The Audit - Presented by IT Audit Labs

Social Engineering to AI Ethics: Wild West Hackin’ Fest 2024

IT Audit Labs Season 1 Episode 53

In this episode of The Audit, we dive into key takeaways from a top cybersecurity event. From IoT hacking and RFID bypasses to AI governance and vishing bots, we explore the tools and strategies shaping security. Plus, real-world lessons, social engineering insights, and a few unexpected laughs—because security isn’t always all business. 
 

In This Episode We’ll Cover: 

  • RFID hacking and social engineering insights from WWHF. 
  • Cameron’s IoT hacking training highlights. 
  • AI advancements and governance takeaways. 
  • Challenges with regulations and compliance in cybersecurity. 
  • Project management lessons inspired by Elon Musk. 

 

Thanks for joining us for this glimpse into one of the year’s most unique cybersecurity events. Don’t forget to subscribe and share this episode with your team—we’ll see you at the next conference. 

#WWHackinFest #InfoSecConferences #Cybersecurity #AIThreats #IoTSecurity #SocialEngineering 

Speaker 2:

All right, welcome to The Audit presented by IT Audit Labs. I'm your co-host and producer, Joshua Schmidt. Today, we're joined by Cameron Berklin, Nick Mellom and Eric Brown, as usual. Thanks for listening. How are you guys doing today?

Speaker 3:

We're doing great. Awesome. Happy to be here.

Speaker 2:

Yeah, great, as always. Well, you know, I always start with an icebreaker question. This is one where maybe you have to put a little thought into it. The icebreaker question is: when was the last time you tried something for the first time? I'll go first to give you guys a chance to think about it. Don't think too hard.

Speaker 2:

So I did a conference a couple of weeks ago and it was the first time I tried a sweat lodge. I was in a tent with 30 guys in the dark and it was cool. It was like a spiritual sauna, you know. We had a healer, a shaman guy, singing songs, and it was completely pitch black. It was a little claustrophobic and there was a lot of smoke from the fire, but yeah, it was a very interesting experience, definitely the first time I've tried it. I'm 39. I'm going to be 40 here in a couple of days, so you know, there's not a whole lot of new things. When you start hitting middle age, you're running out of runway. Yeah, you're running out of runway and you don't get as many first-time things.

Speaker 2:

So I enjoyed that. It was different, it was new, it was a nice experience. So, okay, anyone else want to share? How are we supposed to?

Speaker 1:

go after that? I know there's something a lot more boring. Go ahead, Cam, hit us with it, because I've heard about sweat lodges before and I can't say I was ever tempted to try one. But so mine is a lot more boring. This week I tried all-dressed flavored chips. This is a Canadian flavor of chips that you usually don't find here in the US, but I saw them at Walmart and gave them a try. Well, yeah, what was it called? All dress? All dressed, yep, all dressed.

Speaker 3:

What? What's the flavor? Can you... It's like a mix of flavors.

Speaker 1:

Yeah, basically the ones I had were onion, tomato and vinegar. It's all that combined together and it's just like a tangy, kind of like ketchup. It kind of tastes like a chip. Would you buy it again for two bucks?

Speaker 2:

Yeah, I would buy it again. Do you remember Clearly Canadian? Did you guys ever drink that back in the day from the gas station? It was like a sparkling flavored beverage. I don't think I've ever heard of it.

Speaker 4:

Speaking of weird flavors, isn't there an Oreo cookie Coke out now?

Speaker 3:

I have seen that I've not tried it. I have heard of it. I saw it's sugar-free. We should probably get those Coke-flavored Oreos and try them live on the next podcast.

Speaker 1:

Yeah, I was wondering how much it could possibly taste like Oreos, given that it doesn't have sugar in it, which is kind of Oreo's primary component.

Speaker 3:

This is exactly what the listeners are coming here for. These are the hard-hitting questions.

Speaker 4:

Yep, what was your?

Speaker 3:

first, Nick. Oh my gosh, I've been trying to think. Well, I mean, if I want to play it safe, you know, Wild West Hackin' Fest was my first big security conference.

Speaker 4:

Oh nice.

Speaker 3:

That was fantastic. Notably, I drove my first electric car last week. Two weeks ago, my folks ordered a Model Y and they test drove the performance version and, holy crap. You're like a hippie now. Seriously, I was whipping that thing around the streets like a goddamn golf cart. That thing is so fast, I couldn't believe it. It was really fun.

Speaker 2:

You'll have to try a sweat lodge.

Speaker 3:

Now I could cap all this off with the sweat lodge. Eric's got to have something good.

Speaker 4:

What did I do? This is a couple weeks old. I went for the first time in a glider, so that was fun. Oh yeah, you know, where they tow you up behind the airplane, and that was a lot of fun.

Speaker 3:

How long did you stay in the air doing that?

Speaker 4:

About 15, 20 minutes. The glider I was in had, I believe, a 38 to 1 glide ratio, meaning for every 1,000 feet that it would descend, you could theoretically go 38,000 feet horizontally. A mile is just over 5,200 feet, just for comparison. But they tow you up to, I think we went up to 3,000 feet, and then you circle around the area looking for thermals.

