The Audit - Presented by IT Audit Labs

Cybersecurity News – CrowdStrike, TikTok, and Ransomware Trends

August 26, 2024 IT Audit Labs

Stay informed with The Audit, your go-to podcast for the latest in cybersecurity insights, best practices, news and trends. In this month's news episode, we tackle the most significant developments shaping the industry today.  

We'll cover: 

  • The latest insights from CrowdStrike on evolving cybersecurity threats 
  • The impact of the Supreme Court ruling on cybersecurity regulations 
  • The massive 10 billion password leak and how to protect your organization 
  • Guard Zoo malware targeting military personnel in the Middle East 
  • How AI is transforming proactive cybersecurity measures 
  • Best practices for password management and multi-factor authentication 
  • The role of AI in optimizing and simplifying policy management in organizations 

 New episodes air every 2 weeks -- Don't miss out on expert insights that will help fortify your defenses against emerging cyber threats. 


Speaker 1:

Welcome to The Audit, presented by IT Audit Labs. I am your producer, Joshua Schmidt. I'm joined today by Nick Mellom and Cameron Berkland. We're here to chat about the news today. We're going to talk today about CrowdStrike. We're going to talk about Apple's new OS Sequoia, the DOJ, an FTC suit, TikTok, and we might even get into a conversation about password managers. But first I wanted to do a little icebreaker and ask you guys if you have done anything fun this summer. We're kind of in the dog days of summer here. So first week of August is over. Have you done anything fun or you got any big plans for the fall, Nick?

Speaker 2:

Well, I'm just going to shout out that it's super hot in Texas so I've been staying inside a little bit more. Uh, August is the worst, worst month, so it's consistently around 100, which thank god for AC, but, uh, I don't, haven't done anything probably notable, um, but I did get, um, just on Tuesday, uh, Starlink, Starlink internet, that's the satellite internet for backup, so I've been toying with that, so I've kind of been using that as the backup, especially if any systems go down, just as a secondary device. But I guess that's just my notable tech fun that I've had over the past week.

Speaker 1:

The reason I ask is I just got back from a camping trip, so we took our two daughters out into the woods. We did two nights. We were thinking about extending it to a third night in northern Minnesota, but we were pretty well exhausted by the end of the second day. Full day in the woods. But there's nothing better than swimming in a lake, in a nice crisp, clean northern Minnesota lake. It's one of my favorite things to do. I also like to paddle the canoe around and listen to the loons late at night by the campfire. Uh, it's a lot of work getting the car loaded up and everything and packed up and all the food. It's quite the list, but it's always worth it when we get there and, um, yeah, but now I'm home, back to work. How about you, Cameron? You got any big plans this fall or done anything of note this summer?

Speaker 4:

Yeah, I mean, I feel like my summer has been like. Just it feels like it's going away. It's already so cold today I'm wearing a sweater here. Yeah, it does feel like.

Speaker 1:

Minnesota. It's actually kind of refreshing though.

Speaker 4:

Well, that's true, because it was a little unbearably hot for a little bit there, and yeah. So I've just been. I feel like I'm running to some family event every weekend and now everything's just gone by so quickly. I'm trying to recoup what's left of summer. You know I want to try to do something, so I'm hoping to go out. My grandma lives on a lake up here. She has a pontoon, so I want to try to get out there at least a couple weekends this summer the water's still warm.

Speaker 4:

The water's still warm but I saw that the algae is starting to come out, so it's getting a little dirty.

Speaker 2:

That will happen. The summer is dwindling for you guys. Are you a state fair guy, Cameron?

Speaker 4:

Oh, I have gone probably twice in my life. Wow, okay. And I was thinking about going this year, but I don't have anybody to go with yet. I haven't found anybody that wants to go, so I might not end up going.

Speaker 1:

I'm good with kids. You could help us with our crew. You want to come with us, Nick. Sorry, what were you saying?

Speaker 2:

No, I was just going to say that we haven't made it to the Texas State Fair yet, but I think we're going to try this year. I think it's in October and it's almost a month long, so I'm looking forward to doing that. The big fair I would say down here, closer to Houston, is the rodeo in February, which is basically another state fair. Good times, a lot of crowds. So it's kind of get what you want, walk around, see what you want to see and that's that.

Speaker 1:

Do you have a belt buckle Nick?

Speaker 2:

I don't. I have not earned one yet, so I might have to jump in the ring with, uh, with the rodeo clowns.

Speaker 1:

You have to get one the size of, like, a pancake. I'll see what I can do before, uh, our next live. All hat, no cattle. I got a hat, it's downstairs. No belt buckle. Stetson?

Speaker 2:

Uh, no, you know, I can't remember what, uh, Resistol, I think that's how they say it. Yeah, you got to have some boots too, probably.

Speaker 1:

Oh yeah, multiple pairs. That's a standard issue for Texans, I suppose.

Speaker 2:

Standard issue. Yeah, you got to have a good pair of boots, good one for around the house doing some chores and another pair to take the wife out. Take the cats out, yep, take the cats for a walk. You need a good pair of boots.

