Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall

Episode 15 - Are we Losing the Cyber War?

Are we losing the cybersecurity war? What does winning look like? Where does the U.S. stand on a global spectrum of cybercrime prevention? This week the guys discuss these alarming yet valid concerns.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe! 


welcome to the cyber rants podcast where we're all  about sharing the forbidden secrets and slightly  
embellished truths about corporate cyber security  programs we're ranting we're raving and we're  
telling you the stuff that nobody talks about  on their fancy website and trade show giveaways  
all to protect you from cyber security  criminals and now here's your hosts mike rotondo  
zach fuller and lauro chavez hello and welcome to  the cyber rants podcast this is your co-host zach  
fuller joined by lauro chavez and mike rotondo  and this is an interesting episode today before  
we dive into it into this topic that i am  particularly excited to talk about let's  
kick off with the news mike good morning and  uh welcome to podcast in 2021 these are your  
headlines for the week uh brought to you today  from the slap and scratching in mobile alabama  
mobile the place to be uh a new software supply  chain attack targeted millions with spyware  
um there's another one that's peggy backing onto  solarwinds so enjoy it's hitting uh androids pcs  
macs it's based on a android emulator enjoy  google discloses a severe flaw in widely used lib  
lib gcrypt encryption library that's a hard one to  say it's a heat buffer overflow that will go ahead  
and decrypt your data wordpress pop-up builder  plug-in flaw plagues 200 000 sites so there's  
another wordpress issue out there definitely tell  you to look into it if you have a wordpress site  
um malicious actors reserving their cyber  cyber attacks for the hospitality industry um  
so what they're doing is they're hitting the  cyber industry or the hospitality industry  
with cyber attacks stealing gas data um and  this is becoming a bigger problem because  
more people are going to biometrics or faster  ways to check in so there's less interaction with  
staff it's more electronic so when you lose your  room key there's a way around that and now that  
stuff is being that that chain is being broken  i love this one malicious script steals credit  
card info stolen by other hackers yep they are  piggybacking on other hackers work to do steal  
credit cards that they're already  stealing on their own so it's um  
hackers being hacked by the hackers to steal  credit cards no honor between these people  
no not at all no honor between thieves or  pirates i guess oh i guess not it's crazy  
linux malware backdoor super computers yep that  super computer is no longer safe there's now a  
malware called cobalos that will allow you to  create uh terminals and we'll break into aix and  
other high-end systems so got that going for us  ransomware operators exploit vmware esxi flaws  
to encrypt just the vm there's a lot of esx issues  out there please patch them but because everybody  
seems to forget that the esx host is vulnerable  just like the vms are over a dozen chrome  
extensions caught hijacking google google search  results for millions google chrome extensions have  
been backdoored being manipulated from the let's  all be unified point of view microsoft defender  
atp is detecting yesterday's chrome update as a  backdoor obviously that's an issue uh make sure  
you update your chrome and then for us mac users  recent root giving pseudo bug also impacts mac os  
that's the cde 2021-3156 so macs are now available  are vulnerable to this threat actors capitalize  
on copa 19 vaccine news to run campaigns aws  is abused to host malicious pdfs a lot of bad  
stuff out there this is a nice once again aws is  being victimized in this kind of nice enhancement  
microsoft defender now detects mac os system  app vulnerabilities so if you are running mac os  
have co-loaded it with uh windows  os or somehow running it together  
the windows defender will work with you on  that one so that's all for the headlines guys  
cool thanks for that mike uh to kind of add on to  some of that with exploits this week um you know  
the pseudo they're calling baron sem did it was  featured by fantastic hacker and that's available  
uh for download into metasploit so those that  that exploits available right now in two parts  
it requires a little uh ratchet tree to get it to  work but um it is available so keep that in mind  
make sure that you're you're treating that pseudo  stuff pretty seriously another thing that i think  
is interesting to see is that a recent kind  of newcomer author to the market has brought  
six solaris 10 uh privilege escalation  vulnerabilities uh that work in in various  
versions of solaris 1013 um so it's it's it's  it's certainly an older version of solaris but  
um a lot of organizations are still using  those older versions of spark because they work  
um so i think that's kind of interesting and then  to tag on to what mike was saying about wordpress  
wordpress fibo image remote code execution is  available has an exploit plug-in for in php4  
metasploit so again um if you got wordpress  running make sure that you're you're getting those  
modules updated so that you're not vulnerable  to this uh this irc and that's um that's it for  
exploits keep patching great thank you both  interesting times that we're in these days a lot  
is happening out there and really for the topic of  today's discussion it's it's certainly a valid one  
i think and it's it's a question that we i think a  lot of us ask on a regular basis and that question  
