Speaker 1: 0:04

All right and we're live. It's Friday, july 12th, and we're doing another news episode today all things cybersecurity news. You're listening to the Audit presented by IT Audit Labs. As usual, we're joined by Eric Brown, ciso at IT Audit Labs, and Nick Mellom, and we're going to chat about a few articles that piqued our interest today. But before we jump into it, how are you guys doing today?

Speaker 2: 0:28

Doing well, Josh? Yeah, thanks. I'm at an undisclosed location today, so bear with me on the technology.

Speaker 3: 0:37

CIA safe house. Yeah, I'm also doing well.

Speaker 2: 0:41

Well, nick, you know it's interesting in just kind of in some of the things that we've been talking about recently. I learned that josh was an aficionado of a couple of things outside of music, right? Oh boy, yeah, here it comes one of those being us and conspiracy theories.

Speaker 3: 1:08

Okay.

Speaker 2: 1:09

So I was asking Josh, josh, I forget how we were talking about this, but one of the things that we were talking about was there was recent reporting and declassification of UFOs and how now they're not called UFOs anymore, I think they're. Then they went to like what? Something aerial phenomenon or something UAPs.

Speaker 2: 1:35

But then it changed because there were some that were not aerial like they're going in and out of the water and there was some sort of news around military pilots that had identified some of these objects and maybe some of their unique trajectories. Had you heard about that?

Speaker 1: 1:55

Of course, yeah, of course. The biggest piece of news recently was last October, when David Gersh testified before Congress about his experience. Oh no, oh no, yep, get them on, boys, hit us with the facts.

Speaker 3: 2:17

Josh Hit us with the facts.

Speaker 1: 2:18

Military guy. So pretty credible, pretty credible. So I have to preface my interest in UFOs because I grew up in a very remote part of the state, overlooking Lake Superior, and people see quite a few things out on the lake that they can't explain because, you know, it's very dark up there. You can see the firmament very well.

Speaker 2: 2:40

But isn't there like an Air Force base up there?

Speaker 1: 2:42

Well, there's a few airports. I mean, I think that there's some activity coming from Duluth, maybe across the border. I know there's a lot of airplane traffic monitoring the Canadian border being just two hours from the Canadian border. So take that for what you will. I'm really blushing because you guys have your tinfoil hats ready. That's amazing we're going to do. You guys have your tinfoil hats ready. Amazing, we're going to do. A full on tinfoil hat episode.

Speaker 3: 3:08

We're in full support of you, Josh. We just want to make sure our mind's dead clear for the best of our clients.

Speaker 1: 3:14

You might want to keep those on for a couple of the articles we have selected for today.

Speaker 2: 3:20

So any UFO stories Josh.

Speaker 1: 3:23

Well, I have seen one UFO. When I was a child with my mother, we were driving down Highway 61 in Grand Marais and, yeah, unidentified flying object, just what it sounds like, not saying it was aliens, but it was certainly an identified flying object.

Speaker 3: 3:42

So it came over our car. What did it look like?

Speaker 1: 3:45

Well, it was dark so it was just lights. And as we traveled down the highway it kind of followed the car above the tree line and didn't make any noise. It was probably a few hundred feet away from our car. So it wasn't a helicopter we would have heard that and it was flying way too slow to be an airplane, like maybe one that you might be flying.

Speaker 2: 4:12

Haven't you seen anything strange?

Speaker 1: 4:14

up there in the sky, eric, when you're flying around. I haven't, unfortunately, have you ever heard of?

Speaker 2: 4:17

a phenomenon called St Elmo's fire. I know the movie, but I don't know the phenomenon.

Speaker 1: 4:22

Yeah, I have a friend that's a pilot for Southwest and it's some sort of a weather phenomenon where I think there's like glowing, there's like a glowing texture or something like that, that maybe you can show up on the airplane or in the sky. So maybe that's what I saw. You know, maybe it was some kind of a weather phenomenon, but it's always piqued my interest also a big fan of horror movies. So another thing that sent my mind going wild on that when I was a kid was, uh, the movie fire in the sky. Have you ever seen it? I don't think I have super creepy movie. Um, it's probably one of the the top ufo, uh alien movies out there. Um, I highly recommend it. I think it came out in the early 90s. It's based on a true story. Freaked me right out when I was a kid, that kind of being scared plus being super interested in that. That's where I'm coming from.

Speaker 3: 5:19

What did you guys say? That UFOs are called now UAPs. What does it say?

Speaker 2: 5:25

unidentified aerial phenomenon got it, but I think they're changing that because they're in the water now to uh. Yeah, that would be a separate.

Speaker 1: 5:34

I think that's underwater phenomenon or something like that. I'm not. I'm not quite up on the on the.

Speaker 2: 5:40

Have you seen the movie?

Speaker 1: 5:41

contact jody foster of course, yes, that's a great, great movie.

Speaker 3: 5:45

That's a good one. Well, we all know Signs, remember Signs with Mel Gibson.

Speaker 2: 5:49

Oh speaking of M Night Shyamalan. Right, the movie Sixth Sense, awesome movie, great movie, and then they all kind of went downhill from there. So do we think M Night Shyamalan actually wrote Sixth Sense, speaking of conspiracy theories?

Speaker 1: 6:06

Who think m night shamlon actually wrote six cents speaking of conspiracy theories. Now, no, I'm, you know. Yeah, I've kind of lost my interest in him. My favorite director right now is robert eggers. I don't know if you've seen the witch or, uh, the north yes, I have.

