The Audit

Unmasking the Complex World of Cybersecurity and Software Updates

August 07, 2023 IT Audit Labs Season 1 Episode 23

Wouldn't it be great if you could navigate the treacherous landscape of software vulnerabilities like a pro? That's exactly what we're serving up in our latest podcast episode. Together with our dedicated team, we dissect the upsurge of these vulnerabilities, the recent discovery of a toolkit targeting Apple macOS, and stolen ChatGPT credentials. We even do a deep dive into the CVE system. Our discussion sheds light on how these vulnerabilities have grown over time, largely due to the evolution of software development.

Are you constantly second-guessing whether to update your software due to the fear of breaking things? You're far from alone. Hang out with us as we share our personal anecdotes dealing with software updates, security patches and the puzzling catch-22 situation that arises. In an alarming revelation, we also walk you through the recent compromise of over 101,000 OpenAI ChatGPT account credentials. If you're a user, this is an episode you can't afford to miss.

Imagine living in a world where data breaches are the new golden age. That's the reality we're grappling with, and there's no denying the risks associated with storing data on an internet-connected database. From discussing malicious targeted ad campaigns to delving into the dangers of certain browsers, this episode is a rollercoaster of cybersecurity insight. We round off by examining how data breaches have shaped cybersecurity history. Tune in and arm yourself with the knowledge to combat the rapidly evolving world of software vulnerabilities and cybersecurity.

Mandi Rae:

Thank you for joining us and welcome to today's episode of The Audit, where we will be discussing recent headlines in the cybersecurity world. Today's focus will be on the discovery of a new toolkit that targets Apple macOS, stolen ChatGPT credentials and the security issues associated with Chrome. You are not going to want to miss this episode, so stay tuned.

Joshua Schmidt:

We're talking today about data breaches. We're talking about some cybersecurity in the news. Seems like there's always something going on. You wanted to share this graph. What can you tell us about this graph? We were kind of talking about it before.

Scotty Rysdahl :

So this is just a general graph. There is a citation but I honestly haven't gone to validate it. But it does follow my narrative here, which is that the number of vulnerabilities in software in general has just been following this exponential curve since people started tracking this stuff, like back in the mid-2000s. So at some point 20-some years ago, some researchers and nonprofit organizations devised this thing called CVE, which is Common Vulnerabilities and Exposures, and it's kind of this whole taxonomy or system of organizing and tracking vulnerabilities in software and computers and even hardware and devices. And anybody really can apply for what's called a CVE, a specific identifier for a new security issue that they find, and the way that they're formatted is usually the acronym, so CVE, dash, the year that something was disclosed or identified, dash, and then an incrementing number that basically starts at zero every year every January and cruises up until December 31st, and however far we get, however many vulnerabilities are discovered and disclosed, that's where that number ends for the year and then we start over the next year. So we're going to talk about some other articles here on specific vulnerabilities in common software and we'll see some of these CVE identifiers in those articles.

Scotty Rysdahl :

But just looking at this graph, it's pretty easy to see that as more security researchers and more cyber criminals have been collectively looking closely at software and trying to find ways to exploit it and misuse it to carry out cybercrime and attacks, the more of these things are found.

Scotty Rysdahl :

The more you look, the more you find, and so you can see on the graph that back in around 2010, it was barely 5,000, and we've gone five times that in less than 13 years since then. So it's just an amazing explosion, and if you've been a tech user all that time, you've kind of felt this, even if you weren't tracking these numbers. How often do we have security updates that are rated critical for our iPhones? Every time I restart my Chrome browser, it tells me hey, there's a new version you need to install, and usually it's a security update for those more frequent, like weekly or even daily sometimes, updates. So, yeah, just interesting to see this explosion of just the critical mass of people looking and finding problems in software that can lead to full compromise and data breaches.

Joshua Schmidt:

Not quite a hockey stick, but it's certainly a ski jump.

Scotty Rysdahl :

Yeah, I wonder about this year, because if we're about halfway through the year now, we're on track to not make it close to last year, but I would doubt that. So maybe this data is just not quite up to date, but I would guess we'll surpass 20,000 at least and go beyond.

Joshua Schmidt:

So does this mean you're losing the war, or does it just mean that, like you kind of mentioned, these vulnerabilities are getting pointed out more readily and more prolifically as we are more aware of what's going on?

Scotty Rysdahl :

Yeah, that's a good question. I don't think we're losing anything. I think it just really points to more visibility and more eyes on all the tech we use, and just more tech being used. So there's just more applications out there, there's more web frameworks, there's more versions of the iPhone and Android phones, so the tech has exploded in number and the number of people looking for issues, both good and bad, is also growing every year. So maybe that sort of multiplied together gets you this hockey stick.

Mandi Rae:

I was going to echo that. 10 years ago, think of how many people had a phone in their pocket, and now, I mean at elementary school, they're carrying phones right. So exponentially more devices and software is absolutely what I think is happening.

Scotty Rysdahl :

Yeah, and I was talking to Josh before you came on, Mandi, before we started rolling, about kind of how software development has changed over the years too. So 20 years ago there were these very regimented, scheduled, methodical releases. They happened infrequently and they had a lot of changes bundled into them. And nowadays there's sort of more agile methods of development that lead to just constant delivery, continuous delivery of code to production systems. That makes Microsoft's monthly cadence seem kind of quaint these days. So yeah, no longer are we developing software on year schedules, we're developing it and doing these sprints every few weeks or every month or whatever the case may be for each product. So more code changes leads to more possible vulnerabilities too.

Mandi Rae:

Really trying to be quick to market with things right. You want to be the first, especially when it comes to the technology arena.

Scotty Rysdahl :

Yep, yep. There's this whole concept of minimum viable product, right. So don't plan this grand update or this grand application and deliver it in years, just keep iterating as fast as you can to get that next little bit out the door, the next little cheese for the users to nibble on.