Speaker 1:

I always thought it was cool, those rattlesnake boots that have the actual rattlesnake or the cobra or maybe the python or cobra or something that actually have the snake on the toe. You can get any flavor of boot you could ever want. We got to get a pair of those for Eric to be walking around the office with. Let's get that project underway, an early Christmas gift or something. That's on you, man?

Speaker 2:

I think you got the outlets for that down there, so we can put the IT Audit Labs logo on the side of the... There you go, made out of snake skin. For sure he'll be in on it. All right.

Speaker 1:

Well, I hope he's listening. Uh, yeah, Eric's taking the day off today, so I hope he's resting up. Um, we're going to jump right into it. So cybersecurity company CrowdStrike has published its root cause analysis detailing the Falcon sensor software update crash that crippled millions of Windows devices globally. I'm sure we all know someone that had a rough flight or a delayed vacation. So it gets a little technical here and I'm going to rely on you guys to break this down for us. So it says the Channel File 291 incident, as originally highlighted in its preliminary post incident review, has been traced back to the content validation issue that arose after it introduced a new template type to enable visibility into the detection of novel attack techniques that abuse named pipes and other Windows interprocess communication mechanisms. That goes right over my head. Can one of you guys jump in and break down what's going on here and what this article is talking about?

Speaker 4:

Yeah, I think we can talk about this a little bit. So essentially with the way the CrowdStrike Falcon works, is it needs like the lowest level of access to the system possible to be able to fully see everything that's going on for visibility purposes. So it runs as a driver, it runs in the kernel. What this ends up meaning is that any code that it executes, it's kind of up to it to validate it, right? Usually a normal application on the system is going to have checks and balances, whereas where the CrowdStrike agent is running, it's kind of running unchecked, right? It's up to itself to check it.

Speaker 4:

And what CrowdStrike was doing was pushing out sort of updates to these devices. And it was doing it. They were validating everything on their end, but what ended up happening was their validation process didn't catch this one little thing and they pushed it out to all customers at once. The update wasn't actually tested on any live systems, they just put it through their proprietary validation process and then pushed it out to everybody all at once and sort of found out what would happen in a real world scenario. As it happened.

Speaker 2:

It says further down the article here, too, where it, you know, opposed to the 20 supplied content... Yeah. Right, that's Nick's paragraph right there... versus the 21 that were in this update, and the 21st portion of it was the one that actually crashed the, the systems. Yep, yep.

Speaker 4:

So to get a little more technical with it, ultimately what happens was an out-of-bounds. So the CrowdStrike agent was expecting 20 input fields, right, and it reserved enough memory for those 20 and, um, the new update required 21. So it read past that memory that it had reserved, that 21st pushed it outside of the reserved memory, and that's what caused the crash. And since it's running in the kernel, there's essentially, um, it essentially just has to take down the whole system, right?

Speaker 2:

Which, which is unfortunate, obviously. That's why we kind of use that method of, let's say, you have one big square and then you have a square in the center, right, and the square in the center is like the kernel, right, where you have the keys to the kingdom. You have systems like Falcon running in there, what you want most secure, and everything outside of that center box is going to be like Office, you know, Teams, work things like that, and if they fail in the outer ring, it just brings on that application. And that's what we want, right, we want those lower game for ones. They can fail outside and that's fine, that we can troubleshoot it.

Speaker 2:

If it's running in the kernel like CrowdStrike Falcon, there's no way around it. It craps everything out, uh, everything goes dark. So that's why everybody was getting the blue screen and even if you didn't get the blue screen, you were still affected, um, and we saw this in all healthcare, you know, flights. Um, I know even a family member of mine, this is, you know, not a critical system, but was going to their service provider to get a new cell phone, not knowing that this happened because they're not in the tech industry, and there was a big sign on the door that said basically, we can't help you, so go home. And I'm sure we all have people that were affected by it. But I think that's the basis, Josh, of what had happened, what Cam and I were just talking about.

Speaker 1:

So lots of people affected and probably still dealing with it now. Was this like worst case scenario, or could it have been worse? Because it seemed to be really disruptive, you know, across the entire globe. I think this was pretty worst case for this, um, and I.

Speaker 2:

This was as real as it gets, obviously, because so many things were down critical systems and this was a real life tabletop exercise that people were flung into in the middle of the night and I think people thought it was either a cyber attack or you know an outage that they were having, you know, overnight. Overnight people, IT guys, gals, you know, were flung into action and had to start troubleshooting things right away. So I think this is as real as it gets. I think a lot of people were thinking we were under attack. Right, we're in World War III was kicking off systems were going down all over the place. But, uh, got anything to add to that Cam?

Speaker 4:

Yeah, no, it's. Um, it's pretty crazy how that one little thing ended up causing such a huge domino effect. It took down some critical systems and caused an incredible amount of disruption.

