Cybersecurity: Amplified And Intensified

Episode 32 - Ransomware recourse.

October 11, 2021 Shiva Maharaj/Eric Taylor
Eric Taylor:

And piss and vinegar. Here we go.

Shiva Maharaj:

Good morning. Welcome to another episode of Cybersecurity: Amplified and Intensified with your host Eric Taylor, myself, Shiva Maharaj. And we are back after a one week hiatus, because Eric was busier than the Pope. And I was sicker than a dog. So together, we are back with the US uniting 30 countries to disrupt global ransomware attacks.

Eric Taylor:

I just want to go on the record. And like, I always say this, and this is full of piss and vinegar, but name one freakin federal program that ever works the way it's supposed to.

Shiva Maharaj:

CJ.

Eric Taylor:

This is gonna be a great segue to all the crap, there we go,

Shiva Maharaj:

Eric, have you ever pen tested a company that failed every single test or almost every single test and they just don't want to get back to you? Because they have a long standing contract with a court system to provide software and they are just an insecure piece of shit.

Eric Taylor:

Yes, so you know what? I was on the fence on doing this but I'm just gonna do it because you know, why the hell not? There is a company in North Carolina God a courthouse computer systems that just doesn't want to get back to me at all. And I just don't care anymore.

Shiva Maharaj:

And just for context here, how long has it been, three months, four months that you've been trying to get rid of them? But it's been about three months? Yeah. Okay, so this is not Eric finding something this weekend like he did another vendor that's out in the MSP community, but we won't we may not get into that. Who knows. But this is something he has been trying to responsibly disclose to this company for the better part of three months. This is a company that probably falls under CGS regulation.

Eric Taylor:

I'm gonna I'm gonna say they do because they are dealing with court records for municipalities they have to is Windows IIS servers that are hosted in or that are publicly facing. And it doesn't appear through everything that I've tested on that they have any sort of firewall behind it. So like they almost have two servers with a WAN IP configured to them and they're running VNC.

Shiva Maharaj:

Hey, nothing wrong with a little VNC Yeah, man,

Eric Taylor:

just nice remote access. You know, I even went so far, and this may get me in trouble. But I even went so far as to start failing. A brute forcing the VNC just doing something to get their attention, you know, blocking my IP, them filing an abuse attack against my ISP, you know, because we're doing this, they are clearly not logging their shit or reviewing their logs or whatever, which is what we always go back to a lot of some so much. They don't look at their logs.

Shiva Maharaj:

But they probably have a SIEM. Because he wants to have a SIEM that's all you need to get actionable. Yeah, you know that in Weber, of course, but whatever.

Eric Taylor:

You're so tempting me the insights Oh,

Shiva Maharaj:

God. I wish you guys I missed this. I really do you guys missed us as much as we missed you.

Eric Taylor:

This is crazy. So you know, I've gotten about a week without ADHD minute so so you know what kind of episode this is gonna be.

Shiva Maharaj:

But a fun one.

Eric Taylor:

This is Episode 32. This Yes, it is

Shiva Maharaj:

32. And we've been doing this straight since middle of March, man was just last week. There were no recordings. So you know what I think you should do? You should send an email to Jen Easterly at CISA. Because we've been trying to get her on here. Yes. And give her the rundown on this court company. Say, I'm not saying because we gave you this you got to come onto the show, but couldn't hurt.

Unknown:

It would be awful. Nice. And Awesome.

Shiva Maharaj:

Thank you. I read into her background. She is I believe a retired lieutenant. General. I'm like she's got pedigree behind her within her career, dude. Like she was part of standing up CYBERCOM. Yes.

Eric Taylor:

I didn't know. I

Shiva Maharaj:

mean, you look at her. She seems she just looks like a really nice lady. I'm not saying that. She's not. But like, when you read about her, you're like, oh my god. She is a hitter. Yeah, like, good on her man. And I think we can have some really interesting conversations. But anyway, back to the US bringing in or uniting 30 countries to fight global ransomware I'm gonna ask you a question. And you tell me what you think. You think that is going to do anything in the grand scheme of things to make the ransomware problem go away.

Eric Taylor:

Not a damn thing. Not a damn thing because Look okay let's just listen the spin this a little bit okay, this is gonna get really possibly political or whatever but I don't care so

Shiva Maharaj:

it's a good thing you're on the right podcast or that

Eric Taylor:

you know we've been talked about before about being you know politically correct checked out the door hat off to you the dark and the folks out there but anyway, you you go to a school and it says gun free zone. But yeah, there's still shootings you can make all the laws in a world doesn't mean the fucking criminals are gonna listen to you they're gonna do whatever they want.