Joshua Schmidt:

Is this just to keep shareholders happy and just getting those numbers continually growing for their user base?

Mandi Rae:

I think it's to make that money, Josh.

Joshua Schmidt:

Yeah, of course. Of course. It's just so annoying and it seems to me like a lot of these applications are fine, you know how they are, but if it's a security thing it's something they have to address. They're just kind of weighing out that liability versus the money-making risk, right? So there's an article I found I thought was interesting. Cybersecurity researchers have uncovered a set of malicious artifacts that they say is a part of a sophisticated toolkit targeting Apple macOS systems. Two of the three malicious programs are said to be generic Python-based backdoors that are designed to target Windows, Linux and macOS systems. The payloads have been collectively dubbed JokerSpy. Scott, who comes up with these names? Are they named? Is it like, haha, and there's like a little laughing Joker? You've been hacked by JokerSpy, or how do these names come about? Because they're super entertaining.

Scotty Rysdahl :

Yeah, that takes me back to the movie Hackers from 1995 or whatever, Angelina Jolie, where every time there's a virus launched, a little smiley face with a pirate patch goes and chomps its way across the screen.

Joshua Schmidt:

Dennis Nedry on Jurassic Park. You didn't say the magic word.

Scotty Rysdahl :

I wish that's how information security had developed over time, that we got more interactive and colorful.

Joshua Schmidt:

There's still time for that.

Scotty Rysdahl :

Yeah, if anything, they've gotten more stealthy and less visible, I would say, with the exception of ransomware, where there's kind of like that flair for the theatrical. You know, like you get a ransom note on your desktop and they have that chance to kind of bully you a little bit right there, where they tell you that they have your data.

Joshua Schmidt:

Yeah, so all you hackers listening to this. We need a little more Steven Spielberg production in this malware.

Scotty Rysdahl :

Yeah, just go on Fiverr and spend 30 bucks and get some freelancer to, honestly, if you're into that.

Mandi Rae:

I think we've talked previously on prior podcasts about CrowdStrike and are they the ones who do a really great job connecting a little bit of anime graphics to vulnerabilities and exploits they find.

Scotty Rysdahl :

I don't know if you're familiar, but there's some write-ups where they have, yeah, professional, whatever, iconography or kind of characters almost built into their analysis, right.

Mandi Rae:

I love the aesthetic of that. I mean, it's what makes security kind of sexy.

Scotty Rysdahl :

It is, yeah, along with what Josh mentioned, which is how things kind of get named, and that wasn't always the case. You know, again, 10, 15 years ago, vulnerabilities were just called by their CVE name. So we had CVE-2010-115, you know, and those identifiers are still used. But nowadays, if something's really big, it'll get some funny hackery name, you know, and as far as who comes up with them, it's usually the research team who kind of uncovers it first. They get to name it. So it's like finding a star or something.

Scotty Rysdahl :

Yeah, it is very much like that. Yeah, sometimes they do take clues from the malware. So there's this whole process called reverse engineering, where the researchers will take the malware, they'll put it in kind of a little safe sandbox environment and they'll pull it apart and watch how it works, and they can retrieve some kind of artifacts from how it was coded, how it was written, and so you'll find things in there like the languages, the human languages that the hackers, the developers used. Often they're Russian or whatever, and so they'll find little tidbits, little keywords, and they'll name things after that, and then, of course, hacker groups themselves get these funny names like Fancy Bear, and I forget what North Korea is now. Lazarus maybe is one of them.

Scotty Rysdahl :

So, yeah, they even name the gangs, you know, with these kind of cool theatrical names too. So yeah, like Mandi said, it's sexier than, you know, software engineering or other sub-disciplines of IT, because we kind of have the cloak and dagger aspect to it.

Joshua Schmidt:

Meanwhile, behind the scenes at Lazarus, it's just a really nerdy dude sitting at a big chair, not so much at the computer, but they're probably driving Lambos, you know, in.

Scotty Rysdahl :

Europe because that's how it works these days.

Mandi Rae:

Okay, I was gonna say unshowered working in a dingy basement, but their daytime hours are probably super fun.

Joshua Schmidt:

In a gaming chair with a 24 pack of Mountain Dew.

Mandi Rae:

Exactly.

Joshua Schmidt:

JokerSpy. So you know I'm a normie, that's my job on this podcast as well as producing, but you know, I thought Apple was kind of the gold standard in security as far as personal computing goes. You know, is this kind of a new thing or has this been going on for a while and just not been brought to my attention?

Scotty Rysdahl :

Well, it's not new. So when somebody finds a vulnerability, if they're a bad guy, they'll oftentimes find a way to use it directly or maybe to resell it on the dark web or whatever they can find customers. If you want to up your game as a seller or distributor of those types of digital weapons, you can group them together and you can categorize them by which product they attack, which software they impact. And so, just like you can go to Costco and buy your peanut butter by the barrel, you can do that with exploits. So you can get a whole kit that bundles all these different things together, the starter kit for cybercrime almost, and it'll include kind of a curated set of related or even just totally different exploits that you can use to carry out cyber attacks.

Scotty Rysdahl :

And it's another great example of this diversification of cybercrime, where in the old days maybe it was the same person that found a flaw, exploited the flaw and then carried out the attack and retrieved or stole data. But nowadays it's like one person finds the vulnerability, another person collects vulnerabilities or buys them and puts them into an easy-to-use kit, and then yet another person licenses that kit out to cybercriminals who actually want to carry out the attacks. They even run help desks these days to help their affiliates, as they're called, use these weapon kits for their own gain. So it's really amazing how far it's matured. You can get text-based support if you're a virus buyer or a toolkit buyer, and somebody will helpfully chat away and tell you what you're doing wrong. And oh yeah, did you make sure that you filled this variable in with the domain that you're trying to attack, or whatever the case may be? Yeah, it's a weird world.

