bomb that goes all the way down, which by the way, is itself a. Pretty tricky. When something like log4j hits [00:20:00] it becomes much easier to look across your environment and say, yep, I got it there and there.

Andy: Yeah.

jerry: That’s what I have to go fix. By the way, like it’s. You’re also dependent on your close source. Commercial software providers. Also doing a. A similar kind of job. So I think there’s a coming set of standards and processes. That the industry is going to have to, to get to, because this problem isn’t going to go away. It’s going to continue to get worse.

jerry: And somebody is either going to Some enterprising government like Australia or India or the U S is going to stuff a. Solution, none of us would like that our throat, or we’re going to have to come up with something.

Andy: Yeah. You’re not wrong.

Andy: It’ll be interesting to see how it plays out.

Andy: Now that I think the genie’s out of the bottle, you got to assume some of these big cybercrime. Syndicates or whatever term you want to use are attempting to replicate this.

jerry: Oh a hundred percent. A hundred percent, they gotta be looking around saying, what is. [00:21:00] open source components exist in, pervasively and what would be easy ish.

jerry: For me to take over slash compromise so that I could, roll and roll up into as many. Environments as I can, like that would be. Super convenient as a, as an adversary.

jerry: So anyway, there’s lots more to come on that I do think we’re going to see lots of hyper-focus on.

jerry: Source code supply chain, open source. Coming. And I fear that it’s going to. Be largely misguided, at least for awhile.

Andy: Fair enough.

jerry: All right. The next story comes from bleeping. Computer in the, this is a fascinating one. Title is hackers impersonate cybersecurity firms in callback phishing attacks.

Andy: Clever people.

jerry: We have a story here about an adversary or maybe multiple adversaries, who it becomes super enterprising and they [00:22:00] are sending letters to unwitting. Employees at different companies. And I don’t know how well targeted this is. There’s really not a lot of discussion about that, but. In the example they cite they have a letter.

jerry: I think it comes. By way of email. On CrowdStrike letterhead. And it basically says, Hey, CrowdStrike and your employer have this. Have this contract in place, we’ve seen some anomalous activity. You have you and your company. Are beholden to different regulatory requirements and we have to move really fast. We need you to call this phone number and to schedule an assessment. And it. Unlike by the way, a lot of a lot of these things is pretty well written. I would like to think that if I got it. I would say. That’s BS, but like it is really well-written, there’s not, it’s not full of grammatical errors. That kind of makes sense.

jerry: And apparently if you follow the instructions, by the way, [00:23:00] It, the hypothesis is that it will lead to unsurprisingly a ransomware infection because they’ll install a remote access Trojan on your workstation. And then, use that, use that as a beachhead to get into your.

jerry: Your company’s network.

Andy: Yeah. I hate to say it, but another good reason why you shouldn’t let your employees just randomly install software.

jerry: Yes.

Andy: And you have to assume. There’ll be some, this is where I struggled by the way with social engineering training is I really do believe, and it’s not a failure. It’s not a moral failure it’s not an intelligent failure. It’s a psychological weakness of how human beings. Brain’s work that.

Andy: These bad guys are exploiting and they will find some percentage in some certain circumstances. That will fall for these sorts of efforts. And you’ve got to be resilient against that. I don’t think you can train that risk away.

jerry: I, yeah, I would say that it’s [00:24:00] perilous to think that you can train it away, because then you start to think that when it happens, It’s the failure of the person. And actually think that’s the wrong way to think about it. If you have, Obviously. You want to do some level of training?

Andy: Sure.

jerry: Just if for no other reason, you’re obligated to do that by many regulations and whatnot. But, also like you want people to understand. Like what to look for, it’s it helps in the long run, but at the end of the day, like you, we have to design our environments. To withstand that kind of.

jerry: Issue right.

Andy: Yeah.

jerry: if we’re. If our security is predicated on someone. Recognizing that a well-written email on CrowdStrike letterhead. Is is fake. Like we have problems.

Andy: Yeah. If you’re never going to be taken down by one error click on an employee.

Andy: That I think is a problem you need to solve.

jerry: Yeah. And that’s a failure on, on, [00:25:00] on our.

jerry: Like it and security side, not on the employee side.

Andy: Yeah.

jerry: So anyway, be on the lookout. Obviously this is a pretty, I hadn’t heard of this before. It makes total sense in hindsight, but something to be on the lookout for.

jerry: All right. The last story we have comes from cybersecurity. dive.com. One of my new new favorite websites, by the way. The good stuff on there. Title is Microsoft rollback on macro blocking in office sows confusion. So earlier in the year, Microsoft made a much heralded. Announcement. That they were going to be blocking.

jerry: Macros in Microsoft office from anything that was. Originated from the internet. And and that. Was born out by the way, by an apparent. But some researchers have said that. It’s much as two thirds. Of [00:26:00] the. Attacks involving macros has fallen away. So pretty effective control Microsoft last week.

jerry: Now it’s that they were reversing course and re enabling macros. I assume. Because CFO’s everywhere were in full meltdown that their fancy spreadsheets we’re no longer working and obviously we should assume that, the the attacks are going to be back on the upswing. And apparently this is a temporary reprieve. It’s a little unclear when Microsoft is gonna re enable it. But I have a strong feeling that a lot of.

jerry: Organizations have. Taking us taking a breather on this front because Microsoft solved it. For us and now we need to be back on, on the the defensive.

