The Audit - Presented by IT Audit Labs

Cybersecurity in the News: DDoS Attacks, Public Library Breach, Phishing and More

June 17, 2024 IT Audit Labs Season 1 Episode 43

Welcome to the latest episode of "The Audit," where we bring you the most pressing news, issues and insights in cybersecurity. 

In this live episode, we cover the recent ransomware attack on the Seattle Public Library, the $37 million theft from Coinbase Pro users, and the sophisticated gift card fraud by the Moroccan cybercrime group, Storm 0539. We share our insights on how these attacks happened, their impacts, and practical advice on how to protect yourself and your organization. We also explore a theoretical DNS bomb DDoS attack and the intriguing use of Flipper Zero devices to control wristbands at large events. 

  • Seattle Public Library ransomware attack and its impact 
  • $37 million phishing scam targeting Coinbase Pro users 
  • Moroccan cybercrime group Storm 0539's gift card fraud 
  • Potential threat of DNS bomb DDoS attack 
  • Flipper Zero devices hijacking event wristbands 

Thanks for tuning in! Don't forget to like, subscribe, and share your thoughts in the comments. 

#CybersecurityNews #Cybersecurity #Ransomware #Phishing #ITSecurity #TechNews  

Speaker 1:

All right, well, welcome to The Audit. Today I'm joined by Nick and Josh and we're going to talk about security in the news, so we've got a couple articles that we'll talk through and just wanted to say thanks to the listeners who are joining us. This is our first time going live. We'll see how it goes. First time for everything, first time for everything. Yeah, Josh, was there a place you wanted us to start?

Speaker 2:

Yeah, I just also wanted to call out that this episode will be recorded and edited and then we will be publishing it in a few weeks. So if you missed the live stream today, don't worry. You can find all of our episodes on all the streaming platforms, especially Apple Podcasts and Spotify, as well as YouTube if you want to watch the video as well. So we'll jump right into it. We're going to kind of just do a popcorn style news episode where we're talking about some current events and getting Nick and Eric's expertise on the matters we're going to start with.

Speaker 2:

"Cybersecurity Attack on Seattle Public Library Impacts Multiple Tech Systems and Online Services." So this came out on the 28th of May. The Seattle Public Library was dealing with what it called a ransomware event impacting its technology systems on Tuesday, causing disruptions to a number of online services offered by the library. In reading this, Eric, this must be something akin to what you're dealing with on a regular basis in your job, and I wondered if you had any insights on this and could kind of shed some light on the situation for our listeners.

Speaker 1:

Yeah, you know it's unfortunate that this happened.

Speaker 1:

Right, you know, kind of one of the common denominators where a public entity is available to people from all different backgrounds children, adults, what have you and to attack something like this is, you know, it's unfortunate that it happens.

Speaker 1:

I've worked in the public sector space, consulted in that space for a while and it looks like they were able to get into the areas of the network that would impact those services that would go out over the internet.

Speaker 1:

So that's one of the things that we've typically tried to do is separate, when we're working with public infrastructure like that, separate out the really public-facing devices, like the machines that you would see when you go into a library and if you wanted to work on a resume or what have you, you could. Some libraries have things like 3D printers or other things that the public can come in and use, and in one of the scenarios we would use certainly had good malware or anti-malware on the machines, but every night we would just refresh those machines. So, using technology called Deep Freeze, it would just essentially rebuild those machines, because if you don't do that, people are attempting to install all sorts of things on those computers, and I had one instance where two women came into the library, put a USB drive in the machine and were attempting to join that machine to a botnet.

Speaker 1:

So we had some alarms that went off from a malware perspective that this was happening. It had blocked it, but we were able to get some information about the USB device. We worked with other libraries in the vicinity and had seen that these two individuals had tried to do it to other libraries as well. Once the alerts went off on the detection systems, we then worked with property management to pull the video footage so we could actually see who it was.

Speaker 1:

The footage wasn't great, but we could identify the two individuals, and then really we're looking for patterns of behavior where they were coming in, and we didn't see that they had come back after that and done this, which again is pretty unfortunate, because that could have been pretty bad if they did gain a foothold on that library, and then that library certainly might be trusted by other public entities. An IP address coming from the library connecting to a city or county or state agency. It might not be.

Speaker 3:

Do we know what the point of attack was, what the point of entry was here?

Speaker 1:

They were trying to join the machines to a botnet.

Speaker 2:

Okay. So, in this instance here in the Seattle Public Library. It said this is a ransomware event. What's a ransomware event for normies like me or non-cybersecurity professionals? How would you explain that to someone at a Thanksgiving table?

Speaker 1:

Yeah, ransomware is simply a way of locking the machine, encrypting the machine, so that the IT organization would have to go through either a recovery event to restore services to those machines or, in some cases, if they're unable to do that, then rebuild the environments. Or what the malicious actors are looking for is to pay the ransom so that the machine could be unlocked. Really, it's financially motivated. Ransomware is just one of the attack vectors that malicious actors use in order to monetize their attacks.