Speaker 3: 6:18

Yeah, what's the second movie?

Speaker 1: 6:19

you said, josh the witch and what the northman?

Speaker 3: 6:22

yes, seen them both yeah, yeah.

Speaker 1: 6:26

So, uh, you know, that's where my interest when the ufo stuff comes from, mostly movies and and being in a small town with not a lot to do and just looking up at the sky a whole lot, I don't know. Speaking of weather events, I guess we already did our icebreaker, but we're kind of dragging out the intro today. But, uh, do you guys have a nick? You were just through a hurricane, weren't you? So I wanted to ask you know what was a weather event that we had a good story to share that might have affected our lives?

Speaker 3: 6:53

are weaker, or a day, oh boy. Well, I can kick it off. Mine was very recent and this wasn't the first one I've been through. I went through two tsunamis in Japan in 2011,.

Speaker 1: 7:09

2012 timeframe and an earthquake there.

Speaker 3: 7:12

So pretty interesting to go through that. But most recently on Monday we got hit by Hurricane Beryl. It hit the coast at Category 1 hurricane and we had like 6 million people or something in Houston without power. We only lost power for like an hour and a half, uh, but we went without internet services for about almost two days. So it was you really learn how much you use and need the internet to stay connected and do anything, cause you also had like no cell service. But uh, we're really lucky.

Speaker 3: 7:45

A lot of people in the area still don't have power. Um, I know they said maybe it'll be take till like monday to restore to restore power. A lot of flooding trees down. So it was, uh, more or less on like a freight train going over the house and or or, uh, if you're in the midwest, a tornado sitting by your house for like almost two hours is the best way I can explain it Sideways winds pelting the windows. So it was I wouldn't say it was scary, but it was a little worrisome, let's say of like, wow, this is like. We're stuck here, don't have power, don't have internet. Just got to ride this thing out.

Speaker 3: 8:22

So it's pretty interesting. Are you looking at Starlink. It's funny you bring that up. I was going to place an order for one because I don't want to be without internet Obviously one for my family if we need to call emergency services. But because the cell towers were down, I had my phone. The way I was able to work on Monday after the storm, tuesday and Wednesday when we didn't have power or Internet, excuse me, was having my phone out in the middle of my yard on like a little nightstand table kind of deal that we have on the patio.

Speaker 3: 8:53

Put it out in the middle of the yard and turn my hotspot on just to get one bar of Internet sat in our master bedroom, which is at the back of the house, sat against the window so I could connect to it. I was able to join meetings. It was pretty spotty but dedicated to the customers to get online.

Speaker 1: 9:11

It's a good thing you're a prepper, Nick. Did you have to bust into your powdered milk stash? No, I still got all that intact.

Speaker 3: 9:17

Before we went down, I was prepared, filled up the vehicles with gas, got some extra bottled water, got my daughter some extra food and, um, I was ready to go. I still got all of my uh, what's it called? Wise, wise company? I think it's called they make the prepper packs. I'm not a crazy prepper, but hey, you gotta have some extra food on the side. And you know what? Maybe I don't know, maybe I don't, because it seems like anytime like this happens, people just buy toilet paper instead of food, so maybe they'll leave the food for me.

Speaker 1: 9:49

How about you, eric? Any weather events that are memorable.

Speaker 2: 9:52

Probably the most memorable. Not really a weather event, but I was in California during an earthquake one time and it was interesting. I was pretty young one time and it was interesting, I was pretty young, but I've certainly been in bad weather but nothing that stands out as really scary or bad.

Speaker 1: 10:14

Although I've experienced a UAP, I've never been through an earthquake, tornado, hurricane, so that's one of the upsides of living in the good old Midwest here in Minnesota. I do remember the storm of 91, though we had a blizzard on Halloween. I was just a little guy dressed up in my Ninja Turtle costume and the snow was up to the shoulders during our trick-or-treating run. So that was mine. I'm glad you're doing well, nick, and I'm glad you're safe and sound. Thanks, al. Family's doing well. Well, let's jump right into it guys. We've covered a lot of territory here already today. Yeah, we're just going to switch gears.

Speaker 1: 10:52

Coming from Spiceworkscom, close to 10 billion passwords exposed in possibly the biggest leak ever. On July 4th, a hacker Obamacare posted a compilation of nearly 10 billion unique passwords on a leading hacking forum. The leak is expected to be built on a prior RockU 2021 compilation of 8.4 billion passwords. So you know, is this something that can be picked up by? You know our Apple security feature. If we're using an iPhone, is this going to show up? Is it time to change our passwords? This is another good call for a Bitwarden or a password manager.

Speaker 2: 11:31

What's your guys' take on this? Yeah, multi-factor authentication, of course, is going to be a big help, and then one password to one login login. So if you're logging into whatever service, that password should be unique and separate from any other password that you use for any other service, and really the only way to do that is with a password manager. It's really hard to remember more than a handful of passwords, but you could have a couple hundred or even thousands of passwords and that password manager. You mentioned one Bitwarden. There's a couple others that are good as well, but that's really the best thing that you could do.