Speaker 4:

But we did get into a thermal. You're sitting one behind the other, so you're in the front and the instructor is behind you, and we got up and then there was a Walmart parking lot just kind of off the end of the runway that we were circling over, because that parking lot generates a lot of heat. And then there's an uplift, right, there's an updraft coming from that, and that's those thermals. Birds of prey circling, like an eagle or hawks, they're just kind of circling around and going up and moving between thermals. And you can also tell a thermal in some cases where you'll see clouds that are maybe three or four thousand feet off the ground, like these little circular cumulus clouds, and that's from the warm air rising, and then as it rises it cools and then it condenses and that forms the cloud. But the thermals are under those clouds, so you'll see birds sometimes in there.

Speaker 4:

We were in a thermal with a bird and, you know, we're in the glider, you're trying to stay in the thermal, so you're in a pretty tight bank, like a 45 degree bank, and you're just circling around. When we started out the bird was below us, and then like two laps in the thermal later, I wasn't doing a very good job staying in the thermal, I could look and he's way above us. But the glider instructor was saying that the bird, he's seen them, sometimes he thinks their eyes are closed and they're just feeling the thermal in their wings, which I thought was pretty cool.

Speaker 2:

So how do you land something like that, Eric? Do you just stay close to the runway and kind of judge how much time you have left before you need to start making an approach?

Speaker 4:

Yeah, they have competitions, or just, you know, people who have gliders that want to go long distance. You can go thousands of miles in them. You know, bring your pee bottle, but you can go long distance in the gliders. And for us, as we were practicing, we stayed within 10 miles of the airport, and then when you get close to the airport, you want to enter the airport pattern around 1,000 feet, and then as you get close, you're kind of flying a square pattern at that airport.

Speaker 4:

And then the glider, a little different from the smaller airplanes, has speed brakes on the wings, which is essentially about a four foot section that's about the width of a railroad track, maybe, you know, three inches.

Speaker 4:

That rises up out of the center of the wing when you pull a lever back, and that really causes you to descend quickly. So you get your landing where you want to land set, and then you deploy about half of the speed brake and you come down at a pretty decent angle. You're looking to land, in this particular glider, at about 60 knots, a little over 60 miles an hour, and then you just come in over the runway and you're just practicing holding it off of the runway. You're maybe about a foot off of the runway. It's got a wheel in the front, a wheel in the back, and you're just holding it off, holding it off, and then it just sinks down and lands on the runway. Then you pull the lever, the speed brake lever, all the way back and that brakes the wheel. And then you come to a stop and get out, hook it up to the golf cart and tow it back to the beginning of the runway.

Speaker 2:

That sounds like a lot of fun, something more fun than the sweat lodge. I'd be sweating like a sweat lodge if I was up in a glider, where I think, uh, there's zero chance. No, no, don't say that, Nick, don't say that. Zero.

Speaker 4:

I will have my license next spring. When you come up, we'll go out. I'll watch from the ground.

Speaker 2:

Speaking of watching from the ground, first time, I thought you guys would get a kick out of this, since we've talked about UFOs. I saw Starlink the other night on my dog walk and I thought I was witnessing a UFO, because I had no idea that's what it looked like. Yeah, I was full to wrap that mode.

Speaker 2:

I was very excited for about 15 minutes until I realized what I was looking at. But yeah, I've never heard of that. I mean, I guess that's starting to be common knowledge. People have been seeing it a lot. Have you guys seen it?

Speaker 4:

Yes, a few times. You have?

Speaker 2:

Okay, well, yeah, I mean, no one gave me the memo, but yeah, it was about 30 lights in a straight row flying silently across the sky. It was pretty impressive.

Speaker 1:

So I guess at some point, are they supposed to break up or go into different orbits? Yeah, they spread out over time. They start really close together and then spread out as they orbit. So I've seen them when, like, soon after they launch them, they're like a really close trail, and then as it goes on you start seeing them one at a time. Do you guys have a Starlink?

Speaker 2:

No, Eric's been using it.

Speaker 4:

Yeah, whose did I use? Oh, on that vacation there was a VRBO that we had one at.

Speaker 3:

It was great. I do have one, but I've only used it a few times.

Speaker 2:

So how does it look? Like a little device. Is it like a little modem?

Speaker 3:

Yeah, you get the dish, this flat satellite per se, and you put it on the ground and it's got, I think, like a 40 or 50 foot cable that runs to a modem router combo. Plug it into power and away you go.

Speaker 2:

Well, I love that you said your first conference was Wild West Hackin' Fest. That's what we're going to chat about today, and I'll tie that in by saying I know Eric flew out there. Yeah.

Speaker 3:

We did. I watched him land when picking him up from the airport.

Speaker 4:

I was trying to get Nick in there. He didn't want to go. I was like, let's do a hot lap, Nick. He was pulling some funny business on that first landing and I watched it. And I was like, we know, Jayden and I came in, we're just chilling, we're listening to jazz music on the way over, it's all chill. And then we came in a little hot on the landing, so we just had to go around to get lined up a little bit better. It wasn't that simple.