is you know are we losing the cyber security war  that's out there and and or or what is our status  
in this this worldwide you know battle of  the giants but then also the the small and  
medium-sized threat actors i mean everybody's  kind of in this together everybody's um  
seemingly against each other like you just talked  about mike hacker's hacking hackers right it's uh  
it's a why it's kind of the wild west out  there and so the big question is are we are  
we losing the war on cyber security and a recent  support uh discussed in detail the um chinese you  
know military backed hackers going in and and  going after um consumer credit agencies large  
corporations and small the dod supply chain all  of that the uh the chinese uh nation-state-backed  
hackers basically are you know coming up over  and over and over again and so we're in this  
continuous warfare cyber warfare really right  and and um we have to ask you know where do we  
where do we stand in all this and and you know in  my opinion uh we have a lot more to do and this  
is something that we're not going to conquer  overnight and and i don't know if there is a  
end-all be-all or some definitive end to all  of this i it could certainly be a long-term  
war of attrition right kind of like the the war  on terror right or the war on drugs i mean it's  
just a it's it's something where i don't know  if there actually is an end state but the idea  
in my mind is really to subdue it as much as  possible and protect ourselves as much as possible  
um what do you guys think where do we stand  today this day and age i don't think we're  
i don't think we're losing um you know i  think we've got a long way to go to determine  
a winner or a loser in this specific epic battle  right um we're certainly the disadvantage now  
i think my my reason for thinking that is is  kind of kind of two-fold um the the first part  
is is really just because of a i think you  know it's it's a it's a different culture  
in the united states um you know most of  the youth and most of the populous here  
leverage technology for um um for leisure  you know cyber security and the technology  
i guess core of job families isn't something  you know or that profession or or even as a  
hobby isn't just something that occurs to them  right they're very good users the rest of stuff  
doesn't really doesn't really matter to them and  and you know the other the other second part is  
that you know the fabric of what we know is the  internet of everything today wasn't built on  
security it was fabricated in the method to share  data it was meant to be a public library of sorts  
and so because of that kind of i guess off-footed  approach to to to building what we know today  
as you know the fact that the internet of  everything uh unfortunately we're in a race  
to to resolve mistakes that we made early on  that we didn't see um so we're we're kind of  
doing both right we're trying to fix at all times  the things that are not in place for you know what  
we consider to be a cybersecurity configuration  right to be abused and two we have a populace that  
is you know not getting not not kind of driven  towards that heavy use of technology from an  
engineering perspective that other countries do  and um that are just kind of users of the tech  
versus engineers of the tech which i think we kind  of see in greater populous more hackers come out  
of other countries than come out of the united  states i guess there's an easy way to say it
and the irony of that is that most of the hacks  that are being used have been developed in the  
us yes yeah absolutely it is this is a strange  dichotomy right i mean i i think it's the u.s. is  
primarily a consumer class right there we're  consumers we're not we life has been very easy and  
soft for us to last what 50 years or so or however  long or whatever your point of view happens to be  
so we tend to take these things as you know these  great blessings that have made our lives easier  
without ever considering you know the ops options  of that and i tell people all the time it's like  
everything that makes your iphone easier to use  or your computer easier to log in makes it easier  
easier for us to break into and they just that  they don't always connect the dots on that  
yeah and it it comes down i think that you're  right you know we we've had a relative level  
of comfort in our country compared to elsewhere  in the world that really just scraping to get  
to get by um and it's very very hard for them to  get ahead so it's it's almost not an option to  
even create um new technologies or new methods  um they're there but they can certainly steal  
ours right and use it against us um so it's kind  of a sad situation also i think comes down to  
values within different countries so um you  know with china for for instance you know their  
their government is it's run much differently  and the government fully believes that  
um there should be visibility on everything  and and going on at all times um there there  
shouldn't really be things like privacy right and  and very much free will are very much focused on  
um monitoring everything going on including  their own people right but um and you know the  
the other side of it is that we also have the  intelligence operations that have been going on  
forever really you know since since for  since before our country was even a country  
right we have these intelligence  operations going on and so now  
the cyber warfare is an extension of that  that's another piece of it right like when the  
office of personnel management attack happened  right unfortunately um that resulted in a lot  
of our intelligence operators overseas getting  killed it's just there's no there's no way to  