Speaker 2: 12:15

So when I see something like this, I immediately think you know, credit freeze, right, making sure that your credit is frozen. Making sure that your credit is frozen. Not that this directly has anything to do with threat actors getting to your credit, but in these sorts of links there could be a secondary exposure where social security numbers are leaked or other PII. So I'd just like to make sure that the credit's frozen and then, if you were, if any of your accounts were involved in the breach, that's where you go in and you just change that password. So in your password manager you can just, you know, change the password that was impacted and you can use a site like have I been pwned?

Speaker 2: 13:03

So, since you're sharing your screen there, josh, do you wanna pull up? Have I been pwned? And then, if you're just listening, not able to see his screen, it's just have I been? And then P-W-N-E-D, and this is just a great resource to check to see if you have an account that has been pwned or involved in a data breach. So do we have a volunteer to throw a email address in here? All right, let me give you one of mine. So, eb at b aA-I-Ccom.

Speaker 1: 13:45

I for Fraud in February 2023. Data alleged to be taken from the Fraud Protection Service's I for Fraud was listed for sale on a popular hacking forum. Are these all being picked up by? Like the Apple security feature, eric, when you sign into your settings and then you go to passwords, right, I don't know if all of our listeners know this, but yeah, just go into settings, go into password and then there's security recommendations and it will show you all of your emails that have been compromised.

Speaker 2: 14:15

It will pick them up. It uses services like this. Troy Hunt is the curator of this have I Been Pwned list and it would pull up lists that are curated that would contain previous breaches, right? So this one. It's interesting, right? Because I never signed up for this particular service. So Kent volunteered his email as well. We could take a look at that one. I might have a few more, but this eye for fraud is a good one, just talking about how, when we want to maintain a one-to-one relationship, I don't know which service may have been picked up by the eye for fraud, since I never subscribed to a discrete service from that company. It's an aggregator and Kent just gave us his. There's a few in here that are discrete services that Kent could go in and change the password, and some of these are quite old. But, if you look right, I think Adobe was in there, canva was in there, but you could then go in and discreetly change, say, your Adobe, or was that a Fitbit one or your Fitbit account.

Speaker 1: 15:33

Kent, you're going to have to change your DatPiff password.

Speaker 3: 15:36

Get some work to do.

Speaker 1: 15:37

That RAP mixtape can't be getting vulnerable with the RAP mixtapes. I'd love to hear that RAP mixtape, by the way. Maybe we could get a link to that. But yeah, this is a great service for people to be using, obviously in conjunction with some of the other things. So you're using a password manager, eric, I assume, and then you're still getting breaches or leaks happening with your credentials.

Speaker 2: 16:03

That account that I? Yeah, because the password manager is not going to stop you from getting breached, right, the third parties, where the things that you're signing up for are the ones that are having the security exposure. So the companies that you're signing into with your login credentials are then breached. So a password manager, the only thing that's going to do is make it easy for you to change the login and password for the particular organization that was breached. Does that make sense?

Speaker 1: 16:38

Yeah, so you have to stay up to date on it and be checking it and monitoring the situation.

Speaker 2: 16:43

Yeah, and you want to just continue to maintain that one-to-one relationship, and by the one-to-one meaning, for example, with Kent, where there was a few here, where this particular Gmail account was involved in the breach. If Kent was using the same password across multiple sites, that's where you can get into trouble, because the malicious actors are just scooping up all of those you know, the hundreds of thousands, billions of accounts and then they're just scripting out and brute forcing logins across multiple sites. So you just if you know that's occurring, and you just change the one that was breached. You don't have to worry about the other ones.

Speaker 1: 17:27

And from my understanding, these were just passwords that were leaked. So the risk would be combining this information with previous breaches and linking those passwords to usernames, emails and such yeah and social nearing right, Nick, Happened on the 4th of July.

Speaker 3: 17:46

Once again we see another event or a holiday opportunity for hackers to exploit uh, people kind of being checked out, I mean I think with the you know, yeah, obviously, the social engineering piece you know with, like open source intelligence, you know they're pretty easy. It's pretty easy to attach these passwords. You know you get the different accounts, you know You're able to correlate where these are coming from if they want to carry out an attack. So, password manager, obviously. But we always talk about MFA. Right, if you don't have MFA right now, it's almost 2025, right, we want to get that implemented everywhere.

Speaker 3: 18:19

Even on social media, I see a lot of people not using know, not using MFA for through Facebook or LinkedIn. That's so easy to set up. You know you, you gotta do it. And for a lot of people, too, they think, well, it's just my Facebook account or LinkedIn account. Well, that might often be where a lot of people have you know personal information where you live, where you work, you know, so things. For somebody like me that likes to do social engineering, that's like a one stop shop for me to formulate you know talking points to whatever it is Right, maybe I can figure out what bank you work for or what hospital you work at, and it's kind of a gold, gold mine of information.

Speaker 1: 18:59

So when you guys see a breach like this come through the news, are you advising organizations to take any actions when you see this, or is it more of just the same rhetoric of?

Speaker 2: 19:09

getting a password manager.

Speaker 1: 19:10

MFA.

Speaker 2: 19:11

Yeah, hopefully we've gotten in front of it and we're working on things that they can do to stay in front of this sort of events, because these events happen, unfortunately, more and more frequently. So, using tools that are looking at the curated lists and making sure that users can't select a password that was on a list previously, or that the passwords are long enough or, of course, that they have MFA in place and certainly MFA is not infallible Now you have to have the right kind of MFA. So it's just unfortunate, right? We just have to continue to stay on top and continue to educate and research and learn and make sure that the advice that we're giving is relevant, because advice that we give today would be maybe different than it was 10 years ago.

