Cybersecurity: Amplified And Intensified

Elevate, Exfiltrate & Encrypt - Round 2

August 20, 2021 Shiva Maharaj/Eric Taylor
Shiva Maharaj:

Good morning, and welcome to another episode of Cybersecurity: Amplified and Intensified with your host, Eric Taylor, and myself, Shiva Maharaj. Today is another edition of our Q&A, with questions submitted by our loyal listeners out there, all two of you, or maybe more. Let us know how many of you are going to work.

Eric Taylor:

It's just another day full of data breaches, penetration tests, and lots and lots and lots of coffee consumption.

Shiva Maharaj:

Coffee is good. Black Rifle, if you're listening, we want you, we would love the sponsorship of some coffee. I know Eric could go through a bag a day, probably. So what are we kicking it off with today? What's the first article submitted by our listeners?

Eric Taylor:

The first one I think we're going to dive into is: Cisco will not fix zero-day remote code execution (RCE) vulnerabilities in end-of-life VPN routers. So there's been some zero-days that, as you can tell from this, have been released via GitHub, where you could be able to SSH, or not through SSH, but through the GUI, be able to raise to an elevated command prompt in a GUI from a Cisco VPN. What is your take, after looking through this article so far? Not gonna have the same opinion.

Shiva Maharaj:

I applaud Cisco. It's about time vendors start saying no more updates to end-of-life hardware, because that is how we get into companies coming to you or I saying, "Hey, we have legacy blah, blah, blah out there, and we got hacked." Well, you got hacked because you're too cheap to spend money. There's no need for legacy systems, I do not care.

Eric Taylor:

The excuse. Yeah, even on this article, I agree with you. The percentage of their small business models here that are listed on this website, we'll have the link for those who are in the audio version of this thing, they are end of life as of December 2, 2019. So we're coming up on three years, we're at two and a half years. So even if you were waiting for end of life, and then cycling out, say, for six months afterwards, you know, I don't agree with it, but I can easily, easily see that standpoint, you know, trying to maximize the life, or the shelf life, of your hardware. But yo, we're at two and a half, coming up on three years past the time that this thing has come to end of life. It's time to move on.

Shiva Maharaj:

Let's be honest here, December 2019 was EOL, end of life, for those of you who don't know what that is. Now, do you think all of those router models are up to date with their software patching? Absolutely not.

Eric Taylor:

So what does it matter if no more patches are going to be released after EOL? You would think that they would, just hopefully, they, as the clients, or MSPs, or anybody that's, you know, selling these things and using them, that they would eventually get their souls together and get a newer model, right? But I just

Shiva Maharaj:

just too much? That would cost a fraction of what you or any other IR firm would charge post-incident. What are you talking about? That's madness.

Eric Taylor:

You know, I get it. But at the same time, you have to invest in your technology, you got to invest in your security. If you're not going to do it, who the hell is? Your insurance company

Shiva Maharaj:

when they have to pay a ransom?

Eric Taylor:

Yeah, like, that's gonna save you. You know,

Shiva Maharaj:

I do want to bring up the Accenture breach. We all don't have much information on it, but by all accounts, they were able to recover very quickly, barely missing a step, if at all, and I'd like to see more businesses, small, medium, large enterprise, get to that point.

Eric Taylor:

I'm wondering if they just had really, really damn good backups.

Shiva Maharaj:

I think Accenture's bench goes deep, and they have the capabilities, and they do what they say, as opposed to most providers, you know, they're like, do as we say, not as we do.

Eric Taylor:

Absolutely. Yeah, I don't know much about them, right? So I'm gonna go out on a limb and make some assumptions. From all accounts that we see so far, they seem like they are what we call tip of the spear. They actually, like you said, eat their own dog food. They are, you know, actually doing things correct. So I would love to see a post-mortem, even if it's not by them, or somebody else that could just attest to the findings and the actions that they have done: this is how we recovered so fast.