Andy: Yeah, I’m really curious what the conversation was like that Forced them to reverse course, like what broke. That was that big of a deal that was so imperative because this has been a [00:27:00] problem. For at least 15 years with Microsoft.

jerry: yeah.

Andy: least. This was a pretty big win. And now it’s. Kinda get rolled back. So I was disappointed.

jerry: So there are. I think there’s some links in here. You can actually go back and re enable it through group policy settings. Obviously if if you’re so inclined, Probably a really good idea. As a, as an it industry, I think we’re worse off. For this change until they re enable it.

Andy: Yeah. This is without knowing all the reasons behind it. This feels like such a pure example of productivity versus security sort of trade off and playing out in real time.

jerry: Yeah. I can almost guarantee you this what’s going on.

jerry: So that yeah. That is a little concerning. Definitely. Be on the lookout.

Andy: Indeed. We’ll see what happens to be continued. Stay tuned.

jerry: To be continued. And that is [00:28:00] that is the story for tonight. Just one little bit of editorial. I spend a lot of time during the week reading. Different stories, all kinds of Google alerts set up for For different security stories and whatnot to help pick what we talk about on these podcasts.

jerry: And. It is amazing to me. How many. Stories that are Couched asnews are actually. Basically marketing pieces.

Andy: Yeah.

jerry: It’s I know that we’ve talked about this in the past, but it is alarming. I actually gotten to the point now where I dropped down to the end to see what they’re going to try to sell me before I get too invested in. The

Andy: I look at who wrote it. And if they’re like not a staff writer, if they’re like contributing writer from, chief marketing officer from blah, blah, blah, I’m like, Nope.

jerry: Yeah.

Andy: I very quickly just. Stop reading it. If it’s something written by an employee of a vendor or some variety. [00:29:00] And I don’t mean to be that harsh about it. It’s just.

Andy: There’s a bias there that they believe their own marketing. And their own dog food and they’re clearly pushing the problem. They know how to solve.

jerry: Yeah, they’re characterizing. The problem is. Something offerings can solve.

Andy: Right.

jerry: And, and I think it’s a. It’s certainly an understandable. Position, but I. I’m concerned that as a industry,

jerry: Where do we go to get actual best practices. Because if you’re, if everything you read is written by a security vendor who wants. The best practices are install crowdStrike install red Canary install. McAfee installed

Andy: you bring up an interesting. You bring up an interesting side point, which is. I’m seeing some movement in the cyber insurance industry that they’re basically saying. At the broadest level for those that are less sophisticated. These are the three EDRs. We want you [00:30:00] to have one of and if it’s not one of these three, you don’t get premium pricing.

jerry: Oh, that’s interesting.

Andy: And you’re like, wow. Especially because it’s such a blanket statement. And so many environments are different and I’m. I’m not passing judgment on the efficacy of those three vendors, which is why I’m not saying them. It’s more, that’s feels like a very.

Andy: Lack of nuanced opinion that, Very blunt instrument being applied there.

jerry: Yeah, and It also.

jerry: Ignores like a whole spectrum of other stuff that you should be doing in.

Andy: That’s just their EDR. Table-stakes right. And which is all coming very much from ransomware. They’re just getting their ass kicked the ransomware payouts. And so they’re like what is what will stop ransomware?

jerry: Fair enough. That’s a fair. That’s a fair point.

Andy: Back to your point about, So many marketing pieces being masquerading as InfoSec news, I think is very true. And on that note, I want to thank today’s sponsor of Bob’s budget, firewalls.

jerry: [00:31:00] We proudly have I think we’ve cleared 10 years of no No vendor sponsorship. No sponsorship of any kind, other than a donation.

Andy: Yes, which we appreciate.

jerry: All right. is the show for this week. Happy to have done two weeks in a row now. Got to make a habit of this.

Andy: I know this is great. I appreciate it.

jerry: All

Andy: all four listeners that we still have.

jerry: I moved to a commercial podcasting hosting platform. And so we get actually now get some metrics and we have about

jerry: About 10,000 ish.

Andy: Wow.

jerry: Or so.

Andy: counting the inmates that are forced to listen as part of their correction.

jerry: No see see

jerry: think actually because That’s a one to many thing so there’s probably like one stream is forcing like maybe 500 people. To listen.

jerry: And then when they do crowd control, like that could be thousands of

Andy: That is true.

Andy: I was quite [00:32:00] entertained. And really proud of you when I found out that your voice. Was found to be one of the best tools to disperse crowds.

jerry: Hey, we all have to be good at something right.

Andy: It is up there with. Fire

jerry: Yeah. Yeah.

Andy: neck and neck. Better than tear gas. I, are you aware of this better

jerry: I was not aware that I had overtaken tear gas.

Andy: It’s impressive. My friend, you should be proud.

jerry: I, I am.

Andy: should be proud.

jerry: am. I’m going to go tell them.

jerry: All

Andy: All right.

jerry: Have a good one, everyone.

Andy: Alrighty. Bye.

jerry: Bye.