Speaker 3:

I was watching him on the runway and he's like three feet from the ground, and the plane's like, and goes back up like this, and I'm like, yeah, right, that's why I'm not getting in that thing. I don't know if it's an Eric thing, I just don't need to be off the ground.

Speaker 4:

Here we go, here we go, okay. So we're coming in, we want to land at about 80 miles, or 80 knots, on this particular plane. So we're coming in. It's a tricycle landing gear, so it has a front gear and then two wheels underneath the wings. So we're coming into the runway at, where did we land? Deadwood, Spearfish. So the runway is actually, it's kind of where we're coming in.

Speaker 4:

I forget the runway alignment, but where we were landing, I think we were coming out of the east, the southeast. The runway is upsloped. So when we're coming in, and the runway is not flat either, there's like a hump in it, and we're coming in to land, we're coming in a little hot, I did say that, about 85. So we're bleeding off speed and then, just as we're about to land, it's got this lump in it. The front wheel touches the lump, right, comes back up, and I was like, all right, I'm not going to fight this thing, let's just go around. Full power, go around, get lined up, smooth landing, done. That was not good enough for Nick, though, apparently.

Speaker 3:

Me and another colleague were standing there and I'm like, what the heck just happened? And they were like, back off. You could hear us on the radio too, couldn't you? I was inside the, I don't know what you want to call it, waiting room? And yeah, I could hear Eric calling in from quite a ways out, like 20 minutes out, you were calling. It's a nice airport, though?

Speaker 4:

Oh yeah, it's awesome. It was great.

Speaker 2:

Have you seen this airport, one of the scariest airports in the world, in Nepal?

Speaker 4:

Lukla? We've heard of that one. Is that the one where they've got to come in between, like, the mountain pass? Yeah, it's like literally on the edge of a cliff.

Speaker 3:

I thought the one in Vail or Aspen. Is that real right there?

Speaker 2:

Oh yeah. So I guess it's in the Himalayas or near there, and yeah, that's when I always think, I think I saw it in one of those, you know, History Channel 25 most scary airports in the world. That looks like it's AI, like an AI picture.

Speaker 2:

I'm glad you're being safe, though, Eric. You know, erring on the side of safety is always a good thing. So you guys got there, what do you do? You check in, you get badges. Was it connected to a casino, or what's kind of?

Speaker 3:

It was.

Speaker 2:

You know what's the first impression when you get this?

Speaker 3:

Deadwood, South Dakota, for a Hackin' Fest? So, yeah, after the grand time at the airport, you know, we made it back to the hotel, which is awesome. What's?

Speaker 3:

the hotel called again? The Deadwood Mountain Grand. Yeah, Deadwood Mountain Grand. You check in. The hotel's fantastic. I think the atmosphere is really cool because everybody's like-minded, everybody's there looking to have a great time, learn a bunch of things, collaborate with all these great people that are coming from all over the country. You get your badges, which I think Cam has his as well. It's not like a normal badge, you know, you get pins.

Speaker 2:

Love the UFO.

Speaker 3:

Yeah, it's got the UFO and it turns on and there's a bunch of challenges you know you do with it. So they have a, you know, besides the conference, there's, you know, extracurricular items that you can do besides going to all these classes. But anyways, yeah, you know, you go check in and you get your badge, and you get your Root Tootin' Roundup book for all your stamps, so you can get the sheriff badge. So we did all that and we may have paid a visit to the casino.

Speaker 4:

One visit. Yeah, Uncle Eric had us going on craps and roulette. It was a good... Roulette was a mistake, the roulette was a mistake. Yeah, I'm disappointed in the roulette.

Speaker 4:

Yeah, but it was a fun time. I think one night we were at the Roundup where we went. They have a vendor stampede where there are different vendors at different bars, let's say six different bars in town, and then you take that book and you go to that particular area. You meet up with other people at the conference and get your book stamped, and there may or may not have been whiskey tastings and moonshine tastings along the way.

Speaker 3:

Yeah, at each vendor, when you're getting your stamp, there's like a trivia question or something about their tools or some sort of fun, I don't know, kind of icebreaker question that you do, and then when you answer the question correctly, you get a stamp and then you get a drink ticket for the bar. So, you know, it's a good way to start conversation with people you've never met before, with your team, and I think it's a really good way to start out the conference, because the next day you're rolling into all kinds of... They have four different tracks where you go to different classes and you know you can review the classes, bounce between other ones. And actually, kind of notably, maybe before we get more into the conference, Cam actually did the pre-conference training, which is two days before the actual conference. Cam, can you elaborate a little bit on what training you did and what it was like?

Speaker 1:

Yeah, yeah. So the pre-conference training is one of the big things that Wild West Hackin' Fest offers. So for people who want to do it, you can show up there on Monday. They have a training dinner for everybody who's attending the training and then you do your training on Tuesday and Wednesday. The one I did was intro to IoT hacking. So this was mainly hardware focused.