Shiva Maharaj:

Well, they did come out and say they isolated the intruder, and then they restored from backups, and that's it. And they hired a third-party firm to come in to do the IR, because they thought it would be a conflict of interest for them to do it themselves, which I think, they get three for three, they're 100%, A-plus. And if more firms can respond like that, ransomware would be less of a hassle.

Eric Taylor:

Absolutely. Absolutely. So yeah, definitely, if what they are saying is true, massive hats off to them.

Shiva Maharaj:

Don't be true. No company is going to lie.

Eric Taylor:

Come on now. Like the pipeline? Yeah, Colonial Pipeline? Yeah. Oh, crap.

Shiva Maharaj:

Sorry. Oh, boy, allergies. What can I say.

Eric Taylor:

Dude, you can't be doing that. If we ever get Black Rifle Coffee as sponsors, I can't be spewing coffee all over my desk when you make me laugh.

Shiva Maharaj:

Challenge accepted.

Eric Taylor:

So the next topic we want to go into, before this conversation gets wildly off track here: Chase Bank actually leaked their customer information to its customers. This is a freaking interesting story where they flat out, they just don't care. They're like, "Sorry, no, we actually sent you information for another customer. And yeah, you know, we're gonna send you some free credit monitoring."

Shiva Maharaj:

You know, I see something that says Experian, you know, dumpster fire of data leaks. So here's my take on this, and I did a hot piece on LinkedIn, you know, my little douchey post with a nice little blue fluorescent background. But here's the thing: as long as data collection is an asset on a company's balance sheet and not a liability, this will continue to happen. And there's no way that any of this is ever going to stop, unless there is a measure in place to fine the company for these data breaches, for, I don't want to call this negligence, because, you know, these things can happen to anyone. But there should be processes in place to mitigate these things.

Eric Taylor:

Exactly. The one thing that I would just want to hold on there for, something that you mentioned, but you know, they simply say, "We are sorry for letting you down," quote unquote, again, you know, either that party had, but "we'd like to offer you one year free credit monitoring through Experian IdentityWorks," states Chase.

Shiva Maharaj:

So I just, sorry, God,

Eric Taylor:

I just think that this is like, "Hey, sorry, we stuck you up," you know, held you at gunpoint and robbed you, "go down to this crooked cop," you know, "that we paid off, who will watch out for you." You know, it's like, let me just refer one bad person to another bad person. I don't think this is helping anything.

Shiva Maharaj:

Yeah, I wouldn't call Chase a bad person in this case. Yes, it was probably a mistake. They came clean about it. And actually, I don't know how they came forward with this. But Experian, multiple breaches of hundreds of millions of people, with Social Security numbers, addresses, date of birth, everything, PII you need to take over someone's life, and nothing happens to them, because they have really good lawyers and really good lobbyists. Yep, it's really bad, man. There is another bill on the floor for breach notification for banks that some of the banking institutions are trying to go against. They do not want to have to notify within 24 hours of a breach. They're asking for 72. I think 24 hours is enough to say, "Hey, we had an incident, and we will provide you information on an ongoing and as-needed basis." But at least let people know.

Eric Taylor:

Is there a current notification bill that has been passed where they have to do a notification at all?

Shiva Maharaj:

I don't know. And furthermore, I don't even know if they follow these things. Because you and I both know institutions, companies, that have had a security incident, and they have data on New York State residents, who fall under the New York SHIELD Act, which classifies a breach as unauthorized access, which I love. It's not provable exfiltration, blah, blah, it's unauthorized access. And one company in particular still has not notified New York State. So until these things are going to be enforced, everyone's data is going to be on the dark web. And pretty soon, once everyone's information is on the dark web, they're gonna have to look for other ways to monetize that stuff, meaning the bad actors. Well, that

Eric Taylor:

that really brings into what our last article will be in just a moment. But I spent some of this week looking back through all the breaches and everything like that, through all my feeds on the various ransomware actors and a couple of the folks that actually sell the information on the dark web, the Tor network, but you know, we call it the dark web. Um,

Shiva Maharaj:

It sounds sexier, it does, and more dangerous, so therefore it markets better.