Speaker 4:

And there's been a lot of, I would say, criticism of Microsoft, and maybe even CrowdStrike as well, on having that kernel level access. For that reason, right, because obviously there was some validation, some checking that should have happened, that didn't. I think this was ultimately preventable, but it happened, and so now we kind of have to, we have to go back and look at how could this be prevented, ideally, I think. Some people say that there should be a sort of API for these things. Right, like we don't, do we really need to have the Falcon sensor running in the kernel, like as a driver? Shouldn't it have some sort of API to be able to access the system and prevent that kind of level of damage? Or, I mean, at the same time, CrowdStrike should probably do a little better with their testing methodology and make sure that they're not pushing out updates to every single customer at the same time without any real-world validation.

Speaker 2:

Yeah, it was. No matter which way you cut it, there's probably going to be a lot of after actions on how we can prevent these things from happening. But you know, I agree with Cam. Does it actually need kernel-level access? That's something we need to discuss. But I think, flinging into action, you know, a lot of industries, you know, found, you know, they're strong individuals that were ready to react to this. Cam and I work for a pretty big organization that we were involved with remediation, Cam more so than I, for all the downed computers and sending them to the techs on the ground at the site, because we had essentially strike teams out to, you know, bring back servers and everything that was affected. And then we also had, let's say, 2,500 to 3,000 machines blue screen. Yeah, we had to set up locations for individuals to come in and rectify this. Luckily, I'm remote and I did not get affected with the blue screen, so I was able to help pretty quickly getting those BitLocker keys to come back online. But, Cam, you were boots on the ground, correct?

Speaker 4:

Yeah, so for me I guess it ended up similar with what I. What what happened to me was I had my workstation shut down overnight, so when I had booted it up in the morning, it had already been reverted, and so I wasn't. I didn't end up being affected by that blue screen, so I was able to hop online. By the time I was up, it was like 7am at that point, so people were already, you know, in calls and trying to figure things out. Luckily, I was able to get online. Wasn't able to get onto the network, of course, because VPN wasn't working. I was able to use Teams and Outlook, and that's about it.

Speaker 2:

Yeah, I got a very frantic call from one of our colleagues pretty early in the morning and you definitely thought something big was kicking off and the frantic voice was well warranted. So there's still so much cleanup to do. I think the biggest question that we're dealing with is how do we prevent it, but we could probably talk about this for a whole episode. It's been affecting industries all over the world and, as we know, CrowdStrike is heavily involved with Microsoft and it's going to continue, probably continue that way, but just affecting so many different industries. The scary thing is, like the healthcare industry, right? On surgical tables or whatever people that use computer access for, whatever the reason might be, in those situations we certainly want to safeguard those industries. Not that they're more important, you know, than others, but critically life-saving devices, right, running on software like this is rather scary. Yeah, no, I agree, and it's, um, also important to mention, uh, what CrowdStrike's changing after this, some changes they've started implementing.

Speaker 4:

I don't believe they're going to be rolling out updates like these anymore to all customers. Some customers have staging environments. Uh right, this update obviously did not utilize any of that, so now you're going to have the opportunity to actually apply the update to a set of development systems, for example, before it takes down your entire network. I think CrowdStrike is going to take that a little more seriously.

Speaker 2:

I think it's kind of alarming too, just to show that you don't have to be in the IT industry to understand this, but just how easy this was to happen. Right, it was an update. It ran out of memory when it was doing the update and it brought so many industries to their knees that require the software. Well, require a computer, I should say, because it brought everything down. So just showing how easy it is to bring those things down shows the weakness that you can have, right, especially for a critical infrastructure. Like, you know, we have an article that we could discuss later about the water industry. Right, critical infrastructure like that goes down. That's, running this kind of software is, you know, very alarming. Yep, and that's.

Speaker 4:

That's the big takeaway. I've heard from a lot of people outside of the cyber security industry as well, as you know, if it took this one little thing to take down so many stuff like, or so much stuff. How vulnerable are we, you know, and how easy is it for like a nation state to do something like this in a malicious manner?

Speaker 2:

Right, yep Insider threat. You know you think about all those things. If it was as easy to push an update to bring it down and have that kind of effect, you know we need to to work on. You know policies, procedures, know how, having these conversations regularly and we you know we had a real life tabletop exercise, but I think, doing this more regularly right In a, in a practice environment. What are we going to do if this happens? This situation happens again. You can use this, as you know, instruction, or look at this to an after actions report on what happened, and then you know practice right, let's use this as an example. And how are we going to spring into action next time something like this happens? Hopefully it doesn't. I feel like we should be preparing like this is possible every day. So I just think this is a good example to practice on what we should be doing day in and day out. If you're in the, especially if you're in the IT industry.

Speaker 1:

It seems to me that, as Cameron said, it could have been prevented. It was a preventable situation. But my mind goes to just the ingenuity of human error is so vast that it's hard to account for everything. I was just talking to a buddy who lives in Arizona and they have the self-driving cars there, right, and then you can take the taxi with, you know, the self-driving car and these cars are still making mistakes and they're still learning and gathering that data.