Mandi Rae:

It's crazy. I think my first reaction in reading this was like come on, Apple. Much like you, I think Macs weren't targeted as frequently as a Windows or Linux-based machine, or at least that was my thought, as Macs just seemed more protected. I just read another article in PCMag about the Migraine vulnerability that Microsoft found, where Apple was allowing attackers to perform arbitrary operations on Macs. They were hiding malicious files in the monitoring tools and expanding the scope of the malware to attack the system's kernel. They were bypassing SIP. It's just like come on, Apple, what are you doing? I hate the critical bug fixes on my phone. I hate that we're not thinking about things and testing things thoroughly before getting them out into the public.

Joshua Schmidt:

I've been complaining to Scott for several weeks now, Mandi, about an issue I recently had which was really a pain in the butt. I ran an automatic update on my M1 Mac and it rendered my Final Cut Pro app completely useless because of the third-party software that I have on my computer for audio engineering and audio editing. There's probably 30 or 40-plus third-party apps on my computer, plugins, and these plugins were stalling Final Cut Pro on startup to the point where it would crash my computer, and it just kept crashing my computer, and I got to the boss level of the IT department at Apple where they took over my computer. By the time I got to the boss level, the guy already had the answer. He knew what he was getting into when he took me on. He was basically like, we already stopped collecting data on this issue. So either we're going to do an update soon or we're not, and we're going to wait until these third-party developers catch up to what we just did.

Joshua Schmidt:

But it flabbergasted me, because this is an Apple product on an Apple computer. They didn't even put in a backstop where I could bypass these plugins and just force-run this app. So you're telling me I can't even use this app today. I got stuff to do, I have deadlines, and now either my choices are to partition my hard drive and reinstall Final Cut Pro on my partitioned hard drive so that it's not running into any of these plugins, which to me sounds like a nightmare as a non-techy kind of person, or to downgrade to a, and I don't even know how to do that. I'm sure there's ways to go back to the version of the OS that I was using, which could create other problems, right?

Mandi Rae:

I was going to say, I think that's the catch-22. If you're up to date on the latest fixes, then things start to break, right, because, like you said, not everybody's caught up, whether it's Apple or somebody else. However, if you wait, then you're not patching these vulnerabilities. You're living with these bugs that they have found, and so you've got to find that common middle ground. Scott, what would be your recommendation, just understanding what Josh is saying? I mean, I think it's happened to all of us.

Scotty Rysdahl :

Yeah, we had discussed this earlier before we started rolling too, and I was just sharing that. It's the same in the enterprise. Microsoft releases their monthly set of patches and they often break things in production. They break critical systems sometimes, and Microsoft treats their customers like their first or second round of beta testers. Here's the code. Go for it.

Mandi Rae:

I don't want to be your pilot.

Scotty Rysdahl :

I know, and we're paying for that privilege, right, to run their bleeding-edge code, but there's really no choice. So Microsoft puts it on their customers to have their own update procedures. So start with a sample group of your systems, workstations, servers, whatever the case may be. Do the updates, wait a week or two, then roll it out to everybody else, and every organization has their own staggered process for doing that. But yeah, at the end of the day, just because something gets officially released as stable doesn't mean it is. Yeah, I don't know. I wish I had a better answer.

Mandi Rae:

You wish Josh well knows. So would you tell people, do we update right away, or do we wait a minute?

Scotty Rysdahl :

Yeah, my answer would be different depending on what the update is. So if you're talking about major updates, so going from Windows 10 to Windows 11, for example, wait, wait at least a year. Don't be an early adopter for new major versions of things. They're not meant to be production-ready when version 11.0 comes off the factory. Wait a year and let Microsoft or whoever figure their stuff out. But for minor versions and security patches you really do have to keep pace. And then again it's back on the customer, and in Josh's case he doesn't have three M1 MacBook Pros to test his updates on. So for consumers, they just get screwed sometimes.

Joshua Schmidt:

Yeah, and the cost of these plugins is sky high. I mean anywhere from a couple, $20, $30, up to thousands of dollars for some of these audio suites, whether it's orchestral strings, and it kicks into the thousands of dollars. So when those things don't work, then not only do they not work on something you're working on now, but if you have to go back to an old session of a song that I was working on for the Olympics, for example, from three years ago, that's not going to work either. So what a lot of my cohorts do is just not update, and they stay way behind the crest of that wave and they just take the security risk in order to have the workflow be there for them when they need it. And I can do that. My last MacBook, I just stopped updating it. I just turned it off at one point because I know I can get another year or two out of it. At like year five, updates are off. It's just going to be that way until it dies. And now it has a big bulge in the middle of it and doesn't sit quite level. So I don't know if it's even safe for me to use anymore. Yeah, don't bring it on an airplane. I don't know how that lithium battery is doing, but OK. Well, that was fun.

Joshua Schmidt:

Yeah, let's go on to the next article, unless anyone else has anything to add. It's always fun to talk about AI and ChatGPT, and so this article grabbed my attention. I'll do a little intro to what I found here. It looks like over 101,000 compromised OpenAI ChatGPT account credentials have found their way onto illicit dark web marketplaces between June 2022 and May 2023, with India alone accounting for 12,632 stolen credentials. The credentials were discovered within information stealer logs made available for sale on the cybercrime underground, Group-IB said in a report shared with The Hacker News. So you know, normie question. What are they referring to being stolen when they're talking about logs? Are the malicious actors stealing the questions and the requests users are prompting into ChatGPT for the outputs, or is this just login information and personal information?

Scotty Rysdahl :

So it says in the article there that some of it was stolen credentials, so it's presumably usernames or emails and passwords. Usually when you store a password in a database that's connected to the internet or anywhere, you don't store it in its normal form. You store what's called the hash of it, so it's a one-directional cryptography. So it's like encrypting something without the option to decrypt it, by design, and then that version of it is what's checked every time somebody logs in. And the point is that when they get breached and the hacker grabs these 100,000 credentials, they have kind of the scrambled version. It's unique to what the real password is, but it's scrambled to the point where they can't just say, oh, it's MyToyotaTruck77, and then go try to breach other accounts belonging to the same person. So it's meant to kind of limit the blast radius, as they say, of any particular breach. But yeah, if chat logs, ChatGPT logs, were also stolen, that would be those interactions between the customers and the AI. So, write me a job description.

