Cybersecurity: Amplified And Intensified

Escalate, Exfiltrate & Encrypt - Round 7

September 11, 2021 Shiva Maharaj/Eric Taylor
Eric Taylor:

We are live, Shiva. Holy crap. Happy Saturday.

Shiva Maharaj:

Happy Saturday. Wait for it. Good afternoon this time. It's not the morning. That is right. That is right. Well, that is going on. But you're doing all right this morning. Yeah, had a great time when I was a kid when I was the wife. And now I'm back home, I saw my Slack blowing up by soft Facebook pinging away and I am like, WTF, Eric, what's going on today?

Eric Taylor:

So it will, where I'm sure that some of this will become a little bit of piss and vinegar. But you know, we'll, we'll try to

Shiva Maharaj:

I would like to use this as a teaching moment. That is vinegar. Yeah. Okay,

Eric Taylor:

so those who don't know already, apparently, Pax8's system went a little wonky this morning, right around 280, or between right around the two o'clock hour here on Eastern time. And I'm just gonna leave this out here, because my token has already been destroyed. So it doesn't know I've been able to verify it, that sometimes it's it, depending on the CDN is still showing up a little bit, but whatever. So and that's the kind of impact, a little bit of thing, two things here. One, it is a little bit less of the severity of things that we typically see. So this token would let you right into the payment portal for Pax8, so that we can make a payment. Yo, hey, there, we're a capitalist nation. Everybody likes money as much as the next person, right? So and it tastes good, money is good, we all like money. Um, the part of this is, it's really, I'm really on the fence, there's a part of me that says this is an IDOR, which is indirect reference link, or object, indirect object reference. So what that is, is you could take a link and directly access a portal without logging in and without 2FA, and that's really where a lot of my rub comes in on this situation. It's if you have this link, you can log into your payment portal and process your things. I know a lot of MSPs have their, they are home-based businesses. I mean, we are in the 20 years of COVID hell. So there may be some people that actually have their home addresses listed on their payment portal versus their business address. So there may be a little bit of consideration for PII. But again, like I said, the main thing that I really, really want to hone in on is you're able to access a part of Pax8 without MFA, or 2FA, because they don't have MFA set up.

Shiva Maharaj:

You know, one thing I'm thinking about here is this is the perfect example of how making private productivity easier makes security take a shit. This link has a token embedded in it. Obviously, the token would be unique to your tenant or what have you. Maybe in this case, Pax8 should have just taken you to a portal where you logged in, as opposed to making it really easy for you to add your payment information. Yeah, and I think that's the, that's the overarching story I see here is, listen, this shit happens. Fortunately, it's nothing crazy. What are you getting? A phone number, domain name and an address for your company? Which is probably on your website?

Eric Taylor:

Yeah. But I looked into it. It doesn't even give you billing address information, or your, it gives a current balance. Yeah. But it's not leaking any of your client information. Right. So it's not like you can see your billing history, your payment history. So while this is bad, on a scale of one to five, we're probably talking about a one or two. To be honest,

Shiva Maharaj:

I would say on issue more, it's more of a teaching moment than it is an incident I would consider.

Eric Taylor:

Exactly. You know, I don't think this really classifies, you know, for a CVE or anything. I mean, it's, maybe it does, I don't, I'm really torn on that. Right. So, you know, it's kind of an IDOR. It's kind of not, just because you have the fact of a token that's on there. Um, you know, we talked, I think I could talk about it now. But we had the whole incident with Datto, those new UI have not was an IDOR

Shiva Maharaj:

that they had, I was really sweet find you made. They're saying you should try it if you're, if you should get a blog post and some credit for that one. Ryan, if you're listening to this, I hopefully I didn't leak anything on the bag. I mean, it's been patched for months now. So I'm sure to ask for forgiveness and permission.

Eric Taylor:

Maybe so. Maybe so. But yeah, it's uh, you know, it's, it's really interesting, right? So the, oh, thankfully, we was on the air, people were messaging me. It's kind of the next thing I want to get into. Yo, well, I was able to message Matt Lee, send him a message on Facebook. I see Matt creeping in our comments there. Matt, we know you want to come on, legal property won't let you, but we'll provide the piss and vinegar for you, buddy. I see it. I see what's going on, Matt, buddy. Thanks for tuning in, man. Appreciate it. Um, so yeah, I mean, I was able to message, you know, Matt, Matt able to message Greg and, you know, I was set to send a message to them on our, send message to Matt on Facebook and Levi's, you use a secret super secret batphone. That's right, I use Signal

Shiva Maharaj:

now you have to use WhatsApp. So when someone reports the message, it's no longer end-to-end encrypted and Facebook can see the message.