Speaker 1:

But you know, the conversation revolved around it had gotten pulled over, you know, by a police, no one in, you know, no one in the driver's seat, because it had made a bad move. It was waiting in an intersection or something like that, that it thought someone was crossing but there was no one there. So the car was sitting in the intersection or something like that. But it's kind of hard to account for all of the crazy ways things can go wrong when there's just an infinitesimal amount of opportunities to fail. So, but yeah, crazy that this little human error that seemingly could have been prevented caused such a big, dramatic outage. And I hope, I hope, you know, that it, you know, kind of informs people going forward that, you know, to be on top of these things a little bit better, or yeah, don't roll out your updates to everybody. I'm really quite surprised to hear that.

Speaker 2:

Well, if we're going to, if we're going to do it, let's. Let's not do it on a Friday, let's schedule this for like a Tuesday or something.

Speaker 4:

Yeah, that was definitely the best part. It was on a Friday.

Speaker 1:

Do you think some of that is the climate that we're in of just rolling things out, letting the people do be the beta?

Speaker 4:

Yeah, and I mean CrowdStrike's always trying to be on the bleeding edge. Right, you know they're trying to stay competitive so they don't want to fall behind. Speaking of which, that segues us to our next article. Perfect segue. Yeah, perfect segue to yet another iteration of macOS.

Speaker 1:

This is the time of Sequoia. Yep, I think they have so many updates rolling out they're going to run out of California-type names to call their OS.

Speaker 2:

I love how they explain it, where they're talking about, all the engineers get into a van or whatever. They talk about this in their keynotes and they do whatever. They come up with these names. It's obviously a joke, but it's pretty fun. Yeah, it's, it's Catalina, now it's Sequoia. What was it like, they didn't have animal names. They've got all kinds of things. Yeah, Tiger, Leopard, Snow Leopard, Leopard. Yeah, that's what I was thinking about.

Speaker 1:

Wasn't there one that was this wine country recently, like Sedona? No, that's, that's, that's... No, there was one like that.

Speaker 2:

You can't think of it. What's the one? Weird one called Maverick. I think that was a while ago. That was the only one I can remember that wasn't a place or an animal. Yeah, well, at any rate.

Speaker 1:

Um, we're on Sequoia now, I guess, so I have to keep a close eye on my updates. I have mine turned off on my Mac just because I don't want to be running into any issues, but we'll talk about that in a second. Apple's new macOS Sequoia tightens Gatekeeper controls to block unauthorized software. Apple on Tuesday announced an update to its next generation macOS version that makes it a little more difficult for users to override Gatekeeper protections. Gatekeeper is a crucial line of defense built into macOS, designed to ensure that only trusted apps run on the operating system. When an app is downloaded from the outside of the App Store and opened for the first time, it verifies the software is from an identified developer. A couple of things I want to throw at you guys, and maybe we can pass it back and forth a little bit.

Speaker 1:

There was the first thing I mentioned of, you know, just rolling out these continual security updates, seemingly because it's the patching of vulnerabilities and whatnot.

Speaker 1:

In this case, you know, with third party software, you can run into the problem, which I have frequently, of getting an automatic update on my computer and then trying to sign into a recording software or maybe you're a gamer I'm sure this happens to gamers or any kind of third-party software that might require some hardware or some firmware and those developers aren't on the ball or just don't have the budget or aren't aware that there's an update being rolled out and all of a sudden it renders your software unusable.

Speaker 1:

It happened to me with Final Cut Pro. I was, you know, bellying up to the office computer here for a little editing work and, lo and behold, the Final Cut Pro would just not open after my last update. It would roll through all my third-party plugins which are meant for, you know, audio editing and whatnot, and then it would just stall. Ended up getting to the boss-level IT people at Mac where they take over your computer to figure out what's going on. And the guy had already, you could tell he had already done like 200 of these calls that week and he was just like, yeah, we already have it documented, so you're just gonna have to wait until they update. And I'm like, really, I can't work on my project today?

Speaker 1:

There's no, you don't have a worker for me? Yeah, because on Logic Pro and some of the other, you know, um, proprietary apps, they have at least like a command period, you know, while you're booting up, where you can get around, you know, scanning third-party software, sure, but they didn't have that, or still don't, um, seemingly have that for Final Cut Pro. So that's the first problem, right? Have you guys run into anything like that? I mean, I know you're not a Mac user, Cameron. Do you find that on Microsoft products as well?

Speaker 4:

Yeah, I only use Windows. Ultimately, I can't say I've run into anything specifically like that, but I think it is, you know, it has a lot to do with the separate ecosystems. Like Apple wanting to keep everything locked down, secure. Microsoft has to keep things a little more open, I would say, because of all the, you know, the larger amount of users that are using their software. Windows is designed to be compatible with a larger number of devices, you know, that sort of thing.

Speaker 2:

So I, this seems like very much an Apple thing to me, at least at first glance. I've run into this issue, but it's kind of because of my own doing, and I say that because I like to run the beta software. So, like I have the latest beta software on my phone, I, on my Mac, right now that I'm on, I'm on Sequoia, the beta software, to test the new things out. It's running very smooth. But on the Mac I haven't had any issues. But on my phone I've had some, you know, apps that I use daily. Every now and again, if you update to the newest beta, they don't open right, they just crash right away.