Shiva Maharaj:

Well here's here's my take on this right last week Matt Lee, Pax8 director of security compliance I think he is, I think this is official something along those lines, Matt, if I messed that up, please scold me and let me know. And I will issue a correction. At some point to the other. He posted he shared a link that a child was born with complications, because there was ransomware attack at the hospital where the parents were the mom was giving birth. And everyone is up in arms. Like, you know, this is what happens because ransomware bla bla bla bla bla now to I think it's the sad suit on the child passed away, eventually. Definitely a sad situation. But and this is going to be an unpopular opinion, I don't blame the ransomware operators, you know, who I blame the hospital off at all, for not having the appropriate controls in place to mitigate and or move on from a hack. And I'm gonna I'm not calling these things incidents anymore, because I know that's insurance parlance to get away from that word of hacking, and why. And by the way, they're the parents of that child, I think they brought an action against the ransomware group. I don't know if the hospitals involved, but they should be. Put them in this discovery chain, and let's find out how this ransomware operator got in. Let's find out what they did, how they moved, and why it was not caught in time. Furthermore, I mean, Eric, this is your wheelhouse. I'm gonna let you get up on this one. What about the iorp? You get hit with ransomware. Okay, it's gonna happen. Why did it affect patients?

Eric Taylor:

So this is there's a lot to the story. I was digging into it over the weekend. And it's really interesting. So apparently the mother that can we still say Mother or do we have to say birthing You know what, I don't care what the

Shiva Maharaj:

mom, the mom, because I don't want to go down that path of questioning anything. She gave birth to a to a baby and unfortunately lost that. And having kids myself, I could not even fathom what that would feel like.

Eric Taylor:

So the mom claimed that she would have gone to a different hospital if she had known for a second that the hospital that she gave birth to or gave birth at, for her little girl was undergoing a cybersecurity incident, the hospital says you know, it's not really our fault. It's the doctors fault if she gave birth at the hospital because the staff knew and from what I know about a lot of the medical these medical hospitals, the doctors are contractors inside of the medical facility. So you know, it's a lot of you know, pointing fingers this and that. But I mean, not to divulge too much of personal life but you know, my son's very very sick and was had to go through many many operations in the infancy of his life. But my daughter is very fun. My oldest son is very fine. But if you had a normal baby what part did technology fail understand you know, if you got a complication you have a special needs you have you know, all that like I said, You know, I got a son very much special needs and has a lot of complications. But what happened between birth and nine months that went horribly awry to actually lose a child that's that's really the one part that I really wonder but so where in the world did this ransomware really affect patient care? For that,

Shiva Maharaj:

other than a headline? Yeah. And the question I posed to Matt Lee, which Matt, I'm calling you out here, it went unanswered. What is the recourse? Like, okay, let's you want to beat your drum, ransomware ransomware, whatever. The only time things change is when there's adverse recourse to someone or something. How many times are these healthcare institutions going to be ransomware And now, we're tying patient life or mortality to the ransomware. What are they going to be held responsible? Why is it there? Why is the cost of life being calculated after the fact and not before when it's time to spend money for cybersecurity.

Eric Taylor:

Yeah, I mean, I made a very public when my wife was sick and she went to one of these after care, freaking hospital craps. You know, like, they were breaking so many HIPAA laws like, I was screaming at the top of my lungs on Facebook,

Shiva Maharaj:

Gmail and Yahoo aren't acceptable email addresses to send th II to know a that's encrypted. There's a little lock in the address bar.

Eric Taylor:

Oh, okay. So yeah, good. That's good. Yeah. So the fact that they would just leave workstations unattended, unlocked, you

Shiva Maharaj:

know, it's not like they're using one login for everyone, right? Like room a room Bay?

Eric Taylor:

No, they're actually using, you know, to some of their credit, they are using RFID NFC cards.

Shiva Maharaj:

Okay, why keep Listen, I can get with that. I just don't like unattended workstations being left open button. You know, we are informed consumers.

Eric Taylor:

And I am a hacker. So like, I just want to take a Proxmark3, get close enough, clone it, and then take one of my other cards and just start going around, they get that? Yeah, that's just me. I'm just squirrelly shit like that. So like,

Shiva Maharaj:

oh, you're a panda, right? It's about finding ways in and then going and responsibly disclosing like what you're trying to do with this company? Like, no, you're only trying to help here and they are willfully ignoring it. And dare I say being negligent on their part. But back to the US uniting these countries. It's interesting. This came out around the same time that two ransomware operators were just arrested in the Ukraine. Now, I don't want to say was REvil, but they sought ransomware up to $70 million. And they've ransomwared hundreds of companies, which would lead people to think it's REvil.