Eric Taylor:

Dude, I'm not gonna lie. You try to click on the wrong thing on the Tor network, and you're gonna see crap you're never gonna be able to get out of your head. And so it

Shiva Maharaj:

That's why I click on the links you send me.

Eric Taylor:

Just a second, I didn't send you a malicious PDF. So this next one really is one that especially hits home to me, because, you know, everybody in my organization has T-Mobile. Yo, I don't know if we are part of this, just because our plan is still a quote-unquote Sprint plan and it hasn't fully transitioned over to T-Mobile yet. So I don't know how the database... I think the databases are still separate, because we still have different logins for Sprint accounts and T-Mobile accounts. I'm thinking it's completely separated, but I'm still nervous as crap over this one, where it's not just your name, address and, dadgummit, your Social Security number, but it's also your phone identification number, your IM..., hold on, IMEI? Yeah, exactly. So you could start phishing, you could actually literally start doing SIM cloning and stuff like that, because a lot of the Google phones, like the true Google phones,

Shiva Maharaj:

are they getting the eSIM numbers built into the phones themselves? Mm hmm. So SMS 2FA, I love you.

Eric Taylor:

Now see, like, iPhones still require a SIM card for T-Mobile. Okay. Now, Google Pixels do not. So, you know, at least with an iPhone on T-Mobile and Sprint, you have that extra layer, if you will, I'll use "an extra layer" really, really loosely. But you have an extra layer of quote-unquote security that they have to overcome to fully clone your phone. But if you're going around and people have Google Pixel phones, bad guys just mimic that frickin' number and you're golden.

Shiva Maharaj:

So let's dive into 2FA here, because I know you think it's a dumpster fire. I think it's a dumpster fire. And a colleague of ours showed us a patch that the military issues for dumpster fires. I think we should start sending those out to people when they are worthy of a promotion. But is now a good time to really talk to your clients about moving to something like a Duo push notification for MFA?

Eric Taylor:

Any form of MFA. Even Microsoft Authenticator is a frickin' MFA.

Shiva Maharaj:

True, that's kind of limited just to Microsoft. If, however, you have a smart provider, and you are leveraging SSO to give you that one place to breach for the keys to the kingdom, which, I'm of two minds there, I love it, but I hate it for that very reason. I think Duo is probably your next best thing, right?

Eric Taylor:

I am so overly paranoid, maybe just because I'm in the cybersecurity space. But when I try to access my 365 Azure tenant, I get prompted with Microsoft Authenticator, and once I've cleared that, then I get the Duo notification, because I'm just super paranoid.

Shiva Maharaj:

As you should be. So I mean, you're an IR guy, you are dealing with ransomware operators, so they'd love nothing more than to pop you.

Eric Taylor:

To get the stuff that is inside my Teams? Holy crap. Exactly. So I think that's it for today.

Shiva Maharaj:

Yo, nice, quick roundup, hopefully. Before we break, there is one more article I just sent you, because what's this podcast these days without getting a tad bit political? Well, sure. Let me just pull this thing up here real quick. It's in Slack. And for those of you, we have our own private Slack that we use to make fun of

Eric Taylor:

vendors, karkos sometimes, Brian Weeks, we love making fun of him. Then we get rid of this pop-up ad and bring it up here. So: does abandoning the embassy in Kabul pose security... Oh, dear God, here we go. Get me on my soapbox. We're supposed to keep this under 30 minutes.

Shiva Maharaj:

Here's the thing. I will preface this by saying my personal view is I don't think any president would have done any different in the withdrawal. I think the only variables that could have potentially been controlled are the ease and pace, or relative ease and pace, of evacuation. I think the fall was going to happen regardless of who the president is, or was, or will be. That said, I read a lot of articles where it seems there was no effective plan or contingency plan for the embassy and Americans and those friendly to American forces. What really is starting to rub me the wrong way is we've seen China making overtures to the current Afghan government, or whatever we're calling them these days. What type of technology is being left behind that the former Afghan army was equipped with? What kind of technology may be left behind in the skirmish to get out of the embassy that can be exploited by APTs looking to get in on our technology? And that's where I'm going with this article.