Speaker 2:

Luckily, none of those have been critical, but I haven't had anything directly affect me, like you're talking about, Josh. But I think a lot of times what I see, and this is, you know, going back years and years, is, let's say, on an iPhone you open it up and you had the new software install overnight and the next day or the day after that you might get a quick update that said, oh, we have to patch something. There's a security patch for something we found in the latest update, so they're quickly going to another update. So it's not directly affecting an application, but it kind of goes back, segueing to CrowdStrike. These updates come out so quick and they have to patch something that just came out.

Speaker 1:

So there's a lot going on here. But yeah, you get the update when you wake up in the morning and you're like on version 0.3 before lunchtime, right? The other workaround, I kind of forgot to mention this. Some of my buddies had the same issue. They were literally having to uninstall their OS and then go install a prior iteration of the operating system just to get their apps to work. I was not willing to go there because I just, seems like way too much. You just wanted to wait it out. Yeah, it just seemed like something could go wrong.

Speaker 1:

Although I'm pretty, uh, pretty diligent about backing up all my data. I usually do too. Yeah, since I have so much, um, so many sessions and things like that that I just can't lose or I might need to reference two years from now or three years from now, I store all my sessions on two external hard drives and a cloud, and I really try to take two or three times a year to go through all my data and make sure that it's backed up at least twice.

Speaker 1:

But, yeah, that's not really helpful if you can't open up the app.

Speaker 2:

So that's good practice, though, to do that.

Speaker 1:

Yeah. Well, Cameron, the other, you kind of brought up that it's kind of all in the ecosystem and I think that's another one of the issues, or could be seen as an issue, right? It's like now there's kind of this gatekeeping, you know, pun intended, around what can be accepted onto the App Store, what can you actually use on your Mac. If you're a Mac user, you probably are okay with that to some degree, but you might run into an instance where you want to use something that's not approved by the powers that be on the Apple side of things, and that could be politically. That could just be for edging out competition for their own apps. It's kind of probably a mix.

Speaker 2:

They are going through a little bit of an issue right now with major entities trying to sue them for this, so there is probably some fruit to that.

Speaker 1:

It's probably more cost effective for them to kind of ride that edge though. Right, and like just be the cutting edge, and if they have to take on a couple of lawsuits, so be it. You know, we'll kind of figure it out as we go. Yeah. Well, here's something I hope we don't have to deal with forever, but it seems like we might. Uh, Nick and I are parents, so this is something that's, you know, hits close to home for us.

Speaker 1:

Good to know, though, the DOJ and FTC sued TikTok for violating children privacy laws. As of August 3rd this came out the US Department of Justice, along with the Federal Trade Commission, filed a lawsuit against popular video sharing platform and TikTok for flagrantly violating children's privacy laws in the country. The agency claims to the company knowingly permitted children to create TikTok accounts and to view and share short form videos and messages with adults and others on the service. Yikes, I don't use TikTok often. I do post a few things on there and then immediately scrub it from my phone. But one of my first questions for you guys was, like you know, we know this is not just TikTok, you know violating these things. Why do you think that we see so much about TikTok? Maybe not as much these days about Facebook and Instagram Because Zuckerberg was getting a lot of heat until TikTok really took off. I feel like he's been a little bit more low key.

Speaker 2:

I think you're onto something there, and TikTok is casting a shadow over a lot of these other applications and really for all the wrong reasons. It's always in the limelight for something, and with all the users of all ages, it's like the cool thing is to have a TikTok and do the, kids do their dances or whatever they do. I don't use TikTok myself, but I think that's a lot of the reason we hear it. TikTok was also just like in front of Congress. I think it was like, what, six months ago for these issues like this, and it's alarming that it's involving children, right? I mean, if you're 16, 17, 18, right, you can kind of think for yourself a little bit more. But a lot of these were kids 13 and under utilizing TikTok, harvesting data and whatnot. But there's a lot to chew on for sure here. Yeah, I think.

Speaker 4:

TikTok is, I feel like it's been in the news just constantly for years now, just related to all these privacy concerns and, on one hand, the kind of stuff that TikTok collects is kind of in the nature of the application, right? I think Facebook, Google, you know, they all have their own versions of TikTok now and I'm sure they all collect similar, um. But I know that one big concern with, um, TikTok is that it's not based in the United States, or it wasn't in the first place, whereas our, you know, our Facebook and Google and stuff, that's at least on our own soil. Yeah, so the conversation really always is shifting to national security.

Speaker 2:

What are they listening? What are they spying on? So I think a lot of the threat is somebody needs to buy, or they want to force a sale of TikTok, it sounds like, to somebody like Microsoft or something US stateside. But yeah, I think that's the big reason, Josh, at least from my mind, is the buzzword of national security is why this is getting so much more attention. Yep, and it makes the politicians kind of look like they're doing, being hard on China maybe, or at least, you know, have that if we want to go there.

Speaker 1:

I'm sure that probably could be, yes. Well, yeah, and that's both sides of the aisle too, right? It should be. Yeah, because I mean, ultimately we want our own spyware, right, not theirs. I'm surprised no one's come up with a competitor yet. You know, I mean there's things that Instagram and YouTube are doing to, well, compete.