Eric Taylor:

So that's actually what we have to talk about next week, because WhatsApp, we're gonna get out of the bag. We're gonna get derailed here real quick, but you know what's up? I am unmedicated. So I'm full ADHD mode. Okay, before we strike, he

Shiva Maharaj:

might throw out email backup. Yeah, sure. And one of our colleagues, Howard space. If you want website design, go to Howard. I really say this because Howard, you will give me 35% per referral that you get off of this. And you will give Eric another 35%, leaving you with 30% for yourself, because that math works. Now if you look at the bottom here, you have mycommandconsole.com. I see a lot of partners saying they thought it was a phishing email, because the URL is mycommandconsole.com and the email address is pax8.com. How fucking stupid are you to not know that their platform is called the Command Console? It has been like that from inception. No, this is not a dig at Pax8. This is a dig at the idiots who use it and don't know what they're using.

Eric Taylor:

So mycommandconsole has been deprecated. You're supposed to use app.pax8.com now. It's all redirects everywhere. I mean, they should really take it down. But

Shiva Maharaj:

Matt, Neal, I need to make a note, please. Okay, that's the one bad thing I can say about Pax8 in this situation. But seriously, like, everybody makes a mistake. That's, it's a relatively benign issue. But I think this really underscores two things for me. People should really know what they're using and how they use it. Meaning, what are the URLs that your products use? I think it's smart to have a separate URL from your email, and split authentication. But hey, what do I know? I'm paranoid, right? Yeah. And the other thing is, this is a really nice teaching moment for what I would call zero trust. Why would anyone trust anyone to click on a tokenized link to get in? Just make them log in. Make the fuckers log in, yet?

Eric Taylor:

And I do wonder, you know, hopefully, I mean, I know Matt is going to, me, he's put out some stuff on the, on the Facebook groups and stuff like that. And I'm sure they're still working on this whole situation. Right. So I'm sure there's going to be more information to come out soon. So you'll follow Matt Lee, and, you know, Ken Patterson, follow the groups, because they are arguably, they are the faces of Pax8, nine times out of 10, right. So

Shiva Maharaj:

now, Dave, you know Matt's more frickin' active on LinkedIn than I am. I look at all his posts and I'm like, where the hell's he getting the time for this shit? And he's making videos and there should look at it.

Eric Taylor:

Look, dude, you've got Pax8 now, man. He's got, probably got a whole marketing team behind him now. There you go. Minions, minions. But yeah, I mean, the one other thing, you know, you and I shit on MSPs a lot. Wailing, we know. You know, because they are a bunch of pizza techs. They are. They are, you know, just, they really, really suck when it comes to security a lot of times these

Shiva Maharaj:

days, I don't think they suck in security. I know this is like me speaking blasphemy here, because it goes against everything in my fiber to say that. I just think people need to realize MSSP is tech support. It's not security. It should move towards security. Yeah, but they can be mutually exclusive. And just because you get an extra nav, a managed SOC or other piece of Kool-Aid doesn't mean you can add that S. It's true. Just because

Eric Taylor:

you're white-labeling another partner does not mean you're now security. But the fact is, speaking to us about Matt and hopefully, you know, I don't know, letting me, I'm not deleting cats on bags, but uh, you know, I

Shiva Maharaj:

think we're not live even though it says live on

Eric Taylor:

it. We are live on YouTube now. But it's really made me feel good that there are MSPs that are out there actually looking for this shit. Yeah, that really made me feel good this morning. Because I mean, like you, I was out and I was doing the yard, you know, cleaning up the cars, you just, the whole living life and not tied to a computer on the weekend. That's, yeah, it was actually kind of nice. I know. All right. We got to work off those Chick-fil-A calories, man, dude. Oh my gosh. So we know you, Chick-fil-A, to sponsor, but anyway, I digress. We curse on lunch, man. Dude, I will go full-on Disney talk from now on if Chick-fil-A was to sponsor us. Challenge accepted.

Shiva Maharaj:

I will go back and delete the catalog.

Eric Taylor:

For those who don't know what Disney room talk is, pretty much you don't say anything that a Disney character would not say. They say some pretty nasty things.