Speaker 3:

This is happening more and more each day. We hear about these, unfortunately, in the news a lot, but there's no way to know for sure, if you pay the ransom, if you're actually going to get your data back right. We don't know that for sure. Right, we're working off, hopefully well, not much goodwill of the attackers, but you know, if you pay the ransom, who's to say they're actually going to unlock that data, right? So you do run that risk as well.

Speaker 2:

What kind of data is actually tied up in a public library that would be of value to a hacker? I mean, isn't it just like, because you know my library records is just a bunch of children's books and you know Clifford the Big Red Dog and Peppa Pig, you know?

Speaker 1:

So is that something like people should be concerned about, or Well, I think anytime a threat actor can get access to private information that's valuable to them, so being able to correlate names, addresses, phone numbers, other sensitive information that would be stored at the library, and then potentially pivoting into deeper areas of the Seattle system, right, so pivoting, getting a foothold in that environment and then potentially going deeper into payroll systems or HR systems or what have you. In this case, it seems like the threat actors were looking to maybe cause the ransomware event to happen. That would be visible and it could potentially get them some relatively quick money if Seattle decided to pay that ransom because they couldn't restore services fast enough. So sometimes we see that in public areas, where they're going to go after things that have broad public visibility in order to make a large impact. Maybe the entity will pay the ransom to make it go away.

Speaker 3:

I think Eric already touched on it. But you know, for me, in a situation like this at a public library, I think it's more of a, you know, OK, we got in here and this is maybe not the end point. We want to get to greater systems. You know, like Eric said, HR, you know, maybe it's legal, where more PII, PHI stuff lie, and they happened. Their point of entry was the library. They got in there and now they can jump somewhere else. But by default here there's PII.

Speaker 3:

They might have credit card information for late fees, whatnot? I think a lot of times a library or a county or whoever, they'd probably defer that to a vendor. Right, they take that tech debt so they don't have to hold any credit card information. No PCI, they don't have to be PCI compliant or anything like that. But to me I see it as a bigger worry that they're probably trying to jump to another system. We don't know how long they've already been in the library system to have that time to bump up against other portions of the network. So I'd be curious to see a review: A, how long were they in there? What information did they have access to? It sounds like everything in the library. And were they able to get somewhere else? So it's a little pretty scary that, you know, how much time they had in the system at a broader scale, either in this environment or a different environment.

Speaker 1:

From a user perspective, Josh, you bring up the Thanksgiving table conversation and not to sound like a broken record, but reuse of username and password. So if you're a member of the library and you're logging in online to check out a book or what have you, or use the services, it's not using that same username and password on other sites, so that username and password would be compromised here but not anywhere else. If you were reusing or if you were using a different password for different sites and you could do that with a password manager.

Speaker 3:

It just shows how important using different passwords for different systems, if you have a login at the library, to keep those things separated, like Eric's talking about, use a password manager because you just can't undersell or oversell. How important that is, no matter where you're logging into, whether it's just a public library or not. So there's a lot of takeaways here for sure.

Speaker 1:

And it's probably the same thing, Josh right, Lock your credit, use a password manager. If you did those two things, you would be pretty safe.

Speaker 2:

I think that's great practical advice. I still need to shore up my own security a little bit, but We've all got work to do.

Speaker 2:

Yeah, we all have a little bit of work to do and it's hard staying on top of it, right? It's always changing. Yeah, every time I turn around, I have a new account somewhere, even just for the simplest stuff. Now they want you to log into everything, or just the interactivity with technology. One of my least favorite, I have to say, is going to a restaurant and having a QR code for the menu. If you're a restaurant owner and you're listening to this, please stop. I don't go to the restaurant to look at my phone. I don't know, I'm not a guy that takes pictures of his food. I want to go there and talk and have a beer and have fun. I mean, unless it's a you like take pictures of your cats.

Speaker 2:

Yeah.

Speaker 3:

I'm allergic, Nick.

Speaker 1:

Nick, you're taking pictures of your meals, aren't?

Speaker 3:

you Didn't that come up before oh yeah, I bring in the lighting rig. Got it all lighted perfectly, you know, got it all looking good and make all my relatives, or whoever I'm out to eat with, make them wait to take that first bite.

Speaker 2:

Yeah, gastronomical influencer and cat enthusiast.

Speaker 3:

I don't know all those social turns. Thanks for that update.

Speaker 2:

Hey, I just want to give a shout out to the people watching live. There's been a few people coming and going. If you're interested in this topic and you have a question, please drop it in the chat, give us a like, give us a subscribe. If you're listening to this after the fact, you can always connect with us by leaving a comment on the YouTube video. So I just want to give a shout out there and we're going to keep things moving. Nick picked out an article talking about crypto Coinbase users, how fraudsters stole 37 million from Coinbase Pro users. A convincing phishing page and some over-the-phone social engineering allowed a group of crooks to steal over 37 million from unlucky Coinbase Pro users, and, from my understanding reading this article, Coinbase Pro has been sunsetted. You know that was like a pay to have like extra analytics on Coinbase or kind of a back-end access to some analytics, I suppose. What did you get out of this article, Nick? What can we take away from this, and what's to be learned here?