Speaker 3: 20:05

Continue to play offense instead of be reactive to all these issues. It just seems like these articles just are. It's a daily occurrence where something is coming up like this.

Speaker 1: 20:14

Yeah, and so you guys are the experts. You're sitting down with these organizations, walking through all these types of things when you do an assessment, sitting down with these organizations walking through all these types of things when you do an assessment. Is this kind of part of the initial assessment when you work with an organization and an ongoing after that?

Speaker 2: 20:28

It depends on the type of engagement we'll have with the organization.

Speaker 2: 20:32

Certainly, if we're doing more of a security review or vulnerability assessment pen test, what have you upfront?

Speaker 2: 20:40

These are some of the things that we'll take a look at and we'll certainly take a look at it from the attempts to exploit the organization to really talk with them about maybe weaknesses that were in place.

Speaker 2: 20:52

But if it's more of an ongoing consulting relationship, then you know we'll certainly do periodic testing, but along the way. You know we'll certainly do periodic testing but along the way we'll put practices in place to help shore up the users from a policy perspective. You know we talk about administrative controls, technical controls, physical controls, where an administrative control would be having a policy that says that you have to have some form of MFA in place, that you have to have a password of certain length, and some of these things are regulatory requirements as well. But we'll have those administrative controls and then we'll have the technical controls to make sure that those things are in place and that there's the ability to inspect the password when the user changes it, that they're not changing it to something like a summer 2024 or company name 2024. Just making sure that there's that good password hygiene in place.

Speaker 1: 21:51

All right. Well, let's shift gears to our next article here. This is a little bit more high level. Shout out to our listeners. We have a really exciting episode coming up with a woman named Melissa Stivaletti. We talked a lot about OSINT and policies around cybersecurity in the intelligence community, but this is a high level article that came out just recently on July 8th, the Supreme Court ruling threatens the framework of cybersecurity regulation. Apparently, the Supreme Court struck down the Chevron Doctrine, which will have a major effect on the determination of enforcement of cyber regulations in the US. So I had to read this article a couple of times to kind of get my head wrapped around it. But from a high level. Do you guys have any insight on how this ruling will affect cybersecurity, do you guys?

Speaker 3: 22:41

have any insight on how this ruling will affect cybersecurity. My initial thought, josh, same as you read it a couple of times to try to suck it all in, but I'm struggling to form if it's a good thing or a bad thing other agencies aren't able to just craft rules and laws as they see fit. Where it gives the power back to maybe us or the users or whoever, to have Congress put rules in place, laws in place, and that's what's driving the outlook there versus just maybe an agency going rogue. So I think that's the thought of maybe it's good, but I think it could go both ways.

Speaker 1: 23:23

Yeah, other than the expediency, what would be the benefit area?

Speaker 2: 23:27

You know, with Nick, I kind of see both sides of it, right. You know, unfortunately some of our agencies are more specialized, like the organization that's part of Homeland Security called CISO, which is doing a lot of great work, hands-on work with customers in the public sector, with customers that have critical infrastructure. So water treatment, wastewater, electricity, power generation, transit, right. You know're they're working with organizations that are critical to infrastructure. You know, nick talked about power being out for two days due to a weather event. Well, power could be out for two days or much longer due to a cyber event as well, and sisa is working hands-on with these organizations to help them understand where their risks are and certainly to help them have better security in place. Not that they don't want to, but CISA has visibility across multiple organizations and they're getting intelligence feeds from other organizations in the government sector that might show oh there's you, us. That could be concerning on one hand, because leaving it up to the judicial branch, where traditionally there's probably not as much of an understanding of cybersecurity and information security at a detailed level as there is with a specialist organization like CISA, On the other side of the coin, I see that some good could come out of it where you have organizations like the Bureau of Criminal Apprehension, which is a state organization that interprets governance from the FBI on how to implement technical controls, and then the BCA is essentially the they own and manage criminal justice information, right, so important information that comes from the FBI? Right, the FBI certainly is the organization ultimately responsible for this criminal justice information. And then the interpretation of the BCA at the state level and then the BCA's interpretation and enforcement within local agencies sometimes becomes problematic. I'll give you a for instance local agencies sometimes becomes problematic. I'll give you a for instance where we've got, say, a virtual server farm and that consists of several computers in a cluster and you could have tens or dozens or hundreds of individual virtual machines, virtual servers, in this cluster of servers.

Speaker 2: 26:39

Virtual machines could have encrypted communication between them, which is good. They could be stored with their data at rest, stored in encrypted hard drives and the data coming off of those systems backed up and encrypted and stored that way, immutable, off-site. What have you right? All good things, all good things from a hygiene perspective, but yet the BCA will come and tell you that you cannot co-mingle.

Speaker 2: 27:08

And again the BCA in the state of Minnesota would come and say you cannot co-mingle your virtual machines that contain CGIS data in with virtual machines that don't, so you can't have this commingled environment. Well, it doesn't make any sense, right? Everything is already encrypted in transit at rest. So you have network policies in place that don't allow communication or movement of data between those machines. It's like they're already separate and you're using encryption to separate them.