Speaker 1:

We were working on actually looking at the firmware in microchips. For example, we had a little router that we worked with where we put a, it's called a chip clip, on it. It's got the pins to read the chip. You just kind of put it on top and it kind of snaps onto the pins of the chip and it reads the firmware off of it. And we also got to solder. I've used a soldering iron before, but I found out that it's very hard to use one after I've had a cup of coffee. It's very, very precise work and the first two pins I soldered went pretty well, but the other one was kind of a mess.

Speaker 2:

I've tried my hand at a soldering iron before, using it for my guitar cables and stuff.

Speaker 1:

That's tricky business. Yeah, yeah, and what I found is, if you get it right, like right away, it goes great. But if you have to mess with it a little bit, it just all goes downhill. It's one of those things that gets worse the more you mess with it.

Speaker 4:

Did you get it on there?

Speaker 1:

I did. Everything worked. We soldered a pin header on so we could communicate with the router over serial. Okay, yeah, so most IoT devices have serial headers like that, but they don't put them on there, right? Because they don't want people to interact with the device through a console. So what they did for us was they already got the device all prepped and stuff. They removed the solder out of the holes on the board, and we got the header, got the soldering iron and we had to solder that little tiny header on there. And then we got a sort of adapter, plug the pins in, plug it into the device, plug it into our laptops, and then we get to communicate with the device over serial and see what that's like.

Speaker 2:

So was this so you could do some actual hacking activities? It seemed like, through the pictures that I saw of you guys there at the conference, that you were maybe breaking into some RFID doors or doing some kind of live hacking. Tell me a little bit about that. That looks fun.

Speaker 1:

Yeah, that was part of it as well. As far as the intro to IoT hacking goes, the big thing was how do you utilize these devices, like the firmware that's built into them, to get into them, right? Because a lot of these are pretty much all Linux-based, with just kind of a basic shell that you can interact with.

Speaker 3:

So we learned how to upgrade the shell to a full Linux shell so we can do more with it, and things like that. I think, you know, Josh, getting to... there's so many things going on at the conference, like you couldn't possibly do it all, so you kind of pick and choose different classes that really curate, you know, what you want to get out of it. So, for example, I think the first day I was in a lot of social engineering classes, some deepfake classes, some AI classes, and a lot of these stem from, you know, governance to AI, to how people are using AI, to where we're seeing deepfakes and how we're combating it. But, you know, we're talking about the Roundup, like the vendor stampede, there's all kinds of different extracurricular items you can be doing.

Speaker 3:

You know, one is the badge that we showed. You know, they have a little scanner at all the vendors. So if you go to all the vendors, where there were 25, you can get all their swag. You can talk to them about their tools, you know, in the space, what they're doing, and they'll scan your badge and you get a point, right. And then all the tracks. There's four tracks that have different classes going on. Well, after the class, you'll go scan your badge and you get a track, you know. So you do that for all four of them. So you have those two, you have the tracks and the vendors, and then you have, like, a CTF, capture the flag, event for the badge, where you're looking at the code and trying to find the flags. And then, Cam, what's the last one that I'm forgetting?

Speaker 1:

The events at the conference. Yep.

Speaker 3:

So they have four events that you're supposed to scan at to get those, and then you kind of complete that challenge. And then more items that you're talking about were that we did film us breaking in, doing some physical social engineering or physical breaching at the conference. Was those doors, Eric? Do they have six or eight doors? I think it was. Do you remember, something like that?

Speaker 4:

Yeah, it was something like that. Like Josh just saw in the video, there were some that were physical use a bypass lever and then there were some that were RFID. What was kind of cool is Cam had brought his Flipper Zero so after the exercise at Wild West there in the conference, the door hacking was taken back to the hotel. The hotel badge was compromised.

Speaker 1:

It was an older system that they used for the door hacking. All we had to do was just tap the card on the Flipper Zero. The Flipper Zero captures it and then it's just like having your own card, and without going into too much detail, hotel keys are often not that different. Brute forcing is obviously not something you... Somebody can't just take a Flipper Zero and hold it to the keypad until they get into the room. But if they get access to your key, that's where somebody can get the data off of it.

Speaker 2:

Would that even be as simple as sitting at the bar and just holding it close to someone's pocket that may contain their wallet with their hotel key in it, or how close do you have?

Speaker 1:

Yeah, I mean, a lot of wallets are RFID blocking now, so it's probably not going to work for people with newer wallets. But yeah, essentially it just has to be within, you know, a close range and it'll pick it up, just within probably six inches, wouldn't you say?

Speaker 4:

Cam? Yeah, or less. Yeah. So then we should also talk about social engineering.

Speaker 3:

Eric was heavily invested in this.

Speaker 4:

Which one was this?

Speaker 3:

one. Are you talking about where you're calling the... Yeah?

Speaker 4:

That was a good one, but I wasn't going to talk... We should talk about that one. Yeah, go ahead with what you're going to say. Yeah, so the other one really, Josh, revolves around the meal menu.

Speaker 3:

The vegetarians.

Speaker 4:

They pride themselves on this steak dinner that they have, I think, the second night there. Chuck Wagon, right, or something?