Speaker 3:

Yeah, from my understanding it is sunsetted. I think, for me, the article is shocking. A, because 37 million, no matter who you are, that's a large sum of money, but it just shows really how easy it can be if you're not paying attention. This could be used across any website, any platform, whether it's healthcare or a job. We've done many different reviews for organizations where we can stand up a website very quickly, make it just look like the correct one. I think it's incredibly shocking to me that people are not paying more attention with something like Coinbase, with so much money involved, right? So what's essentially happening here is the organization was able to stand up a website, or a front of the website, and look exactly like Coinbase. Users logged in, they, you know, were able to get their credentials and then they were able to go log into the Coinbase proper to actually, you know, remove money, move money around. So there's a lot of takeaways, but I think for me, the biggest one is, you know, even if you're going to the app, well, I would recommend using the application right on your phone. That's probably the safest way to go about it. If you're using anything online, you're more susceptible to, you know, attack here, but I think it shows down a little bit further.

Speaker 3:

You know exactly what the attackers were doing, you know, and how they were doing it, and essentially goes over kind of what I was saying just about, you know, recreating the webpage. But I know from past engagements we've done, and I just talked about this a little bit, you know, we've set up things from new websites, testing people to see, you know, we might pull them in saying, hey, we're testing a new website, you know, log in, let us know if everything works. What do you guys think of the new headers or new logos? And it gives you an option to maybe vote on those options, you know, and that pulls people in. Also maybe saying, hey, we'll give you some free Chipotle so you can test your, you know, food photography skills. And when you do so, you know, you'll get a gift card or whatever. And then we as the attackers get their login credentials and we're able to report back on the organization that, hey, we got this many hits. It's just another form of phishing, right.

Speaker 1:

So we, you know, this case probably more spear phishing or something like that, as we're directing towards a specific user personnel and we're getting their credentials. Nick, that reminds me that the burrito, right, your credentials for a burrito, that's just kind of. We still talk about that, right, from the engagement we did with the customer, and I know they talk about it too, right. I think that was the most successful phishing campaign that they had seen in a while, to get people to give their credentials for a gift card for a Chipotle burrito. And then the other one, same account, that was interesting was the tickets to the amusement park. I was waiting for you to bring that one up, where the phishing email was enticing enough with four tickets to an amusement park, and then when the person learned that it was a phishing attack and they weren't going to get the tickets, the hardest part for them was going back to their family.

Speaker 3:

We're not actually going to the amusement park and I'm not taking the day off, or, yeah, I think that turned into a bigger situation where they were a little upset that we, you know, essentially weren't playing fair. You know, and I would say to anybody listening, you know, we want to train as it's the real world, right, we want to train as realistic as it's going to could come to any of your end users. You know, and that might come with some bumps and bruises, like Eric was just talking about. Right, you might get a call from HR and say, hey, why did you do that? Well, that's what the attackers are going to do. So unfortunately, yeah, you're not getting the amusement park tickets or the burritos, but it's still incredibly important that we practice these tactics because, you know, we certainly know the attackers aren't playing by any rules.

Speaker 2:

So just for our listeners that are normies like me, you guys are creating these phishing campaigns within organizations to make sure we're shoring up security and then in social engineering and training the employees on what to look for. And I just had a really, you know, kind of interesting phishing attack on myself, my person. I think I got a text message or an email, I think it was a text message, saying my UPS package or my FedEx package had been held up in transit and I had to log in to verify my address and credentials. And, you know, it was really well done. I think it was USPS now, come to think of it.

Speaker 2:

And you know, you know a lot of those things we've talked about looking for. You know typos or just really bad. You know design or just shoddily throwing together websites. This was a really well designed website. And you know, and I think part of the problem is like the fatigue of just the volume of these coming in and then just it just takes that one second where you're kind of half distracted or you know you're doing something with your kids or you're at work and you just want, you know, make that email go away or that problem go away, and they catch you at the right time. So how do you balance training with the fatigue that people are feeling? Because if you send 100 phishing emails, it's just a numbers game, right?

Speaker 1:

Right, you're going to get in.

Speaker 3:

I think that's why we see a lot more attacks and breaches. I hate to say the B word, but we see a lot more phishing attacks or something of that nature on Fridays. I think it's just because we think a lot of people are going to be less sharp on a Friday, right, they're already thinking about what they're having for dinner. They're going to the amusement park, you know, tomorrow, whatever it is, you know. So they're much more apt to click on that link. You know, like you're talking about, Josh, we've all seen that.

Speaker 3:

I think I've got it from USPS and UPS and Amazon too. Those are familiar ones to me, and, you know, if we're giving any advice before we jump into more information about this, you know, for me it's if I get a text message like that. I have the apps for all three of those, right? So I'll jump into the UPS app and see if the notification is actually there, you know, and if I expect that message and I can check actually the tracking number, if the tracking number matches, that's probably one giveaway. But, you know, if the notification is not in the app, I'm probably not going to click on the link, no matter what.

