
Episode #45 - Cyber Crime - Do People Care?

There is a lot of news about cyber attacks but the big question is, "Do people actually care?" This week the guys rant about cyber crime and how it affects people and companies who often don't care until it's too late. Through real-life examples, horror stories, and tips to help you stay protected, this episode is not one to miss! 

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines

New Bill to Require Cyber Attack Reporting in the US
US Gov’t Mandating a Zero-Trust Approach for Software Supply Chains
CISA Names 3 ‘Exceptionally Dangerous’ Behaviors to Avoid
Data Masking Is the Answer to a Data Breach

AWS IAM and Cross Account Attacks

Android Privacy Issues Were Discovered in a New Study
State-Sponsored Iranian Hackers Uploaded Fake VPN App to Google’s Play Store, Posed as University Officials
This New Ransomware, Dubbed Yanluowang, Encrypts Your Data and Makes Some Nasty Threats, Too
7-Eleven Breached Customer Privacy by Collecting Facial Imagery Without Consent

Analyzing Email Services Abused for Business Email Compromise
Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cyber security programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cyber criminals. And now here's your hosts, Mike Rotondo, Zach Fuller and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez, and today we're talking about cyber security... even matter? Why do we care? Who cares? You know, do people care about cyber security? We're gonna unpack some of these things here and talk about what we see, what's going on, not only in the news but just out there in the world, the stuff that happens every single day that often doesn't make the news. So we'll talk about that in just a moment, but before we do, Mike, you want to kick us off with the news?
Yeah, so here's the headlines for today. We've got some things from the feds going on. There's a new bill to require cyber attack reporting in the U.S. Senators on the Homeland Security Committee have introduced new legislation last September, as in last month, requiring critical infrastructure companies to report cyber attacks to the federal government within hours. The bill also aims to mandate most organizations to tell the federal government if they make ransomware payments. If enacted, the Cyber Incident Notification Act of 2021 would require critical infrastructure owners and operators to notify the Cybersecurity and Infrastructure Security Agency, CISA, within 72 hours if they are experiencing cyber attacks, which is a loosely defined term. But this should be interesting, considering sometimes it takes over a hundred days to determine that you've been hacked.

So, uh, yeah. But I mean, good stuff though, right? I mean, I can't say it would be a bad thing, so you should update your incident response plan.

Yeah, it's just... it'll be interesting to see how it's unworkable. If anybody's watching any of the hearings and watching some of these senators ask questions, they've got no idea what they're talking about half the time. So that's my concern, is that they're going to put together a law that is nonsensical.

So true. Yeah, I don't want to go too far down that hole, but the Facebook interviews were quite interesting.

US government mandating zero trust approach for software supply chains: in the wake of the SolarWinds attack last year, the president issued an executive order in May advocating for mandatory software bills of materials, or SBOMs, to increase software transparency and counter supply chain attacks. SBOMs are machine-readable documents that provide a definitive record of the components used to build a software product, including open source software. Since the executive order, software makers and buyers have been trying to make sense of how SBOMs support supply chain security. That would include yours truly.

CISA names three exceptionally dangerous behaviors to avoid, and I applaud CISA for this because they were so in-depth that we couldn't figure them out: not using MFA, using default passwords, and using end-of-life software. I'm so grateful for them telling us that.

Apache just issued another emergency patch for exploited flaws. IT managers hoping for a bit of respite after being warned to immediately patch their software earlier this week, and it was actually last week, are facing a fresh problem: the previous fix didn't work as advertised, so there's another fix out there to solve that issue.

Report: online consumers not taking cyber security seriously, and I think we're going to talk a bit about this. Bitdefender releases a report that analyzed and dissected cyber hygiene practices employed by consumers that shop online, and their findings weren't positive. They surveyed over 10,000 consumers in 11 countries, and they learned that online shoppers are largely reusing passwords across multiple websites, over sixty percent of consumers have experienced at least one security threat on their smartphone, and nearly half of American parents don't oversee their children's internet activity.