Speaker 4:

Yeah, I mean I feel like there's so many that have copied the format. That's how pretty much all short videos are displayed now.

Speaker 2:

You have YouTube has their Shorts, Instagram has Reels. They're all doing it.

Speaker 4:

Yep, it's whoever has the best algorithm.

Speaker 1:

Yeah, it seems like it's peaked a little bit. I know I did read an article recently that although they have leaned into that short form content, that long format content like our podcast, is still just as relevant and doing well in a different way. You know it's reaching a different audience. You know people sign on to look for different things. I was going to ask if you use TikTok or if you have played around with it.

Speaker 2:

I have played around with it, but I don't use it. My wife does. I keep trying to get her to delete it, but they get all their ideas, whatever else for kids' toys, snacks you can get recipes and whatever else. They claim they can learn so much on TikTok, so whatever, but I do not use it personally.

Speaker 4:

No, yeah, no, I don't use it either. My parents use it, though. They've really gotten into TikTok. They like the whole, you know, it's, well, it's a constant stream of content and of course it's perfect. It's always perfectly tailored to the person who's looking at it. You know, like the videos are very specifically picked out and there's something that you want to see, so it's easy to just keep swiping, scrolling, watching in the app.

Speaker 2:

You're engaged in there. What I was going to say before, to me, the big takeaway here, right, is, right, we want to ban, to banning TikTok, right, I don't want to get preachy, but I think this just shows that this goes for everything. You have to protect yourself. Right, we're depending on the DOJ and whoever else to potentially ban this. I know some states are even banning it, but it really shows that we need to, like, govern what we're doing, not just like, oh, I'm sure they're not doing anything bad with our data or whatever else. Really, it shows like, what, what's going on your kids' phones, yada, yada, and I think this, that segues into the password conversation about logging in and logging out of devices. But, uh, yeah, I think there's a, there's a lot here, like we talked about. I don't foresee it going away anytime soon because it is just a juggernaut of an application. So hopefully something can be, you know, fixed by either a purchase or dissolving it into something else, it being absorbed to Instagram or Microsoft taking it over or something.

Speaker 1:

One of the big music companies, I can't remember who it was, I'll just leave that out, was recently, I can find it on Google, but quick search, took all their music off of TikTok, and musicians are just freaked out because that's the best way to reach people right now. And I've even heard about people being signed by a record label that won't release their next single or their next album until they manufacture a viral TikTok moment. Oh, that's interesting. So, yeah, they have since rectified that situation or sweetened the deal for them where they're allowing their music back on, I'm sure more money going into the pockets of the corporation, I would assume, um, because I haven't seen any, uh, windfall from the artist side of things. But, uh, unfortunately.

Speaker 2:

But, um, wasn't this kind of like Vines? Do you guys remember Vines back in the day? I never, really ever, used that either, but I thought that it was similar. Right, artists could go on there. Right, they post their music. They get discovered that way. So it just seems like this is maybe just a newer version of that. I could be wrong, just a side thought. Yeah, no, I think that's a similar idea.

Speaker 4:

Vines were limited to, I think, like six seconds and I didn't even use them. I didn't even use it much when it was a thing, and of course then it was gone before I was even able to download the app, basically.

Speaker 1:

Was that a Twitter offshoot, Vines?

Speaker 4:

Yes, I don't know if it started out that way, but I know Twitter definitely acquired it at one point.

Speaker 1:

That may have been what tanked it. I actually was on tour in Texas not too far from you, Nick, in Austin in 2000, I want to say, 2016. We, or '15, we met Matt King, who was, you probably don't remember the name, but he was the Vine star at the time. He had like a video of him in the car like doing this head bob thing with like a funny face, but, um, that's my Vine story. I do, I do remember Periscope on Twitter.

Speaker 4:

Do you?

Speaker 1:

Remember Periscope? Yep, I may have known some people, not saying I did this, but I may have known some people that watched some free boxing matches on Periscope, got on some pay-per-view, and that got shut down rather quickly, I believe.

Speaker 2:

That was a Twitter Periscope. Wasn't that a Twitter offshoot as well?

Speaker 1:

Yeah, I believe it was. It was like a walkie-talkie feature social media where you could just video someone instantly and connect, but people were using it to broadcast, like I said, football games, and then, you know, you got a hundred thousand people broadcasting a boxing match and then they get shut down and then 20,000 other ones spring up and it was just like a game of whack-a-mole.

Speaker 1:

So, you know, another one of those circumstances where maybe you didn't think through all the consequences before rolling out the software. I don't think that's going to change anytime soon, unfortunately. I agree.

Speaker 1:

But before we change topics and I'd like to segue about the password management, but um, before we segue, let's just remind our listeners what we can do with our kids, at least to keep them safe. I want to give a shout out to our episode. I think it was in the 30s, maybe it was Andre Champagne, or maybe it was even the late 20s.