Speaker 1:

But you know that's a giveaway and UPS isn't going to email you and say, or text you and say hey, you know, we can't deliver to you.

Speaker 3:

Yep. Set up that Informed Delivery, you know, application that they have, so you can get that data there. Josh, you were bringing up some more parts about this with more questions and I diverted to some advice.

Speaker 2:

No, I wanted to go to the advice, actually. I was going to say I use that technique of checking my Amazon app when I had received an Amazon scam phishing email. Eric, are there any other, like, little tips or tricks, like hovering over the URL, or just some simple practical things our users could be doing?

Speaker 1:

A lot of those things that you can do. Usually it'll be a malformed header in the email address. I think you got it. If it says it's coming from UPS but it's got a USPS and it's got a Gmail address on it, well, that's probably not legitimate. But they can spoof the email addresses pretty easily. I think it's one of those things where you're not obligated to click on any links. You're not obligated to open email. You don't have to respond to it. So you could not do it. I know it's hard for some people to not react to something that they get.

Speaker 1:

Send it to your. If you're at a corporation, you could send it to your IT team through the report suspicious email if they do that.

Speaker 2:

So I'll just forward it to. Nick, because Nick's my IT guy Just forward it to Nick.

Speaker 1:

Yeah, on the corporate side, if it's really bad, I mean, we're, you know, Nick, to your point around the Friday afternoon launches, I think in the last six weeks I've probably had to work on Fridays pretty late a couple of those times because of some of the things that came in, and then, you know, there goes the weekend.

Speaker 1:

So the volume of attacks, at least that we've seen recently, are really high in email and if you're using Microsoft's incumbent email filtering you're running with scissors because it is not good.

Speaker 1:

There's other third-party tools that sit in front of it or behind it, but the amount of stuff that we were seeing that was making it through the filter was just egregious, and the users don't know. It's really difficult if you're trying to do a job or you're in maybe more of a stressful job and you're trying to deal with customers or what have you, and then you have these emails coming in. You're just trying to respond and it says, you know, your IT team is going to shut off your email if you don't fill out this form, and you click on the form, and then the next thing you know you're getting a call from the IT organization saying that your password is reset because you clicked on a link. So I get it. From the user perspective, it can be pretty frustrating of not really knowing what to click on, but when in doubt, just ignore is what I would say.

Speaker 3:

When in doubt, don't click on it. Right.

Speaker 2:

Okay, we're going to move on from the Hacker News website. It's one of my favorite websites for grabbing these kind of articles. This last week, on the 27th of May, they're talking about "Moroccan cybercrime group steals up to 100K daily through gift card fraud." Is this another case of social engineering? I'm not quite sure. I'd like to get your guys' take on this. It says Microsoft is calling attention to a Morocco-based cybercrime group dubbed Storm 0539 that's behind gift card fraud and theft through highly sophisticated email and SMS phishing attacks. Well, I guess that answers my question. I guess I should have read the article, but that name is terrible, Storm 0539. There's way, way better hacker names. I'll let you guys take it from there. Yeah, it's, without a doubt.

Speaker 3:

You know, for me it's, you know, it's phishing, I think. A lot of times you'll get an email, or an organization will be an end user and, you know, it'll be the boss, like, or it'll be spoofing to be, you know, the manager or whatever, asking them to go buy a hundred, or, you know, whatever, 20 iTunes gift cards. But then, you know, further down the instructions, the instructions explain, scratch off the back and then send me, you know, a picture of the PIN and the number, right? So, you know, I think that's similar to what they're doing here. They're baiting people into doing, you know, something nice for somebody.

Speaker 3:

Hey, you know, I'm running out of time, I'm in a meeting, whatever it is, and can you go buy these gift cards? I want to give them out at, you know, our luncheon next week or whatever. And then, you know, scratch off the back, send a picture so I can do whatever, right? And, you know, maybe the receptionist or whoever has been tasked to do this, they're thinking, oh, you know, the big wig, he needs me to do something, or she needs me to do something, whatever it is, and they're going to just do it without asking questions. So we see that a lot. You know, that's things we've done, you know, in testing and, you know, doing reviews of many different organizations, and I think that's probably what the tactic is here.

Speaker 3:

Aren't gift cards like one of the top currencies of the black market, or just because they're untraceable cash? Yeah, exactly, and I think that's where they have websites dedicated to buying, you know, those gift cards. You might buy a Home Depot gift card. You get a $250 Home Depot gift card and you get it for, you know, $100 off or something like that. Right, because now they've just cleaned that money, right, and they don't care about the loss because that's all coming back to them and, like you said, Josh, it can't be traced.

Speaker 2:

I think it's interesting, learning about cybersecurity as I've been producing the podcast, how the phishing people, the hackers, really capitalize on holidays, weekends, current events. It says here that this was first spotlighted by Microsoft in mid-December, you know, linking these engineering campaigns ahead of the year-end holiday season. So, you know, they're getting set up, they're getting ready for this. You know, just the volume of people online shopping and just more of an attack surface. What can we do, Eric, to kind of mitigate this type of thing from happening to our loved ones?