Lastly, data masking is the answer to a data breach, according to Blue Brooks. According to the stats, the rate of data breaches is growing rapidly every year; compared to mid-year of 2018, the number of reported breaches was up by 54% in 2019. Combine data masking technologies with other data protection techniques, for example encryption, data activity monitoring, security information event management, and collectively implement extensive data privacy protections. It's an interesting read, trying to sell you a product, but it's interesting, there's some interesting data in there. There's some additional headlines that we're going to post with the podcast: a thing on AWS, there's more Android issues, the Iranians are causing problems with some hacking, and 7-Eleven got breached. With that, Lauro, what do we got?

Seven... 7-Eleven owned by the Iranians?
No, they're collecting facial recognition without consent. Cost...

Oh, I thought it was the new ransomware. I didn't get my Mountain Dew.

Slurpee, Slurpee there, my Big Slurp. To tag along with your HTTP server band-aid on top of a band-aid on top of a diaper full of poo, that would be Apache HTTP Server, and we do have an exploit for version 2.4.50, the path traversal and remote execution. The RCE has been modified to work on the version again, so please update to 2.4.5 immediately. This exploit PoC that has been validated by several testers is available for all of you heads out there with netflix pro or Metasploit framework, which makes it even more terrifying, so get that patched. SonicWall SonicOS 7 has a host header injection that will get you owned, so if you're running anything SonicWall SonicOS 7, make sure that you're updating that. And for everybody out there on SolarWinds, pretty interesting SolarWinds debacle here with an unquoted service path for one of the Kiwi CatTools in version 3.11. That PoC is validated and available for everybody with Metasploit, so make sure that you are checking that out and getting that updated. Zach, that's all I have for exploits.

Can we talk about... are you sure? Because I didn't hear WordPress in there.

No, I'm not saying that word anymore. It's the unnameable.

Good, it's good, it's kind of refreshing. Refreshing. I'm sorry I brought it up, but it's okay.

Yeah, it's not as... you know, I have a little Christmas tree that hangs in the things in the toilet room, and it says Microsoft on it.

Well, outstanding. We are going to unpack a topic here about whether or not people care about cybersecurity, about data protection, what we can do about it, most importantly, right? Before we dive into that though, let's take a quick commercial break.

Want even more Cyber Rants? Be sure to subscribe to the Cyber Rants podcast. Get your copy of our best-selling book Cyber Rants on Amazon today. This podcast is brought to you by Silent Sector, the firm dedicated to building world-class cyber security programs for mid-market and emerging companies across the US. Silent Sector also provides industry-leading penetration tests and cyber risk assessments. Visit and contact us today.

And we're back. So
RiskIQ is a company that puts out this report every year called the Evil Internet Minute. It's been out for a little while, but I thought it'd be appropriate to reference here in this discussion, because one of the big metrics that goes by is the amount lost to cyber incidents per minute, and that amount lost, this is for companies around the world, every single minute to cyber incidents is 1.8 million dollars. So 1.8 million dollars a minute is basically being... it's worse than being flushed down the toilet, right, because it's going into the hands of cyber criminals and they're using that to increase their capabilities, right? They're putting that money toward terrorism and everything else. So pretty bad stuff going on. There's compromised records, 525,000 compromised records per minute. There's 1,095 DDoS attacks, distributed denial of service attacks, per minute. There are organizations victimized by ransomware, six per minute, every single minute. So pretty crazy stuff. I mean, the numbers speak for themselves, but I'm curious to hear what you guys think. Do people care? Are people still treating... and based on your news article, Mike, it sounds like some of the studies out there are showing that people are just not... with all the stuff going on, they just kind of throw up their hands and say oh well. So does cyber security matter? Do our lives matter? Get into some deep philosophical questions. Why are we here?

Zach, why are we here? I think we're here to do a podcast. And I don't mean to be a downer, but the topic is, I think, it's a little unfortunate.