Scotty Rysdahl :

Write me a resume, clean up my resume, and so the input and the output of those interactions between humans and the AI. If those are stolen, you can only imagine what kind of sensitive information would be in there, like, I mean, everything from embarrassing personal stuff about hair loss, who knows, to those weird conversations that we've all had with AI to try to see what it's capable of, talk to me like a pirate, just kind of the weird things that you do, to very sensitive trade secrets and source code for applications that programmers at different companies are trying to have the AI help them debug, for example. So the most sensitive trade secrets just about could end up in these systems, which is obviously bad for the customers who are affected.

Joshua Schmidt:

Like, can I mix my Cialis with my Prozac?

Scotty Rysdahl :

Exactly, seriously. Bing now is using OpenAI for search results, right. So imagine if that data is in there. You get all sorts of potentially very sensitive, just normal everyday person type questions that, yeah, probably shouldn't be shared with the world, right. This article is from June 20th, but I imagine, and maybe the article says that, I didn't see it in there, that these actually were stolen back in March when the OpenAI data breach happened. So it seems like this article is just saying it's news now because these things are being posted on the internet, right. So the breach happened months ago. Now we're seeing these things for sale out in the darker parts of the internet.

Mandi Rae:

Dark Web is like the upside down.

Scotty Rysdahl :

Yeah, yeah it very much is.

Joshua Schmidt:

It seems like there'd be a ton of information to parse through to find anything valuable, especially if a lot of the ChatGPT answers that I've received, or the prompts that I've given it and then it spits something out, are very long depending on what the prompt is. But I'm sure there's systems in place that can skim through that, looking for keywords and whatnot, to identify personal information, things that might be of value. Is there something that you're aware of that? Because not only are people using these but businesses have started to adopt these into their workflow. I think that's the bigger part of the issue, like sensitive information that they're putting into these things without thinking about security ramifications.

Mandi Rae:

That's what Scott was mentioning earlier. Yeah, it's the proprietary data that they're looking for.

Scotty Rysdahl :

You can see the footnote there at the bottom of the screen. Employees enter classified correspondences or use the bot to optimize proprietary code. So that's exactly the worst-case scenario for the customers there. ChatGPT's standard configuration retains all conversations. This could inadvertently offer a trove of sensitive intelligence to threat actors.

Joshua Schmidt:

So this seems like something that might be inherently a problem with AI, because of the nature of it learning from, based on the logs that it's keeping of conversations. It seems like it would be even more vulnerable to this type of hacking and gleaning some of this value from these things since it has to save so much data, so many conversations. Is AI more valuable to hackers in the long run because of the nature of it storing all of these conversations?

Scotty Rysdahl :

Yeah, I think what you just said is the key point. It's not really that it's AI, it's that the conversations are stored. It's kind of back to this idea about where does your data live. So 10, 15 years ago, everybody's data lived in their own data centers, on their own servers in the offices, and so there was this kind of clear perimeter to every organization's network and kind of digital footprint, and it often corresponded to the physical perimeter that they have, their offices, their leased data center space.

Scotty Rysdahl :

But now, in the intervening time, we've all moved to the cloud and our data lives in data centers owned by just a few big players, along with everybody else's data, and so when breaches happen out in those places, depending on the type of cloud service that we're talking about, the impact is potentially bigger.

Scotty Rysdahl :

It's kind of like the watering hole idea, where all these animals come to this one place to drink, and so that's a place for predators to go and attack. So if it was possible to host your own version of OpenAI, which I think is something they do offer or are going to be offering, just like any other retail IT product, if you could take that and put it in your own environment, the risk of this kind of breach goes down significantly because your data is not out there with everybody else's data. I'd imagine that you'd pay a premium for that privately hosted version of the service, but the same is true of the cloud. The more you want to have control over where your data lives and how it's secured, the more money you're going to pay for that privilege if you're trusting it to some third party.

Joshua Schmidt:

So are these clouds safe with our sensitive information? Because, for one, I don't post my children on Facebook, for example. To each their own. That's just not something I was comfortable with. But I know they're on a cloud because I'm storing all my photos on my phone and whatnot. So how safe are these clouds in comparison to some of these apps like ChatGPT and things like that?

Mandi Rae:

I mean, I don't think anything is safe anywhere. Do you have a strong password? Do you use MFA, two-factor authentication?

Scotty Rysdahl :

Yeah, that's a good answer. I would say it depends. It depends what security protections are in place, and one of the benefits of the cloud is that they're dedicated to doing this type of hosting, whereas a company just running their own servers in their own locations maybe don't have the maturity or the expertise or the money to put in the same kinds of protections. So I think most of the big cloud providers like Amazon and Microsoft, they don't really publish directly the physical locations of their data centers. You can find them and they'll tell you generally where they are.

Scotty Rysdahl :

You know, they're in Virginia, they're in Oregon, they're in the Bay Area of California, but if you ever go look at some of these places, it's like a military outpost. There's multiple layers of razor wire fences. There's humans with the kinds of weapons you would expect patrolling 24/7. There's biometric multi-factor authentication to get into the facility. Every person's access is based on the job that they have. So the security guard on the outside can't necessarily get to the data center floor on the inside. Each cabinet is locked and secured and there's a short list of people who can get to it. So is your data secure out in the cloud? Maybe more secure than your company could manage to keep it in your own offices.

Mandi Rae:

But again, the threat is the people. So everything Scott's saying is right, they are absolutely securing our data, but if your password's Summer2022 and you're using it across multiple things and you end up getting phished or something, then that's where you have a compromise.

Joshua Schmidt:

How did you know my password?

