Speaker 1: 0:04

All right, we're live. Welcome to the Audit presented by IT Audit Labs. I'm your co-host and producer, joshua Schmidt. Today, we're joined by the usual suspects Eric Brown and Nick Mellon from IT Audit Labs. How are you guys doing today? Awesome, mark, good, awesome, excellent, happy, it's Friday, tgif. Yeah, hey, we're doing a live news episode today. We got a couple of articles. Uh yeah, this is from the hacker. News came out, uh, september 4th.

Speaker 1: 0:26

Cyber criminals exploit x's grok ai to bypass ad protections and spread malware to millions. Cyber security researchers have flagged a new technique that cyber criminals have adopted to bypass social media platform x's malvertising protections and propagate malicious links using its artificial intelligence assistant, grokk. You know, nick and I were chopping this up before we went live and it's like this is kind of nothing new. It might be new for Grok or just kind of a new attack vector, but I was talking about all of the bunk ads I see on Instagram, you know, for like flashlights that are supposedly light up a football field or you know what have you. I was curious how you approach this, eric, or how you would think about this if you were working with someone like me who's on social media for the job or at an organization? Is it just kind of awareness, like talking about it, or how do you like to like train people Well?

Speaker 2: 1:20

it's both, but we're really seeing a lot of the malicious ads that are coming through because Google doesn't really filter from ad perspective. If there's malicious content in the ads and they pop up like somebody types in angry IP for the angry IP scanner, the first one that you're going to see is a Google ad and it's not a legitimate link to that site to download the product ad and it's not a legitimate link to that site to download the product. We're seeing a ton of those type of ads that have malicious content embedded. There's some pretty good products and ways to block that. I think there's two ways to do that. One is monitoring the user traffic and filtering it, either through your firewall, with SSL decryption or with a tool that will do browser isolation and then, most importantly, not allowing administrative access to happen on the user endpoint. Nick, you're living this stuff too. I know you've been down a big YubiKey project to implement YubiKeys across the enterprise, so another way, right, but you're probably doing that in conjunction with some local admin work.

Speaker 3: 2:29

There's all kinds of technical things that we do and will do, and YubiKey is certainly one of them, and we're doing it at one of our organizations right now that we're working with and we will be doing it at more. Yubikey is the way to go, really, and so that's the technical aspect of it. But with this stuff and Eric and I talked about this Thursday we're humans. We're learning about this stuff real time as well. We might have known about it a little longer because we like this stuff and we're looking at it sooner, but a lot of this is just about awareness making people aware of what's happening.

Speaker 1: 3:00

What would you guys say? The percentage of employees are looking at adult content?

Speaker 3: 3:06

at work in any given organization.

Speaker 1: 3:11

Let's have a number.

Speaker 2: 3:15

I want to like a ballpark percentage. Are you talking about on their work computer or are you talking about in general?

Speaker 1: 3:17

Like at work logged in, punched in getting paid, looking at adult content More than you would like to know what do you think the number?

Speaker 3: 3:24

is though. Oh, I don't even know if I can get an eric. You want to take a shot at a number?

Speaker 2: 3:28

it's probably 10 to 15.

Speaker 3: 3:31

Oh wow yeah at least that I would. I would guess we have this stuff comes up a lot.

Speaker 1: 3:37

I feel like do you think they're just getting sucked into like thirst traps that are popping up, or do you think they're actually just taking the time to have some personal time during their workday?

Speaker 2: 3:49

I think I've seen both Right, Like you know, maybe an after-hours crew that's in their second or third shift, Maybe a crew that is not traditionally office workers. Yeah, there's all sorts of things you see, and you see it coming across the corporate network, but there's lots of blocks and filters on that network. So then you tend to see it more on the unfiltered guest network. We work with police departments and the folks that are either case officers or police officers that are doing investigations of course have to be able to go to any of the sites of machines or people that they're investigating.