Speaker 3:

Nothing. Best advice.

Speaker 2:

Don't use gift cards, perhaps.

Speaker 1:

I mean, this was a pretty sophisticated one, with some URL redirection, JavaScript and man-in-the-middle attack. I don't know. These are pretty difficult, right? The CEO fraud that Nick mentioned, just having that awareness that that happens within, or that is a potential threat vector, and educating people in the organization to verify with a phone call. It's the same thing with ACH fraud, where threat actors will try to change bank routing information on contracts, and most institutions have in place the need to make a call and verify that information, not with the number in the email but with the phone number that they have listed for the account.

Speaker 1:

We actually saw one this week where an individual at a financial institution had been compromised and in their email signature they were saying if you get a request to change routing information, please call me. But I just thought it was interesting to actually see that in the email signature. I had not seen that before.

Speaker 2:

How hard is it to get the bad actors out once they're embedded in the system? Are they kind of like cockroaches, where it's just almost impossible to ever exterminate them completely because they're gaining all this access information and kind of maybe squirreling away information for a later attack?

Speaker 1:

It can be pretty hard depending on where they are right.

Speaker 1:

So if they're kind of in the outer ring, so to speak, around the, in an organization that might use Microsoft's Office services or Google's G Suite of services, if they're into that communication and that connectivity ring, if you will, they're really going to be hitting it pretty hard with phishing campaigns to essentially garner credentials, get into a mailbox, send out more phishing. Pretty hard for them to launch ransomware campaigns from that outer ring.

Speaker 1:

But then once they get inside the organization and they're able to steal tokens, get credentials to get through the VPN, which there's a Check Point VPN exploit that's live in the environment that if you're running Check Point you want to patch that zero-day. There's a patch and a hotfix out right now. It came out late April. But once they're into the core of the environment, then it could be really difficult, and that's the sort of thing where you're seeing nation states develop that vector. They're going to get into the environment and then they're just going to slowly gain footholds and watch and learn and really set up the attack that they're really going after. Yeah, this attack here seems incredibly sophisticated.

Speaker 3:

You know, where they're just changing the email address of delivery. It sounds like this is really hard to detect, right? This tampering can be difficult, takes some time, so you don't know how much they've actually gotten. You know, and I think the fear obviously for the end user is the loss of, you know, the PII. Right, they probably got their address, email, probably phone number. You know, a lot of information.

Speaker 3:

I think that's why we just continue to preach: A, train your staff, but then B, you know, set up alerts on Credit Karma or something of the nature, all the different credit bureaus, lock your credit, things like that. I think that's the greater picture here. It's alarming that they were able to get this done. But I think everything that we preach is for that reason, because these attacks happen more than we, you know, want to admit, and I think we find ourselves playing defense a lot instead of playing offense. Right, we're defending against these situations. They're coming up on a Friday afternoon ruining everybody's, you know, perfectly good weekend or whatever.

Speaker 3:

But, you know, I think all these different things that we continue to talk about through all these episodes, it comes back to these situations, right? These things that are happening behind the scenes, where this might not directly affect the end user, right, when you're getting your gift card. You wouldn't even really know until maybe a week later you call the organization and say, hey, I never received this gift card, whether it's the physical gift card or it's coming to you in an email. Right, you'd really have no way to know. This organization, they might actually be finding out because a user is calling in saying, hey, I didn't receive my gift card. That could tip them off, unless they're running, which hopefully they are running, some sophisticated, you know, systems and tools to combat this and actually find alerts that are tampering alerts or something of the nature to tip them off. But yeah, really interesting how they were able to get this done.

Speaker 1:

You know, the other thing, Josh, that you asked at the beginning is what can you do with your family about this specifically? Not a ton. But what you can do is start to have those conversations at the Thanksgiving Day table, like if you got a call from, you know, little Timmy or little Susie that said they were in Mexico in an accident and they needed you to send them $100 or $1, you know, would you do it, right? And having those kind of tabletop conversations is really relevant, and, you know, in business you do tabletop exercises to talk through a particular scenario at the leadership level, at the technical level. But having that same conversation at home is, um, equally valuable, I think.

Speaker 2:

I had a chance to become a gift card warlord myself on tour once. We were sponsored by Taco Bell Feed the Beat, and I think we each received $300 of Taco Bell gift cards, all in $5 increments. So I could have been hooking up little Timmy in Mexico with the fat burrito coming his way.

Speaker 2:

But yeah, not a big fan of gift cards in general. Once you put your money on there, it feels like a black hole to me. I would rather just give cash or a check or something myself. But are you guys cash guys, or, um, are you credit guys?

Speaker 1:

What do you like? You don't like gift cards, Josh.

Speaker 2:

I like to have a mix. I always like to have some walking money. Uh, I don't do the clip or anything like that, and I'm not, you know, whipping it out, flashing it out like a gangster, 100 on the outside in a rubber band, right.