Defensive Security Podcast Episode 267

Defensive Security Podcast Episode 267

 

Links:

https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity

https://us-cert.cisa.gov/ncas/alerts/aa22-187a

https://www.zdnet.com/article/these-are-the-cybersecurity-threats-of-tomorrow-that-you-should-be-thinking-about-today/

jerry: [00:00:00] Alright, here we go. Today is Sunday, July 10th, 2022. And this is episode 267 of the defensive security podcast. My name is Jerry Bell and joining me tonight as always. Is Mr. Andrew Kellett.

Andy: Good evening, Jerry, how are you? Good, sir.

jerry: I’m doing great. How are you doing?

Andy: I’m good man. It’s hot and steamy in Atlanta. Tell you that much.

jerry: Yeah. I ‘ve been back for a month from my beach place. And I think today’s the first day that we’ve not had a heat advisory. [00:01:00]

Andy: Yeah, that’s crazy.

jerry: which it has been brutally hot here.

Andy: Now, when you say beach place, you might have to be more specific, cause you’ve got one like seven beach houses now.

jerry: Well, the Southern most beach house. Yes.

Andy: Yeah. One is the Chateau. One’s technically a compound.

jerry: One’s an island,

Andy: that’s.

Andy: We’re going to have to probably name them because. They’re tough to keep straight.

jerry: They definitely are. Yup.

Andy: But, I, for one. Appreciate your new land barronness activities. And look forward to.

Andy: Jerry Landia being launched and seceding from the United States.

jerry: Hell. Yeah. That’s right.

Andy: I’ll start applying for citizenship whenever I can.

jerry: Good plan. Good plan. All right. A reminder. We should probably already said this, but the thoughts and opinions we expressed on the show are ours and do not represent those of our employers.

Andy: But for enough money, they could

jerry: yeah. Everything is negotiable. [00:02:00] All right. Couple of really interesting stories crossed my desk. Recently and the first one comes from the US department of justice of all places. And the title here is Aerojet , Rocketdyne agrees to pay $9 million to resolve false claims act allegations.

jerry: Of cybersecurity violations in federal government contracts. So the story here is that there’s this act, as you could probably tell by the title called the false claims act that permits an employee of a company who specifically does business with the US government to Sue the company under the false claims act claiming that the company is misrepresenting itself in the execution of its contracts. And if that [00:03:00] lawsuit is successful, the person making the allegation, basically it’s a whistleblower kind of arrangement. The person making the allegation gets a cut of the settlement. And so in this particular case the whistleblower received $2.61 million dollars of the $9 million.

Andy: Wow. So his company. In theory was lying on their security controls. And he found out about it or knew about it. And was a whistleblower. About it is getting 2.61 million.

jerry: Correct. Correct.

Andy: Have to go check everything in my company. I’ll be right back.

jerry: I’m guessing that his lawyers will probably take about 2 million of the 2.61, but, Hey, it’s still.

jerry: still. money, right?

Andy: That’s crazy. It reminds me, it’s probably a lot of our listeners are too young for this, but. The days of the business software Alliance about turning in your employer for using pirated software, that you could get a cut of that, but not in the you [00:04:00] know seven figure range.

jerry: Yeah, this is really quite interesting. And what’s more interesting is that there is apparently some indication that the US government may expand the scope of this to include non government contracts and including. Perhaps even like public companies. Under the jurisdiction of the securities and exchange commission. I don’t think that’s ah codified yet.

jerry: Probably just ah hyperbole at this point, but holy moly. It really really drives home the point that we need to, do what we say and say what we do.

Andy: So what were the gaps or what were the misses that they said they had.

jerry: have done a little bit of searching around. I didn’t go through all of the details in that case. Because it was a settlement, there may not be an actual Details available, but I’ve not been able to find the specific details of of what they were not doing.

Andy: Yeah. did [00:05:00] go and I cause. I was very curious about this and did do a bunch of searching and found some summaries of the case and some of the legal documentations, and it looks like. The best I was able to get into is there was a matrix of 56 security controls. Or something around those lines, don’t quote me on that and that the company only had satisfactory coverage of five to 10 of them.

jerry: Oh, wow.

Andy: And there was another one where they did a third-party pen tests who got into the company in four hours. It looks like there’s a bunch of Unpatched vulnerabilities. So it’s in legalese, right? So it’s a little tough to translate into our world at times.

Andy: But I’m actually quite curious and I might want to do some more research trying to figure out what exactly were the gaps and I guess at the end of the day, they agreed to these things contractually. And just didn’t do them.

jerry: Correct. That’s the net of it.

Andy: This is primarily if you’re doing business with the government, the us government.

jerry: Correct. Do you have a government contract?

jerry: Yeah for now. And I do think that over time, like I said, my [00:06:00] understanding is that the scope of this may make increase.

Andy: This is, I really feel like this is huge. This could open the door.

Andy: I mean because you and I both know how often those contractual obligations and the way you answer those questions is a little squishy.

jerry: Yeah. Yeah. Optimistic, I think. I think optimistic might be.

Andy: That’s fair. That’s fair. But it’s also interesting trying to have, federal judges navigate this very complex world. Yeah, that’s it. That’s a crazy story. We’ll see where that goes.

jerry: So anyway, it really highlights the point about being very honest and upfront with with what we’re doing. And if we commit to doing something, we need to do it.