Speaker 3: 4:34

So those are wide open. I was seeing it in previous organizations where people would be logged into their personal Google to review their Gmail or whatever logged into their personal Google to review their Gmail or whatever. So when they're logged into their Google, their search history and everything comes up. Or they might click on something or it shows up and they're frequently browsed right. So you might be working on their computer or something and you see or seeing this coming up. Well, you know, now it's, now it's got a way in to the network where these malicious links or what have you.

Speaker 1: 5:02

Reminds me, this Monday we have episode 73 of the audit coming out with Ed Gaudet from SenseNet, who we talked at length about. You know kind of this being a new attack vector with ransomware and whatnot, and that's why I wanted to bring this article in. This is from newsucsc. Traditionally, measuring heart rate requires some sort of wearable device, whether it be a smartwatch or hospital-grade machinery, but new research from engineers at the University of California, santa Cruz, shows how the signal from a household Wi-Fi device can be used for this crucial health monitoring and it sounded like, yeah, just with the Wi-Fi, or like a Raspberry Pi, some cheap device that's maybe $10, 15 dollars they're achieving this result.

Speaker 3: 5:46

Like it says here, you're only 10 feet away, or three meters away for the first thing I think about when I read this is you know, if you think back, probably more than 10 years ago, the attack space was your organization might be 20, 50, 100 devices. Now in this space, we're protecting thousands of devices our entry points, tvs on the wall of your organization, printers, everything that's connecting. So now here's just another device entry, here's another door that could be unlocked, right or not locked, for somebody to come in, but it's cool technology. I wear an Apple Watch as well, regularly too. So you know, we're all. We're all have these devices.

Speaker 1: 6:28

I wonder how you know, this affects governance or how, what, where this falls, where the responsibility falls, of course, on every person to protect their own security. But is this something they're going to have to look more at in a governance way, because these devices that we're wearing are collecting all this data, this mountain of data that then is being used for advertising, or maybe to sell pacemakers, or to sell supplements or whoever would like to buy that kind of data. And if we're all of a sudden, if they're able to extract that personal health information from us without our consent or without knowing it, I wonder what kind of ramifications that may have.

Speaker 3: 7:09

I think you'd certainly run into that kind of an issue if you're going into a public space. But if you're using this at home in a controlled environment, you know you're probably not going to run into this problem where you. You know, if you go into a GNC or something, you'd probably have to sign a waiver for them to see this or whatever it is you know for it to be public knowledge. But I think you know, eric, correct me if you think I'm wrong, but I think right here, if it's not traceable to a specific person, you wouldn't technically fall under like a HIPAA regulation or something Like. If it doesn't say, nick, this is his information, his address, social or whatever it is, you're less likely to actually have a governance problem. Now it's more of just an ethical topic.

Speaker 2: 7:51

It could be interesting, too, around what data is available to the service providers that we use. So could you run into an insurance issue? Right now we know Google and Yahoo and Microsoft are in our email and the personal side and they're gathering information about us and using that to market towards us. But what if they were using that to write policy, like some of the car insurance providers want you to stick that device in your car, track your driving habits to increase or decrease your rates? Same thing could happen on the health care side.

Speaker 1: 8:26

And there's a lot of talk online too, just about, like, social credit systems. I don't know if this relates directly, but the whole picture, the big picture of how you're interacting in society, how you're driving. Is that going to be connected to a real ID? In society, how you're driving, is that going to be connected to a real ID? Is that going to be connected to some sort of government database, whether it's private or public.

Speaker 3: 8:45

We're certainly on the doorstep to that issue Because, to Eric's car insurance comment, I know Tesla has an option where you can buy insurance from them and they obviously have all that data from the car right so they can fluctuate real-time your premium if you're like heavy on the gas all the time if you're using their insurance.

Speaker 2: 9:05

It's like a Dark Mirror episode. Nick's going to start talking about chemtrails and how the government chipped us.

Speaker 3: 9:13

That was what that beat of rice was.

Speaker 1: 9:17

Amazon satellite internet service hits 1280 megabytes per second, though it was achieved using an enterprise customer terminal on a network that currently has plenty of capacity. How does this change your approach to cybersecurity? When you're talking about opening up new pathways for network connectivity, I mean more operational resilience. You can always hook up to the internet If you can have faster, faster speeds, but are also giving those bad actors that same opportunity. Does it change how you fortify organizations or people that might be using these services?