Speaker 3:

I'm not gay, you got it. You got to keep a little bit in the safe. You know, the OS stash, you know, keep a little bit in the safe just in case you've got to bug out. But I'm a credit guy, and that's just really for the main reason of, you know, if an attack happens, right. You know, the credit card companies are really good these days. They're good about, you know, responsibility, and, you know, you don't lose your money, um, and it's not quite... You know, debit is debit, right. Once that money's gone, it can be much more difficult to get it back. So I think, uh, you know, paying for something with a credit card, paying it off right away, is the way I like to handle it.

Speaker 1:

Josh, I think the main reason is it's hard to buy those cat toys on Chewy with cash.

Speaker 3:

You can't do it, but you got to have cash around.

Speaker 2:

To our listeners, if you want to give...

Speaker 3:

...Nick a gift, we could use probably some more cat toys. Oh, we're also soliciting cat names too.

Speaker 2:

If you have a good cat name for one of Nick's 50 cats, we still got a few of them to name. We have Mr. Meowgi, Edgar Allan Paw. We have Catty Purry.

Speaker 3:

Catty Purry, that could be top. We'll have to figure out some sort of giveaway. Whoever comes up with the best, we'll send you some swag or something.

Speaker 2:

Yeah, I still like Captain Sushi. I don't know if that one's sticking quite as well. Speaking of cats, we're back to The Hacker News: "Researchers Warn of Cat DDoS Botnet and DNS Bomb DDoS Attack Technique." Okay, maybe we could just start by breaking down this title. What the heck does this mean, Eric? Um, this was one of the articles that you kind of had some interest in. So what's all this, uh, lingo here going on? It's a bunch of D's, B's and C's.

Speaker 1:

So DDoS is distributed denial of service, um. So it just means a lot of different computers at the same time. So in the first article we talked about a botnet, and then DNS is just domain name service. It's when computers talk to each other by numbers and humans talk to each other by words. So the DNS is a way of translating words to numbers. So, for example, if you're going to look up www.itauditlabs.com, itauditlabs.com is hosted on a web server that is referenceable by an IP address. So in order to... we don't know the IP address off the top of our head, because it'll change from time to time, but we do know the word. So the...

Speaker 1:

...DNS service translates the word into the IP address, and we don't have to pay any attention to the IP address. So what this particular article is talking about is there was a theoretical attack where threat actors could potentially recruit and enlist a large number of computers to submit DNS requests over different time intervals, to collide at the same time on a particular target server and essentially overwhelm that server with responses in order to bring it down, because presumably it couldn't handle the number of responses. I think we're seeing less and less distributed denial of service because the protections that are in place by the cloud hosting providers, Cloudflare, Akamai, what have you, just have really good protection against storm attacks, and it's a relatively larger effort to coordinate and launch, but it's still out there. It still could happen.

Speaker 1:

There's a lot of distributed servers with advertising campaigns and using them to target and generate revenue from ad clicks. But it's probably going down a rabbit hole, I think, for this particular thing. Not a lot that the individual end users can do. It may be more interesting if you want to learn a little bit more about DNS, for example. The article is kind of cool to read, and just how things work behind the scenes. You know, because when we go to the website, we're www.whatever.com. We're not really thinking about the bits and bytes that happen and how we get that information. Along those lines, something that might be relevant is we're working on a kind of a teaching lab here over the next couple of weeks focused on DNS. So talking about DNS on a future podcast and then doing a Pi-hole build. Which, a Pi-hole is an ad blocker that rides on Raspberry Pi. So doing this for the home user who can follow along with us, build a Raspberry Pi on their network and prevent some of the ads from popping up, if that's of interest.

Speaker 2:

We're talking about a news article from The Hacker News. We already read the title: "Researchers Warn of Cat DDoS Botnet and DNS Bomb DDoS Attack Technique." The threat actors behind the Cat DDoS malware botnet have exploited over 80 known security flaws in various software over the past three months to infiltrate vulnerable devices and co-opt them into a botnet for conducting distributed denial of service attacks. Maybe, yeah, Nick, if you got something to add to that, or maybe if you could break it down for the normies. What's happening here? What's the risk?

Speaker 3:

What I was going to bring up, and what I've been noticing in the recent, I don't know, recent years maybe, is the uptick in denial of service attacks on public service entities like 911 services, dispatchers.

Speaker 2:

Sorry to interrupt, but what's a denial of service attack?

Speaker 3:

Exactly. That's what Eric has been explaining: overwhelming the call center, the servers, right. So in turn it makes, you know, those services go down. We saw it in Dallas, I think that was a notable one. I don't know the specifics on that, but I think the DDoS, the denial of service, was a part of that. And we also saw it at another organization that Eric and I and team worked on, and it was able to bring down calling 911. And, you know, when that happens, obviously that's a giant gap. People aren't able to call for emergency services, and, you know, when that happens, the dispatchers, they're working off pen and paper now and dispatching over the radio. So that was just something I have noticed over the recent years, and I think it's been happening quite often.

Speaker 2:

And from your standpoint, or your opinions, are hackers doing this because there's actually real-world, tangible things they can point to, like, look, I did that, ha ha ha, kind of? Because, you know, they're not necessarily gaining a lot of value, they're just bombing something so it goes down, right.