Scotty Rysdahl :

It's right there on the list of the top 10 worst passwords from 2022.

Mandi Rae:

Your dog's name yeah.

Scotty Rysdahl :

So it's a trade-off. You do get a lot of security just by being a customer of AWS or Microsoft Azure or Google Cloud Platform, but you're also voluntarily putting yourself in those watering hole locations where everybody else is keeping their data, so it makes the reward from compromising those things a lot more lucrative.

Mandi Rae:

You know more about data centers than anyone I've ever talked to.

Scotty Rysdahl :

They're pretty cool. Actually, I'm glad I don't work in one, because really it's just like working in a warehouse full of noisy machines of any kind.

Mandi Rae:

That you can't touch, can't do anything with. Yeah, I wouldn't mind being the guy walking around with a gun, though. That'd be a pretty tight gig. Well, security there, physical security.

Scotty Rysdahl :

Yeah, I mean, you could wear a camo jumpsuit in your day-to-day, Mandi, and I don't think anybody would complain. It'd be epic, I may even start.

Mandi Rae:

You know, as I was reading through that article, something caught my eye, but I'm coming into it very naive. It mentioned how Raccoon was one of the primary info-stealers. So it said, a further analysis has revealed the majority of logs containing ChatGPT accounts have been breached by the notorious Raccoon. What do you guys know about Raccoon? Because I looked it up and there's some other interesting things going on with them. Is it a person? Is it a process? Is it a, what is it?

Joshua Schmidt:

Well, I'm going to throw this up, yeah.

Mandi Rae:

That's a great idea.

Scotty Rysdahl :

Actual photo of this is young yeah.

Mandi Rae:

Yeah, so does anyone, Scott, do you know about who's the notorious Raccoon info stealer?

Scotty Rysdahl :

Yeah, so, just in my 30 seconds of Googling here while we were talking. So an info stealer in general is a type of malware. So it's not a person, it's a program. It's a virus, right, and the purpose of them typically is to infect a computer and just kind of hang out and wait to see what types of valuable information they might be able to pull out of the passwords saved in your browser, the text on your screen right when you go to your online banking account, credit card numbers that you enter into Amazon or whatever. So they're typically meant to just hang out quietly and then look for certain activity happening on the screen, in memory, specific programs that are launched, that sort of thing, and just send that stuff back to Stalingrad or whatever for resale and reuse by whoever's behind this thing.

Mandi Rae:

So that really reminds me of some of our earlier podcasts about personal information security and how we talk about, as a best practice... I totally get it. It is convenient to save your password in your browser, but don't. I totally get that putting your credit card in and having that saved so that you can make those impulsive online purchases is so easy. But don't do it. Like, these are exactly the kinds of things that are out targeting innocent people. Well, Raccoon isn't just doing that. So if you've got any more images of Raccoon as a threat actor, I found it really interesting.

Mandi Rae:

There's an article about malvertising, which was kind of a new term. I mean, I know malware and advertising, so now we're doing a mashup. So, new malvertising campaigns via Google Ads target users searching for popular software, and so, how interesting, you do a Google search for some software, the ads are popping up, you go with one of the top, most popular ones, and guess what? They're going to redirect your traffic from a benign site. They're going to have you download a malicious file. I wanted to talk a little bit about that, targeted ad campaigns being kind of one of the new things to be worried about. Or is this an all-the-time thing? Malvertising. Scott, have you ever used that word?

Scotty Rysdahl :

Yeah, it's one of my least favorite cybersecurity portmanteaus, is that how you say it? Yeah, but yeah, it's exactly sort of what you described, Mandi. It's leveraging very, very common ad networks, ad resellers like Google. Google is not a technology company, right, they're an advertising company. That's what they do, and so if you, as a malicious person, want to get your attacks in front of the right people, Google is happy to help you with that. Right, they maybe don't intend to, but their business is targeted advertising. So if I want to sell a new diet pill, I don't want to spend a bunch of money putting it in front of people who aren't looking for diet pills. I'm going to have Google put it in front of people who search for diet pills, Ozempic, whatever the case may be, and then my... That's a hot one right now too, Scott, good call. It is super hot.

Mandi Rae:

Yeah, yeah, SEO, Ozempic, Ozempic, Ozempic.

Scotty Rysdahl :

I see all those commercials in my nightmares, may cause hallucinations and internal bleeding.

Mandi Rae:

Now it's going to cause targeted ads on your screen.

Scotty Rysdahl :

Right, right, especially now that we're saying it out loud.

Mandi Rae:

That's why I said it three times, my Alexa's going to grab it. No, I'm going to start seeing targeted ads too. If you scroll down, I think there's a really... This first graphic is really cool to kind of explain it, and sorry if I was speaking over you, Scott, but down a little further they kind of show... you can see where the threat actor is lurking in this timeline-type format.

Scotty Rysdahl :

Yep. So yeah, if they can use a little bit of money to put ads in front of the right people, like, let's say, they're targeting people who use... enterprises who use a particular kind of software, right, maybe like SAP or QuickBooks or something. So maybe, if they know that they have a way to attack QuickBooks, I guess this is a really bad example maybe, but they would target those mal ads to those search results, which you can kind of see in the first diagram up there, and then they would, you know, Google offloads the click, right. So somebody clicks on the ad in the search results, they offload it, they send it to the ultimate destination, and then the attackers, like it's showing here, are able to, you know, sort of launder that click through whatever intermediary points are needed to kind of make Google or whoever not really care where the ad is going, but then ultimately land at a malicious page that maybe is meant to look like QuickBooks or look like whatever it is that the target is. And then I don't think we've talked about the Chrome vulnerabilities yet.

Mandi Rae:

But that is a nice segue.

Scotty Rysdahl :

There you go, man. You're three steps ahead. So then they know that whatever the ultimate landing page is for this attack, the people who get there are primed to already, you know, either be vulnerable through, let's say, a browser exploit or, you know, download, like it says here, download grammarly.zip that contains the malicious content, whatever it is. So what better way to get your virus out there than through Google, you know, the most used website on the Internet, to target it with the most advanced ad targeting technology on the planet?