Eric Taylor:

Oh, I don't know. This is the one part the I was read through this. But you know, those who have it are looking at on YouTube can see the highlighted section. Let me just read it just for the audio people. So in this article, it says two suspects were arrested, including a 20 to 25 year old, believed to be a crucial member of a large ransomware operation. I don't know if REvil is considered a large ransomware operation anymore. They're not pushing out. Unless they are let me say unless I don't know if they are as large as they used to be because their name and shame site is not as active as it used to be. So either they are one not as active as they used to be. Or two, they're getting really damn good at collecting payments.

Shiva Maharaj:

I think they have adapted their TTPs whether they're still trading on their repo or some other name, which means if a new name new connectwise had coming. But it's interesting timing that both of these were released around the same time. And this is not the first arrest in the Ukraine of major hackers. I think Kanzi got some of their people got picked up in either Kiev or Belarus in the last few months. Yeah, Belarus. Yeah. Okay. And we've seen they've gone as far as Israel to arrest suspected Russian hackers. So if, yes, you're going to get some top line benefits, but these groups are so entrenched in countries that allow them to operate it's very unlikely to make a lasting effect or a lasting difference. And they pop up new names faster than some people change your underwear. Yeah, I

Eric Taylor:

mean, we see this with businesses a lot where you know, you'll get some sort of federal indictment or whatever you get in some trouble with the law. They'll just shut down business and open up businesses a new name, and that's on the legal side. You think it's gonna be much harder for somebody illegally to do it? I mean, come on guys. It's you know that a lot of people keep saying oh, we're just going to make cryptocurrency illegal and thankfully the US government said yeah, we're not really going to do that. You know, there's to me while there are a ton of illegal activities Sorry, I got something my third there that's happening on cryptocurrency. There's way far more illegal activities happening on cryptocurrency, a ton of hobbyists a total miners doing whatever the hell they want to do, but it's like a nine to one ratio of illegal or illegal, illegal transaction. So,

Shiva Maharaj:

you know, this morning, Chris Ahlberg, who's the founder of Recorded Future, and yes, we like Recorded Future but we like John Weitzel more. Sorry, guys, good job. He put out a post this morning on Twitter saying that we have to be careful about companies that are being sold to China or Chinese controlled companies. And I replied to it saying you know, I'm less concerned about that and more concerned about investments, hidden investments into US companies, technology companies that give them access to the algorithms, the programming and everything else. But you know what I'm curious about. And this is something I posted them because they are Recorded Future and they should be able to look into this if they care to. Let's look at the money laundering that's going on due to NFTs. Okay, let's track the money coming out of NFT transactions and going into special investment vehicles and SPACs. And everything else. Let's take a look at that, like, you guys really want to talk about this stuff. Let's go into the underbelly of this.

Eric Taylor:

Yeah, that'd be a good well, we got to get john on here for next week or something. I really haven't dive into that. I mean, I know that'd be a major treasure trove of information that, you know, that would be a really, really good conversation. Think

Shiva Maharaj:

about it. An NFT is just like art, right?

Eric Taylor:

Yeah, but so yeah, I really got a bone up on NFTs because I'm just not as vast.

Shiva Maharaj:

It's horseshit to buy horseshit bass. Yeah.

Eric Taylor:

You know, it's like I make a drawing, and then it's like, I'm selling

Shiva Maharaj:

the digital version. Yeah, or the digital rights to it. But you know, my point about this is art is something that may be worthless to one person and worth a tremendous amount of money to someone else. So creating value there to create a transaction to launder money, I would say is probably highly likely and has been going on. Maybe, maybe, but where does that money go? If If, if they are laundering, where are they taking that money?

Eric Taylor:

I don't think anybody really knows. Do they? Yeah, I'll go for our next episode. Maybe for this Friday. Because it's really a striking a chord because I was listening to another podcast

Shiva Maharaj:

out there you there was only one podcast.

Eric Taylor:

I think it was the jack reciters whatever. But maybe it was grumpy old geese or something. But there was

Shiva Maharaj:

an Arctic guys one cave. Seriously funny, though. Go check that out. Sure. Tom Segura.

Eric Taylor:

There was somebody talking about how there was a famous artist who went out and who said he hated NFTs or whatever. And so like, dropped an NFT and come to find out it was done by a hacker or whatever. It was a crazy crazy story of how it really went through but it kind of opens up my eyes like you know, this is still the wild wild west when it comes to a lot of these things.

Shiva Maharaj:

Well, I think the only way you're gonna Well, the only way the government's gonna regulate this is by allowing the commercial banks and the investment banks to hold trade and transact with cryptocurrency that's the backdoor way in, because it is supposedly decentralized, right?

Eric Taylor:

Let's say there's, you do have that but you also have private people that are doing things so you know, you have people have a private wallets. You know, we know several people who do mining and transfer to private mail, personal wallets, things that nature, so they

Shiva Maharaj:

don't want to get their shit stolen on Coinbase.