to sugarcoat it that's what happened and it's  because that data is being used uh not just for  
um uh you know ransomware and collecting payments  and that sort of thing that's a huge piece of it  
right financial gain but the other piece of  it is uh actual physical attacks physical war  
and uh this kind of cat and mouse game uh within  the intelligence community so they're they're  
looking at this as as really a um a means of  survival you know i know a lot of threat actors  
are they operate out of uh out of a survival  mentality where i like to think you know here  
in the us we're much more focused on a mentality  of growth and and hoping to work toward peace  
and such but not everybody thinks that way so it's  it's i think the very root of this even boils down  
to uh culture and values uh within companies and  how people how people were brought up you know and  
not necessarily at a fault of their own right it's  it's it's a very much product of their environment  
in a lot of cases so stealing from other  countries uh you know or war of attrition  
um to them that's just that's just life it's not  it's not something that's wrong or good or bad it  
just it just is uh unfortunately it comes down to  survival and i think you know there's two things  
that i want that i want to touch on first the  american business model is to make money right  
it's capitalism we're driving the share price  we're driving you know whatever maximizing  
profit and security costs money and you don't  see 100 see a direct correlation between profit  
and security um although i think there was some  cyber security company called solid sector that  
came up with the risk to revenue model but we'll  talk about that another time um but anyway uh  
we do have i mean you see that and we see it all  the time in our conversations with companies they  
well that costs too much or we don't want to do  that we can't afford the security guy or we can't  
do that and you know they fail to understand that  it costs four to ten times what to fix a breach  
than it would be to put the resources in place to  prevent a breach and this drive of making profit  
and don't get me wrong i love profit i like  making money but you have to take into account  
the risks that are out there so companies like or  countries like china have more of a holistic view  
where it's for the company whereas in the u.s it's  for the uh excuse me china is more for the country  
whereas the us is more for individual  companies and there's no true standard  
and china has then now taken in weaponized um  technology is meant as a means of control they're  
creating a social credit score based on your  social social posts your social media posts how  
your spending habits are what you know on and on  and on and all these various factors and they're  
using that to determine what apartment you can get  what job you can get whether you can get a loan  
or not etc etc and it's it's becoming a control  fund factor which you know used to have to happen  
by you know kgd agents sneaking around corners  now they just do it by eavesdropping on social  
media and what's concerning is is the us move into  that because there seems to be a whole lot of um  
a whole lot of cancellation on social media of  people that do not adhere to the dominant um the  
dominant paradigm of the day the dominant message  of the day and it's you know free speech is under  
attack you know from all ends so that's my soft  box that was a that's a good soapbox i like that  
that stealthy little plug you you you jabbed in  there that was that was brilliant yeah i like that
yeah you know it's really interesting i i hope and  i think i think this is uh this is a problem of um
these these are all problems that i think have  stemmed out of something that's that's good by  
nature right it technology technology just is  right it can be used for good or it can be used  
as a weapon right it's it's really it really comes  down to the human element uh behind it and the  
societal values a lot of different factors go  into this but we can't we certainly can't blame  
technology as being the problem i think that the  big picture is is how do we how do we create a  
culture that that understands the the fight that's  in in a lot of other cultures right and understand  
how to protect ourselves how to drive forward  then and then hopefully he used technology to to  
come together as a world not split apart and and  uh i won't get all soft and mushy on us here but  
you know when we when we talk about culture we  look at things like uh that you know the app  
uh tick-tock for example right that was  that was it's it's it's clear that it's  
you know chinese uh entities in government are  using this as surveillance software right and  
collect data on people and it's not it's not even  so much about just having the data on people that  
scares me it's the predictive algorithms that they  create um that you know these these ai based um  
methods of pre-cognitive crime you know like  it's like a hi-fi movie yeah um minority report  
minority report yeah thank you um you know it's  it's like a real life world a real-life version of  
that you know and and um so it'll be interesting  to see what what happens but the the thing that  
scares me the most is not that yeah that tick tock  is being used as as as chinese surveillance the  
thing that scares me is that our youth doesn't  care they say oh well what who cares if if um  
these these other uh you know large governments  that have ability to cause do a lot of good or  
cause a lot of harm in the world uh you know  have have all this they're they're almost just  
not wanting to hear it because the the uh  endorphins that these apps create for them and  