Speaker 2: 27:43

They would postulate that you stand up a completely separate virtual environment, which on paper doesn't sound like a big deal, but that could mean millions of dollars to an organization's IT department, where now you have to stand up and manage this completely separate VM infrastructure. You've got to pay for licensing, You've got to pay for all of the things associated with managing that environment. Well, I would rather take that million dollars, or whatever that investment was, and spend it on potentially education, other security tools, other ways to prevent the threat actors from doing harm in an organization. It's just it's wasted money in my opinion, and I don't like the BCA's interpretation in the state of Minnesota of FBI's governance on how to manage virtual machines and again, it's state by state could be different in other states.

Speaker 1: 28:37

It seems like, you know, pace of technology and cybersecurity is moving so fast it's hard for our lawmakers and the bureaucracy and the machine to kind of work at the pace of technology. So something that we're going to stay on top of is this something you guys are going to see how it plays out in your day-to-day jobs, or do you have any kind of projections on how this will affect your day-to-day work?

Speaker 3: 29:00

I think there's going to be a lot of situations, like Eric was just explaining. Right, there's going to be a lot of turbulent air where we're trying to figure out which way these organizations are going. Like we said, it's going to be good or bad, so we'll see. It's going to take a little bit of time for things to change. I don't think we're going to feel it for a little bit. It's going to take a little bit of time, so we'll see what happens. You know, I guess my other fear is going to be you know, it's going to get caught up in court systems, right? All these bigger organizations are going to spend time instead of shoring up their organization. They're going to fight it, right? So there'll be a lot of time spent in courts and we'll have those issues which probably won't affect us directly for a while, but probably a lot of unnecessary situations are going to come up out of it. So it's good and bad, but we'll see what happens. I think it's going to take a while before we see any ripples of this effect.

Speaker 1: 29:52

Sounds like another case of the lawyers coming out ahead in this situation. Good job security? Probably so. So, nick, I see you're wearing your military green today. We got a military adjacent article for you, buddy.

Speaker 3: 30:05

Just for you. Yeah, I thought this one was really interesting, yeah so did I, and I pulled this up.

Speaker 1: 30:10

I immediately thought of you. Guard Zoo malware targets over 450 Middle Eastern military personnel. This is coming from the Hacker News, one of our favorite sites to grab these articles from. This came out July 9th. Military personnel from Middle East countries are the target of an ongoing surveillance ware operation that delivers an Android data gathering to a cult guard zoo. The campaign, believed to have commenced as early as October 2019, has been attributed to a Houthi aligned threat actor based on the application lures command and control c2 server logs, targeting footprint and the attack infrastructure location, according to lookout nick. Let's start with you know. My question was, first of all, what was your cyber security uh experience in the military? Was that something that was talked about frequently? I mean, you guys have your phones on you just like civilians, or um, is this something that's being chatted about constantly, or what's the?

Speaker 3: 31:05

Yeah, I would say well, this was 12, 13 years ago. In the grand scheme of things, not very long, but in the cybersecurity world that's basically a lifetime. So a lot of things have changed. But going back to when I was in, yeah, when we were on local military bases local military bases, friendly bases right, you had your phone, had service just like you would as a civilian. But when we deployed to the Middle East Afghanistan, kuwait, iraq, you know, so on and so forth you could bring your phone, but either you had to take your SIM card out or location services had to be turned off. Most of the time the command would make you, you know, you had to take a SIM card out Back then. We're moving to eSIMs now, or that's the way most of the phones are, you know. So we had physical SIMs, then took them out and they physically checked this. So right, and what this article is getting at here is they're uploading the software. It sounds like it's mainly Android, but once the software gets on the phone, they're able to get location services and many other things.

Speaker 3: 32:12

Well, the fear to me, and why we did it during my time of service, you know, overseas, in combat zones was A. They can figure out movement, movement, how often we're doing it. When we're doing it, when we like to operate, you get all the tactics, um, that we like, and, and the same is for the, uh, the friendly forces it sounds of the middle east in this article, um, and it allows them, you know, for cyber attack, physical attackes, all those different things that come into it. So there's a you know, it's an overwhelming amount of fear with something like this, because you can't protect it. Well, you can protect it with, with software, right, to get rid of this, and I think Google has removed it from the play store, um, I read this article or blocked, uh, blocked it from use, but it sounds like there's quite a few different applications that are doing this.

Speaker 3: 33:05

But the fear is, you know, they're getting the actual locations where the people are and that's wherever they go. So you fear for your loved ones, and we know that you know these, these nation state actors, terrorists, wherever you want to classify them, as they're going to use all this information, you know, against their adversary, which you know are trying to fend them off, and they're going to use all that, and they're getting this through through WhatsApp, right, and a lot of people use that, you know. So there's a lot of fear here on what could actually happen, right For, like I already said, loved ones, military tactics, and where bases are located, where they entry and exit points, egress points. So this is chock full of a lot of worrisome information that's getting out.

Speaker 1: 33:48

Sounds like a threat that the military needs to stay on top of. They're using WhatsApp and it sounds like a social engineering type of attack. Right, they also mentioned telemetry data. What is telemetry data? Is that kind of triangulating your position to figure out where you're moving and all that fingerprint dust or whatever we want to call it that you can pick up on to gather more information?

Speaker 3: 34:12

Yeah, I think it's all that. I think it's all that information that I was kind of speaking on with you know, location tactics where bases are things like that. And what they mentioned http flood attack, oh look, I didn't actually realize that they were using the actual flood attack, but I think it's like the, the scripting, where they're, you know, using the actual script from the browser and they're able to go different places within your phone. So I think it's like a lot what their way they're using.