Mandi Rae:

It's just feeding into this whole thing. Threat actors have it easy these days.

Scotty Rysdahl :

Yeah, these Fortune 500 companies will do all the work for them.

Mandi Rae:

Exactly.

Scotty Rysdahl :

Yeah, but to Mandi's point earlier, Josh, this is another reason that you want to look into an ad blocker, because this is pretty common and, just like there are targeted versions of these attacks, there are untargeted versions of these attacks, drive-by downloads, as they call them, where people just sort of end up at a malicious website. And if you had a little more security, you know, automation, looking at the places that you're going on the Internet behind the scenes, you can avoid a lot of those kind of sketchy parts of the Internet.

Joshua Schmidt:

I like hanging out in sketchy areas though.

Mandi Rae:

Go to the dark web.

Scotty Rysdahl :

Yeah, yeah, you can do that. You just got to bring the right sort of you know prophylaxis.

Joshua Schmidt:

So, on that note, you know what are some great ad blockers, or what can I and other people do to block ads and, to you know, secure ourselves even further?

Mandi Rae:

I was going to say I'll let you answer, but I'd love to drive people to check out our personal information security series. It was a four-part podcast series. Comes with checklists. We go through ad blockers. We also talk about other things, like how to keep kids and teens safe. It looks really deep into your personal security and the things you do, banking. Talk about cookies. Cookie... Is it Ghost? Is that the name of it? I'm trying to think of the one that... Let me look and see what I have.

Joshua Schmidt:

Is this an app you're running, like a VPN, essentially, or is it... It's a privacy ad blocker.

Mandi Rae:

I say Ghost just because it looks like it's part Pac-Man ghost but part Snapchat figure, you know. So I just never really know.

Scotty Rysdahl :

Yeah, that one's good. There's Adblock Plus, which has been kind of the standard browser-based ad blocker for a long time. They all have their pros and cons, but, yeah, putting something right in the browser is a great way to go. I know Google, for their part, has been fighting a war against ad blockers, for reasons you might imagine, for a long time, and I think Chrome is going in the direction of not supporting a lot of those things anymore. That's probably a whole episode in itself. But if adding extensions to your browser isn't the way to go, and there are security pitfalls with that too, because that whole ecosystem is also fraught with, you know, mal... mal extensions and things... Malvertising.

Scotty Rysdahl :

Yes, I really like that word. But there are easier and harder ways to do it. That can get pretty geeky. There's a free project called Pi-hole. I'm sure, Mandi, you've heard about this before.

Mandi Rae:

I mean, I use the word piehole quite a bit. These names keep getting better.

Scotty Rysdahl :

This is why we're in Infosec.

Mandi Rae:

Nothing's more fun.

Scotty Rysdahl :

Yeah, so Pi-hole is something that you actually install on, like, a little computer or a big computer, whatever you have in your home, and it sits on your local network and it sort of sits in the middle between you and the internet, sort of like a VPN or a proxy, but different, and it maintains its own lists of bad sites and it'll just transparently, without any interaction with you, it'll just kind of swat down those attempts to go to sites that it knows are bad, which is pretty cool. If you don't have the interest or the technical expertise to set something like that up, there are free services, like Cloudflare has one. They're worldwide DNS networks, which... we're going to get back into the techie weeds here. There's also one called Quad9. But all you have to do is you go into, like, your internet modem, so the Comcast modem or whatever it is that you have, or you could even just do it on each of your devices, and you change what's called the DNS server, and without spending a lot of time on this...

Scotty Rysdahl :

DNS servers are what turn names like yahoo.com into numerical internet addresses that the internet can use to get traffic and bring it back to you. Right, so you can use these services to do that translation for you, and they're not just doing the translation, they're also doing their own, like, threat checking against the results that they return to you. So this is by far the easiest way to do that, is to use Cloudflare, use Quad9, and just have your whole home use that to resolve internet names into internet addresses, and then you don't even have to think about it. And if you go to a site that's sort of blacklisted or disallow-listed, it'll just flash up a page saying, hey, this is a bad page, you shouldn't go here. So yeah, I don't know. Do we add things to show notes like this so people can use some of those resources? We could throw some of those in the notes. Huh, you throw it in the chat, yeah, we're on the website.

Scotty Rysdahl :

Yeah, yeah, I will. So yeah, depending on your technical acumen, there you go com.

Scotty Rysdahl :

Yeah, and hey, if you wanted a personal security review, IT Audit Labs has done those. We've gone to people's houses and set up little network security devices like this for people who are, like, VIPs, you know. So the CEO of a company might be worth spending a couple hundred bucks to protect, even in their home. Or if you're just someone who has a particular threat that they are concerned about, you know, maybe you've had a stalker, maybe you've... whatever. Whatever the case may be, IT Audit Labs can offer that service. We're happy to come in and do a little home security hygiene inspection and give you some tips. There's the plug. So I think we are...

Joshua Schmidt:

Pi-hole. Shut your piehole, TM. That reminds me of the one on Silicon Valley. What was the company? Have you guys ever watched Silicon Valley? Their company was Pied Piper. Yep, I love that.

Scotty Rysdahl :

Yeah, you know what we should do? A whole episode on, like, cybersecurity portrayals in media. That's actually a pretty fun topic, and we could show some clips and laugh about it.

Mandi Rae:

There are so many movies and so many shows. I think we recently did a social media poll just talking about, like, have you guys... Oh, I won't even bring it up. Eric would be so upset if we talked about the new season of Black Mirror, but I want to encourage everybody to watch the new season, episode one, and let's do a podcast about it. Really digs into data privacy to a crazy extent, but it's incredibly entertaining. Yep.

Joshua Schmidt:

I would like to do that too, and also maybe even talk about some of our favorite movies. Scott, you mentioned Hacker... Hackers. Yep.