Speaker 1:

Chuck Wagon steak dinner.

Speaker 4:

So some folks like Nick, maybe that's not the first choice, right? Maybe they want a vegetarian meal, and since they don't really like meat... Meat is a theme where, I think, they had the steak and then they had the mashed potatoes which had bacon in it, but you really could not escape the... much as you wanted to eat the napkin, you were gonna have meat. So for those with, you know, different preferences, I mean it's 2024, people like different things, you can get a coupon to eat at the restaurant downstairs. So, you know, I was like, what the heck, right, let's get the coupons, we'll go down there. For those who had it, right, you stand in a really long line, kind of like a DEF CON line. So I think it's the only line at Wild West where, you know, at DEF CON you're gonna wait in line two and a half hours to get merchandise because there's 30,000 people there. At Wild West there's maybe a thousand people total, I think a little less this year. So there's not really any lines. Everything's really approachable, really cool conference, but long lines for the food because everybody's eating at the same time. But I think the lines went fairly quick anyway.

Speaker 4:

So I go up to the desk, I get my coupon. One of the other guys that we were with, he gets his coupon. Now it comes Nick's turn to get his coupon. Now, Nick, you know, social engineer that he is, apparently had trouble getting the vegetarian coupon to eat at the restaurant downstairs. Nick, I think you were told that you were not vegetarian. Is that what happened? I...

Speaker 3:

I told her that I... she said, wait. The other gentleman that we were there with was like, yeah, I need another coupon for my buddy there, and I was like, I'm not vegetarian. She's like, you're not vegetarian? I was like, no, no, and she got mad at our other buddy for saying that I was vegetarian to try to get a free meal. And so, could I have carried it out? No, but I'm not passing as a vegetarian. I'm a happily red-blooded American that eats meat.

Speaker 4:

Drives an electric car and now he's vegetarian.

Speaker 3:

We were just talking about how I drove an electric car for the first time, raising hell on the streets, and now I can't pass the social engineering test to get a vegetarian meal. But the bright side is that I just expensed it on the Labs for my meal that I had.

Speaker 2:

I think I've heard about the vegetarian shenanigans a couple times now. It must have deeply affected your emotional well-being. Yeah, it did. I think she...

Speaker 3:

She said, are you a vegetarian? And I was like, yeah. I was like, I can smell where you guys are hanging out, the...

Speaker 2:

You know, the wood smoke, the whiskey, the bacon, a huge vat of beans just baking outside. The atmosphere at the conference is really cool, though, like the Wild West name fits it perfectly.

Speaker 3:

That's cool.

Speaker 2:

So I'd love to hear more about the social engineering. One thing I wanted to ask you, Eric, is this is probably not your first conference. You've probably been to many conferences at this point. Yeah, is that safe to assume? Yes. Yeah, okay. So why keep going? And what did you learn, or what can you take away from a conference like Wild West Hackin' Fest to bring back to IT Audit Labs, and how does it maybe influence your work, you know, moving forward?

Speaker 4:

Wild West in particular, for me it's kind of like the culmination of summer. It's a time where we can get together, you know, as friends and colleagues. I think there's a group of, I don't know, 10 or 12 of us. We jump in a Signal chat out there, and then some folks like Cam go out early, do a little training, and then most of us are all there by Tuesday or Wednesday, and then we're able to just kind of hang out outside of work, socialize, have some fun and just kind of, you know, be together, hang out and talk to other people that maybe we only see at that conference once a year, meet some new folks who are in the same business that we are, have some fun around the craps table.

Speaker 4:

And this conference in particular is different from others because it's in a really small town like Deadwood. Maybe there's 2,000 people there normally. It's not like going to Las Vegas for DEF CON or Black Hat, where you're just kind of sucked up in this large ecosystem, which is a different kind of fun. But this one just feels more kind of homegrown. Nobody's pretentious, you don't have a bunch of goons yelling stuff constantly like you would at DEF CON. So I've stopped going to DEF CON and am going to Wild West, you know, kind of like for the summer conference. There's some things at DEF CON that you can't get anywhere else, like the Sky Talks. But in all honesty, for the DEF CON stuff, I think you can get it all online. You can just go to the virtual conference, which I will say, on the Black Hills side, or the Wild West Hackin' Fest, sometimes it's kind of hard to hear some of the conferences. They do make them all available online, so I attended a few sessions remotely even though I was there, just because it's easier to hear.

Speaker 3:

Kind of branching off what Eric's saying, especially being, like, my first bigger... I've been to other conferences, but this was the biggest cybersecurity one I had been to, and I think it was really cool, kind of like what Eric was saying, that you get all these people that really love this line of work and they're really just genuinely invested, that want to collaborate with like-minded people. And it's like Christmas: everybody's in a good mood and they're happy to be talking about things they actually enjoy. Social engineering, black hat stuff, whatever it is, deepfakes, all kinds of stuff. Anything you can think of, it's probably there. But then you get people that are literally just there to do the badge competitions and hack the badge and do all these different things. But it's just such a cool environment.