Speaker 2: 9:51

Nick, I think you've got some thoughts here too, but from my perspective it's another. It's a redundancy. We've got a customer that's got a location out in the Washington area Kent Washington and the internet out there is. There's not a lot of great options and they seem to have issues with whichever. We've tried a couple of different ones and every six months there seems to be some sort of an outage. So having satellite-based redundancy is great and that ability to failover from one network to the other is great. As long as all of that traffic is encrypted through the satellite, they're not going to really be able to look at that data.

Speaker 3: 10:34

Yep Agreed. I think I was going to say every time you can get some redundancy, it's going to be good. That's how I have it set up in my house too. It's in a monitoring mode, my phone's connected to it. It will always send and receive messages from that. I think the monitoring fee from Starlink is $5 a month to have it set up like that. If you want to kick it over to full service, it's $60 or $100 or something like that. But if you want to kick it over to full service, it's 60 or 100 or something like that. But to get back to your question and Eric already nailed it I don't see an added risk at all and if anything, us as a provider or a security advisor to an organization, we would advocate for something like this because we want to eliminate any outages. So to me it's a good thing.

Speaker 2: 11:19

I think if you get into some customers that have real low latency like stock trading type of it's not issues but requirements then it might not be an option but for the vast majority it's probably a good viable backup To Eric's point.

Speaker 3: 11:34

It's not going to be as good as your fiber connection at home, but the Amazon video that they were showing I think it was somewhere in Washington as well, it was where Eric was talking about it's in Claim Kellum or something like that, where this town they have people actually moving out from what I understand, because the internet is so expensive and they're getting like 0.7 of a megabyte of internet and they're paying like $80 a month for it and it goes out all the time. So there's cafes that are opening up where kids are doing their homework in the car, their parents' car parked next to the cafe to get internet to connect to do their homework. So that's what amazon's doing is they're coming in and they're trying to launch these satellites. Now they're way behind starlink. Be just on the satellite numbers. I think they're going to try to get to 100 satellites launched this year and starlink's over a thousand satellites right now.

Speaker 2: 12:26

So I think starlink's like seven thousand is it seven thousand or one way off? But it's like it wasn't it abe lincoln doing his homework on the back a coal shovel, and now we're doing it in the back of an SUV.

Speaker 3: 12:36

Going backwards.

Speaker 1: 12:37

You guys. The first time I saw Starlink, I thought I was witnessing an alien invasion out on a dog walk.

Speaker 3: 12:42

Now, here we go, get the tinfoil hats out 30 lights going across.

Speaker 1: 12:46

I saw someone make a post about that recently. They had a similar experience that no one had told them, or they had not read about how that's going to look in the sky. And then, I think, they break up, don't they? They reach a different formation at some point, and that's how they launch.

Speaker 3: 13:03

All I know is they get service and it works good.

Speaker 1: 13:07

All right, Jens. Anything else top of mind today? Cybersecurity in September 2025?.

Speaker 2: 13:12

Get ready for October.

Speaker 1: 13:14

Is is cybersecurity awareness month yep, that's right, we got some exciting things coming up yep, awesome posters up on the website, uh, for you to download and put in your office if you're so inclined. And then, um, yeah, we're going to be uh, rolling out some really fun stuff, so make sure you subscribe, like and share. Um. Check out our youtube channel. Leave a comment so we know that you're watching. Until next time. My name is Joshua Schmidt. I'm your co-host and producer. You've been listening to the Audit. We've been joined by Eric Brown and Nick Mellon from IT Audit Labs. Catch you in the next one, thanks.

Speaker 2: 13:46

Yeah, have a good weekend. See you, guys. You have been listening to the Audit presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact. While our security control assessments rank the level of maturity relative to the size of your organization, assessments rank the level of maturity relative to the size of your organization, thanks to our devoted listeners and followers, as well as our producer, joshua J Schmidt, and our audio video editor, cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, spotify or wherever you source your security content.