Andy: Yeah, it just gets fuzzy when there’s business deals on the back end of that answer.

jerry: No, I could completely agree.

jerry: All right. The the next story also pretty interesting. Also comes from a us government agency. This one comes [00:07:00] from CISA the cybersecurity and infrastructure security agency. I hate the name. I really wish they come up with a different name. It’s the word security way too many times. Anyway that the title here is North Korea state-sponsored cyber actors use Maui ransomware to target the healthcare and public health sectors.

jerry: That from a, from a actual actor standpoint or threat actor standpoint, there’s not a ton a ton of innovation here. They’re not doing anything super sophisticated that we don’t see in a lot of other campaigns, but what is most interesting is that the government, the US government has attributed this particular campaign to North Korea. And North Korea is, one of the most, perhaps the most heavily sanctioned country in the world for the us government. And so if you, as a an entity in the US somehow support an [00:08:00] organization or a person or entity in North Korea, you can be subject to penalties from the U S government.

jerry: And the point here is if you are a victim of this ransomware campaign and you pay the ransom, you may run a foul of those sanctions and that could end in addition to whatever penalties you might come into as a result of of the breach you may actually run into some pretty significant additional penalties as a result of supporting the north Korean government.

Andy: Well, that is an interesting little problem isn’t it?

jerry: Yes, it is. Yes, it is.

Andy: What you need is a shell company. To run your ransomware payment through.

jerry: I have a feeling is a lot of that going on in the world.

Andy: we saw some shenanigans with like lawyers doing it as a proxy and with using. In essence [00:09:00] privileged communications to hide it. At least allegedly in some previous stories we’ve covered. But that’s an interesting problem. Yeah. I can see how that would be a challenge. Maybe if you only paid the ransomware, like in bulk wheat shipments.

jerry: a barter system.

Andy: Because we send them food.

jerry: That’s true.

Andy: That’s allowed.

jerry: so you recover your data by paying in humanitarian aid.

Andy: I think Twinkies for data is a perfect campaign. We should launch.

jerry: I don’t even know what to say.

Andy: Either pay three Bitcoin, which is now probably worth like 30 bucks. I don’t know, I haven’t checked lately or.

Andy: Two semis full of Twinkies.

jerry: But how are you going to get to Twinkies to them? That’s what I want to know.

Andy: They have ships. They make ships that they go on and they go across the sea and then they take them off the ships. Did you not read the books I gave you?

jerry: Oh, geez. Showing my ignorance. I will say that there are some recommendations down at the bottom. Some [00:10:00] of them are interesting and things that you haven’t seen a lot of recommended before. But a lot of them are just the normal run of the mill platitudes. Only use secured networks and avoid using public wifi networks. Consider you using an installing a VPN.

jerry: No, I get so tired of the, you should consider doing X. Well, okay. I considered it.

jerry: You should consider not using administrative rights for your users. Okay. I considered it.

Andy: Well, and the real problem here is that ransomware is not one threat. It is the outcome of.

jerry: Exactly.

Andy: Yeah. That’s why the ransomware defense is an interesting problem. Unless you’re actually just trying to stop the. Pure encryption component of it. How that ransomware starts could be highly varied.

jerry: It’s the end link in the chain, right? Because as, they talk about earlier in the [00:11:00] advisory here. This particular Maui ransomware is actually pretty manual. It actually has to be, apparently be launched. By hand. With the command line. So whoever is whoever the threat actor is, they found some way into the system and you can infer. Assuming that the CISA actually has that kind of insight. You can infer by reading through their recommendations, how they think the north Koreans are getting in there using RDP that’s exposed to the internet and then moving laterally using user credentials who have administrative rights and so on. So you can infer based on what they’re saying not to do to see probably how it’s being propagated, but sometimes it’s a little difficult to understand, with these kinds of recommendations how much of it is the result of actual observations and just yeah, we have this list [00:12:00] of good hygiene practices. And we think this is what you should be doing.

Andy: Yeah. I think the problem is that. True. Ransomware defense is highly varied based on the. Individual company’s stance platform, environment, situation. And it’s very difficult to roll that into a couple paragraphs in a generic article.

jerry: Yeah. Yep. Absolutely.

jerry: So anyway don’t get ransomwared and if you do. Don’t pay off the north Koreans because you’re going to get a double whammy.

Andy: I still don’t quite understand how the north Koreans are launching these from their Commodore 64s. But maybe we’ll talk about that in another show.

jerry: It is a fair question, how they’re coming into possession, but I would expect it’s coming in via countries like China and Russia where they may not have that sanction in place. .

jerry: Which by the way, I think is how there, cause you, you would ask the same question. Well, how are they getting internet access? My, my understanding is it. It is [00:13:00] coming through China.

jerry: So the last story today comes from ZD net and the title here is these are the cybersecurity threats of tomorrow that you should be thinking about today.

Andy: Well, hold on. If I’m thinking about tomorrow’s threats today, thinking about today’s threats today.

jerry: Well, you were supposed to think about today’s threats yesterday.

Andy: Oh,

jerry: And you were supposed to think about yesterday’s threats last week.

Andy: I’m gonna have to start over.

jerry: Yeah, well, Look, this isn’t this career. It’s not meant for everybody.