Scotty Rysdahl :

Swordfish, The Matrix, what else is...

Joshua Schmidt:

I was at the lawnmower man.

Scotty Rysdahl :

Oh yeah, Hellraiser 2 or 3 takes place in, like, the metaverse. I think Ready Player One is a great one if you haven't seen that yet.

Joshua Schmidt:

I have not seen that yet.

Mandi Rae:

Yeah, I was thinking about the social engineering happening in shows, even just regular network, like White Collar, right, Blacklist, or... yeah.

Scotty Rysdahl :

Mr. Robot.

Mandi Rae:

Yeah, Mr. Robot is, like, my favorite. Yeah, good call-out.

Joshua Schmidt:

Well, there you go.

Scotty Rysdahl :

Even in a new episode.

Joshua Schmidt:

I was reading a Dean Koontz book and it was like, then I ate my Doritos, or... Like, what? This is oddly specific. Several mentions of different products. This has got to be placed in here intentionally. Yeah, cool, so let me pull this up. The last article we want to talk about is Chrome and its vulnerabilities. During 2022, SecurityWeek reported on 456 vulnerabilities, averaging 38 per month, including 9 zero-days. The high number of flaws needed to be patched poses a simple question: is Chrome safe to use? Scott, can you first tell us what zero-day means, because I keep seeing that. I think I know what it means, but yeah.

Joshua Schmidt:

I want to get your clarification.

Scotty Rysdahl :

Yeah, yeah, it's a common term. So it's a vulnerability that is disclosed typically with no immediately available fix and also with the knowledge that it's being attacked in the wild, as they like to say, like already. So it's the worst case scenario for a security vulnerability. The world knows about it, people are weaponizing it to carry out cyber attacks and the vendor, the manufacturer of the software or device, hasn't released a fix yet. So it's like everybody knows it's a problem and it just runs wild throughout the internet.

Scotty Rysdahl :

For as long as it takes for people to patch, and that's usually not days, it's usually not even weeks, it's sometimes months and even years that it takes for patches to make it literally around the world and have full adoption. And we talked earlier about some of the reasons that might be. You know, patches break things. Patches often require you to have a support agreement or, you know, a current supported version of a product. So zero-days are bad, but there's, like, this whole, you know, time period of months where, you know, the world catches up with whatever the released fix is, whenever it's released.

Joshua Schmidt:

Mandi, do you use Chrome?

Mandi Rae:

I do sometimes, but the thing that triggers me about Chrome is very similar to, like, why I don't like TikTok. You know how the privacy, data privacy, was in question with the TikTok user agreement and everybody was kind of up in arms about that over this past year, and it just kind of made me giggle because it's like, well, what do you think Chrome is doing? Like, everybody's doing this to monetize something, and so they're looking at your locations, your searches, your browsing history, and they're saying they're all doing this for, like, personalization preferences. But it's a monster. So I use it in work and business, but not my favorite browser.

Joshua Schmidt:

Do you use Edge, then? Or what is your go-to? Gross.

Mandi Rae:

Safari or Firefox is what I predominantly use. How about you?

Joshua Schmidt:

Well, I've been using Chrome since I got my new computer. There's certain things and websites that don't work very well in Safari, like MinnesotaCare, for example. I don't know why it doesn't like Safari and just won't open certain pages. But, Scott, what do you use?

Scotty Rysdahl :

I use everything. It just depends on the context. So, fun fact, Edge is actually Chrome. A few years ago, Microsoft gave up on developing their own in-house browser to some extent, and they took Chromium, which is the open-source project that's developed by Google but also by people outside of Google, and then they take that source code and they build Edge using that source code. So, under the hood, Chrome and Edge are essentially the same thing, with little customizations from Google or Microsoft, depending on which one we're talking about. So if something affects Chrome, it's very possible it affects Edge too.

Mandi Rae:

I'll have to see if I hate it less now that I know that, because I don't know if it's an aesthetic thing or a functionality thing. But yeah, not my favorite.

Scotty Rysdahl :

It's just cool to hate Microsoft's browsers too, because they're always kind of a joke. But if you work in the enterprise, a lot of times it's mandatory to use Edge especially, or maybe Chrome. A lot of organizations do enforce standardization so that they can support fewer things for their customers. Firefox is great and it's been great for a long time. It's privacy-focused. It's a nonprofit organization that develops it. It has a really good ecosystem of plugins with things like ad blockers and privacy. But just like, Josh, you were saying about MinnesotaCare, because Chrome slash Edge is the, you know, elephant in the room, because it has the majority of users, that's what most sites are developed for. So does Safari get the same kind of developer attention and debugging as Chrome when any company is developing a web app? No, probably not. And Firefox is even more of an afterthought because it has a smaller slice of the user pie.

Joshua Schmidt:

You know, most people like me aren't thinking about these things in the same way that you folks are. So that's my role in this podcast, but hopefully I'll learn a few things as we keep going. But yeah, I don't think most people are thinking about this. You know, like I mentioned previously, most of my cohorts aren't even updating their OS, let alone worrying about things like this. So, yeah, it's quite shocking. It's quite shocking. Why is such a big company like Alphabet having these issues? It seems to me from reading this article that it's a money thing. Once again, the security kind of falls into a secondary or tertiary spot in terms of priority, below rolling out the shiny new things they talk about in this article, and that's just to capture market share. That has really nothing to do with anything else other than money.

Scotty Rysdahl :

Yeah, so there's a graphic that you find in the IT world from time to time, and it's sort of like this. I remember it as a triad. I could look it up, but it's like a triangle, and so there's security on one point, features on another point, and then, like, ease of use on the third point, and so your product is always going to find itself somewhere within that triangle, and if you're closer to one point, you're farther away from the other two. And so if there's a finite amount of developer time that you have to dedicate to something, what are you going to do? What are you going to prioritize? Features, ease of use, or security? And every software development manager has to make that decision, you know, and so often features and ease of use get prioritized and security gets a back seat, because it doesn't get across to the consumer as a benefit like the other two do.