Eric Taylor:

That was an interesting story, too. Oh, my gosh,

Shiva Maharaj:

the number of authentication points you needed to have to actually complete the theft of the Bitcoin was interesting. But then again, with all the breaches out there, exactly your data and the reuse of passwords and SMS MFA, which is my favorite of all. And I hope you people understand I'm being sarcastic here, that it's relatively easy to scrape the data together and commit something like that. And this

Eric Taylor:

brings up a good question. I've been wondering how long is it going to take for the hackers or whoever to start correlating this data from LinkedIn from fake?

Shiva Maharaj:

I think it's done? Well, let's go on Facebook. Let's find your mother's maiden name, your favorite color and all the other secret answer questions that you answer, right. And how many people have that openly on their Facebook?

Eric Taylor:

Yeah, it's definitely interesting. But the fact that people have that and they're not updating, they're not following the trends. They're not saying, Oh, you know, this data was leaked, I really need to change that stuff like,

Shiva Maharaj:

Well, a lot of it is muted if you have proper MFA, right?

Eric Taylor:

Yeah, MFA, not 2FA. Multifactor.

Shiva Maharaj:

Yeah. But a lot of it would be muted in that such in that scenario, I think if the government wants to regulate anything, make MFA mandatory for every service,

Eric Taylor:

like, do their jobs even getting that done with CMMC SOC. CMMC,

Shiva Maharaj:

then that shoots a dumpster fire waiting to happen, okay, because until they take that in house, and it's for the D o t by the D o t, as I've said 1001 times It doesn't mean shit. Okay? And as long as there are multiple compliance regimes and Eve means even less to me, butter, you know, if you can, if you want to put these 30 countries together, okay, fine, you know, create let's use that to create a framework of bullshit, blah, blah, blah. But why not mandate every software company to include whether price can go up or not? That's a whole different story. But MFA should be mandatory. Yeah, there should not be any more SMS based tech 2FA.

Eric Taylor:

Yeah, I mean, the fact that you're using SMS and just Google to TP codes and all that it's,

Shiva Maharaj:

there are enough services out there for every provider to put this onto there for every software vendor to put this on their product.

Eric Taylor:

Yeah, I mean, I think even with Cisco's Duo Security, that they have a really good discount program or may even be free for vendors actually start integrating with them, because, you know, they're getting it from the partners

Shiva Maharaj:

may did make it a cost of doing business. Yeah. Right. Like whether or not it's included at the baseline level, whatever, and their prices raised. How long are we going to allow people to cheap out on security, to the point where it puts you in a detrimental position?

Eric Taylor:

That's a question for Jen.

Shiva Maharaj:

I think Miss Jen Easterly, or Mrs. Jen Easterly should join us. As I said in one of our posts that are tagged you and I guarantee you will ask you better questions. They may not be good questions, but they'll be better questions.

Eric Taylor:

They wouldn't be Yeah, he is. I think you know, we've said it many times where he Oh, we are so far behind on cybersecurity as a nation state and a whole for businesses that

Shiva Maharaj:

if we don't get a nation stout, I'm sorry. Good.

Eric Taylor:

If we don't start doing stuff now, we're just totally fucked.

Shiva Maharaj:

Well, speaking of nation state, I think LockBit kind of just fuck themselves.

Eric Taylor:

How so?

Shiva Maharaj:

They decided to go after an Israeli firm that provides aviation consulting to the IDF. Like why are you going to go poke the bear? Huh? I mean, granted, I think if you're going after a target like that, it's probably nation state. But hey, what do I know? I'm just idiot. In a room doing a podcast, so

Eric Taylor:

between two idiots, but seriously,

Shiva Maharaj:

why are you gonna poke the bear? Why are you gonna go after the 8200? or something? The 8200 is gonna have their own sense. Do you want to get Stuxnet netted?

Eric Taylor:

Dude, they are. They've got balls. That's all good news like I would ever share with

Shiva Maharaj:

you. But, you know, to quote, Jon Murchison of Blackpoint Cyber. The juice had to be worth the squeeze for them to go after that.

Eric Taylor:

They had to man, there's something going on with that game where it's like, yeah, you know, I'm not sure if this is just a big dicks weekend competition. Yeah, I

Shiva Maharaj:

longer okay. Remember there was in the news. Recently, a Russian Hacker was just extradited to Russia. Yep. which no one saw coming. But part of that story was that he was arrested in Israel extradited from Israel to the United States. Yep. And Russia really wanted him back. And I believe they found a Israeli citizen and charged him charged her with drug trafficking or something to try to get a prisoner exchange or something or the other. So is this hit against this company directly related? Or is it retaliation for arresting and extraditing that hacker to United States now that we know that person's back in Russia

Eric Taylor:

could be

Shiva Maharaj:

coulda, woulda, shoulda?