Speaker 1: 34:39

It is like lateral movement, uh, with the device yes says this was originally marketed as commodity malware for the one-off price of three hundred dollars. So this is something that's sitting on one of those hacker forums or you can just purchase and, um and on a previous episode they mentioned, uh, one of our guests mentioned that they may even have like an it department for some of this malware that you can purchase.

Speaker 3: 35:01

So do you guys like a jump box right? They're able to jump from different device to different devices.

Speaker 2: 35:08

I think what they were referring to in in that particular instance was basically just a ddos attack, so distributed denial of service using the http protocol, so basically taking a machine offline through lots of http traffic to that machine, or that device and we talked a little bit about that on our last news episode as well.

Speaker 1: 35:28

That man in the middle ddos attack. Yeah, you can check that last episode out for more information on that. Um, you know, and they were even using these military style uh icons, you know, to kind of grab people's attention. So a concerted effort to attack that community. Maybe you guys could give us a little insight of what other types of fallout Nick, you'd mentioned some of the things, but maybe Eric, you could chime in on a high level what types of fallout can be imagined from an attack like this?

Speaker 2: 35:59

Well, yeah, just to continue on with what nick was saying, I think we're seeing has been certainly evident in the ukrainian war with with russia, where both sides were leveraging the individual's personal mobile devices to understand where they were physically and then launching attacks against those locations.

Speaker 2: 36:25

So it's, you know, humans are conducting tactical or kinetic warfare and humans, as we know, are the weakest links in cybersecurity.

Speaker 2: 36:38

So, having that mobile device on you and maybe what if you didn't obey what command said, right, and you have another phone that you haven't destroyed the SIM card or disabled the SIM card, and it sucks, right, war sucks. You want to get a message home, let your loved ones know you're going to sneak a message out. Well, that can put a lot of people at risk and if you're not well steeped in cyber or well-educated, you don't understand those risks. You don't know how, you know just having your phone on could beacon out a location. So just, and then I'm sure Nick, you know, can talk about how the education that you know that he went through while he was in, but just the education that people who are maybe closer to the frontline, or delivering services to the frontline you know, red Cross or ancillary services that aren't maybe directly military, could impact the lives of military personnel by just having personal devices on them and moving through areas of conflict, because they could bring that attention to areas where attention is not wanted.

Speaker 1: 37:52

Super interesting. That's a heavy topic and, Nick, did you have anything to add to that? You kind of mentioned that there was some talk around that, but just do. Is it much more prevalent these days? Do you stay in touch with any of the other people that are still in the military and kind?

Speaker 3: 38:08

of talk. I do, yeah, I do, we. We don't often, you know, talk about cybersecurity per se, but I think, you know, going back to at least my time, I don't think we talked about it nearly enough. Right, we were all focused on our job, you know, in and out of the Middle East, but cybersecurity certainly wasn't one of our main focuses. You know, we had our badges right with a little cat card on it. You use it to badge into the machines and that was really kind of the extent of the cybersecurity training. Besides that log in, log out, password, you know, protection piece. That was besides email and phishing. Those are kind of the only two things we really talked about. So you know, I would assume, especially nowadays it's been 10, 12 years that with how much more we're connected on that, they're doing much more in-depth training just because of how much more technology has come up and how much more we're connected, of how much more technology has come up and how much more we're connected.

Speaker 1: 39:02

Yeah, as we progress our technology, maybe this next article will be of aid to our military personnel at some point, but we'd be remiss not to talk about AI at least once an episode. We haven't brought up the cat thing yet, so I'm a little sad. So you guys better, if we're doing the tinfoil hat thing, maybe the tinfoil hat thing is taking the place of the cat jokes. We're so excited about the tinfoil hat thing I know Gold star for you guys.

Speaker 2: 39:33

We still didn't get enough out of Josh, because Josh could pontificate for quite a while on some of these conspiracy theories and UFOs.

Speaker 1: 39:41

We better pace ourselves on that one.

Speaker 2: 39:42

I gotta get more prepared he got shy on us, nick that's right, we all do as long as we are on that topic.

Speaker 1: 39:50

Briefly, you know, one thing that I do think is really interesting about the uap phenomenon, as there's been plenty of military personnel that have reported those things shutting off, you know nuclear facilities um, there's tons of stories about you know people working at military bases and and seeing these things on radar or visually, uh reporting them from an uh a fighter jet, for example, and then confirming that on radar. Lots of interesting stories. Whether they're true or not, I'll leave that up to the listener. But uh stories, whether they're true or not, I'll leave that up to the listener.

Speaker 3: 40:25

But you know we could only be so lucky to be protected by the grays. Speaking of the next episode with the hat.

Speaker 1: 40:31

Oh yeah, I'm gonna get a hat. All right, yeah, but you know, speaking of advanced technology, how can I make security more proactive and less reactive? This is coming from SC Media or SC Magazine dot com. In November 2022, the wider world suddenly became aware of the power and potential of artificial intelligence as chat GPT was made available to the general public. Practitioners were already familiar with automation machine learning, which they had been using for many years in the forms of security orchestration, automation response and static and dynamic application security testing tools. The addition of AI that can learn from its own mistakes and incorporate experiences into its learning model promises to greatly accelerate cybersecurity processing and implementation, as well as reinforce defense against new attack techniques that are also using AI. So you know, are you guys using any AI tools right now, or is there anything coming down the pipe that you're excited about?