You know, I think it is unfortunate. Yeah, you know, I think it matters. I think there's a... I think it's a very clear one and a zero. I don't want to get binary with everybody, but I mean it really does seem like there's really not that middle ground. Speaking from our clients that we have, right, all of our clients care. But when we're talking with potential clients, right, that may or may not have the privilege to work with us, they seem to be that it's either one or the other, right? They care or they don't, and it's very clear that they don't, and they probably won't care until something happens. And I think it's by nature, right? Nobody wants to do services on your vehicle until you get a warning light on the dash.

I was gonna say, right, why change the oil regularly? Why not just kind of run it and run it and run it, right? Who cares about prevention if it's still going? Just keep it going, right? I think that's a lot of people's mindset when it comes to their use of technology.

But I think the problem is still this, and we still see this, is "I don't have anything anyone would want to steal." Is that attitude, or "who's gonna care about my password at my Amazon account and my Old Navy account and my Fanatics account? You know, what if they break in, so what?" It's those kind of things, you know, it's a fundamental misunderstanding, and I think one of the failings is that cyber security training for work is not translating to home. And I think that's part of the problem from a consumer perspective, is they're not putting one and one together, they're not translating those practices they're forced to at work to their own personal lives. And I think if you put an emphasis on that in your training, that it would benefit the worker at home as well in their personal life, and those numbers may drop to a certain extent. On the other side, CFOs running compliance and security and IT projects are looking at dollars, and a lot of times the technological voices, the tech voices, don't have a say in the matter, and they're looking at dollars and cents and trying to figure out how cheaply they can get away with getting something done. And they're failing to see the fact that mitigating a breach beforehand costs x number of dollars; after the fact can cost 10 times x because of the reputational damage, the replacement or rebuilding of systems, and the loss of client faith. And I think you have to take the dollars and cents, you have to be able to translate the cost of security measures to, you know, why this benefits a company, to get through some of those accountant springs.
Yeah, that's very much what we see, and I think that they see... you're right, they see the cost. But that, coupled with... if they knew a breach was going to happen this year, and it was guaranteed this year, I guarantee the proactive cyber security budget would be in place right away. But I think another kind of misunderstanding that leads to poor decision making is that, well, yeah, you know, it could happen, but it's probably very unlikely that it'll happen to us, you know, ever, much less within the next 10 years. And I think that's a lot of the thought process: it's well, it's probably just not gonna happen to us, it hasn't happened before, why would it happen now?

That's true. I think there's a lot of Dunning-Kruger effect happening, right, in kind of both hemispheres of the business. And it always comes back to two things, either a lack of knowledge, over... all three things: lack of knowledge, overconfidence, or a dollar problem. Yeah, you know what I mean? Or, you know, I guess overstated confidence in their systems. And I think we see that a lot, where they believe that they've deployed to a place where they're unhackable, right? And then they have the kind of compounded delusion that, well, on top of that, we don't have anything anybody would want. I think there's those two things. And there are certainly some very, very secure data, and there's some very well deployed architecture; however, to, you know, think that nothing's undefeatable is, well, it's silly, really, especially with quantum computing where it is today, you know. And so we've seen an increase in highly intelligent attacks carried out against organizations.

Well, you can also... yeah, and add, case in point, the client just brought this up to us yesterday or the day before, camera which, but remember the solution for getting rid of a hard drive? Drill a hole through it, it'll be fine. Well, now they have technology out there that will now read a hard drive that just has something drilled through. So people are going to great lengths to steal data for a reason, if they're going to that length to figure out how to reverse engineer a hard drive that's had a hole drilled through it to be able to pull that data.

Yeah, well, I think another big misconception that we see is that somebody else is taking care of security, right? And that's another reason why it sometimes doesn't get the budget it needs, is because, oh well, we're in the cloud, right? We use Office 365, or... and that's one thing, but when people say they use AWS or Azure so they're fine and they're SOC 2 compliant, it makes me cringe. I think there needs to be a lot of education around why that is not the case, because you're in the cloud doesn't mean somebody else is taking care of your security for you.