Speaker 1:

We had a guest named Andre Champagne who was a forensic cyber investigator for Cook County in Illinois and a couple of the takeaways that he remembers that I remember from his speech was that you know, if you can help it, don't let your kids be in a locked room or a bedroom with a tablet or a phone or a computer. Put the stuff out in the living room, make it a public space use only for your kids so you can monitor everything that's going on. Because you know, as parents, we all want to have privacy for our children, give them some freedom to to go out into the world and kind of explore, but at the same time it's really our job to make sure that they are not getting preyed upon or in any kind of trouble. So you know, at the end of the day, privacy is nice, but having your kids safe and is probably a better option.

Speaker 1:

And nicer, it's even nicer, yeah. So that was one of the takeaways from that I remember. Nick, do you remember any of the other ones that he had mentioned?

Speaker 2:

I don't remember anything that he mentioned, but I think, you know, one of the, you know, tips that comes to my mind is, I think it mentions it in the article here, is using the functionalities built into the app to either limit time for the kids on there, so limit how much time they can actually spend on that, because Cameron was talking about it, his folks use it and you get that rabbit hole, right. You just keep going and, you know, TikTok's issue with you letting children under 13 use the application. It subjects them to adult content, right, things that, you know, maybe they shouldn't be seeing or aren't ready to see yet. So I think, you know, using the functionality, the shared accounts, right, so you can see what they're seeing. You can review, you know, the items that they have already seen or potentially could see.

Speaker 1:

And then limiting the time they spend on the app, I think would be two big takeaways for me. How about you, Cameron? Do you got any golden nuggets to share with our listeners?

Speaker 4:

No, I think you covered most of what I would say. Ultimately, it's just about limiting the screen time, because it's too easy to sit there for endless amounts of time because the stream of content never ends.

Speaker 1:

Yeah, that's on the user side, but also thinking about just on the privacy side.

Speaker 1:

I've seen a lot of people and try not to cast and their birthday and what school they're going to, and you know, and it's you're giving them all that information, you're giving everyone all that information and, you know, at the end of the day the children have no consent over what is being shared. So, you know, it's almost kind of as a, as a benefit to your children. You know, as fun as it is to get those likes and that dopamine hit and to share everybody with everyone that your child is cute and growing up and you're doing a great job as a parent, I think it's even cooler to really put their safety and protection first and maybe just share that. My wife and I use an app called Backthen. It's still cloud storage, so we're still careful about what we post on there, but it's only shared with people that we let on there, friends and family. It's a great way to share those moments with people but also still have them be a little more private.

Speaker 2:

I think that was a good tip, Josh, that you brought up, censoring what you're putting on there. In the military we were trained on this. We would call it operational security. Right, don't post where you're going on an operation. If you're deploying, you know, movements. It applies here. You know, maybe if you're taking a picture of your house, don't put the address on there. You know, wherever you're going or whatever you're doing, it's certainly like what you're saying, Josh, at your kid's school, your teacher's name, the address of the school, it just, it really puts our kids into a, you know, a sticky situation, right, that they, like you said, Josh, didn't consent to, they don't know about, right, they're young and, you know, we don't even be subjecting our kids to, you know, to that kind of behavior from, you know, unknown entities.

Speaker 1:

I got one more for you. Cameron, probably don't do this. You don't strike me as a guy that posts his food like Nick does. My last tip was to wait till you're done with your vacation to post your vacation pics. Wait till you get back home, you know. Just stagger it by a week. If you go out of town, you don't need to tell everybody we're leaving that day, and that way you still get to share your trip if that's something that's important to you. But you're already home. So you know it already happened. People don't need to know where you are all the time.

Speaker 4:

And they don't. Yeah, they don't need to know that you're gone, that your house is empty. Hey, my house is empty with all my stuff in it and I'm not gonna be home for a week because I'm in Hawaii or whatever.

Speaker 1:

Yeah, these are social engineering gold mines. Yep, I'm gonna do a shout out to Eric Brown here and say, Nick, you need to start a TikTok account for Mr. Meowgi.

Speaker 2:

I was waiting for it. We made it like 48 minutes before the cats got brought up. Shout out to EB out there.

Speaker 1:

All right. Well, we have one more thing to talk about that's been relevant to us and we'll wrap it up with this. Today I'll share my experience. I just switched over to Bitwarden for all my passwords and cleaned up my security and it was rather painless. It was just a little time consuming. I was a little freaked out to do it, just because it's not fun downloading a CSV file and, you know, logging into 18 different websites and then looking at your phone, looking at your browser, trying to like, suss out, how am I doing this? Because we get so used to like how we log into things and we just want it to go quick because we're trying to get our work done or whatnot. So, but I'm happy I'm switched over and still got a little bit of work to do.

Speaker 1:

But yeah, I did realize I did need to download the desktop extension for my desktop and then a browser extension and sorry for my mobile as well, and then the browser extension for whatever browser I was using within those devices. So it's kind of a multi-step process. So you got to have the main sign in and master key, but then you also kind of have to integrate them into your browser. But once you kind of get past that stage. I felt like it was very seamless. So when I'm now logging into websites, it's coming up right away and I'm kind of back to where I was flying through websites. Do you guys use these and do you have anything to add to the convo?