Eric Taylor:

There may be something bigger at play where, you know, there's they're just trying to flex a muscle of like, Don't fuck with us too much? We know I don't

Shiva Maharaj:

think it's I think we're I think we're way past flexing muscles, you know, what I think was flexing muscles, Bandwidth.com and voice DOD. Ms. I don't think those were attacks. I think those were probes to determine and establish what our TTPs would have been to continue to map out our response and our soft targets.

Eric Taylor:

They're still dealing with that too, aren't they?

Shiva Maharaj:

To some degree, yes or no, I don't think it's something that you can just draw a line in the sand and say, okay, from today, we're perfect. There's going to be, you know, while they were dealing with that mitigation, what was going on elsewhere in their system? Was there persistence? You know, these are the things you have to look at. And I'm more inclined and trying to figure out, you know, here's one thing I want from all of these major incidents, and maybe this was something you would agree with. I want the post mortem.

Eric Taylor:

Yes. There's so many times that we want post mortem, I mean, they're like, how did they get in? I grant it from an IT. I don't care

Shiva Maharaj:

about the mitigations. I do.

Eric Taylor:

But then Want to so

Shiva Maharaj:

i'll tell you why I don't care about the mitigations because they're gonna wrap that bullshit and say, well, we can't tell you that because we have to protect blah, blah fuckin Well, yeah. But tell us how they got in. Tell us how they spread. Tell us what they reached out and touched.

Eric Taylor:

Yeah, that would be nice, but greatest safe

Shiva Maharaj:

harbor around. Let's go back to legislation. Let's have meaningful legislation around things that are built to protect our infrastructure and our ability to defend under a safe harbor guideline. When they disclose these things. They shouldn't be eligible for prosecution or fines unless the liberals negligence Yeah, then whatever.

Eric Taylor:

And I think that's what Jen and them are trying to do, because they're trying to create law now from what I was seeing over the weekend, where you have 24 hours to disclose any that's fair, that's on the you've been touting for a while, you know, I've been wanting to do a little bit more of a grace period. But

Shiva Maharaj:

here's, here's what I think. Cuz I like CMMC. Sometimes.

Eric Taylor:

You waffle. Next episode, I'm bringing Eggo and every time you walk home, it's gonna give me a flat.

Shiva Maharaj:

I like the premise of CMMC, its current implementation, I think is more shit. But you know, you have the five levels, right? Why don't we start rating every company in this country on levels one to five, level five is critical infrastructure, level four is just under that, and so on, go down, you know. And basically, based on what your rating is, is how long you have to disclose a hack. Or as the insurance companies like to call it an incident,

Eric Taylor:

that's just going to be another way of companies trying to race to the bottom? Well, we're not that important.

Shiva Maharaj:

Well make it or make it three days. Like if you're a level one, which is lowest, you have three days to report breach. Your level one, it's 24 hours. Now, you know, one thing we advance on two weeks ago, let's at least bytown, this thing comes out. And one, one of the many things we agreed with him on was government needs to learn to fail faster. Right. And my problem, you know, I was for the longest while and correct me if I'm wrong here. I was pro regulation on MSPs. Yes. And the more I think about this is the more I think it is the worst idea possible. Because

Eric Taylor:

to get into my side where it needs to be regulation gets a business

Shiva Maharaj:

worse.

Eric Taylor:

Oh boy, here we go. newsflash, everybody.

Shiva Maharaj:

We're never getting any sponsorship from a major IT company after this one. It has to be placed on the publishers of the software. Don't tax the MSP, they have no R&D budget, they barely have resources, put the onus on the software companies to be secure. Put the onus on the software companies to select who they partner with make sure they're not giving a WMD to a 12 year old who can throw a tantrum.

Eric Taylor:

So yeah, no, I don't, I think, okay, so if you go back and say the businesses themselves need to be under this mandate that's going to cover the software companies to begin with. But the owner, I think it's the owners of these businesses really have a vested interest in the actual security of their business. They're not gonna care,

Shiva Maharaj:

okay, so. But we can, let's take, let's take an RMM because they're so secure, right? And they are the epitome of a rat, and the command and control setup. And there's no possible way to hack into these things because they're so Luber, secure with their 35 year old code. How many providers are actually providing the appropriate training to the partners they bring on to use these products? Or they're just saying, take it, run with it, go forth and fuck yourself?

Eric Taylor:

Pretty much the letter. I mean, a lot of them have their own training partner program

Shiva Maharaj:

bullshit is optional, right? It's not it's not mandatory, and some of them even charge for it. Well, that's why it's not mandatory because of what they charge for it. It's like IT Glue giving you a PDF for $450 and saying that's your onboarding guide like fuck you IT Glue and Kaseya. But back to my thing about regulating IT providers. Technology changes too quickly to create what that baseline minimum is gonna be. And legislation. There's no way legislation can keep up with how quickly it changes.