Speaker 2: 41:32

Yeah, I mean I could probably talk like for an hour about this one in particular.

Speaker 1: 41:38

The top one, the newest one or your favorite, but in particular the top one, the newest one or your favorite.

Speaker 2: 41:43

Well, rather than that, maybe I'll just say that, because it's hard to pick just one right. Companies are integrating, let's put AI in quotes in their tools and saying it's AI. But I think we have to take just a half a step back, maybe, and just talk about what is the difference between, maybe, true AI and what ChatGPT may be like, which is a form of AI. Ai in that it's doing, essentially, it's just doing predictive language, so it is predicting out what the next word in the sentence will be, using millions, billions, trillions of data inputs. So you know just the sentence how AI can make security more proactive and less reactive. Right, Like it wouldn't make sense if those words were not arranged in that particular order. There might be a few different nuanced orders you could put them in, but if you just jumbled those words up, the sentence wouldn't make sense. But generative engine like ChatGPT is going to, having had indexed trillions of sets of data, is going to know how to form that sentence to what it believes to be the most prevalent of its training.

Speaker 2: 43:14

I was ready to go, I was going to put my hand on it. So where I like AI is to take the things like policy right, so an organization could have 20, 30, 40, 50 different policies and being able to interact with those policies through a chat feature. So like to be able to ask a question of the policies and then get an answer from the generative AI that has essentially ingested those policies just discreetly for that organization. That's pretty helpful, right? So, like what do I need to know if I'm going to go on vacation to France, or can I take my company laptop to Russia, for instance? And it would. As these engines get better, they're going to be able to interact with you to make your experience as a user better.

Speaker 2: 44:29

You know, today you'd have to like well, where does my company keep the policies? I got to go find that. Now I got to go read the travel policy. Oh, it doesn't say anything about technology. Now I got to go read the technology and governance policy.

Speaker 2: 44:39

Right, you know, you could spend half a day just reading policy and they're not always written in the most user-friendly language. And then you've got to understand what that means. And then you've got to know well, okay, I'm going on a trip. I think I have to submit a form. Where's that form? Right, you can spend half a day just trying to find out how you go on vacation and take your technology with you. Where, in an ideal, maybe more AI-friendly world, I'm going to France for vacation. What do I need to know to take my laptop with me? Well, you know, then, if there's a form that the company wants you to fill out, it could present you with a link to that form and kind of the steps that you need to take in order to go on that vacation and present it in a very user-friendly format.

Speaker 3: 45:26

I love that one. I was just going to say Josh was going to jump in. I think I've talked about this in a previous episode. One of the, I guess, more cool ways I've seen a 911 call center using this information is they have all these different operation procedures that they're doing when they're ingesting 911 calls. You know, there's all this new technology that they're using to call, text, video chat with users calling in 911, made for a structure fire. They're giving people instructions how to do CPR. You know all different kinds of things, but the turnover rate is so strong in those industries.

Speaker 3: 46:03

You know, let's say for a 911 call center that you might get somebody new that's on the overnight shift or what have you. Maybe they don't have all the support they need for a smaller County or something for any state and AI. This is kind of really similar to what Eric's talking about, but what they're doing is they're able to have this library of information at hand when they get a call, instead of a panic or not knowing what to do, they can simply put in a couple of key words and, boom, ai pulls up. Okay, this is step one through five. This is what you should do. This is how you lead them through this.

Speaker 3: 46:35

This is what you should do here, and it's you know, instead of spending, you know, three to six months potentially getting somebody up to speed to be a you know, really sharp at their job, they can spend much less hands on time freeing somebody else up for other functions. So I think that that really goes speaks to all industries, especially in IT. Right, we're constantly learning and moving and can learn things that way, but for what I'm speaking of, it's making you know somebody, that's you know, new to an industry, and something as important as first responding. Ai is really giving them power to be quicker and that benefits, you know, the individuals or the citizens of those counties.

Speaker 1: 47:18

That's great, yeah. And you know, it seems like the general thrust of this article was that shift in making cybersecurity less reactive and more proactive. You know, I know a lot of times we're dealing with things after they've already happened, but do you see this technology kind of weaseling out? You know problems that we might not see just by doing an assessment, for example, or making that a lot faster to do your assessments or your pen testing.

Speaker 3: 47:46

Really, when I look at this article and just by looking at the header or the title, I'm seeing things like manpower, know-how, different things like that, and it goes back to what I was just talking about. Well, you might have somebody on an overnight shift or somebody that's scanning a big blocks chunks of data, right, that firewall is bringing in. Or you just did an assessment. Well, this takes the human element out of it for error, for reporting, and you're able to go through big chunks of data much quicker and hopefully that puts us on the offense versus the defense to make changes quicker. You know, maybe we we didn't see you know a common or best practice used in a firewall situation or wherever. Wherever have you? You know we're able to make those changes much quicker because we found it and it's not always just left up to human error.

Speaker 2: 48:40

I'll give you two for instances on this. And the blue team side of security is mostly reactive today, unfortunately, right, an event happens and then how quickly can you respond to that event to protect the organization, that event? To protect the organization. And, of course, as the organization increases in maturity, you're doing things proactively to lessen the type of events that can occur. But where this could go is where you have AI that is constantly looking across your environment and then proactively telling you things that you may not be aware of. And I'll just pick a really cheap for instance where it could say you could get an email or a text message or a Teams message or whatever that says security engineer, teams message or whatever that says you know, security engineer, did you know that your perimeter is allowing connections in from Iran? And over the last X amount of time you've had X number of attempted connections from Iran?