Speaker 3:

I think that's maybe one of the most underrated aspects to going to a conference like this is the atmosphere of all the like-minded people.

Speaker 3:

You know, Eric, Cam and our other friends, colleagues, or there are people we've never met before from other organizations that work, you know, in government entities, whatever other clients that we collaborate with, and you get to see them all in this place, and it's kind of not like work because you genuinely want to be there. And Eric also brought up meeting people from, let's say, the West Coast, that go to this every year for their organization, and you see them again, and for me the first time.

Speaker 3:

So I got to meet some people that Eric and others collaborated with last year, and everybody's just in a good mood, happy to share, you know, what they're learning or how they're handling this situation, and I think overall it just made us all better. Besides learning new aspects, you know, from classes or whatnot, seeing all these different people come from all over the country is really cool, and was one of my highlights of the time.

Speaker 2:

Yeah, I know burnout can be a big thing in cyber. So I'm sure it's nice to get out of the office, you know, off the computer for a few hours and interface with people and kind of have that camaraderie around your work and maybe gripe about some common complaints that you guys deal with on a daily basis. But was there anything that you learned specifically that you might have taken back into the office after being there? Maybe, Cameron, was there something that stuck out to you that may influence your work?

Speaker 1:

Boy, well, I ended up going to a lot of talks there. You know, I tried to consistently go to one each session. I can't say I did 100% of the time, but I tried to, and it's honestly tough to pick out one exact thing because there was so much information there. You know, they get a lot of talent in that do these talks, and I mean, I think I really just enjoyed listening to it, you know, and getting to hear what they have to say, and I tried to take some notes as well, you know, where I could, sometimes take pictures of slides and things.

Speaker 2:

Yeah, I'm sure it's hard to kind of keep track of everything. I know what it's like being at some of those conferences. How about you, Eric? Was there anything that you learned there that was like kind of a key moment, or maybe a speech or something that you would be bringing back to IT Audit Labs?

Speaker 4:

You know, I don't know if I learned anything that was net new per se; it reinforced concepts that I had heard in the past. I think for me one of the more memorable talks was the one on deepfakes, and we do a lot of talks around personal information security, so that was a cool one, just to see how far that discipline has come in, you know, the last couple of years, where you could take a photo now and, just by looking at that photo, someone who is relatively, you know, well studied in the area of technology around not only deepfakes but really understanding how to discern where maybe a photo was taken from, and kind of use technology that will essentially overlay a shadow map. So, you know, at 2 pm the sun is at this angle. You could see the person giving the talk showed a picture that was taken from a window at the Stratosphere in Vegas when he was out there for Black Hat and DEF CON, and technology that's available could pinpoint exactly the day and time that the picture was taken by overlaying the shadow.

Speaker 2:

You know, within five minutes, right? But, um, something like that is really cool and something that we wouldn't have been able to do, you know, even 10 years ago. So what's an example of something that's really cool, but also what's an example of something that might have been solidified, that you kind of already knew about security, that was like, oh yeah, of course this is kind of a big topic? I know we've been talking a lot about AI and generative AI and things like that.

Speaker 4:

The AI wave and the billions of dollars going into AI, it really feels like we're experiencing that dot-com bubble again.

Speaker 4:

But on the AI side of things, the AI technology is getting decent.

Speaker 4:

There was a CTF that Nick was alluding to earlier that was put on by, I think it was Red Siege, and they spun up a vishing CTF, so voice phishing, and the concept was you had to get three flags, so three different passwords, and you were calling into this organization, this fake organization, but the fake organization was staffed purely by AI robots. So you would call into the help desk, you were greeted by the help desk receptionist and then you could be transferred to a different department, and the idea was to be able to, just using your voice and communication, socially engineer a password reset. It wasn't perfect, but it was really cool to be able to see how far just the voice recognition software had come. You know, it's probably operating at like the third grade level, so to speak, but within five years it's going to be really good. And just to be able to have a CTF that was vishing based, having no human interaction, just spinning up computers in AWS, I thought was really cool.

Speaker 2:

That's awesome to hear. I just got an email from a colleague, or one of the producers that I work with for my agency. What's happening now in music is that they're using that voice recognition software so that you can replace your voice with a different style of voice, much like we're hearing with voiceover talent happening on YouTube. I'm starting to see a song and then have it overlay or change my voice into a female voice or an old soul singer kind of sound or a husky, like, country voice, you know, something that I'm not able to do with my inflection. So it's interesting to see where all that's going to end up in a few years in all industries, right, not just cyber, but kind of across the board.

Speaker 2:

It's like auto-tune on steroids, yeah, and there'll be a pushback, but then eventually it will kind of become ubiquitous. You mentioned social engineering.

Speaker 3:

I think you had a little bit more to say about that, but maybe, Nick, was there anything that you took away that you're going to be bringing back to the office?

Speaker 3:

For me, obviously, social engineering is huge. One of the gals out there did a great, great talk on that, and I think for me the takeaways were some of her tactics and failures that led her to be as good as she is now. Hoping she's going to come on the show here in hopefully another couple of weeks or a month, but that was huge for me, just to learn some different tactics and how she's going about it, even down to, like, her go bag, like what she's bringing and how she's setting up to be successful.