Andy: Is this what they mean by thought leaders?

jerry: I think it is.

jerry: I think it is.

jerry: So the first threat of tomorrow that you need to worry about today. Is quantum threats. And that’s not like the James Bond quantum, right? This is more like the. The quantum computing. Hacking all your public key crypto. Which by the way is going to be here probably sooner than anybody really wants to [00:14:00] admit.

jerry: The world of quantum computing is advancing quite. Quite rapidly. And. I think that the interesting thing to consider is that we’re, we are creating just massive amounts of encrypted data. On a daily basis today. And presumably it’s infeasible to decrypt almost all of it. Because of the complexity.

jerry: But in the near future that won’t be the case. The things that we’re creating today could be relatively easily decrypted using things like quantum computing. So presumably there is enterprising companies and state actors and whatnot, and squirreling away encrypted data. Today.

jerry: That will be encrypted. Somewhere down the line. So at some point. It makes sense for us, like we’re going to have to, I think even before. Quantum crypto because quantum Attacks against cryptography. Becomes [00:15:00] technically feasible. We’re going to have to shift to quantum resistant. Crypto, which is going to be interesting because there it’s you going out on a limb and saying that.

jerry: The quantum resistant crypto that we’re making actually will be quantum resistant because we don’t have the kind of quantum computers that can verify that hypothesis.

Andy: In fact NIST, just put out the beginning of the process to solicit and evaluate. For quantum resistant public key cryptography algorithms.

jerry: Yeah.

Andy: Which I mean, by the way is not a quick process. I think the last time they updated. It took three or four or five years of review. So it’s not a quick. Quick endeavor typically, but yeah. It’s an odd one. And I guess the theory behind this is that quantum computers just do math differently. So all of the time variables.

Andy: Of how long it would take to break a standard encryption today don’t apply or apply very differently to quantum computing than they do to our standard type of computing today.

jerry: Yeah. [00:16:00] Correct. Conceivably a. A well. In properly skilled quantum computer could. Take a, contemporary. Public key crypto and break it, in, in very short time.

Andy: In essence by brute forcing it just much, much, much faster.

jerry: It’s not actually brute forcing. It’s just solving the math.

Andy: Yeah, I. Well, I guess what I’m saying is there’s. There’s nothing inherently weak in the encryption algorithm. It’s the speed of the computing that’s changing.

jerry: It’s the approach.

Andy: You could break it. You could break today’s encryption as well. It just takes a very long time.

jerry: Well, the. The strength in the encryption today comes from the fact that we have to basically just brute force you know trying to factor. Numbers. But in the world. When you get it. To the quantum computing.

jerry: You don’t have to actually brute force. The

Andy: Hmm.

jerry: can just, you can just solve it. Like you don’t. You don’t even, you don’t even have to brute force, so solve it. It [00:17:00] is.

Andy: I gotta be honest. I feel woefully ignorant and naive of these issues, and I clearly need to educate myself because I. I did not understand that.

jerry: It’s well, It’s. It is a

jerry: It’s just very different. It’s a very different thing. It’s not a, like you can’t take a binary computer.

jerry: And compare it to a quantum computer.

jerry: It’s almost like an analog computer. Anyway, it’s very interesting. It’s a, I actually think it’s more closely aligned to. What had been described as the DNA computers, where you can arrange, you can break. Segments of the DNA up and have it have it assemble itself into the answer to a complicated question that you would have a really hard time, answering with a traditional computer. I think it’s closer to that.

jerry: Than it is to like a, an actual binary computer. The concepts are difficult to translate, which says to me like That is by the way, the concern I have as we approach. You creating these [00:18:00] quantum safe algorithms? Like we were like hypothesizing, how. Quantum computing is going to evolve once it the.

jerry: Anyway, that’s.

Andy: Yeah, before we move on to the last thing I’ll say is this feels like the magic black box. That is a bit of a boogeyman because a lot of people don’t understand it. But

jerry: Totally. But it is. it is.

jerry: a practical thing, and it is a responsible thing for us to go and create this, these quantum safe algorithms and start migrating to them.

jerry: With as soon as practical. So I’m just concerned that like how confident can we be that? They’re actually quantum safe. So the next future threat, which I don’t think is actually a future threat, I think it’s like already here is software supply chain attacks. This is, obviously things like what happened with solar winds and Microsoft exchange. And.

jerry: Many others where the threat actors, I think are finding it a lot easier to attack. Purveyors of [00:19:00] software and software as a service companies and in and whatnot. Because if you do that you you can not just attack one company you can conceivably, with one attack yet.

jerry: Access to many different organizations as we saw with Kaseya. And solar winds as well. So yeah, I, I definitely think this is. On the upswing. I fear is it is an industry. Our response to this threat is like more spreadsheets.

jerry: I

Andy: And answer more questions.

jerry: Yeah. I

Andy: no. We have to live off. Look, we need to go back to the pioneer times and we code all of our own software. That’s the only solution Jerry.

jerry: It’s like the Hyundai version of

Andy: Look.

jerry: We have to build it .

Andy: Yeah, I think, yeah. And you can’t download anybody else’s code because you don’t know what’s in it. You have to code it yourself. the only option.

jerry: It’s true. And by the way, building your own encryption is it still irresponsible? So try to figure that one out.

Andy: [00:20:00] I’m kidding. Of course. Yeah, it’s a tough. It’s a tough problem. There’s so much inherent trust that you establish if we’d look back at solar winds and Yeah how many times have you and I said, Hey, upgrades and patches are important. And then that became the attack. Vector. Let’s just hope that becomes a rarity.