Speaker 2: 49:58

Iran's a level four country, attempted connections from Iran. Iran's a level four country. General organizations aren't allowing level four countries to connect to them for obvious reasons, mostly nation state. But today we would have to write queries and look across anywhere from three to more than a dozen different places to understand if we're allowing communications to come in from X country, x organization, x IP, whatever right and proactively getting that information. Do you know that you have X number of IPv6 IP addresses, making connections outbound, right?

Speaker 2: 50:42

That might be something that your organization doesn't want? Well, you'd have to. You know, the security engineer is going to kind of go through their checklist of okay, here are the things that I'm doing on my weekly, monthly, quarterly, whatever check, and sure it may be scripted out. It may not be scripted out, but we as humans still have to come up with what are the things that we're going to evaluate for our security, for our organization. And having some general AI playbooks that are taking best practices, applying it themselves to your organization and then providing reporting as an overlay would be an awesome place to go. But I don't think we're there yet because we're still dealing with discrete tools Like you have an endpoint tool, you have a firewall tool, you have an email tool and you have governance tool and all different tools not likely by the same organization. So there isn't that overarching viewpoint to be able to help you identify where you may have risk across your organization.

Speaker 1: 51:48

Awesome, we got one more tinfoil hat question Get your tinfoil hats back on. This is AI related. Will this spark an AI arms race? Because obviously threat actors are using AI as well. So who's staying ahead of who here? Spark and AI arms race, because obviously threat actors are using AI as well. Sure, so you know who's staying ahead of who here, yeah, no, no.

Speaker 2: 52:06

Let me jump in on this one, nick, and I know you've probably got a good one too, but I just saw this yesterday I think where one of the companies that we work with got a QR code delivered in a phishing message. One of the tools caught it, one of them didn't, and it was interesting because the QR code in itself there was no malicious links in the email, just the QR code. The QR code was a call to action to scan the QR code to you know, to do something right. So if you ran that QR code, if you ran that email through a VM, say you opened it in a VM, in a sandbox, because you wanted to test where that QR code was going, it did direct us out to a benign site, I think it shot us out to eBay. But if you opened that QR code up on a mobile device, then it sent you to a Microsoft login page. So from an attack factor standpoint, I was like that's really cool.

Speaker 2: 53:25

It's detecting if it's being examined by a virtual machine, which certainly the ways in which the threat actors are crafting know. We're seeing that more often where they know they're going to be scanned. So they're using we'll call it AI to determine what's scanning them. It's, you know, it really is looking at what's the makeup of the computer that's running the checks or that's doing that sandbox work. But then it was cool because it's you know, this one involved both social engineering and some technical work. Where the social engineering is, let's break out of that walled garden. Right, the threat actor is presumably going to know that an organization has decent email security, but the security on the user's mobile device is probably not as good. So let's break them out of their organization's walled garden and let's go to their mobile device. So I kind of thought that one was cool more of a quote unquote AI forward tool and was able to detect that this was a potentially malicious email and block it.

Speaker 3: 54:47

That is really cool to hear, Eric. Actually and I was, when you were talking about the QR code, the only thing I could think about was how much Josh hates menus at restaurants from QR codes.

Speaker 1: 54:57

I thought you were going to say the QR code brought you to Rick Astley video. Never going to give you up. I thought you were going to get Rick rolled. But if I can find a way to hack all the menus with QR codes and change them to Rick rolls, I would do that. That would be a time well spent, I believe. So, hey guys, we're at an hour here right now. It's been a really fun conversation. Is there anything else that you wanted to chat about today?

Speaker 2: 55:20

before we wrap things up, Did you have any comments on that AI side of things, Nick?

Speaker 3: 55:25

Oh, I mean just to add on to it. I mean, I think it's inevitable that we're going to they're going to keep on getting better, right. But the arms race is going to be really interesting to play out and and really I think it probably benefits us, right. It benefits the users. If we get more players into the space, we're going to see better tools more quickly, for instance, like Eric you were talking about, with email phishing, things like that, and for people like me doing social engineering it might not be as good, because we might get detected a lot earlier.

Speaker 1: 55:59

Great information. Yeah, well, I love doing these news, uh, news episodes with you guys, and we had a chance to go live today Again. Um, this, this episode will be edited and then also published as a regular episode on our audio only formats. Um, spotify we have video on Spotify now. Uh, we're hosting videos so you can log into your Spotify account and give us a five-star rating. We'd love to hear your feedback on the audit on Spotify, as well as.

Speaker 1: 56:28

YouTube Like, subscribe, share and comment, and if you have any future articles that you'd like us to talk about, feel free to shoot them into the comments or email me at jschmidt at itauditlabscom, also taking requests for guests. If you have an interesting topic that you'd like to discuss on the show, please reach on out to me. You've been joined today by Nick Mellum and Eric Brown from an undisclosed location. My name is Joshua Schmidt, I'm a producer and tinfoil hat guy. You've been listening to the Audit. Thanks for joining us live today and hope to see you soon.

Speaker 2: 57:04

You have been listening to the Audit presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, or all our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, joshua J Schmidt, and our audio video editor, cameron Hill, you can stay up to date on the latest. Thank you.