Mandi Rae:

Until there's a breach. Until there's a breach, and they never... I think that was really well stated. And then everyone cares.

Scotty Rysdahl :

And then everyone cares and says, how dare you not prioritize security? Yeah, it's an impossible battle to win.

Joshua Schmidt:

So what can we do to stay safe on these browsers? We might have already mentioned this, but if we could give people a couple bullet points for the shorts and the reels and let people know what can we do to stay safe on these browsers?

Scotty Rysdahl :

Well, in general, security is best applied in layers, right? Just like an onion or an ogre. You don't trust any one thing to keep you safe. You layer on the protection to make it harder for any one attack to be ultimately successful, right? So keep your browser updated is always good advice. Use antivirus or PC security software that is capable and is well regarded. So nowadays that's things like EDR and XDR, which are kind of the next-gen antivirus, and they're not just looking for bad files, they're looking for bad behaviors, things like that.

Scotty Rysdahl :

So use a good personal security product like that. Store your passwords in a password manager that's secure, so that even if someone were to compromise your computer, it would be hard to access those crown jewels, that really important, sensitive information that you have. Don't reuse your passwords from site to site, right. Have secure passwords that are separate for each site. So if one site gets compromised, like the OpenAI thing, those hackers don't immediately have access to all of your other services too.

Scotty Rysdahl :

Before you even hear about this hack. I think someone mentioned this earlier, I don't remember how it came up, but delete data that you don't need, right? So a lot of corporations will have retention policies, right? So if you don't need emails older than two years, if that's company policy, just delete them, and then, if you get breached, the hacker has less data that they can extract and misuse, and that goes for personal stuff too. If you don't need digital copies of your bank records forever, store them offline, print them up, put them in a filing cabinet. So yeah, just look for layers, look for different ways to increase your overall security. It's a cumulative thing, and the more that you do, the harder it's going to be for somebody to ultimately get to something that really disrupts your life.

Mandi Rae:

That was really good.

Scotty Rysdahl :

Thanks. I've given that speech like once a month for my entire career.

Mandi Rae:

I'm not giving you any money to add to it.

Scotty Rysdahl :

Oh, the DNS filtering. So do use Cloudflare or Quad9 for your personal devices and your home network to let somebody else worry about what good and bad sites are, and so you can kind of browse a little more carefree.

Joshua Schmidt:

I'd like to schedule my IT Audit Labs assessment now.

Scotty Rysdahl :

We'll probably give you one on the house.

Joshua Schmidt:

This is something I thought was really interesting, kind of ties in to our conversation today and then also my world, which is this music world: how Billy Corgan paid off a hacker who threatened to leak the new Smashing Pumpkins song. So I guess this is becoming more and more common in, at least, the top 1% of the music world, Taylor Swift, Smashing Pumpkins, those top-level musicians. I think most musicians wouldn't care if someone leaked their song before, if it got more plays on Spotify or any kind of attention. But this seemed like a big deal to Billy because he actually, I think, paid a hacker to get involved, to hack the hacker, or the hacker... It stole several songs and was blackmailing him, essentially, that they would leak the songs. So I think this is going to become even more relevant to the cybersecurity world, for even musicians, especially the top-tier ones, like I mentioned, hiring security firms to keep their data safe.

Joshua Schmidt:

I've also actually even heard of instances of stealing ideas and going into top-level producers like Max Martin, who does Ed Sheeran. He's just... he's done pretty much every hit for the last 10, 15 years. But if you can hack into Max Martin's, you know, Pro Tools computer at his studio, what kind of hits can you steal, you know? Or DJ Khaled, what... What do you... What can you get? You know how much fun would that be for a hacker, right, and then also be able to sell that information to other producers, or, you know, or blackmail the record label, right? The same thing happened, boy, like 10 years ago now, right? In the big Sony hack.

Scotty Rysdahl :

You guys remember that? Sony got breached in, like, 2011 or something, and the people, the attackers behind it, were sort of blackmailing them, and they were going to release, you know, I think, if I remember right, it was that movie, Joe Rogan and... what's his name, who go to North Korea and hang out with Kim Jong-il. You guys remember this movie? Oh, oh yes.

Joshua Schmidt:

Was it James Franco or something? He's from...

Mandi Rae:

Knocked Up. I can see him, yeah.

Scotty Rysdahl :

James Franco, yeah. It wasn't Pineapple Express, but it was around that time.

Joshua Schmidt:

It was the same guy, Seth Rogen and James Franco.

Mandi Rae:

Yes, there you go, thank you.

Scotty Rysdahl :

The Interview. The Interview, yeah. So that was one of the movies that was stolen, I think, in that breach, and the hackers released it or threatened to release it or whatever. So just, yeah, like the Corgan example, it almost doesn't matter, you know, what industry it's in. Everything's digitized nowadays and everything has value. So if you can break in somewhere, you find what's of value and then you can extort and sell, and it doesn't even have to be tangible or streamable.

Mandi Rae:

Sometimes it's just proprietary data, sometimes it's emails where people are saying things that they shouldn't be.

Scotty Rysdahl :

Yeah, the golden age of data breaches is still here.

Mandi Rae:

So protect what's important to you and call IT Audit Labs or go to itauditlabs.com.

Joshua Schmidt:

And shut your piehole. I'm sorry, I'm not going to stop saying that today. This was a really fun conversation. I know we kind of wandered all over the place, but I think that's great.

Mandi Rae:

You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing on Apple, Spotify, or wherever you source your podcasts. More information can be found on itauditlabs.com.

Exploring the Rise of Software Vulnerabilities
Software Update Issues and Security Vulnerabilities
AI Conversations and Data Breaches
The Dangers of Targeted Ad Campaigns
Browser Security and Privacy Concerns
Data Breaches and Cybersecurity in History