Eric Taylor:

Now, so that's why I think you know, if you again, if you put it onto the business, it covers a software company. It covers the technologists, the MSP. MSSP burns, what I MSSP whatever. Get rid of the dumpster fires.

Shiva Maharaj:

Yeah, but how do you do that you got to put minimums like $50 minimum once off. It's kind of bullshit, right?

Eric Taylor:

Let's see. Yeah. But that's gonna, it's gonna be a trickle down effect. So, you know, if you have a neighborhood gas station or neighborhood pharmacy, you know, what mandates Are you going to put onto those folks to make them do business? You know, here we go, we're gonna do a little bit more political bullshit. So why not? You know if the government's going to say you're going to be be forced to mandate all your employees have a fucking vaccine, whether they want to or not, then what's the difference of you know, making sure there's some sort of compliancy in place?

Shiva Maharaj:

Are we going into my company? My choice now?

Eric Taylor:

Yeah, this oh my gosh, this is this feels like a Friday after show. But here we go.

Shiva Maharaj:

You know, we had a little we had a little break, we got some excess piss and vinegar that's got to get taken out before we can sit down with people and be somewhat civilized. But let's take the politics out of this for for one second, right, let's, let's pretend we're in a country we love. And we want to see it do better. And we want to do things to make this country better. Yep, absolutely. What would that day

Eric Taylor:

to quote Matt Lee and Pax8, raise the tide? Those are those who are not on video. Shiva just fell off his chair. But

Shiva Maharaj:

I was out there for you, Matt. I love you. I love your bald head and your big beard. That makes Eric not feel like a security practitioner because he doesn't have that beard,

Eric Taylor:

I know.

Shiva Maharaj:

But saying you want to raise the tide. When you are at your former position. Makes sense. Because you know, you're lifting everybody. But I really want to have a sit down and talk to you preferably on our podcast, because why not? But I'm inviting you to come on to the podcast and convince me why I should. me or anyone else should be a part of helping raise the tide. Because now that you are director of security and compliance over Pax8 you can take on that fight. And I want to understand how and why this is going to happen. I really do. And if I can Oh, great. And if by me helping me as I shut up, hey, I could probably try to maybe kind of do that.

Eric Taylor:

Well, he's done all this podcast anyway. Yeah, I mean, it's been discussed. And those Pax8 CMMC groups I'm a member of

Shiva Maharaj:

how's that coming along?

Eric Taylor:

I plead the fifth.

Shiva Maharaj:

How many people are ready for CMMC? a year and three months later? Four companies? I think. Really?

Eric Taylor:

Yeah. One of them that we know of is actually going to become are trying to become a C3PAO, whatever the hell hell fuck

Shiva Maharaj:

me.

Eric Taylor:

There's some there's two companies, I think our CP

Shiva Maharaj:

are whatever. They're the three deals with an A. Yeah,

Eric Taylor:

they're the practitioner version of it or whatever.

Shiva Maharaj:

Oh, that's my problem with CMMC. Right? It's like, you have so many variations of bullshit that can either audit you give you some form of certification, blah, blah, fucking blah.

Eric Taylor:

I just think they really need to change the title because I mean, even though I was in the Marine Corps, and I'm familiar with acronyms, every time we start talking about C3PAOs, I start thinking of frickin Star Wars man. I just I did that on purpose. I can't get so I could never say it straight. I'm just thinking of R2-D2 and C-3PO

Shiva Maharaj:

that's it. You got it from now on. Just call it RTD there we go

Eric Taylor:

from now on. Done. Sir, but anyway, yeah.

Shiva Maharaj:

Back to LockBit 2.0 poking the bear. How long do you give them before they either get murdered death killed, figuratively, not literally, or have to rebrand to something else?

Eric Taylor:

I don't know. I mean, LockBit, they've definitely got the go. Who knows? They've, they've been around for a while, they, I don't know. I don't know. I think they're gonna be amenable to this.

Shiva Maharaj:

I will be interesting because the IDF and what is called they're at 200. They are. They're capable.

Eric Taylor:

They are willing to find out where LockBit 2.0 operators are at.

Shiva Maharaj:

I don't want to look for some mushroom clouds. But you know, it is what it is. But speaking of malware, did you see that? There was a Trojan being given out as a way to determine the phones had Pegasus on it.

Eric Taylor:

I did not until you shared this with me this morning. Well took a little bit of a hiatus this weekend, but yeah, this is definitely going back to Recorded Future's and, you know, what they were talking about. But yeah, this Pegasus is just the gift that keeps on giving, isn't it?