Speaker 4:

Yeah, sure, I mean, I've been using Password Manager and it's Bitwarden for quite a few years now. It was a situation where high school I was, you know I had to have accounts for things. I would just, you know, maybe use variations of a password that I used before. I never needed a password manager. I was like you know, that's too much work, too much work to set up a password manager, and it can be especially if your password, if your passwords, aren't already stored somewhere.

Speaker 4:

It can be a lot of work to start getting all that into a password manager like Bitwarden. So it ended up being like ended up taking probably a few months for me to actually finally get all of my accounts in there, because they weren't all in a password manager before. But it's worth it. Once you have it set up, it's not only way more secure you know every single password is different but it's easy, right? You can use your fingerprint to unlock Bitwarden and it autofills your passwords for you. So now it's like I lived without it for so long. Now I can't live without it kind of thing it's. It's made life easier and more secure.

Speaker 2:

You just, you hit it on the head, Cam. I was going to say that there's not many situations that you can say are more secure and easier. Yep, right, and here is a perfect example. I, obviously I use one myself, but I'm going to go against the grain. I use Proton, Proton Pass. It works the same as Bitwarden, but I have it on my phone and all my computers, iPad, things like that, and, you know, I used to, well, this is probably three, four years ago now, I got all my passwords off, off Google and get the CSV implemented there, so it's pretty easy for me to switch over.

Speaker 2:

I think one good thing about these services is they have a password generator built in, or whoever. One of the big pieces of advice is we always give to anybody is to don't use the same password for every application or every website, so on and so forth, and this makes it really easy because it will suggest the password. You don't even need to think about it. It will autofill it, save it, put your email on as a username. So again, just another step easier. But yeah, if you're not using a password manager, I highly recommend you start. You don't need to spend a bunch of time getting set up. I think you can if you start it and you can implement all the passwords you already have. But just let it evolve right. Just keep getting passwords in there slowly as you create new accounts, things like that.

Speaker 1:

When you switched over, did you realize how many junk username and passwords you have? Because, you know, when you update your password or you forget your password and then you go make a new one and it's still stored in that CSV file or in that passkey. So I've been like sorting through tons of just junk username login credentials.

Speaker 4:

Yeah, no. As time went on and I started adding more and more accounts to it, it became very clear how much of a problem my password practices were at the time.

Speaker 2:

Diming himself out.

Speaker 4:

There was a time when I typed in all my passwords and there was not that many variations. Obviously, after four years of going to school for cybersecurity, I cleaned that up a little bit.

Speaker 2:

Changes your tune pretty quick once you see how nasty it can get.

Speaker 4:

Yeah, yep, so, and like, for example, Bitwarden has, it allows you to have some insights into password reuse and things like that. You know that's pretty common for most people. Most people are going to have a lot of password reuse and if you're able to get all your passwords into a password manager, you can see the numbers. Like, here's how many times your password has been reused.

Speaker 2:

Right? Yep, I think even on the iPhone it does that too. If you go into the passwords area on the phone, it will show you oh, I have five, I have 20, I have 200, or whatever it is. Passwords have been reused. And I think it even gives you an option and a link to change it and it will automatically go to the website to help you update your password.

Speaker 1:

And that's what I was going to call it. That was the biggest pain is to log into the website and then go change it, because every website's different. The next level I would love to you know maybe this will get out across the algorithms to a developer at Bitwarden. I'm sure they thought of this. But wouldn't it be great if you could just change it right in the Bitwarden app or the ProtonMail app, where you didn't even need to log into the website, whether it's Google or Netflix or whatever? It just pushed it out for you and you could do it all right there.

Speaker 2:

It could be slick. It sounds a little scary to me having that connection. Make sure you have MFA set up.

Speaker 4:

Yep MFA.

Speaker 1:

Cameron doesn't like that idea.

Speaker 2:

It makes me a little scared, but could we get there Maybe?

Speaker 4:

I like the idea of the convenience of it, of course, but there's always the trade-off of convenience and security.

Speaker 2:

I'm going to say no just because of all the connectors to that one that it would take to get that to work Again. Fantastic idea. If you can implement it properly, you won't be sitting on this podcast anymore.

Speaker 1:

The first one's free. I got a lot of ideas. This is why you guys are the experts and I'm just the producer.

Speaker 2:

It's a great idea. We'll leave it at that.

Speaker 1:

Hey, well, it's a great spot to leave it today. I had a lot of fun chatting with you guys.

Speaker 1:

We're joined by Cameron Berklin and Nick Mellon of IT Audit Labs. I'm your producer, Joshua Schmidt. Today we've been talking about some news and then a little bit of extra about Bitwarden and password managers. If you want to hear more, we have all of our episodes on Spotify, Apple, Amazon. You can find us on YouTube. We have shorts that come out several every week and please subscribe, like and share it with your friends. You've been listening to The Audit presented by IT Audit Labs. Have a great day and we'll see you in two weeks.

Speaker 3:

You have been listening to The Audit presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J Schmidt, and our audio video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, Spotify or wherever you source your security content.