Eric Taylor:

Yeah, so I've seen some unofficial reports, but I know through history we've seen a lot of this stuff, where the embassy was being turned into a dumpster fire, a literal dumpster fire, they were burning, not shredding but fucking burning, classified documentation inside of the embassy. We have seen reports where the Taliban is learning how to fly the Blackhawk helicopters that were there. We've seen reports of the Mark 19 grenade launcher, over 3000 of them being left there. I agree with you, should we get out? Yes. The reports that all the generals, all the people that were in the secure, the quote-unquote information security space, whether that will be, they haven't said, or I haven't seen any, I should say, whether it's, you know, CIA, NSA, military intelligence, whatever the case is, said that if we do this in the way that you're projecting, this is going to end fucking horribly. This is a bad way of doing this. And there's people who've come out on the news, we have given the image, this current administration, so many names, where they're located, all this stuff, and they're not doing anything. It is literally, the way I look at this, it's like a kid just had a temper tantrum, picked up his ball, and is walking the fuck home.

Shiva Maharaj:

I don't think it's that. I think the government, again, it could be the previous administration, this administration or the next one, whatever incarnation, I think they're just tired of spending money to play whack-a-mole. You know, you can't keep an occupying force and keep continuing to burn billions and billions of dollars every year when our economy is as fragile as I think it is, at least, and we have all those things to focus on. We're not Team America, World Police, durka durka.

Eric Taylor:

We are, for so many centuries though, we have been the world's police. It just does... Oh, God, here we go. But when China goes and says, "Look, look what America is doing. They're not going to be around to help you when the shit hits the fan. They're just gonna pack up and leave." Again, that spoiled child who gets pissed off, takes his ball, walks home analogy.

Shiva Maharaj:

But that was gonna happen anyway, whether it was today, last year, next year, five years from now, I guess

Eric Taylor:

because of the lack of planning of getting our assets, our own citizens, the folks that were told, "Look, you help us, we'll take care of you," that lack of taking care of these people, I think, was doing it.

Shiva Maharaj:

I think we should have left through Bagram, a bigger facility, easier, not easier, but easier. Bagram airbase would have probably been the better place to make the last stand for the evac, and not the Kabul airport, because Bagram's bigger, you can move more volume through it, and you could probably get this done. But you know, listen, it's six of one, half a dozen of the other. Everyone's Monday-morning quarterbacking this thing. I just hope they get our people out safely, quickly, and we can move on to our cyber warfare with the Fantastic Four nations of China, North Korea, Russia and Iran. And I hope that the embassy actually destroys anything that is technology-related, not to give anyone insight.

Eric Taylor:

Yeah, thankfully, I haven't seen any reports where the embassy was overtaken during our occupation.

Shiva Maharaj:

Well, I think we've learned a few lessons after Benghazi and a couple of the other incidents. So hopefully we're well on the way to getting the people and technology out of there, or at least destroying the technology to the point where it's not usable.

Eric Taylor:

Yeah, if this slides down to Benghazi, I'm freaking cursing a lot.

Shiva Maharaj:

We're gonna do a special episode for that one. Oh, gosh. I'll bring the crayons. Those of you who don't know what we're talking about here, and I say this with peace and love: Eric is a former Marine.

Eric Taylor:

No former, but yeah. But I think that's it for me today. Me as well, man. If you've made it to the end of this episode, we want to say thank you so much for tuning in and enjoying it. If this is of value to you, you've got to enjoy it. Please do us a favor. Refer this to somebody, send it out on Reddit, have that on LinkedIn, send it to your email. Go help us spread the word. If you're on YouTube, please subscribe, tune in. And if you're listening to us on the podcast, please give us a rating. Let us know how we're doing. Until next time, thank you so much for tuning in.