that the addiction that they create is something  that they're not willing to let go of and that  
that's the scariest thing to me it's not it's  it's just it is a drug i think you bring up a good  
point it's probably a great topic to have another  type but you know you're right there's there's  
certain things in the brain that are happening  when these individuals when individuals are using  
these apps and it becomes an addiction um you  know the infinite scroll right it's for a reason  
it's so that it never ends it can never end for  you if you want it to right you know what i mean  
oh yeah so it's super interesting well i can't  remember the guy that came out with a facebook  
engineer that came out so this is all about  driving dopamine right huh yeah totally i know  
you're talking about i can't remember either but  it is it's a um it's it's a it's a version of a  
you know fixed from a drug and when you've  got artificial intelligence and it's it's  
weird because you know you know the chinese we we  know they have all the intelligence on their own  
people already right they're running this weird  social social scoring system that's going on if  
it's out of a sci-fi movie too they did an episode  of that on that i can't hear that sci-fi movie um  
that was on netflix but uh anyways go to a planet  that's like completely driven you have a score  
that you know that was from uh that seth uh seth  mcfarlane uh that's right uh what was that called  
what the heck anyways that's seth macfarlane  sci-fi anything today we should it's you know  
what i've only had 16 cups of coffee so i i've  got to get to 20 before my memory starts really  
kicking in from that far back but yes they did a  they did an exact episode on that one that's weird  
right the truth is stranger to fiction but i think  the chinese are bored they have all the data that  
you know they got this really cool i mean i think  they probably built this fantastic data center to  
do all this with us ai it's probably a marvel like  i don't care i mean their purpose is bad of course  
but i'd still like to look at the technology  i imagine it's impressive right imagine it's a  
sight to be seen um but they they did all that and  now they can't they've got everything there what  
what's next well let's gobble up the rest of the  world uh the orville that's the name of the show  
the horrible thank you yes what happened to it i  think it's on netflix now but anyway yeah but that  
that episode man where they had that they had  to visit that planet where that you know he made  
a snide remark and they were gonna banish him  you know they were punishing him through their  
social system yeah and reprogram them yeah super  interesting that the lady couldn't order coffee  
because she didn't have enough um you know social  clout right or whatever she'd have enough likes  
exactly it's such a such a random how random it  applies and that's exactly what the chinese are  
doing almost like they watched the episode and  was like that's a brilliant idea let's do that  
it you know in the on the cyber  warfare side of things i what i mean  
is people ask what does winning look  like right how do we win what do we do  
to get ahead of it and that's that's an extremely  hard thing to answer i mean winning looks like you  
know world peace and everybody loves everybody  but what's what's the reality of that happening  
it looks it's not gonna happen but winning for the  united states and you know in our in our you know  
kind of cyber battle would look like much like  an organization that's successful at aligning to  
any given framework right where the people are all  trained right that's a cultural change inside of a  
corporation that has to occur right that everybody  has software on the machines right there there's  
certain things that they they're made aware of  and what tactics and what you know software is  
vulnerable and shouldn't be used and so we would  have a cultural shift where all of the american  
youth and and people and it would be a massive  effort right to educate the youth and educate the  
you know the elderly um to assist them in their  homes and you know in in their places of uh you  
know kind of um you know not a rest home i guess  what you call that like sort of um supervised  
adult supervised living or whatever assisted  living but you know they're they're victims too  
right i mean we've seen we've seen right here in  local um local municipalities these elderly people  
kill themselves because they fall victim to scams  that have taken their last of their savings um so  
they're victims too and um i think it all starts  with that education right that cultural shift but  
i that's what i think it would look like it would  look like a corporation that's been successful to  
aligning to like nist 853. where and and that that  that part of the people specifically right where  
they're they're they're getting a training program  right we're free or they're getting it on their  
own they're updating their computer they're not  installing random apps they're not letting kids  
there they're running in a user shell and not an  admin shell right until they need to do something  
um you know i mean there's a but that's what i  would think that would give us an advantage over  
you know and this and it would it would include  companies actually all organizations operating  
united states doing the right things to software  development right making sure that they're  
they're they're eating their own medicine  right these companies that are offering these  
um you know trusted software deployments that  are need to be running their stuff through bug  
bounty programs and and initiating that type of  security so that we have a more security culture  