Yeah, it's like daycare, you know? It's like, do you just, you know, let anybody take your kids, sort of thing, right? I don't want this to sound like some circumlocution around us, you know, selling services, because it doesn't matter if you use Silent Sector or anybody else. What's important is that you find some way to secure your business, because what the skin we have in the game is the same skin that every other American has in the game, is that the moment that you take this for granted and you have high confidence over your systems, unwarrantedly so because you've never done a pen test or a technical assessment of any kind, and something happens and you have to pay ransomware, now you've just hurt everybody. Because now all the same criminals that are attacking everybody else, and they get through to you because you made mistakes, now they have extra ammunition, and you know, monetary specifically, ammunition to now front more attacks against everybody else. So you perpetuate the problem when you pay out, and it's concerning, and I think that's a large reason why you see this legislation try to come in, where they're talking about, you know, they want to know if you've paid ransom because they want to try to track this money back to a criminal central or a set of cells that they can pinpoint, that are waging attacks against American businesses. So by not being proactive and not taking this seriously, you weaken the rest of us, in the same way that... and I don't even get in that conversation, but the same way you could have about a vaccine with a malicious virus that's going around, okay? And the same argument that you could put there, right, that the whole thing makes us all better. In this case it really does, because, you know, we're wielding technology, these companies are being allowed to wield technology in a manner that is unfortunately not secure, and it's causing all the rest of the companies harm.

And additionally, it's not so much, necessarily, 100% of the time they're going to steal data. There's an article I came across, I think it was last week, but I didn't share it, or I may have put the headline into the podcast, was a lot of ransomware now is simply implementing something to mine cryptocurrency. That's all they're doing with it. They're just trying to create a breach, a hole, a website...

Monero? Yeah, Monero got nailed.

Uh, yeah, I mean that's all they're trying to do. They're trying to use it to mine cryptocurrency. So what they're stealing from you is your compute power, and, you know, which translates loosely to your electric bill and all that kind of stuff, right? But in reality, once they've established that to use you for mining cryptocurrency, they already have a foothold.
Right, exactly. I'll just walk it through for you real quick. I'm going to break into your systems and I'm going to say, okay, what do I have options to? Is there data here that's worth selling on the dark net? No. Is there data here that I can use to get into other systems and other individuals? If the answer is yes, no, that could be good. What else is here? Okay, so let's say I don't have any of that data, I'm just looking at, you know, some files and some emails. There's nothing really here tangible, but there's compute. There's compute and there's dependencies. What is this organization dependent on? Oh, they have a SQL database. I'll just lock that up and then I'll ask for a ransom. There's no data in it that I care about, but I'll lock that up, ask for a ransom. In the meanwhile, on these two deprecated Dell edge servers, I'm gonna load some crypto ransomware that is gonna lock it, and while it's locked, it's gonna mine for Monero or whatever other crypto I choose. And it's as simple as that. It has nothing to do with what you do, what you're doing, what organizations that you serve, or what clients you have. In some cases, right, that may be the case, but a lot of times it's opportunistic. I'm going to come in there, I'm going to be like, what can I do here? I need to make money. This is about money. This isn't about, you know, I don't like what you're selling on the internet. This is about coming in and getting money out of you. This is about, if you don't have data that I can sell or reuse, I'm going to drop some form of gear on here that's going to misuse your technologies, and I'm going to move on and hopefully you don't notice it. That would be my best case scenario here, is that if I know you don't have enough money to pay a large ransom, I'm just going to drop a bunch of miners on your gear, and because you're not smart enough to figure any of this stuff out anyway, and users are going to complain about slowness, and maybe you'll throw another server in for me to add, throw more gear on later, and I can just continue to mine crypto on your hardware.

Exactly. It's a good idea to set up a honeypot with a fake company financials file in it that shows $20 on the balance sheet, so that they know, okay, this is probably somebody that I don't want to demand a ransom from.

It's always worth my time for the 20 bucks, you know. But it's as simple as that, though, really. It really is. It's a game of economics, right? It's no different, it's the same thing with the war on drugs, right? I mean, it really comes down to economics. And so, when we make... to dispel another myth, right, that, oh, everything's hackable, so why bother, right? Well, when we make it more costly for the cyber criminals to do what they do, it's gonna hinder their business, right? So when their return on investment starts to go negative, well, that's not a very good business to be in, and they won't be in it for very long, right? So when it's harder for them to get in and actually make money out of breaching your environment, that costs them. And so that's the name of the game, and we need to look at it from the economic standpoint.