Speaker 1:

I think it's financially motivated right, Just like everything is.

Speaker 3:

I think it's a bit of both, right, financially motivated and get their name on the map, kind of thing. If they can, you know, come out and say, hey, this group was a part of it. I think it's both. But, you know, obviously, like Eric's saying, you know, financial motivation is probably the biggest one.

Speaker 1:

Unless there's some sort of, like, hacktivism going on, which you see as well. You know, like one group doesn't like a particular statement that's being made, then you may see that. Certainly attempts around the political landscape with the DNC or the RNC, when those are in town, you might see defacements or attempted defacements of websites or the transit systems in those particular areas. But that might be less about financial and more so about a state.

Speaker 3:

Yeah, I think this is something that might come up, you know, in November, when the election is going on, right. Maybe they're trying to take down a specific, you know, candidate's website. It could be trying to take down emergency services if a candidate is in that town, let's say. Just something that could correlate to this actual attack as being a bigger issue.

Speaker 2:

And then the financial side of it. They're asking for some sort of a ransom to kind of let off the pressure or to return the services back to functional.

Speaker 1:

They could, yeah, or they could be using it as part of a multi-staged attack where the DDoS is a distraction, or is setting up something else to happen.

Speaker 2:

Wow, well, that's crazy. Um, I think that's a good segue to, uh, one of our last articles here. This is one I picked out, speaking of, you know, annoying ways to attack people and jam things up. This is not a news article, but, um, this guy's blog, John Graham-Cumming's blog. Um, I found this on a forum. He's talking about controlling the Taylor Swift Eras Tour wristbands with the Flipper Zero. And for our audio listeners or people that can't see this picture, what's happening? You may have seen this at a recent sporting event or a concert you've been to. They're handing out these wristbands that have little chips embedded in them, and they're programmed with LED lights to become part of the light show. So if you're in a stadium, they're splitting these up into sections, and the people in section one might be a blue color and section two might be red and section three might be white, and they can flash them. So long gone are the days of holding up a Zippo. I was just thinking that.

Speaker 3:

Or your phone light, your flashlight on your phone. Yeah, which was also very annoying.

Speaker 2:

Um, I'm a big fan of putting the phone in the bag. I know Prince and several other artists have made people, like, check their phones before going into the concert, and I'm digressing here a little bit, but I get very nostalgic passing a concert, a stadium full of people, and no one's on their phone. I mean, how awesome was that?

Speaker 1:

Josh, what's your take on people coming and going to a live music event and then, um, got their phone up and they're recording it?

Speaker 2:

I think it's terrible. It's, uh, it's rude to the people behind you, it's obnoxious, and no one cares what event you were at, unless you're a bootleg. The only time I think it's cool is if I'm trying to see a band's unreleased song and someone might have done a bootleg at a show, so I got a little preview of that. But yeah, nothing more annoying than standing behind a middle-aged guy holding his phone up right above your view, filming 10 minutes of two songs that he probably will never watch again. It's just... I don't understand the impulse to do that. They're experiencing a moment and they're removing themselves from it.

Speaker 3:

It's the same thing too, when you get, like, somebody might have a wedding and they get their photos back and they've got grandma or grandpa or somebody there, their nice picture at the altar or whatever, wherever you are, and somebody is holding up a phone in the middle of the picture. So put your phones away. It's an...

Speaker 2:

It's an impulse. Um, yeah, uh, it's an impulse. Yeah, I don't know if we're going to be getting away from that soon. It's something I hope to teach my children. Like, you know, be in the moment, some restraint, self-control, being in the moment. I think that's where the awareness comes in. But I don't think there's a whole lot of attack vectors here other than just being obnoxious. Maybe making a lewd word or a picture into a stadium full of people, which would actually be kind of funny. Probably not if you're Taylor Swift or Kanye or whatever, but another interesting use case for the Flipper Zero.

Speaker 3:

Are you a Swiftie? I think he's definitely a Swiftie.

Speaker 2:

I'm not a Swiftie, but I ended up having to play a lot of... I ended up having to learn a lot of Taylor Swift songs for weddings and things like that. So I will say this: I do appreciate her as an artist. She's a hardworking lady. I got to meet her briefly in 2016 at the Billboard Music Awards in Las Vegas. She was in the backstage saying hello to every single person and every other artist. I was there supporting my brother, and they were largely unknown, and she went out of her way to shake everyone's hand and meet everybody. So, Nick, you don't want to go against...

Speaker 1:

Uh, Taylor Swift and the Swift... That's worse than going against Anonymous, the Swiftie army.

Speaker 2:

I'll get you. I think that was just an interesting use for the Flipper Zero.

Speaker 3:

So we might have to check in with Cameron on that one. And, uh, I think it is really cool, Josh, because, like you were saying, you know, and Eric brought this up too, right, activism or whatever you want to say, people could, you know, show their cause right in a stadium, right. That might be a reason to take these over, politically, you know, charged, or something like that. So I think there's a lot of reasons to do it. So it's definitely something to keep your eye on, because, you know, the technology with Flipper Zero, you know, it's something you can put in your pocket and, you know, you've got an attack vector.