Andy: And let’s also hope that. Somebody else gets hit by that before you do, and you have time to react.

jerry: Yeah we just, we have to find a more mature way as an industry of handling this. Threat. There’s some there’s some approaches evolving, like salsa and.

Andy: Yeah.

jerry: And whatnot, but. Still the. From a consumer side, it’s still little more than spreadsheetware are you, or are you not. Salsa. Well, we already know from the first story that people are apt to lie.

Andy: Yeah. To defend yourself from this, I think you could do a lot of threat modeling of, and I’ll go back to the whole concept of least privilege as best you can, but some of these. Software. [00:21:00] Supply chain risks happened because you have no choice, but to have a massive amount of trust granted to some.

Andy: Third-party software.

Andy: Just to function.

jerry: Completely agree, open sources adds another add s another level of complexity there, because. What we see with open sources. And by the way I have no particular aversion to open source thing. The problem we have is that. It’s. It’s apt to be abandoned. It’s easy for it to get handed off from a quote good person to a quote, bad person. It’s.

jerry: Conceivable that a quote, good person goes bad.

jerry: In, in, in many other permutations in it, like they’re so stacked on top of each other some of these open source applications. The feed and even the commercial applications. There’s like tens of thousands of packages. Like how do you.

jerry: How you get your hands around that.

Andy: Yeah, that is crazy.

Andy: You brought up up something that reminded me,’ve even seen some very [00:22:00] popular well-known.

Andy: Packages be turned into protest where

jerry: Yeah.

Andy: purposes, by the maintainers for various reasons, it’s rare, but we’ve seen it a couple of times and it’s.

jerry: Over the years we’ve seen. Browser plugins being sold by their.

Andy: Yeah.

jerry: Their author and maintainer to, Malicious. Quasi malicious companies. So it, it happens. And it’s a really difficult. Problem to solve, but we’re going to have to reconcile how to how to solve it eventually.

jerry: The next one is internet of things, making us more vulnerable. Blah, blah, blah, blah, blah. More devices you have on your network. Created by, I think it’s this, it’s a flavor of the same. That same thing, you have these embedded devices, typically lower costs, whether it’s a copier.

jerry: I don’t know a thermometer or whatever. They have crappy firmware. And they get abandoned and they’re still on your network and they become a launching point. And then, they point out in the [00:23:00] article the super famous. I guess infamous story about the Las Vegas casino that was hacked through their.

jerry: Their aquarium thermometer, which is. I don’t know. Something’s wrong there. If that can happen, but I mean there’s stories about, people getting in the wireless networks through Through a smart light bulbs. There’s a lot of stories like that and,

jerry: But I think it’s a similar kind of thing we have to. We have to figure out how to handle that. The one that makes me the most concerned though. Is a deep fakes powering business, email compromise attacks.

jerry: So I actually as a. Kind of an experiment. And I’m recording it with this software now. You can easily buy. You have access, like the average person has access to technology that allows you. Pretty easily to do deep, fake type stuff. And if you think about that in the context of what we’ve seen [00:24:00] with

jerry: The business email compromise where somebody’s parading as the CFO. Asking to transfer money or to change the bank account information. This opens up a whole new world. And especially when you add the layer of a video deep fakes, holy crap. Like having a WebEx. With the person who you think is your boss. And by all means, by all appearances, it is.

jerry: And here you’re talking face to face, virtually face to face with who you think is your boss, giving you an instruction on how to do something or to do something. And it’s. It’s not real.

Andy: Yeah. In fact, Jerry’s, not even here I deep faked jerry’s entire portion of this podcast.

jerry: That’s true. That’s true. I was never real by the way.

Andy: That’s actually not true. Jerry has evolved into a llama. it’s been replaced by a deep fake AI. I’m kidding. No, I don’t mean to make light of this because I think it’s absolutely [00:25:00] legitimate. We, as humans. Have evolved to trust our senses. And identify people visually and audibly. Withreat level. Like we don’t have any built in skepticism that we just inherently trust it.

Andy: And this problem. Is playing on that psychological concept of, we trust our senses when we identify somebody because we’re very good at identifying things. And so the fact that. We have now moved to this digital environment and digital comms, and we can deep, fake this successfully. Is really powerful and dangerous.

Andy: And I can see this wreaking a lot of havoc. Absolutely.

jerry: Yeah, it’s. It, it seems a little scary to me to be honest. And I think we’re going to have to come up with. Better processes.

jerry: Well, you’re gonna have to have a multifactor, like you’re I think we’re going to get to a point. you just can’t trust. [00:26:00]

jerry: just can’t trust.

jerry: that. And by the way, scares the crap out of me. When you think about things like evidence submitted in the court from surveillance cameras. There’s like the, your mind can go in lots of problematic places. But from a, just narrowly from a business.

jerry: Resisting business, email, compromise type things. It really puts on what’s the focus back on having a robust process.

jerry: Where even if you have your boss, the CFO, whoever call you up on a WebEx.

jerry: Like you still have to have some systematic way.

jerry: That requires authentication and whatnot.

jerry: That.

jerry: The person has to prove who they are.

jerry: We just have to do that.

Andy: Yeah, no.

Andy: No matter what you can’t violate the process that.

Andy: Authenticates at multiple levels that this person is who they say they are, and that they’re authorized to do it. Which is difficult, especially for small companies. It’s a lot [00:27:00] of discipline and bureaucratic red tape, but. Otherwise, I just it’s going to get too trivially easy. To fake a phone call from the CEO.