Shiva Maharaj:

I just think its use is more widespread than people actually understand the world would care to believe. I don't think it's just been used by nation states or has been used by nation states. It's a lot more than people have been led to believe. Now, I tagged you in something on LinkedIn this morning. Something along the lines of you know, it's not like there's a platform out there that exists to determine if Pegasus was put on your phone. And I think in parentheses I had in parentheses I had cough not Webroot.

Eric Taylor:

Cough You are so tempting me to go down that route, aren't you?

Shiva Maharaj:

Well, you know, I, I saw as an aside to the Pegasus thing here, I saw a vendor that I hold in high regard posts that they're doing something with Webroot and I sank in my chair. I laughed hysterically almost to the point of crying that I shared my screen for you to see to try to trigger you.

Eric Taylor:

Oh, it triggered me where I want to just go on full blast. Oh fuck Here we go. You know, it's Webroot when it came out for the MSP model, was the best thing since sliced bread. It was a light foothold. We're had very little resources, you can run you can't do shit. Exactly. You seriously. All you got to do as a regular user is unregister the DLL for Webroot and you make it immune. It doesn't work. And now you're going to have a third party EDR

Shiva Maharaj:

Yeah, it's not like it's not like Cylance and stuff like that has the same vulnerability or

Eric Taylor:

worse things. I think Cylance does or is it SentinelOne,

Shiva Maharaj:

not SentinelOne. That's a different workaround. But Cylance definitely has that type of workaround, even though their attack on LinkedIn told you now.

Eric Taylor:

Yeah, yeah, fucked hearts. But yeah, I mean, Webroot has been the laughingstock of the cybersecurity world. Like this thing stops nothing. It doesn't stop ransomware payloads, it doesn't stop anything. So why is a cybersecurity firm going to partner with a dumpster fire of an MSP AV and think that they're new and whatever, I don't know if it's a just some sort of marketing ploy to get their name out there a little bit more or

Shiva Maharaj:

potentially think consider how many IT providers use Webroot? Personally, I think they use Webroot because it's the cheapest thing possible out there. Now I've heard rumors as low as 15 or 20 cents an agent

Eric Taylor:

Man, you know what, if we ever went to some of our partners with even half that price they would laugh us out of the country.

Shiva Maharaj:

That's not my hill to die on. But back to NSO, I think this is even more reason why I am comfortable with deploying CrowdStrike mobile across client devices, because it's a known quantity and the likelihood that it's a RAT or a Trojan or something else is slim to none

Eric Taylor:

Yep, let's go side topic a little bit because this is something I was brainstorming this morning but we've never done that before on this episode. And not even in the past 40 minutes as episode's been recording either. Told you I'm ADD like a mofo today. I was auditing a new client that we got last week. And they have a ton of legacy personal devices.

Shiva Maharaj:

Legacy slash too cheap to upgrade. Okay, gotcha. Okay.

Eric Taylor:

So they're BYOD. And the mobile device were to do MFA. So anybody who's familiar with Duo, now you have your free MFA. And it doesn't require devices to be updated. But if you go one step up to Duo Beyond I think it is, whatever their $6 plan is, you have device health, where you can enforce devices to actually freakin do this in a breeze. The interesting question to me this morning: if you're going to have MFA in your organization, should the company be mandated to either require their their employees to have up to date equipment to leverage MFA like Duo or issue out company devices?

Shiva Maharaj:

I'm going to take an unusual approach to this one.

Eric Taylor:

Okay, because I'm torn.

Shiva Maharaj:

How do you, how do people get, well, pre COVID, how did people get to work?

Eric Taylor:

They drove their fat happy butts in the car,

Shiva Maharaj:

in the car they owned, right? See, and you're still using that mentality, I would say let them make they should. It should not be an issue for an employee to put a MFA application on their personal phone. As long as we know, you're not right. You're not getting any other data from on their phone, forget a BYOD policy. I'm just saying, do MFA: Authy, Google Authenticator, Microsoft Authenticator, it should not be an issue for employees to put that on their phone. Because if they can drive their own car to work, to and from work, the least they can do is do that. Putting that cost burden on an employer to provide cell phones is undue and unnecessary in the SMB. In the enterprise, okay, I can see that being a thing, or get the Duo dongles or a Yubico or YubiKey, or something like that. But with all of the applications people have on their phones right now, putting Duo MFA, Microsoft Authenticator, come on, it's not a big deal. And give them a bypass on the Duo health to not be up to date or whatever.

Eric Taylor:

But I mean, we you, so like in the Apple world, 15.0.1 just got dropped. So those who don't have Apple, or if you have an Apple device,

Shiva Maharaj:

upgrade, don't talk to me, if you don't have Apple, I just can't, I know she's

Eric Taylor:

got this obsession. If you text somebody, it's not a blue box, and it's a green, he doesn't want to talk to anymore. But anyway. The we're seeing iOS devices as far back as 13.x. Tell me they're just, they're not just like one or two minor versions, we're talking major versions

Shiva Maharaj:

Now are these phones that can't upgrade? I think the older stuff can only upgrade to 12 point something and they still get security updates. So they get dot dots, whatever on the 12 cycle.