But let's talk a little bit, I mean, what do we do about all this? Because one of the things, and I don't want to get too philosophical here, and maybe putting it that way is a stretch, but I look at what's going on in the world, especially with the younger generations and stuff. Let's take TikTok, for example, not to go too far down a rabbit hole, but we saw through that that a lot of the younger people don't really care about their data, right? They're putting it all out there anyway, all their information, sharing freely, kind of wide open economy, sharing economy I should say, all this stuff. It's kind of become more the norm, and how do we get them to understand that, hey, you know, giving nation state threat actors a whole bunch of data about your personal life is maybe not necessarily the best thing? Because if we can't solve that right now, I don't know that the future generations are going to really care when it comes down to company data, customer lists, all that kind of stuff. They're going to think, oh well, I don't care if people have my information, why would anybody else care? You know, I think it's a culture shift that may be happening that we may need to correct, and thankfully that's why we're doing this podcast and have our, you know, 500 million listeners, so we can make that change today.
Nice. Well, just to tie up the previous conversation with cyber criminals, I think there's a saying that the hungry human goes after whatever game he can catch, or she can catch, right, or we can catch, anyways. But yeah, you know what I mean? And so, if it's hard, okay, you know, it's hard to kill big game, right? And so you go after smaller stuff, and that's where you watch all these survival shows, they're very seldom getting deer, you know, there's mostly mollusks and bugs. And so don't be one of the lower, you know, belly crawlers from a technology standpoint. You know, be an apex predator, and if you're an apex predator from a technology standpoint, then you can fend off a lot of lesser criminals with their abilities to get into your systems and cause you harm. But how do we make people care, right? So, and Zach, you mentioned TikTok. Just for those that don't know, you know, TikTok was dispelled as spyware for China, and I think that, you know, however you look at it, okay, it's questionable software, okay? And you're right, people don't care, they're putting anything that they want on there. It's probably being leveraged for machine learning, right? Everything that every human does on there is probably leveraged to make the next robo, um, you know, I don't want to say the border here, but you know what I mean. I'm saying that, you know, this is all going to go into some big learning program, right, some big data learning program, all these videos and all the stuff everybody's doing. And I think it's a wonderful thing that everybody can share this type of creativity and close with one another, because I think that we should have that kind of liberty to share this with everybody, right, to share what we want with everybody. And I want to say that, share what we want with everybody, that's where I think you draw that line, is where people extract data that you're not aware of, or extract information from you that you didn't wish to provide, right? It's like coming home, and you may have an acquaintance that you've met a couple times and they're sitting in your living room drinking your beer. And you may like that person, you're like, you know, I invited you over here to drink beer with me, but to come home and see you sitting in here drinking beer is just weird.

And I think I already apologized for that, Lauro.

Yeah, look, I'm gonna bring it up over and over again. It's just weird, all right? Like, and so I think that's it. If you'd been wearing pants, Zach, it might have been acceptable.

That's exactly my point. You forget one detail and you never hear the end of it.

No, no, no, no, you don't. In my underwear is even weirder, okay? So we don't need to get into this conversation, but that was just strange, okay? So, yeah, just remember you're clothed, and fully clothed, and that might be okay. But, you know, rhetorical side, right, I mean that really, I think, is where you draw the line, is where you willingly give this information versus someone, you know, takes it without your consent. And that's the whole point of data privacy. And I think that, you know, for the individual humans that own the right to their videos that they take and that they post on TikTok, that's certainly one thing, right? But for the organizations and the companies that have that data and use it to sell you stuff and use algorithms to, you know, pitch types of things your way, it's their responsibility to make sure that you have their consent to use that data in that method and that they were protected with that data. It, you know, just as you know, you drop your car at the shop, you wanted to take care of your car, you don't want to get it back with scratches and dings all over it, right? I mean, that's just basic expectations of a service related industry. You want your food to come out with no hair on it. I get that, right? I mean, everybody should get that. This is just the same thing. And I think the way that you resolve it, really, is, unfortunately, it's going to have to have some legislation, but cyber insurance, I think, is a great way to resolve it. It's required to drive and operate a dangerous piece of machinery. Well, your technologies can be dangerous, especially if they're getting used to attack other technologies that Americans are using, or to mine their data. So, you know, where do we draw the line to say that if you operate technology in a manner that stores data that you need, you must have cyber insurance?