Shiva Maharaj:

If you really listen to what I'm saying. Anyway, we're getting, we're getting, we're getting. So this is what happens when it's the weekend and we just have a non-issue to really talk about; we talk about all kinds of other shit. So how would you rate this? You said you rated this, say, one out of 10? Yeah, one out of five. But yeah, let me, is that because you can't rate it zero, because zero doesn't exist? Yeah,

Eric Taylor:

you know, it is a little bit of a situation, right. But in the grand scheme of things, you can't access any billing information, you can't access notes, let me tell you that, you can't access any invoicing information. So you're not leaking client data. You're not, you know, and this will be a note to Matt, and anybody else at Pax8 that may be listening to this thing. I would imagine in the next couple of months, now that this is getting put out there and everybody's gonna be talking about it, I would really recommend you updating your log retention and start finding out who's starting to fuzz crap, and message me, because you know what I do. I'll give you my IP address so you can filter out all that mess.

Shiva Maharaj:

Well, you know, some, some vendors don't like you flooding their lawn stashes, that's all I'm saying. I won't name names of

Eric Taylor:

ideas. I don't care anymore. They have gone dark and not responding to me anymore. So, you know, me at times do not see eye to eye on

Shiva Maharaj:

Hey Matt, if you're listening, if you're still listening and haven't gotten sick of worship, I would like to see Pax8 get rid of this, of any type of tokenized link. I think that is a bad practice. And you're not, Pax8 is not alone. Every company that I know of, canon does not so, but let's make security great again.

Eric Taylor:

Yes, let's do, let's go back through my emails. And I don't think that token leak has been in previous emails. I've

Shiva Maharaj:

never seen one from Pax8. Dude, listen, it's, that is their finance department wanting to make it easy for you to pay them. That's what it is. And I wonder if it was a new system that they're testing out. That's why you have to go to Matt and say, I want to do the stupid shit, and Matt can say, no, do not do this stupid shit. Make them log in. And that's it. Easy peasy. Let's say those exact same words, which exact same words. You know, you should come on here. We won't ask you anything about the email tokenized fuckup. I mean, and that's just a joke, because, you know, it can happen to anybody. But come on. Let's get that sexy bald head on here. You can do it. I

Eric Taylor:

just wanted to, I want to know. I'm hard have it. I just want to know, Matt and anybody else who watches this, do I got to grow a full beard to be taken seriously for cybersecurity? I'm just wondering, because it seems like everybody in cybersecurity has a full-on Duck Dynasty, freakin' beard going on.

Shiva Maharaj:

You're incognito. You're like a Chrome incognito tab. They don't see you come until it's too late. You're a pen tester. I do call myself the fat ninja a lot. So no, with that,

Eric Taylor:

we'll see, I just call out the log stories over. So that's a long story. But a lot of times I can sneak up behind you and scare you. You don't even see me come, and I'm pretty fat.

Shiva Maharaj:

I know how to, I know how to trap you though. Just drop crayons. Fucking, that's a Marine Corps joke for those who don't know, but anyway, cuz, yeah. Anyways, a former Marine, so we're dairy got sponsored by Chick-fil-A with their stuff. Sponsors

Eric Taylor:

raw will start getting Bulldogs in here. Um, but yeah, I guess that's pretty much it. You know, everybody kind of calmed down a little bit.

Shiva Maharaj:

This is an issue. It's not a non-issue. Let's, let's, let's cut him some slack. I mean, you know, it's not like they're gonna say, oh, this is truly a non-issue. Oh my gosh, oh, this is a bunch of MSPs just needing to bitch on a Saturday because they didn't get to go out and do chores.

Eric Taylor:

That if you got this email, just go ahead and pay your invoice. Just because, you know, they're going to need some, some extra money, or, you know, timely for the overtime of the people who's gonna have to fix this code. So there you go. Alright guys, thanks again for tuning in. If you join this on a live Saturday, we really do appreciate that. Please share this information out with folks, because there's a lot of MSPs that are completely losing their frickin' line over this type of situation. Anyway, not that bad. It's not that bad. If you want to ever join us and watch us on YouTube, just go to youtube.barricadecyber.com, or if you want the audio version, please go to amplifiedandintensified.com. If you have anything you want us to talk about, please email us at that address, at info@amplifiedandintensified.com. And until next time, take care, everybody

Shiva Maharaj:

and no more tokenized links, no more document plagues, and SEO sucks.