Speaker 3:

But I was going to bring up AI, as we were just talking, but in the conference one of the talks was, you know, governance of AI, and I think that was more of a takeaway for me, living more in the compliance auditing space myself: how do we work to govern, with policy, procedures and training of staff, AI? Right, the governance piece is huge as we're trying to keep a lid on what AI is doing. So there's a couple of talks that I did attend on policy creation and rules and governance for AI. So I think that was probably one of my biggest takeaways that I would bring to a client from the conference. That was tangible information that I learned, just about the governance piece of where we're going and the best way to do that with AI.

Speaker 2:

And what specifically has changed or evolved from you know what? Maybe it was a year or so ago.

Speaker 3:

Well, I think it's huge. I think it's changing so much, even on a weekly basis. This is really a broad answer, but I don't think that we ever had a good way, and this is my point of view, that we were actually governing AI. Right, we're just learning how we want to implement policies, what do we want it to do and touch within our environments? More traction now, as we, you know, get deeper in AI.

Speaker 2:

You know, I just read an article today as I was looking through the news about, you know, it's just kind of a burnout in cyber and there's been a slowdown in the hiring, and we've talked about this a lot. It's just that constant uphill battle of trying to explain to entities why it's so important to implement these practices. And people are kind of stuck in this mentality of being apathetic, or, you know, better them than me kind of mentality.

Speaker 2:

Do you think that some of the regulatory industries will kind of help push some of these changes that you guys really need to see and help drive the safety that we're all craving, that no one really wants to pay attention to until something breaks? And maybe you can speak to that, Eric, because I know that's a constant source of your attention, is like explaining to people what the threats are, because no one really sees them. You know, no one gets to see what you guys prevent, right, and it's always like, you know, you hear about a CrowdStrike or something like that, and that's kind of how we get that news. So it's kind of a thankless job.

Speaker 4:

You know, that's an interesting one too. We do get involved in a lot of governance, and I'd be interested to get Cam and Nick's take on this. It's a problem I'm currently wrestling with in one of our larger accounts, where they're an entity that has some governmental oversight and they've been stuck on a problem where they're trying to connect two different environments that have sensitive information in those environments, and technically they can connect the environments. But there's a hang-up on some of the policies, the governmental policies, that are essentially, depending on how you interpret the policy, you may or may not be able to essentially do everything that you want to do in order to have the two environments connected and to be able to have user workstations or user mobile devices in one environment sending data into this protected environment, the management of the user endpoint device kind of controlled in an environment that has less security controls. You know, the oversight as well, because this environment has, you know, let's call it corporate standard controls. We'd have to replicate that environment, move thousands of users over into this other environment or create all of these complexities around how you're doing user management between really this more closed environment and then more of the traditional corporate environment.

Speaker 4:

So when you've been involved in the project for about nine months and there's been two or three different teams working on it, and every time a new team gets involved they're relying on this third party government agency to, you know, kind of provide some overall guidance, and they're kind of, you know, going hat in hand to this agency, saying, yeah, you know, can we do this? And then, you know, they'll get a little bit of guidance that, you know, the government agency is not going to be involved in the architecture, but they'll just kind of say yes or no or whatever. And then, you know, four weeks later they'll come back with something else. Can we do this? And it just keeps going round and round and round. So I recently said, look, we're never going to get to the bottom of this, we're never going to be able to implement this. There's clearly a need for it, but if we just keep going round and round, we're not going to get to the bottom of it. If we want to actually get something done, we've got to say, okay, we've read the guidance, we understand the guidance, but we're going to put something into place that works. They can audit us, that's fine. And if, in the audit, we're not able to adhere to whatever the guidance is of the audit, that's fine. We'll take an audit finding and then we'll go back and, you know, we'll do our best to shore up that finding. So to me that's an approach. Otherwise you could just get stuck in this cyclical loop where I could easily see this not being solved for five or 10 years more, given that it's already two and a half years or so in the making, and I've just been involved in nine months and just seen it spin. And I'm currently reading the Elon Musk.

Speaker 4:

I guess it's not really an autobiography, but it's written by Walter Isaacson, who has kind of studied Elon, and regardless of whether or not you're an Elon fan, you have to admit that the guy has done some crazy things, some things that people just said weren't possible, and the book goes into that. And, you know, maybe Elon hasn't always had the right approach of how to get something done, but he's gotten something done, and he's done it in industries where there was traditionally a lot of resistance and a lot of government red tape to get something done. So in the book, like, Elon's like, the only laws out there are the laws of physics. And, you know, as they were going through and they're building rocket engines, there was, you know, some policy or some regulation somewhere that said, you know, you have to do this or you've got to have so many hours of testing, or whatever it was. And, you know, Elon was really hard on his team and would say, you know, these regulations are there, you know, they're suggestions, and if it doesn't work, then, you know, challenge it, figure out who wrote it, go, you know, go and talk to that person and find out why, you know, that's the case. And then, you know, if you don't think it's right, then, you know, don't do it, right? You know, we'll figure it out in court or whatever.