Eric Taylor:

I mean, should it be required that employees keep an updated phone, somewhat updated

Shiva Maharaj:

phone? I think it's a teaching experience, I think maybe internal IT if you have that at your company, or if you're an MSP and you know what you're doing, maybe you should actually have a conversation with them and say, guys, we're at 15, if you're still on 13, what the fuck? Like, come on, let's update here. Let's get you the new emojis. Because you know you want that?

Eric Taylor:

Yeah, I don't even think 13 has the ability for poop emoji.

Shiva Maharaj:

And why use it? Exactly. Come on. Everything else is a hot steaming pile of poop. So join in. But that's where I think I think you have to go with that. Like, you know, putting CrowdStrike mobile onto a personal phone, I think is probably not a good idea. Because it is very invasive. It's designed to basically pull copious amounts of data off of that device. But something like MFA, that's benign, and it helps you do your job, or helps you accomplish your job just as using your own car to and from work helps you. But what

Eric Taylor:

if I use a public transportation, Shiva

Shiva Maharaj:

who's paying for the MetroCard or the the transit card?

Eric Taylor:

Um, food stamps? Now I get your point, though, but yeah.

Shiva Maharaj:

Oh, boy. week that is a whole different type of

Eric Taylor:

Yeah, that's why I diverted out. Let's just stay over here.

Shiva Maharaj:

Oh, boy. All right. Almost triggered, but feasibly, you are using your own money to buy your tickets, your car, whatever you need for your motor transport. So just using that mentality, it's only two cell phones still charged per text message, or everything unlimited at this point.

Eric Taylor:

I think everything even the pay as you go plans are unlimited, I think.

Shiva Maharaj:

So if it's unlimited, there's no cost burden. And if there's a cost burden, use a goddamn MFA app that uses the Wi-Fi you're connected to at work that your company allows you to listen to Spotify on. Yeah. Like don't penalize your company, but yet, try to reap the benefit of being able to use Spotify in the office, not on your data plan, right? Don't be a motherfucker. But what do I know?

Eric Taylor:

I even have one that was the one I was talking about. The motor goes like, oh, we'll just put iPads in front of the workstations. And that would just be tied to one account. So as different users are coming up in the manufacturing, they'll just look there and just accept it. And I'm like,

Shiva Maharaj:

you know, if you're manufacturing, I would probably look into something with an RFID or a Yubico or something like NFC. Yeah, because you have a cleanliness factor being on just on a manufacturing floor. floor. Sorry. Done. But there are ways around these things. I think, a lot of people to make the excuses. No, I don't wanna use my personal phone or no, no, no, come on. We're way past that. We have been, this country has been rocked by ransomware for the last two years.

Eric Taylor:

Sir, yep, yep. And it's

Shiva Maharaj:

only gonna get worse, it's not gonna get better, even if we have 30 allies creating coalition here because it's not gonna be lasting, it's not going to be effective change. I think, you know, indicting people in absentia isn't gonna stop them from operating in countries without extradition. As bad as that sounds and I know it's not toeing the party line or whatever. But it goes back to the question that I asked Matt or people on that lease post. How do we fix this? What is the recourse? Once we can identify what the recourse is to all these things is how we can build out a better response or even a response.

Eric Taylor:

That's when we're going to build back better.

Shiva Maharaj:

Hey, come America great again.

Eric Taylor:

2.0 I don't know.

Shiva Maharaj:

Brian, do you have the red caps?

Eric Taylor:

So many inside jokes on that one? Oh, my gosh, we'll have to disclose that one one day. Anyway.

Shiva Maharaj:

Well, we got to bring Brian on to do that one. I think,

Eric Taylor:

well, his little California ass has to get up before three, eight or three, three o'clock in the afternoon Eastern time.

Shiva Maharaj:

This is true. But he is in California, so but you know, or

Eric Taylor:

whatever. They're freaking on holiday time all the time. So over there, you know, stomp them berries with our toes and crap.

Shiva Maharaj:

Some people call that wine.

Eric Taylor:

I just call it drinking foot fungus. That's just disgusting.

Shiva Maharaj:

And with that, I think we're good to go.

Eric Taylor:

I think so as well. Before we go we are circling

Shiva Maharaj:

the drain.

Eric Taylor:

Ladies and gentlemen, thanks again for tuning in for yet another hopefully hilarious episode of Amplified and Intensified. We hope you enjoy the content. Do us a favor, please like and share our content. Tell a friend about us. We want to grow this frickin crazy thing that we have here. Until next time, stay well, my friends.