and i think that's probably where it would would  start and that would fend off a lot of what's  
happening i think well i remember a couple years  ago there was actually a study done that most of  
these like payout apps that are out there uh it  was something only like 20 were actually tested  
for security and they're still being launched and  still being out there i mean and it's just this  
lack of accountability right because really what  was the recourse if you got hacked there really  
wasn't any until um was it west i can't remember  the bank uh the hotel agency that got sued by  
the fcc because they claimed they had all these  security measures in place got hacked and turns  
out they didn't have any of them uh yeah i really  can't remember anything this morning either um  
um been a lot of data to like chew through the  past week you know i mean it's it's been a it's  
been a bit with stuff going on so i'm only  on day two of my vacation and so i'm assuming  
that by by the time i return on wednesday  i'm going to be dumb as a post so um yeah
you know i think and i think we're i think  perfection is is you know is not the uh is not the  
focus right or zero hacks zero attacks anything  like that i think that's just something that's  
going to continue to happen unfortunately like  war itself right uh like terrorism like things  
things like that that we want to get rid of the  world i think that's going to continue to happen  
but how do we minimize it how do we mitigate it i  think that what we have to do as a nation we have  
to make ourselves harder targets than those around  us so it becomes more and more costly to perform  
cyber attacks now that's not going to stop the big  you know nation-state backed threat actors right  
but that's going to stop a lot of the activity  and it's going to make it more costly for them um  
and and by doing that you know the more we protect  ourselves the more we can continue to innovate  
continue to drive forward get ahead and not have  that information stolen and then hopefully use  
what we create out of that for for good and and  continue to grow and and thrive really and then  
and then hopefully help others others do the same  right and so it's going to be one of these ongoing  
ongoing situations but i think  right now that you know we are  
we're failing to protect this this nation from  you know from cyber attacks there has to be  
done more there's a lot of people working hard  on it but i think it somehow we have to spread  
this message to the general the general  public that's not in this business that's  
not thinking about these things i i would  venture to say that 90 probably 99 95 of  
the uh nation's population cyber security doesn't  cross their mind for themselves personally  
unless they see uh you know something on the news  that happens right but they're probably day to day  
people aren't really thinking about this at all  kind of like you you talked about earlier laurel  
so well what's what's interesting is that you know  as a country here in the united states we we we  
have the second amendment right the right to bear  arms and so there's a lot of americans that have  
weapons you know so they're they're we're  physically protected you certainly don't  
want to start a land war here but the same  people that protect themselves physically have  
little to no protection in in the cyberspace um  so we i think you're right i think it starts with  
awareness if their their default passwords  on their on their routers right yeah well i  
also think that we need to start having real world  consequences for hacks for these companies because  
i can't tell you how many cios that i've spoken  to it's like i saw our stock dips for a while  
you know we'll be back kind of thing and and they  just don't have there's no consequence for their  
lack of activity i i agree 100 and i also think  that we should have real world consequences for  
foreign governments that don't that don't  regulate um attacks coming from within their  
country or even try to go after them i mean not  i'm not talking about go to war with them but  
i'm talking about you know whether we need trade  embargoes or we need something that that causes a  
little bit of um it creates an incentive for them  to actually do something about it because a lot of  
a lot of uh nations are just just letting it  go without any any any consequence whereas  
other crimes within their country they would they  would penalize heavily um the the cyber attacks  
are almost not taken seriously in a lot of places  yeah and i really think they should be so i we you  
know this is a fascinating topic we could go on  and on but we're we're coming up on time here so  
just to recap you know i think it's it  really comes down a cultural shift to  
education to focus on this to really taking it  more seriously as a nation than we we ever have  
i think people are starting to wake up on in that  sense i think we're certainly headed in the right  
direction and and and working harder toward that  than ever before uh but there's a long way to go  
so you could spend an hour on linux a  day there you go not playing video games  
well thank you very much for joining us today  thank you for listening be sure to rate us  
on your favorite podcast platform let us know your  thoughts comments questions so we can answer those  
in future episodes and always feel free to uh to  reach out so thank you very much have a great day  
take care everybody take care pick up your  copy of the cyber rants book on amazon today  
and if you're looking to take your cyber  security program to the next level visit us  
online at join us next time  for another edition of the cyber rants podcast