Speaker 4:

And that, I mean, that approach has worked, right? Like, he's launching rockets, stuff that, you know, Boeing couldn't do. He's got an electric car company and, you know, the most successful car company of all time. He's got Neuralink. He's digging holes underneath Los Angeles, um, and in Las Vegas. It's tuned out to robots. It's got robots. He had PayPal, uh, and I'm probably missing... uh, and Starlink? I mean, Starlink, that's going to be the most successful company of all time, right? So just changing the dynamic, but we're only beholden to ourselves. I mean, you know, humans writing policy and requirements for other humans, just because it's written down doesn't mean it's right.

Speaker 4:

And just kind of tying back, Josh, to what your original question was around how are we doing governance in this ecosystem where we have a rapidly changing environment? And I think we have to go back to what is it that we're trying to do. Well, in information security, we're trying to protect the information of that organization. I mean, that's the very root of it, right? Or is there privileged information in that environment? Are there social security numbers? Is there healthcare information, driver's license records, police data? Are there systems, then, that protect our safety, right, our SCADA systems or operational technology environment? Like, you know, what is the root of what we're trying to do?

Speaker 4:

And then, how do we best accomplish securing that environment? You know, are we using encryption? Or, you know, how are we doing that? When you get beyond that, I think some of the regulations really do have to be looked at, because otherwise we're just going to be in this constant loop and we're not going to be successful. We're just going to be wasting thousands of hours of time. So, you know, I'm an advocate of going back, look at what it is you're really trying to solve for that organization and then putting something in place, and then take the audit finding, and, you know, what's the worst that's going to happen? They say you've got to fix it. Okay, we'll fix it, you know.

Speaker 2:

So that's kind of where I land on the whole thing. I love that: cut through the red tape and then go back to the drawing board and then see what can be fixed to kind of augment things to meet compliance standards or whatever. At least you got something done. I see that a lot in general. I mean, I think we probably all see a lot of people go and insert. A lot of money is being made in boardrooms. You know, I often joke, you know, talking about whether we should use an exclamation point or not, you know, on this email or this memo, you know. So I can definitely relate to that. That's an awesome take.

Speaker 3:

Hey, yeah, we're almost at an hour, so maybe if you guys had any final thoughts on Wild West or what your next conference is, and then we can wrap it up for the day. I mean, I think we're all excited that Wild West announced Mile High in Denver, so that's coming up in February. I think a lot of us will at least be there virtually, trying to be there in person, still working out some logistics there. But I think it's a great step for Wild West and the community, allow a little bit more space, see what they do in Denver with more space. So I'm really looking forward to, you know, going to the Mile High event in February. That sounds like fun.

Speaker 2:

I also want to take this opportunity to point out that Eric has been speaking at some of these conferences, doing some keynotes and things like that. You just did one this week, right, Eric?

Speaker 4:

I did. Yeah, there was a symposium in Minneapolis. That was a really cool conference. It was a three-day conference. I spoke on the first day. What was really cool is the account that both Nick and Cameron work on was at the conference, representing in a capture the flag, and they came in second amongst the professionals. But I will say they came in second probably because they didn't have Nick and Cam there, because they only wanted full-time employees from the organization, for whatever reason. Wouldn't have been my first choice. But I'd say send whoever you can that's representing that organization, and you get Cam and Nick on it, you probably would have come in first place.

Speaker 2:

Take the number one spot. You heard it here, ITAL's got the best. Was it GridSecCon, Eric?

Speaker 4:

It was Cybersecurity Summit.

Speaker 2:

Gotcha, all right, just to let our listeners know, reach out to IT Audit Labs if you'd like to have Eric speaking at your conference. We're available and we'd love to meet up with you if we're at one of these upcoming events. Cameron, any final thoughts before we wrap up today. Are you going to any conferences 2024 or 2025?

Speaker 1:

Yeah, I'm looking forward to Wild West Hackin' Fest Mile High. If everything works out like planned, I'm definitely going to be there.

Speaker 2:

Well, it sounds like IT Audit Labs will be well represented, so please get in touch if you're going to be there. Maybe we can connect up for a whiskey tasting or at least a coffee. You've been listening to The Audit presented by IT Audit Labs. I'm Joshua Schmidt, your co-host and producer. We have Cameron Birkland, Nick Mellom and Eric Brown, and we had a great time chatting today. Guys, thanks so much for your time, and thanks for listening. Just one more shout out: we're coming up on the end of the year here, so we'll probably take a few weeks off during the holidays. We're not quite sure of the schedule yet, but we'll be sure to let our listeners know. In the meantime, we've got plenty of content, plenty of past episodes, so please like, share and subscribe and tell all your friends, and give us a five star rating on Spotify. We now have video on Spotify as well, so you can see us on YouTube and/or Spotify.

Speaker 4:

Hope to see you soon. You have been listening to The Audit presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J Schmidt, and our audio-video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, Spotify or wherever you source your security content.