The Audit - Cybersecurity Podcast

Cyber News: Iranian Hacker, Quantum Ransomware and Rogue AI

• IT Audit Labs • Season 1 • Episode 88


What would you do if ransomware told you not only that your data was gone — but that it was encrypted with a quantum-safe algorithm and you have 72 hours to pay? That's not a hypothetical anymore.

In this live news episode of The Audit, co-hosts Joshua Schmidt, Eric Brown, and Nick Mellum are joined by IT Audit Labs member Bill Harris for a rapid-fire breakdown of the week's most important cybersecurity stories — and a few conversations that went places nobody expected.

🎯 Stories & Topics Covered: 

  • Iranian Cyber Group Handala Targets U.S. Troops — WhatsApp-based psychological ops against service members in Bahrain, and what OPSEC looks like when soldiers can't leave their phones at home
  • Agentic AI Risk Goes Live — A real incident where an AI deleted a production database in 9 seconds, and why "trust but verify" has never mattered more
  • Quantum-Safe Ransomware (Kyber) — The first confirmed ransomware family using NIST's post-quantum cryptographic standards, and why it's more marketing than menace — for now
  • Robinhood Email Exploit via Gmail Dot Trick — How threat actors weaponized a years-old stolen email list using a quirk in how Google and Robinhood handle email addresses differently
  • Bitwarden/Checkmarks Supply Chain Attack — Why even security-first tools aren't immune, and how Bitwarden's 90-minute response time became a case study in breach communication
  • Apple's AI Strategy: Late on Purpose? — Is Apple sitting out the AI arms race, or quietly building something nobody's seen yet?
  • Eric's AI Email Vision — A live whiteboard idea for using agentic AI as a personal email firewall that could eliminate phishing at the infrastructure level
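The Gmail dot trick in the Robinhood story works because Google ignores dots (and `+tag` suffixes) in the local part of an address while many services compare addresses byte for byte, so `nick.mellum@gmail.com` and `nickmellum@gmail.com` look like two customers to the service but land in one inbox. The defensive counterpart is to canonicalize addresses before account matching. The following is an added example written for this page, not code from the podcast, Robinhood, or Google; the account table and the signup attempts are constructed sample data, and the canonicalization rules assumed are only Google's documented dot- and plus-insensitivity, applied to the `gmail.com`/`googlemail.com` domains.

```python
import re

# Constructed sample of an existing customer table (not real accounts).
EXISTING_ACCOUNTS = {"nickmellum@gmail.com", "jane.doe@example.org"}

# Domains for which Google ignores dots and '+tag' suffixes in the local part.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize_email(address: str) -> str:
    """Return a canonical form of an address for duplicate detection.

    For Google-hosted mailboxes the dots and any '+tag' suffix in the local
    part are stripped, because Google routes all such variants to one inbox.
    For every other domain only case and surrounding whitespace are folded:
    the receiving domain decides whether dots are significant, so treating
    them as noise there would merge genuinely different mailboxes.
    """
    addr = address.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = addr.split("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"  # googlemail.com is an alias of gmail.com
    return f"{local}@{domain}"


def signup_collides(new_address: str, existing: set[str]) -> bool:
    """True when a new address is really a variant of an existing account."""
    canonical_existing = {canonicalize_email(a) for a in existing}
    return canonicalize_email(new_address) in canonical_existing


def find_variant_signups(attempts: list[str], existing: set[str]) -> list[str]:
    """Return the signup attempts that collide with an existing account.

    A burst of such attempts is the signal a service would want to alert on:
    it means a stolen list of real customers is being re-registered as
    lookalike accounts, which is how the lured victims receive mail that
    legitimately comes from the service's own infrastructure.
    """
    return [a for a in attempts if signup_collides(a, existing)]


if __name__ == "__main__":
    # Constructed signup attempts: two Gmail variants of an existing customer,
    # one benign new user, and one non-Gmail address that only looks similar.
    attempts = [
        "Nick.Mellum@gmail.com",
        "n.i.c.k.mellum+promo@googlemail.com",
        "newuser@example.net",
        "janedoe@example.org",
    ]
    for a in find_variant_signups(attempts, EXISTING_ACCOUNTS):
        print(f"variant of existing account: {a} -> {canonicalize_email(a)}")
```

Running the block flags only the two Gmail variants: `janedoe@example.org` is left alone because `example.org` is not a domain known to ignore dots, which is the right default for a service that cannot see how another provider routes mail.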

Don't wait until your organization is the next headline. IT leaders need to stay ahead of evolving threats, and this episode delivers critical insights to help protect your business. Like, share, and subscribe for more in-depth security discussions! 


Welcome And Guest Introductions

Joshua Schmidt

You're listening to the audit presented by IT Audit Labs. My name is Joshua Schmidt, your co-host and producer. Today we're joined by guest Bill Harris, who's an IT Audit Labs member. We also have Eric Brown and Nick Mellum coming from the office with Eric, sitting shotgun here in the new studio. We'll start off with uh uh what's been in the recent events. This one is coming from Security Week, and it says Iranian cyber group Handala targets U.S. troops in Bahrain. U.S. service members received WhatsApp messages claiming they would be targeted with drones and missiles. Nick, I mean we've uh approached the subject before on the on the podcast, but can you add a little uh insight onto what's going on here and how um maybe U.S. troops in Iran they're thinking about security and uh personal devices and all those things intersect?

OPSEC Rules For Personal Devices

Nick Mellem

Yeah, this one's pretty real for me. Uh, I spent time in theater in Afghanistan, um, in and out of the Middle East. And uh, you know, it says in there, I believe it talks about uh OPSEC, which is operational security. Um, so you we went to classes on this uh before we went in in country. Um we we could take a cell phone, but you had to remove the SIM card. Right. So you go through all these things that you can and can't do. Um that you could have the conversation about not being able to bring personal devices at all. Right. Because it it what they're trying to avoid is somebody sending a message, hey mom, I'm in this pro in in Marja, Afghanistan or wherever it is, right? So we want to, you know, before we leave, you you can give your loved ones a scheduled time. Hey, I'm gonna leave you May 1st to May 15th. I'll be over there at some point. You can give them like a two-week window because we never want anybody to know our movement plans. So that goes back to kind of what we're seeing here, right? People are you they have the WhatsApp um application on their phone. Now, you don't need to use a SIM card for this, you know, it operates uh uh over Wi-Fi if you have a cell phone or an iPhone or an Android phone, whatever it is. So you can use this without a SIM card. So we're probably moving into the conversation, not being able to have smart devices at all, or limited time on them, meaning Wi-Fi is restricted on the base. Um, but uh the big thing here is that gives the base control over communications, right? If somebody uh is injured in a combat theater zone, they'll turn the Wi-Fi off for like 24 hours until those family members are made aware that something's happened. So you can't get on Facebook and and tell your friend that, you know, John Doe passed away, you know, via IED or something like that. Right. So really off into the weeds here, but it sounds like the, you know, there's Josh, you just bypassed it there. 
There's like 2,300 submarines that are in Bahrain right now. Sounds like they were sending messages to, you know, right and instill fear that they're being targeted by drones. Um, they're in a holding pattern right now. We heard that there's Marines headed over there right now as a show of force. So quick skinny on how these things work is really what I wanted to touch base on there.

Joshua Schmidt

Bill, I was wondering if you could make any connections or um draw any parallels between running a group of people that are in a military situation versus an organization where you also have a large group of people, they have their own desires and their their own um impulses to use their technology, but maybe not always thinking at that high level on how to uh about security, right? Uh especially in a in a war zone, I can only imagine. Um as Nick had mentioned, you know, I'm sure people are are very eager to get a hold of their loved ones and stuff. But um, so there's an extra layer there, of course. But even in an organization, you know, people are at work, they still want to stay in touch. Um how how do we work with the people in the culture to to get them thinking about cybersecurity and just their personal security in general?

Bill Harris

Yeah, you bet. So I mean, yeah, for sure. I think well a lot of it's like I think kind of psychological, but I think there is a real risk here of doxing people, right? And and um, you know, I think uh I think it was um Kash Patel's cell phone, uh or by the way's Gmail address, I should say, was broken into. You know, and so that's just kind of just an example of when you are in a situation where uh whether you're in a war zone or whether you're just a um a high value target, you have to assume that your adversaries really will come after you, right? And so you you have to take this kind of threat seriously. And if if you are a high value target, then you should be using a multi-factor on your on your Gmail account. Gmail supports that, right? So you got to turn that on. Uh, make sure that you are not using your credentials across multiple sites. That's the first thing they're gonna go, you bet they're gonna go after. They're gonna find those credentials and they're gonna try them on your more prized assets, such as your personal communications, your bank accounts, and so forth, right? Um I think what we're seeing here is really just kind of an extension of the kind of the same threat that we see in the private space, and we're now seeing it uh, you know, in the in the military space because both those attack vectors are equally applicable.

The Agentic Age And Control

Joshua Schmidt

Thanks, Bill. I just want to shout out to uh the people that have been commenting. We are live here today, so if you'd like to join the conversation, drop us a comment. I'm checking the the messages as we go. We got from at handyman services uh-U40 would like to be a part of this. If we stop the OTP verification on digital platform in every way and then return to a slower but extremely safe inhuman, human in-person verification system, cyberattacking stops. Um do you have anything to say to reply to that? I think that yeah, in a perfect world, right? But that's just not the way the world's moving.

Eric Brown

You know, I I heard something at uh Google's next conference that that uh a few of us were at last week, and it it's kind of a saying that has stuck with me here um for a little while this week, and that the VP of Google Security, uh Google Cloud Security, said that the pace of change today is faster than it's ever been, but slower than it ever will be. We're we're really at an inflection point where we've come through a few evolutionary ages where we've we've gone pre-electricity, we you know, even before that we were we were agrarian and we've moved into an age where we started to have electricity, and then we've moved further and further. Information age started in, I guess, around 2020, uh maybe a little bit before that, and now we're pivoting into this agentic age. And I think this is the first time in human existence where we we've pivoted from being able to directly contribute and and do something ourselves to being able to rely on a technology that we don't fully control to execute something on our behalf. So I wanted to see what you guys thought about that. And you know, it's it's kind of a pivot from just the way in which we've we've been brought up, the way in which we've interacted, you know, in the in the in the technology era in the in the 2000s, we were offshoring work to to lower cost labor markets. And now we're we're we're we're potentially bringing that back, but bringing it back to give to non-human identities. And as those identities work, we don't we don't have full control. We don't understand the the back-end code of of exactly what those entities are doing in that AI space, but yet they're producing a work product on our behalf. And that moves us into a new era. So curious, Bill, I know I know you're in on this uh day in, day out. Thoughts, comments, what what are you thinking?

Bill Harris

Um yeah, no, absolutely. Um I was uh reading a story just um yesterday that the one of the um one of the executives working with Pocket OS was working with uh with Claude, or I think a derivative of Claude, to review some of the code. And the AI actually went in and he said within nine seconds it had deleted the primary database. Um so he confronted AI about this and said, What have you done? And the AI came back to his up. You know what? You're right. I was wrong, I was too hasty, I didn't know what I was doing when I was kind of going through this stuff. So they restored the data the data from a backup, but they lost a ton of most recent information regarding their clients and regarding reservations. So you're absolutely right. These agentic AI is another identity. We should treat it like a like a person and be very careful about the access that that person has and be sure that we're checking to uh confirm that what they're doing, what the AI is doing, is correct, just like we would confirm that what a person is doing is correct. Because the states are really, really big and we do not understand completely how it works and what it's really getting into.

Eric Brown

And and Josh and Nick, I think you'll you'll have some comments there too, but I want to go back to a conversation that we had with Bill a couple of years ago around quantum computing. And I'm not saying that AI and quantum are the same, but quantum exists in a state that we don't know what that state is until it's observed. And it's a little bit of a mind jump to really understand in uh how quantum can make those computing leaps that we have not really even begun to scratch the surface on. But to me, Bill, it's kind of the a little bit of the same where we basically just have to trust the outcome of that quantum computer or of that AI. And and we have ways of verifying the data, of course, but yet a a large portion is outside of our control.

Bill Harris

Yeah, yeah. Well, to tear a page out of our 80s playbook, trust but verify, right? Um and I think we're gonna ha we are in a position where we are trusting the stuff that AI is doing, whether you're you're vibe coding or whether you're sitting at a prompt, you're getting a lot of responses back. And as you use up more and more, you begin to trust it. But that verification step has to persist um for the foreseeable future. Um, you know, we're I was talking with an architect um who was kind of just trying to figure out really wrestling with a concept of hey, how far should we let vibe coding kind of off its leash? And will it eventually seriously replace developers? Um, why do we need highly skilled developers, right? And so great questions, but right now we need those highly skilled developers to verify what AI is doing when it is developing code.

Eric Brown

And I think we're at that paradigm shift, Bill, where if you look at some of the mid-market tools, and we've been having some conversations with entities that are examining the SaaS providers they're using. We'll we'll take HubSpot, for example, which is a mid-market CRM tool, right? Something that you you keep client data in. And there's an AI company in town here who they they were looking at their HubSpot spend, and it was gonna be around $30,000 a year. I said, wow, you know, we could agentically develop a model, or not a model, but develop a CRM platform that's custom tailored to us for a lot less than $30,000, and it's gonna be purpose-built for us. We're not gonna have to continue to pay that SaaS maintenance fee. So I really think we're we're ripe for disruption in that SaaS space where there are that are out there hundreds of thousands of products that are out there in that mid-tier space that are not really providing a unique experience. I mean, there's you know, probably a hundred different CRM tools. I know we we here at IT Audit Labs had been going through this process. Nick was uh Nick was taking us through that about a year ago. But had we been where we are today with agentic development, I don't know that we would have now gone down the path of buying a SaaS solution when maybe we could have developed one in a month.

Bill Harris

Oh, yeah. Yeah, there's been a lot of conversation about that. Um you're right. Like why would you develop, like I'm sorry, why would you pay for off-the-shelf software or for a SaaS solution that gives you most of what you're looking for and maybe it gives you some things you don't really want, but you're gonna pay for anyway, when you can use AI to develop something that gives you everything you want. Now it does come with a little bit of a burden and overhead, right? But the price is right. So if you're looking for something really simple, absolutely, why wouldn't you do that? And I think you're gonna see this is gonna have a real impact, not only on those smaller applications, but I think you're gonna see it potentially push in on the public cloud space. And some of the th some of the things that you can run in the public cloud, you might not need to pay that if you can do it um you know cheaper on your own structure, whether your infrastructure is on premises or in the cloud.

Nick Mellem

Yeah, we we saw that real time when we were looking at the CRM stuff, right? You what you you go to one tool and it might do two extra things that one other does, but it's 10 times the cost. So are you willing to pay the 10 extra uh 10 times cost to have those two pieces of functionality? You know, that's what it comes down to. But you know, if I go back to the question that this gentleman put in, I think uh um, you know, an effort to not go back in technology, I think we're building friction at scale, right? You know, it's like FIDO2 keys, passkeys, you know, uh out-of-band verification, um, zero trust architecture, et cetera, et cetera. Um, you know, and I think like the answer really right now is is YubiKey. That, you know, that's what's accompl what you're accomplishing in one of the organizations that we do a lot of work with. We're in the middle of a mass rollout of YubiKeys, and you know, that's the IAM portion where we're identifying users via passkey and uh we could probably have a whole episode just talking about this question.

Joshua Schmidt

Yeah. I I want to jump to some of the quantum stuff since that was mentioned. Uh Bill pulled up an article, but I'll just put a bow on this and by saying, you know, uh the the uh the music industry, which I've been a big part of for the for the last several decades, has already been disrupted. Now you know Hollywood has been largely disrupted. I think every year the Oscars and the the you know, the Grammys and the Emmys, these legacy uh you know events are getting less and less views. The same with uh you know legacy media has already been largely disrupted. You know, you're just you're not people are not getting their news from from any, you know, from ABC, NBC, even goes to the late shows, right? So um I think yeah, that's probably next on the chopping block, right? Like software or even like video games. You know, I think um indie games are right neck and neck with some of these large studios like Rockstar that are pumping millions of dollars in. You got people that are single, single-handedly developing games that are being played just as much. So it'll be interesting to see what happens. You know, that's a big part of our culture and what makes uh America uh a cohesive uh um entity, culturally speaking. You know, our movies, our music, our our software, our our identity. So it'll be interesting to see how that uh happens as things begin to fraction.

Nick Mellem

What you're saying, Josh, is really interesting. And I think we talked about it on an episode maybe like a year ago um with AI and like commercials. Like let's say you watch the hockey game last night or whatever your favorite TV show is. Yep, okay. I didn't watch, but they they won the wild one as well. That's the hockey game I'm referring to. But think about that commercial comes on, and let's say you you love Coca-Cola or Pepsi or whatever, but you know, Eric likes whatever he likes. He likes uh these specialty milks, let's go with. So when we're watching it, he might get a commercial about that, but I'll get a commercial about Coke Zero or whatever. How many specialty milks can you name? Almond milk, uh, cashew milk. I think we'll cut it off there. I'm not cultured in the milk world. I'm not, and I'm proud to not be to not be cultured there. I'll keep it there. But but the only reason I'd bring that up is because of what Josh was talking about with these legacy media uh outlets putting on these music uh movie events. Like, is it gonna go AI driven where you're gonna see the things that you like and they're the music you like? It's gonna curate this content towards you to get you to engage. Yeah, instead of just watching the whole thing because you want to see one performer go. I think it was years ago at the VMAs or something Metallica played. So I watched the VMAs just so I could see Metallica play. But they they play them at the end, so you gotta watch the whole thing.

Joshua Schmidt

I probably watched like the Nicolas Cage channel where every movie is just Nicolas Cage. Man, Nicolas Cage. You know, Devil Wears Prada. Devil Wears Prada, Nicolas Star Nicolas Cage.

Community Events And Listener Comments

Nick Mellem

There is another comment in here, Josh, and I like this one. This one was uh, dude, I wish I could meet these guys.

Joshua Schmidt

We want to meet this guy too. That's coming from at I'm Ugly.

Eric Brown

There we go.

Quantum Safe Ransomware Hype

Joshua Schmidt

So, you know, hey, we have a game night. Game night. Yeah, you can go to itauditlabs.com. We have lots of events coming up. We go to lots of conferences. Uh Jen Lotsy's gonna be at Secure 360 here in a couple weeks. And uh yeah, we do have a new calendar up with all of our events. And uh you can go check that out, itauditlabs.com. Is it a photo calendar? Yeah, well, I mean, there's there's pictures involved. I don't know if it's a photo, it's not like a pinup calendar. That would be a good idea, though, like cybersecurity with the IT Audit Labs staff. I wanted to segue into this article by uh from Ars Technica that Bill sent over. It says um in a first ransomware family is quant uh confirmed to be quantum safe. Technically speaking, there is no practical benefit to PQC. So why is it being used? A relatively new ransomware family is using a novel approach to hype the strength of the encryption used to scramble files, making, or at least claiming, that it is protected against attacks by quantum computers. Bill, what uh uh what about this piqued your interest? And you're the quantum guy, so uh let's dig in.

Bill Harris

Yeah, right. So you know I've been following quantum for a while, and I found this one to be pretty wild. So we've got a uh a ransomware package out there. That's it came out, I think, in I think it said September. And so it's it's called Kyber, that's the name of the package, and it and it's called that because it's using NIST's newest um symmetric uh quantum algorithms for encrypting data at rest. And it touts this to its victims. So not only does it tell you very happily that it has um it has encrypted your data and you're screwed, but it's encrypted your data with a quantum quantum safe algorithm, so you're really screwed. Now, um what it's really doing, two points to make here. What it's really doing is it's it's actually not encrypting the whole data with uh with uh the Kyber algorithm. What it's really doing is it's encrypting your data with AES, and then it's encrypting that key with NIST's Kyber algorithm, which is which is quantum safe. The second point though I want to make is that AES is plenty, right? So this is definitely overkill, especially when you consider that Kyber, the the the as in the ransomware package, gives you 72 hours to make a payment. You're not gonna break AES in about a billion years right now, much less 72 hours. So it is absolutely overkill. But the I think the interesting thing here is that the uh the bad guys are really kind of uh clutching to quantum to instill fear now in their target base.

Joshua Schmidt

We keep hearing, Bill, that quantum plus AI is going to be the the apocalypse, right? So we're gonna have the tinfoil hat moment here. But do you feel like um maybe you already kind of uh touched on this, but and from a layman's point of view, is does it feel like tech companies are starting to come up with solutions preemptively for this convergence of of of quantum computing and and post-encryption technology?

Bill Harris

Yes and no. Yes, I think on the um on the encryption front. And I think that really falls in the two categories. Your asymmetric encryption, which powers the internet, that is uh vulnerable, right? We need to move away from these older RSA keys and and move to stronger algorithms for transmitting that data. Now, on the symmetric encryption side for your data at rest, there's no concern really. Um AES 128 is actually sufficient, sufficiently quantum proof. Uh and most of Russia using 256. Um, so um I think we're way ahead of it on just safeguarding uh our our data. Now, on the other hand, the second point here is that we're not really doing very well with just getting our arms around AI. Okay, so there's all kinds of ethical problems with AI. There's all kinds of access issues with AI. We're we're not quite sure, we talked about it earlier, precisely how to confirm the accuracy of the AI output sometimes. Uh and now if you're gonna compare if you're gonna put quantum power behind that when quantum power becomes really maybe useful, maybe in 2030, 2035, it could be a real problem. Um, because it can really accelerate what AI is doing faster than our human ability to contain it.

Nick Mellem

So I think a lot of this is encompassed in this PQC correct. Bill, are you you're probably in there and are familiar with that, the uh uh post-quantum uh crypto uh cryptography, excuse me. Um with the uh three three, I think it was it FIPS 203, 204, and 205?

Post Quantum Crypto Versus AI Risk

Bill Harris

Uh I forget the exact the precise FIPS um name for it, but yeah, NIST did release a FIPS standard for um for different hashing and uh uh cryptographic um algorithms.

Joshua Schmidt

How much of this is just hype and marketing? Because uh the article dives a little bit into that too, right? Because everything's AI now, right? Even things that were coming out before AI that are maybe just machine learning, for example, now are being marketed as AI. They have to be, sure. Sure, yeah. The stakeholders um invested emotionally. Do you see that happening as well with quantum in the near term as well? And it seems like the threat actors are using that as a scare tactic.

Voice Agents And Call Center Upheaval

Eric Brown

Yeah, I think so. The conference that I was at last week, it was I don't think there was a presentation that didn't have the word AI in it. Um and this was Google's premier conference of the year. Uh not many on quantum, maybe one or two. The monetization of AI right now is really what the hype cycle is with most of the world's processors going towards AI compute, new data centers being built for AI generation. I I don't think we've as a hype cycle yet hit what quantum is going to be because we're just so stuck in this agentic generation, which uh we're just starting to scratch the surface on that. Now we we were having a conversation about two hours ago on a development project that we were working on that could really help a company revolutionize how they're looking at at data and even interacting with data. And as we were whiteboarding this, it's like, wow, this is what what's happening today with agents that came out 12 weeks ago. What's going to happen six months from now and what that's what is that gonna do to the to the workforce as we look at voice, I think is really that next frontier, if you will, where AI, the latency times are significantly less now, and the ability to have that natural language with the the next generation of voice agents that are coming out, really being able to tap those into data sets that you have. And I think call centers are ripe for disruption when you're gonna pay less than a penny a call to be able to have near access to real-time data and an agent that can speak in 30 different languages, um, working 24 by seven, really low latency, and no wait time. I mean, that's that's a no-brainer for call centers.

Joshua Schmidt

Kind of shooting from the hip here, but um, as we were having this conversation, I was reminded of the recent news of the new CEO at Apple, and I've been seeing some stuff around their approach to AI because they've seem really late to the party, right? This is coming from Built In. Apple is late to the party, the AI party, but maybe that's the point. Apple wants the gold standard in consumer tech is being overshadowed in the generative AI era. Well, it's a playbook of small strategic partnerships and quiet R&D payoff in the end. Maybe you guys could add to this, you probably have been reading about this too, but it sounds like they're trying to stay kind of on the backside of that wave and not be on the crest or even at the front of the wave. They're they're they're trying to see what happens. They might be anticipating a bit of a AI bubble in the investment, so they they don't want to put all their eggs in that basket. I will say, you know, Siri is very frustrating in the age of ChatGPT and Claude. All the uh talk-to-text is just really bad. So um, you know, I think there's room for improvement, and we've talked about that before.

Nick Mellem

It is really hard to believe that the richest organization really in the world can't figure out AI, right? It seems like they're waiting for other people to figure it out. Yeah, and that where I was gonna say next was that's Apple's MO. Like that they do that with everything.

Eric Brown

I think this is what we're seeing, but it's not probably reflective of what they're doing. I I would imagine they're putting billions of dollars into AI research that's just not public yet, right? Like they're doing stuff way out there that we'll hear about in 10 years. And and that goes back to something, you know, here in the Twin Cities, United Health Group's a pretty big organization, uh big organization globally, right? Like, you know, top five. Um and years ago, I uh uh a friend of a friend worked there and was telling me they have like a Skunk Works team. And the way he described it is tinfoil hat. Yeah, here we go. They've got a Skunk Works team over there that was working on this project that was recording all uh voice calls that were were coming into a particular help center related to medical, I forget what the exact medical need was, but they were recording these calls. And and the idea was that they were able to predict if a person was going to get Alzheimer's years down the road just based on the speech patterns that w were were perceived on the call. And that's what the the compute was doing, right? So I just I who knows if that's true, but it it sounded pretty cool. It sounded pretty accurate that something like that could potentially happen. I mean, if we're using quantum technology from um is it Palantir to detect the guy's heartbeat in some desert mountain in Afghanistan from 40 miles away, right? I mean, the stuff that they're doing, and you know, Apple's in on this as well, the stuff that they're inventing now and thinking about now, we may never even hear about.

Robinhood Phishing And Gmail Dot Trick

Joshua Schmidt

All right. Well, speaking of uh vulnerabilities and uh developments, we're gonna switch gears to this Robinhood vulnerability exploited for phishing attacks. I thought this one was timely. We've been working on um Harmony Checkpoint rolling that out here with the 14 plus one. We've been a lot of talking around the office here about how we're going to be offering that to clients and and uh there'll be more on that to come. But um, since uh phishing and uh email security are top of mind, I thought we pulled this one up from Security Week. It looks like uh legitimate looking emails coming from Robinhood systems lured uh recipients to phishing websites. And this is nothing new, but it's a new headline, right? And I'm a user of Robinhood. Do you do you guys guys dabble with Robinhood or you do go through more? I do. Yeah, I remember a couple years ago there was that AMC GameStop uh run uh meme stocks on the shorts, and uh that's when I got in to playing around with some of that. But um, yeah, Nick, I I know that this is near and dear to your heart, the social engineering aspect of this, and then also the security, uh email security aspect. So maybe you could shed a little light on this for us.

Nick Mellem

Uh you could go a lot of different directions here with like vulnerability um and patch management, uh, you know, but the social engineering aspect, yeah, is the big one, right? So you're sending out all these phishing emails, uh, seeing what hits, seeing who's uh, you know, and I guess you could go more of a spear phishing route here because you're looking for the specific Robinhood users um in this area to see if they'll click on anything and then log in to that specific uh account and then gain credentials that way. Uh so there's a lot going on here, but it's it's really nothing new, right? We see this stuff all the time, um, especially with our work with uh email security, DLP, et cetera.

SPEAKER_01

What I found interesting about this, and Nick, maybe you can tell me, because I agree it's not new, but what I didn't know, what I found kind of interesting, was how they were able to deliver the phish, right? So they took the old email account list that they had probably stolen months earlier, and then they were creating new email addresses and using this anomaly in the way that Google handles email addresses, right? So you put a dot in there, Google's going to ignore it, but Robinhood doesn't, right? And so they were kind of using this weird workflow exploit to get past DMARC and everything. So Robinhood was delivering these emails. Robinhood was like, yeah, this is fine, everything's great. And so they were delivering these very convincing emails because they were coming right from Robinhood, bypassing all their security.

Nick Mellum

Does this have something to do with the Gmail dot trick, right? So you have nickjones, and then you have one that's nick.jones, right? But it treats both of them as the same.

Eric Brown

Yes. There you go. If you put a dot in the email, so like nick.mellum, he could filter out any of the dots coming through as spam because he knew that he gave the nick.mellum address when he signed up for a particular conference or whatever.

AI Gatekeepers For Safer Email

Joshua Schmidt

I think another interesting wrinkle in this, and we just had a recent recording with Cameron Birklin talking about Check Point Harmony email security, is we talked about how threat actors can get in, steal an email list, and then not use it for a very, very long time. And I think this is another good example of how unprotected inboxes or email lists can create a point of vulnerability not just around the time that it happened, but months, maybe even years down the road, in a way that's unique, that might not even have been thought of at the time when they were stolen.

Eric Brown

I'm kind of thinking through a new product category on the corporate side, right? So you have email coming in, and if you have an organization with, say, a thousand people in it, the email relationship is one-to-one externally. And I wonder, does it need to be? Could it almost be like an RFC 1918 IP address where you have your company addresses? So in RFC 1918, it would be like 192.168.1.0 if it's in a /24, and then the same network could be in multiple companies, or like the 10.0.0.0 space, depending on how many addresses you need. But anyway, go with me on this. So rather than expose my email address to the world, and you would, but why should the external person have a direct line of communication to me, right? So send the email in, and then it just goes into this big bucket, if you will, this big database, and we'll let AI review the email, pull out the themes, rewrite the email, check all the hyperlinks, maybe even remove the hyperlinks, and then send me a message in Teams or Zoom or Discord or whatever medium I want to be communicated in, with a summary of the email. Like, "Hey Eric, Nick sent you an email at 2:10. He wants to know what you want for lunch tomorrow," right? I don't need the direct email, but that would just completely eliminate any phish, viruses, spam, whatever, because you could have all that email processed, rewritten, and delivered to you in a summary format, if you will. Over 80% of the email that's coming in is garbage anyway. So why do we need to spend the resources filtering that with tools when we could use AI here pretty soon to do all of that work for us? What are you guys thinking?

Nick Mellum

Well, Apple is doing that a little bit to a certain extent, not sending you back the email filtered, but if you sign up with Apple, if you have the option, it basically gives a dummy email. It gives you an option that says, do you want to hide your email? Yes. Yep. Yep. So it's not doing the back end part like you're talking about.

SPEAKER_01

I think that's pretty slick. I like it. I like it a lot. It's like having an agentic agent who is your administrative assistant, right, to read your email and filter out what's meaningful, what's not. And by the way, scan it for any malware or phishing attempts.

SPEAKER_04

Did we just think of a new project? I mean, we could probably write this over the weekend. I'm not even kidding. Well, you can, because you're going to Devil's Rada, but maybe the followers would go.

Eric Brown

The database space in something like Cloudflare is so cheap these days and so easy to access, it wouldn't be tough to spin up.

Joshua Schmidt

This is from Ars Technica: why a recent supply chain attack singled out security firms Checkmarx and Bitwarden. It's been a bad six weeks for security firm Checkmarx. Over the past 40 days, it has been the victim of at least one supply chain attack that delivered malware to customers on two separate occasions. Now it has been hit by a ransomware attack from prolific fame-seeking hackers. Bill, why'd you pick this one? I'm just gonna venture out on a limb and say this is a good example of why you need a managed service, not just tools in place, but someone riding shotgun with you, checking your security at all times. There are always things that are moving. Am I on the right path there with that?

SPEAKER_01

Yes. But also I chose it just because I think it really highlights the perils of putting a lot of your passwords in one place. And I'm not saying that's the wrong thing to do, right? I'm not saying that at all. But I am saying that a service as secure as Bitwarden is not exempt from this type of an attack. So what happened here is that Checkmarx was hacked, essentially. Someone uploaded malware into Checkmarx. Because Bitwarden uses Checkmarx as a source for some of its own code, that malware then found its way into one of Checkmarx's CLIs for their product. So if you were using the Bitwarden CLI, this does not affect the Bitwarden vault, by the way. The vault is secure. But if you're using that CLI, you may be thinking, hey, I'm doing the right thing, I'm using a secure password manager, rock on. That's usually true. But increasingly we're finding that these hacking groups are going after these types of targets, these types of security firms. And the irony should not be lost on any of us.

Eric Brown

To Bitwarden's credit, I think it was 90 minutes that they had the vulnerable CLI out there. That's right. Very quick. They reacted very, very quickly.

Nick Mellum

And yeah, like Bill said, I think they confirmed that none of the vault data was compromised. So that's the big takeaway.

Breach Readiness And Response Playbooks

Joshua Schmidt

So Eric, maybe you could give us a quick breakdown of how you approach these things from a leadership standpoint when there is a breach and you are a credible company like Bitwarden. Did they handle this correctly, by stating it, getting out in front of it? What are those best practices when something like this happens?

Eric Brown

I think they did a pretty good job with it. And they are gonna be at the forefront of these because they do have so many passwords. Essentially, if you can get into their vault, it's gonna be a treasure trove. And again, not to keep going back to Google Next, but there was a person from PricewaterhouseCoopers, and she was kind of co-interviewing, they were interviewing each other, with the VP of Google Threat Intelligence, I think her name is Joyce. But at any rate, the person from PricewaterhouseCoopers said that every company should expect to experience a breach within the next two years. So that's pretty impactful on its own. But it's like, well, what can you do about that then? And it really comes down to being prepared to be breached. So already having the conversations with your legal team, already having the media statements at least drafted and approved and ready to go, knowing who's gonna be in front of the cameras, knowing who you're gonna pull in, and having researched all of that, it won't be a shock when it happens. Because when you go through these events, it's pretty impactful from an energy standpoint. But if you've already drilled all of these things, then you're ready to go. You know who you're gonna call, you know how to do your restores, you've exercised these playbooks. And I think you mentioned the after-the-alarm before, but these are the things that we're talking about. These are the things I think we have to talk about more and more, especially with vibe coding and people who aren't developers relying on agentic tools to do code development. It's already been bad enough with regular developers developing insecurely; now, with fewer checks and balances, who knows?

And you could say the other side of the coin is maybe there's gonna be more checks and balances. But I think the point is the breaches are coming, and you can have all the dry powder that you want, but that's only gonna get you so far. And I think the other side of it is just being prepared to be breached. Yeah, at one point I was kind of like, hey, is this a defeatist attitude? But no, it's a practical thing. Because if it does happen to 99.9% of the organizations at some point in time, having the communications ready to go and knowing how you're gonna react to it is probably gonna save you a lot of at least mental anguish in the long run. And I think it's the same on the personal side, right? Knowing in the event of an emergency, what are you gonna do? Having had that communication plan with your family: what are you gonna do? Where are we gonna meet? How are we going to get hold of each other? All of that sort of stuff. Preparation is never a bad thing.

Joshua Schmidt

Thanks so much for joining us, Bill. You've been talking today to Eric Brown, managing director at IT Audit Labs, and Bill Harris and Nick Mellum, IT Audit Labs members. My name is Joshua Schmidt, your cohost and producer. Thanks for joining us live today. This episode will be up, and all the separate news articles will be videos as well. Please like, share, and subscribe, and source us wherever you get your podcast. We also have an opportunity for you to give us a rating and a little review on Apple Podcasts if you've got the time. And I hope to see you in the next one.

Eric Brown

You have been listening to The Audit, presented by IT Audit Labs. We are experts at assessing risk and compliance while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, and our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J. Schmidt, and our audio video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials, and subscribing to this podcast on Apple, Spotify, or wherever you source your security content.