Yeah, and then cyber insurance is going to require you to have, you know, a modern car with wheels and all that kind of stuff, right? That's the good thing, I think, about cyber insurance, because even though it's a reactive measure, the insurance companies are getting better and better about asking, you know, doing more sophisticated security questionnaires, which is awesome, right? Just to be able to get the insurance in the first place. I think that's certainly helped. The problem that people face with the compliance stuff, though, is that it's generally, you know, it's focused on one type of data, or very industry specific. It's not all-encompassing of their organization, so a lot of companies still have it wrong. They're still chasing one compliance framework to the next rather than building a holistic security practice. And I think that just takes education, right, especially at the leadership level, the executive level. I mean, I think we really need to have more technology education from the beginning, I mean from kids at school and stuff. I mean, yeah, you know, they might learn to type or whatever, but they're not learning the fundamentals of how their devices work and talk to each other and that sort of thing. So I think that can be tremendous. Another thing that I would like to see, as far in the education realm, is the more data we can collect on the breaches and activities and what's going on, and share kind of some of the figures from the Evil Internet Minute report. But if we were able to have more specific data by location of companies, by industry, company size, all of that, and really break it down to a more granular level, we could make it hit closer to home. And I know that they're getting better, but still a lot of that data is very loose and it changes depending on where the source is and all that. So we could get a more definitive, or better, system of defining costs of breaches, where they're happening, where they're the most likely, average down times, all those things, and help people understand that for their specific business. Then we get away from the broad kind of mind-boggling numbers, we get down to the specifics, and that way the CFO, for example, could say, okay, well, I can pretty much guarantee that if I don't do this in the next five years, I'm gonna have to spend x amount of dollars, and they'll have that figure dialed in with a lot more specific information. So I don't know how we do that by any means; there are people that are a lot better than me when it comes to, you know, data aggregation and all that. But I think that that would be tremendous, because people got to wake up to what's going on, and dollars and cents helps them do that.
Yeah, it does. Yeah, unfortunately. Well, you know, they're wielding, you know, it's just like, you know, they can get a driver's license where you can drive a car, if they're driving school. We have organizations that can spin up these technologies on cloud infrastructure on a whim and just use them. You know, it's like, oh, I got this code that somebody wrote me, I'm just gonna, you know, get somebody to put it up here, and now I've got this business. And you know, if you market anything right, you can gain trust and you can get people there, and it's just kind of like, you know, it's just waiting to happen sort of thing. Unfortunately, it's a sinkhole, right? It's there, you have specific equipment to see it, and it's just a matter of time. So yeah, I think hopefully cyber insurance will help people put at least some proactive measures in place.

Good stuff today. Any final thoughts, ideas, any ways that we can change the world today in this episode?

Love one another, that's for sure. I love you guys anyways.

No, nobody can't. I think we kicked around a lot today.

Well, yeah, I think it is important. But for those of you listening, if you have ideas, if you have thoughts, if you have questions for us, please go to and send them in, send them our way, or reach out on LinkedIn. And then also all the news articles are posted, the links to the articles and stuff on pages, so you can go look through all the episodes. There's a lot of good stuff there, and by all means let us know what you want us to talk about in future episodes, what we're interested in and what you're interested in. We're here to kind of give back and spread some good knowledge around, so reach out and have a great rest of your day. Thanks for joining and we'll talk next time.

Pick up your copy of the Cyber Rants book on Amazon today, and if you're looking to take your cyber security program to the next level, visit us online at

Join us next time for another edition of the Cyber Rants podcast.