Andy: With a perfect voice representation.

jerry: alone a perfect ah video.

Andy: Right.

jerry: Yeah. Anyway, that’s Something to keep you awake at night. Destructive malware attacks is next. Again I think we’ve we’ve seen this. Quite a lot. We had WannaCry NotPetya. Yeah. And candidly. Like the scourge of the internet right now is ransomware, which I think they’re thinking more like physically damaging, candidly ransomware is I think in this category already.

jerry: So I think we’re, I think we’re already living in this one.

jerry: And then finally the skills crisis. Although I guess I’ll go back one, we’ve talked to in the past about. Some of the forward-looking innovations in [00:28:00] malware, probably moving into firmware.

jerry: And in that may be where we where we see this going next is it does get more destructive for the average organization, but it’s by means of attacking firmware. Like where you can’t recover. Your hardware, you just, you can’t just wipe a system and.

Andy: Yeah. Just bricks, the entire.

Andy: Whatever.

jerry: Right.

Andy: Motherboard level or hard drive level

jerry: Or it’s it. Or it’s it’s infected at a, in a way that just you can’t clean it. You just, you can never reestablish trust.

Andy: You mean like installing windows.

jerry: For instance.

Andy: Sorry. I’m kidding. I’m kidding.

jerry: Yeah. Although I have to on that funny point. So the the author of systemd, for those of you who ah who are Linux nerds like me, the author of systemD recently left Red Hat and moved to Microsoft.

Andy: Aye.

jerry: And so system D has been pretty controversial thing and, cause it’s starting, my, my view is it’s starting [00:29:00] to move Linux into kind of a windows windows mode of operation. And so I think like the next plan. Like order 66.

Andy: Oh,

jerry: right. And system D was like the clones.

jerry: In order 66 is. They’re going to, we’re going to, they’re going to rename systemD to be SVC host.

Andy: So who are the Jedi in this example? Exactly.

jerry: I don’t know, everybody’s bad.

jerry: So there’s no, there’s there’s no. There’s no light side of the force is like the dark and the darker side of

Andy: But with order 66, like they kill all the Jedi. So who are they going to like.

jerry: Oh, that’s the Linux. That’s the Linux people. That’s the people who are using. Using Linux.

Andy: I see.

jerry: Yeah.

Andy: Yeah.

jerry: The only thing left will be ah, will be the windows? Yeah.

Andy: And my one lone copy of OS2 warp that I’m running still.

jerry: That is very true

jerry: Yup.

Andy: It’s a dangerous world. My friend.

jerry: So the the final frontier of risks that we will have to worry about [00:30:00] tomorrow. Is the skills crisis.

jerry: I am. I will sayit a little bit differently. I’m not sure that is the skills crisis so much as. The ability to pay for the skills we need.

Andy: So you think there’s plenty of people out there we’re just not paying in a form.

jerry: I think, yeah, I think so. I think it’s probably naive of me to say there’s plenty of people out there, but there are people out there. My observation is. A lot of organizations have lots and lots of of job openings and they moan and complain about the. The lack of people, but it’s the lack of people who were willing to take the job at the.

jerry: Rate that they’re offering.

Andy: Okay. So is that a. Is that a supply demand problem as well. If there was more supply. To meet that demand. It would. down the pricing.

jerry: yes. I think so. I think [00:31:00] that’s, what’s. To be honest, like one, one of the ways to look at this is, a lot of organizations are.

jerry: Trying to dramatically increase the supply to get the cost to go down. The reality is that there’s a. Like, we’re just don’t have the level of the number of people. We, most organizations don’t have the number of people in the skill level of people they need. But at the same time, I think there’s.

jerry: That’s a symptom. Of a bigger problem that I don’t think that most companies invest the amount of money they need to invest in securing and operating their IT like, I think we’ve just. Like we’re over. We’re overextended. We’re over leveraged. In it, and we’re trying to figure out how to fix it without fixing that.

jerry: Over leveraged situation. That’s just, Jerry’s macroeconomic. Baloney.

Andy: Yeah, see some truth in there though that we.

Andy: We also have [00:32:00] probably a lot of bad practices. And failure to follow best practices for various reasons that were. Compensating for, with other security controls, as opposed to just. things more inherently secure.

jerry: Oh a hundred percent.

jerry: A hundred percent

Andy: Now that’s a complicated thing, there may be very good reasons why we do that. And I’m not saying. I’m trying not to be dogmatic about there’s only one way to do things. I think that’s true. I also think a lot of legacy businesses have so much tech debt. And the cost to say rebuild with best practices are so high.

Andy: I think probably don’t have much choice.

jerry: Absolutely.

Andy: Yeah, I don’t know. It’s interesting problem.

Andy: I do wonder.

Andy: I do wonder if it’s.

Andy: Going to stabilize or we’re always going to be in this scenario.

jerry: It is.

jerry: On the one hand

jerry: There’s a lot of peril in thinking that the patent office is going to close. But on the other hand how much more innovation, like how many more features does your Your word processor need? .