Speaker 1:

And wasn't it the attack vector on those, if I'm recalling, Josh, it was either infrared, which is how they're getting the colors to change, so Bluetooth, infrared or radio signals?

Speaker 2:

Yeah, and I think there's a couple of different systems that they're using. It's pretty cool because the person that's running this system can fit all of the gear into their suitcase. It's just one box that controls it. And then they have a laptop, you know, with the display showing the layout of the stadium, and I'm sure they can customize it to whatever application they're using it for. But very lean technology, and, you know, something that would have been unthinkable maybe 10, 15 years ago. So pretty cool technology.

Speaker 2:

I would like to see how this develops, and kind of, maybe this will take people off their phones. We can find a way to engage people and make them more part of the show. Perhaps that will go a long way towards keeping people in the moment. But one of my questions was kind of tangential to this is, you know, when you're in a large crowd, maybe not thinking about the security of your wristband, but are you guys taking precautions with your credit cards or your cell phones? We've talked a little bit about, you know, how the Flipper Zero could, you know, maybe set off some notifications on an iPhone on an airplane. What do you guys do when you're at an event like...

Speaker 3:

...that. Well, I think the big one, you know, that I have is the RFID wallet. I think it's a Ridge wallet. So, you know, that's the big thing for me is keeping all my cards in that, right, if I put it in a backpack or whatnot.

Speaker 2:

How about you, Eric? Are you a Ridge wallet guy?

Speaker 1:

I do have a wallet that has the RFID protection in it, but I don't know that I'm necessarily concerned about a digital attack. Not that it couldn't happen. I'd be more concerned about a pickpocket. So I always carry my wallet and stuff in the front pocket. Definitely. Yeah, definitely for me too.

Speaker 3:

And I think one thing, and this is probably segueing a little bit, but, you know, I was just, uh, you know, I think I was at the car wash or the gas station, um, last night, and I always find myself, you know, and I have for a while, looking at the actual reader to see if there's been a skimmer put on, you know. So I think it's not directly your question, Josh, but I think if there was one other thing, advice to give, you know, people, it's pay attention to where you're actually putting your card, right. If you have the option to bump, tap, I would do that.

Speaker 1:

That is always interesting. Where, you know, you've had the places that would take the card, like at a restaurant, and then disappear, come back.

Speaker 3:

Yes, I think a good way too for that, like, Starbucks is a good example, is they have a way to pay within their app. Right, you load up the card, they scan the barcode, and it takes your credit card out of the equation.

Speaker 1:

I don't know why we don't do more of that here. It's like a whole process. You go to a restaurant and then they bring you the bill, like it's a secret in the billfold, and then you put your card in there, and after everybody argues about who's paying, and then they bring it back 30 minutes later. In Europe, it's like, all right, I'll take the check, and they just bring the reader to you. Tap it, done.

Speaker 3:

You're out of there. That happened to my wife and I last Friday. We went out, and they had, on the same machine that he's putting the orders into the kitchen, he was able to take payment there. So everything's done right in front of you. I think you see that at, like, you know, Applebee's, Chili's, things like that. They have the little screen where it's got games on it or whatever for kids or whatever, but it also shows your bill at the end and you pay right on it. So it's great. Great point, Eric. We should start seeing that all over the place.

Speaker 2:

As long as they don't have the QR code menu, I'm good, I'm in. I'd rather have a crusty, dirty... You're all about the experience.

Speaker 3:

I am, I'm tactile, I like it, I'm in on it.

Speaker 1:

I have to say, though, I would rather have the QR code than some sort of unclean menu.

Speaker 3:

I think I'm actually with Eric on this one.

Speaker 2:

Lunch is on Eric, as usual.

Speaker 3:

We don't fight over the tabs around here. No, we don't.

Speaker 2:

We know who's paying the tab at lunchtime at IT Audit Labs. Hey, this has been really fun, you guys. I think, unless you have anything else to add, we could wrap it up there. We're just under an hour, and thanks to all the live listeners. It looks like we had almost 10, almost double digits.

Speaker 1:

So this is our first one.

Speaker 2:

We'd like to have you tell your friends and family about the IT Audit Labs podcast called The Audit. If you like what you're hearing today, you can like, share and subscribe. We're on Apple Podcasts, Spotify Podcasts and on YouTube and elsewhere. You can follow us on LinkedIn for more cybersecurity news. My name is Joshua Schmidt. I'm your producer. We are joined by Eric Brown and Nick Mellon today. This has been our first live Cybersecurity in the News episode. Thanks so much for listening and watching. Hope to see you soon.

Speaker 1:

When are we going to get one of those hairless cats? He's got one jumping up on him.

Speaker 2:

One thing at a time.

Cybersecurity Threats and Public Libraries
Phishing Awareness Training Importance
Cybersecurity Threats and Gift Card Scams
DDoS Attacks and DNS Vulnerabilities
Cybersecurity Precautions and Payment Methods