Andy: [00:33:00] Apparently lots.

jerry: Well, I guess I’m like there will always be innovation, but I think the rate of innovation is going to. You’ll start to flatten out a bit. And

Andy: we’ve been saying that for years and.

jerry: Yeah, well, it’s

Andy: law has proved us wrong over and over again. But I hear you like how word process spreadsheets pretty mature, pretty commodity. Like how much more tech do you need in them, but. Heck we’re still debating whether or not macros should be on or off in office by default.

jerry: Oh, gosh, that’s right. Yep.

Andy: No, I hear ya. I just, I also feel like it’s going to slow down soon and feel two old guys talking about getting off their lawns.

jerry: Well, I think it’s, I think the complexity will probably shift around and I think to some extent, what. What might end up happening is we see. We see the devices people have move away. The device’s employees have move away from being kind of general purpose computers to more specialized.

jerry: Like iPad type [00:34:00] devices. Not. Not not like green-screen terminals but less so in less a wave. Or less general computing and more. Specialized, which I think are easier to secure. That just shifts. A lot of the complexity into other parts of the environment your infrastructure.

Andy: Well, going to specialized isn’t that like being more like an IOT. Problem, which also we can’t seem to keep updated and secure.

jerry: Well, that’s true. I guess were.

jerry: Pretty bad all the way around,

Andy: yeah. Sorry, clearly there’s no hope for any of us.

Andy: We’re doomed.

jerry: Yeah.

jerry: All right. Well, I guess we’ll just just keep milking the the machine for awhile. And then we all retire to our private island,

Andy: jerry Landia.

jerry: Anyway I thought this was. Pretty interesting list of things to be thinking about. The most interesting one I thought by far was the was the deep fake threat.

jerry: I wanted to call that out. Anyhow, that is [00:35:00] the show for today. Thank you all for for listening. Sorry. It’s been so long. Life continues. To get in the way of making podcasts. And I, every time I think it’s going to level out and I will be less busy. Something happens.

jerry: Hopefully. Fingers crossed.

Andy: Fair enough, but Hey, I I, we appreciate you guys sticking with us and hopefully still finding some value in the podcast and we enjoy making them when we can.

jerry: Take care, everyone.

Andy: Have a great week.

Andy: Buh-bye.

jerry: Bye.

Defensive Security Podcast Episode 266

https://www.csoonline.com/article/3660560/uber-cisos-trial-underscores-the-importance-of-truth-transparency-and-trust.html

https://thehackernews.com/2022/06/conti-leaks-reveal-ransomware-gangs.html?m=1

https://www.bleepingcomputer.com/news/security/new-symbiote-malware-infects-all-running-processes-on-linux-systems/

https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896

Defensive Security Podcast Episode 265

Google Exposes Initial Access Broker Ties With Ransomware Actors (bankinfosecurity.com)

Okta says hundreds of companies impacted by security breach | TechCrunch

Okta: “We made a mistake” delaying the Lapsus$ hack disclosure (bleepingcomputer.com)

Microsoft confirms Lapsus$ breach after hackers publish Bing, Cortana source code | TechCrunch

DEV-0537 criminal actor targeting organizations for data exfiltration and destruction – Microsoft Security Blog

Sabotage: Code added to popular NPM package wiped files in Russia and Belarus | Ars Technica

President Biden Signs into Law the Cyber Incident Reporting Act (natlawreview.com)

SEC Proposes Rules On Cybersecurity Risk Management, Strategy, Governance, And Incident Disclosure By Public Companies – Technology – United States (mondaq.com)

Defensive Security Podcast Episode 263

https://www.govinfosecurity.com/data-breach-exposes-booking-details-19-million-customers-a-18505

https://www.helpnetsecurity.com/2022/02/11/cloud-security-training/

https://www.bankinfosecurity.com/massive-breach-hits-500-e-commerce-sites-a-18492

https://www.darkreading.com/cloud/linux-malware-on-the-rise-including-illicit-use-of-cobalt-strike

https://www.darkreading.com/attacks-breaches/google-cuts-account-compromises-in-half-with-simple-change

Defensive Security Podcast Episode 262

https://www.darkreading.com/edge-threat-monitor/most-common-cause-of-data-breach-in-2021-phishing-smishing-bec

https://www.bleepingcomputer.com/news/security/fbi-shares-lockbit-ransomware-technical-details-defense-tips/

https://www.csoonline.com/article/3648991/dhs-announces-the-creation-of-the-cyber-safety-review-board.html

https://www.darkreading.com/application-security/disclosure-panic-patch-can-we-do-better-

Defensive Security Podcast Episode 261

https://www.bleepingcomputer.com/news/security/hackers-are-taking-over-ceo-accounts-with-rogue-oauth-apps/

https://blog.f-secure.com/insight-from-a-large-scale-phishing-study/

https://www.darkreading.com/attacks-breaches/log4j-proved-public-disclosure-still-helps-attackers

https://www.csoonline.com/article/3647756/how-to-prioritize-and-remediate-vulnerabilities-in-the-wake-of-log4j-and-microsofts-patch-tuesday-b.html

Defensive Security Podcast Episode 260

https://www.csoonline.com/article/3647209/why-you-should-secure-your-embedded-server-management-interfaces.html

https://www.csoonline.com/article/3646613/cybercrime-group-elephant-beetle-lurks-inside-networks-for-months.html

https://www.zdnet.com/article/when-open-source-developers-go-bad/

https://www.bleepingcomputer.com/news/microsoft/microsoft-resumes-rollout-of-january-windows-server-updates/