Listen to the latest updates, developments, and insights into the world of cybersecurity. Learn how to protect yourself against the ever-evolving threat of cybercrime from leading talk radio shows and premium podcasts.
New Start-Up Helps Websites Store User Names, Postal Addresses of Anonymous Readers
"Now, Carole, let's imagine for a moment that you're interested in checking out a book, maybe a book by a celebrated, newly published author, and you think, oh, I'd love to find out more about that book, and you visit an online bookshop. But then you change your mind, maybe you're distracted by something else, right, and then maybe half an hour, an hour later, you receive an email saying, hey, we saw you visited our website. How would you feel?

What? By giving them my email address? I haven't logged in or anything like that. I'm just perusing the shop.

You haven't logged in, you haven't given them your email address, and yet they know you came to their website and they've contacted you via email.

Well, surely, I mean, if Google, Facebook or God knows who have got a tracking code on the site, then they could tie that together. I'm not sure it's technically possible, but I'm kind of surprised we haven't crossed that Rubicon yet.

It's happening. Well, imagine this, Carole: you have a particularly niche porn interest, maybe you're a bit of a furry on the side, and you decide to go further.

Furry, you said?

Yes, furry. I'm reliably informed that furries are people who like dressing up as furry animals, like the mascots at a football game, and they get their kicks from that sort of thing.

It looks like my husband, because he's quite hairy.

He must be a secret furry. I can't figure out what would be more disturbing, if he found that attractive or unattractive.

So imagine you visit the site, you get your fill of whatever you want, and then you receive an email saying, hey, we see you're a bit of a furry. It throws it back in your face. Whoa. It says, we've got even more of that kind of stuff, why don't you come back sometime? If you had never given them your email address, you'd be disturbed, right?

Yes, considerably. And also, of course, if someone's got your email address and knows what you've been looking at, there's the potential for doxxing or blackmail, who knows. You'd better tell me how they got our email address.

Okay. There's a fascinating article on Jezebel. Jezebel has written about an outfit called GetEmails, a startup. They claim to be the all-new audience growth tool for publishers, and they say they can convert anonymous website visitors into names, email addresses and even their home addresses. Boom. And incredibly, they claim they can do this for around a third of all US web traffic.

Jeez.

Okay, well, those are their claims. Whoa. Okay, let's look a little bit more into this. They say that their service is already being used. You know that chap Tucker Carlson on Fox News? Well, he is one of the founders of a website, quite a right-wing website, it won't surprise you, called The Daily Caller. That is one of the sites which is using exactly this technology right now, so potentially someone could find out your particular political views as well.

I don't understand. Sorry, you've lost me.

Okay. So how is The Daily Caller, this website run by Tucker Carlson, taking advantage of this technology? So they are a customer of this firm GetEmails. Okay. GetEmails is run by a guy called Adam Robinson, a former Lehman Brothers employee, and his girlfriend Helen Sharp, and they've actually put together a video where they explain how the thing works. You can go and check that out on YouTube, link in the show notes, but I can explain it in very simple terms. So there are lots of scammy kind of websites on the Internet. Surprise, surprise.

No! What a shock.

So there are websites which will claim, oh, we can get you better health insurance, we can get you better car insurance, just enter your details here, and we will go away and find an answer for you, right. And what most people don't do when they fill out those forms is read all the terms and conditions, and you remind me of that about every week.

You're one of the unusual people who actually does that, Carole.

But those sites will gather all that information, and they're not really set up to sell you health insurance. In some cases they do, or sometimes they do, but what they're really doing is creating a huge database of people's contact details. Okay, and they are then selling those to people, and that is all apparently legal, because people chose to give their information and they agreed to the terms and conditions to be marketed to.

I've always thought those sites, you know, like insurance compare sites or mortgage compare sites, I think that's exactly what a lot of them are doing. I think some of them are legitimate and are getting you a lot of the deals, but they say we are sharing this with interested parties on purpose to get you the numbers you want, right. They really do have to share that information with third parties. They don't have to give you a list of the exact people they're sharing with, because it's changing all the time, and some of them might be, you know, very bona fide companies, some might be shady.

And one of the companies which is buying this kind of information is this company GetEmails, and what they've done is they've generated MD5 hashes, so checksums, for all of those email addresses. They reckon they've got about half a billion now, and they're adding about one million more every day. And they say they've also partnered with mailing list firms, so that when folks click on a link in a newsletter and go to a website, a cookie can be set on their computer containing that MD5 checksum for their email address. And so what they're able to do is, when you go to The Daily Caller website or any other website which is running the GetEmails script, they can compare the hash in the cookie to the hashes in GetEmails' database, which they've gathered from these sites around the world, and they've got all the information which you filled in on that form.

Yeah, that's good instincts.
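The hash-in-a-cookie identity resolution described in this segment, as an added worked example. This is not code from GetEmails, the article or the podcast; the broker records, the people in them and the `em_hash` cookie name are all constructed for illustration. The mailing-list partner writes the subscriber's hash into a cookie, the publisher-side script looks that hash up in the broker index, and `dictionary_reverse` shows the caveat a practitioner should take from the story: an MD5 of an email address is not anonymisation, because anyone holding a list of addresses reverses it by hashing the list.

```python
"""Added example: the hash-in-a-cookie identity resolution described above.
Not code from GetEmails, the article or the podcast; all data is constructed."""
import hashlib
from http.cookies import SimpleCookie

# Constructed lead-gen records (hypothetical people and addresses).
BROKER_RECORDS = [
    {"email": "Alice.Smith@example.com", "name": "Alice Smith",
     "postal": "1 Main St, Springfield"},
    {"email": "bob@example.org", "name": "Bob Jones",
     "postal": "22 High St, Shelbyville"},
]
COOKIE_NAME = "em_hash"   # assumed; the real cookie name is not stated on the page


def normalize(email: str) -> str:
    # Canonicalise so the same person hashes identically however they typed it.
    return email.strip().lower()


def email_hash(email: str) -> str:
    # MD5 of the normalised address: the join key the broker and publisher share.
    return hashlib.md5(normalize(email).encode()).hexdigest()


def build_index(records):
    # Broker side: hash -> full record gathered from the lead-gen forms.
    return {email_hash(r["email"]): r for r in records}


def newsletter_click_cookie(email: str) -> str:
    # Mailing-list partner side: the click-through page sets a cookie holding
    # the subscriber's hash. Returned as the Cookie header the browser sends later.
    return f"{COOKIE_NAME}={email_hash(email)}"


def resolve_visitor(cookie_header: str, index):
    # Publisher side: read the cookie, look the hash up, and get name and
    # address for a visitor who never typed anything on this site.
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return None if morsel is None else index.get(morsel.value)


def dictionary_reverse(target_hash: str, candidate_emails):
    # Why hashing is not anonymisation: anyone holding an address list reverses
    # the hash by hashing every candidate and comparing.
    for e in candidate_emails:
        if email_hash(e) == target_hash:
            return normalize(e)
    return None


if __name__ == "__main__":
    index = build_index(BROKER_RECORDS)
    cookie = newsletter_click_cookie("alice.smith@EXAMPLE.com")
    print(resolve_visitor(cookie, index))
    print(dictionary_reverse(email_hash("bob@example.org"), ["x@y.z", "bob@example.org"]))
```

Normalising case and whitespace before hashing is what makes the join work across forms filled in on different sites, and it is also what makes the hash trivially reversible from any address list: the same property that gives the broker its match rate gives a third party who obtains the cookie value the email address.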
Twitter Hackers Arrested
"We have learned more about who's behind, who is believed to be behind, the Twitter hack. And you know, not some powerful state-sponsored cybercrime gang, just, we believe, a seventeen-year-old kid. His name is all over the tech press. I heard you not wanting to say it on mic, Leo, but I do have it in the show notes, so you can find it. I mean, yeah, you know, I come from the school of journalism where you don't say the names of minors who are accused of crimes, but apparently nobody else does that. So the local Florida news channel WFLA talked about him right away. They outed him as Graham Clark from Tampa Bay, Florida. So they also ran a suitably creepy picture of him. I know, in fact, before I reduced it in size, I actually had it in the show notes. He looks a little bit like Spock. He's got kind of a pointed ear. It's a little bit creepy. And it's interesting too that his nick is Kirk. So, oh, maybe. Two years, yeah. So anyway, the sad thing is this guy's life is now seriously screwed up. Yeah. He's been charged with felonies relating to computer communications and organized fraud for scamming hundreds of people using compromised accounts, according to a press release from Hillsborough State Attorney Andrew Warren's office. This guy Graham Clark now faces thirty felony charges: one count of organized fraud involving more than fifty thousand dollars, seventeen counts of communications fraud of over three hundred dollars, one count of fraudulent use of personal information for an amount over one hundred thousand dollars or thirty or more victims, ten counts of fraudulent use of personal information, and one count of access to a computer or electronic device without authority and scheming to defraud. So in total thirty counts of felony charges, all of those felonies. So I mean, I do feel like, unfortunately, there's sort of a bit of overreaction. I mean, I get it that this was not good, and certainly law enforcement wants to send a message like, don't do this even if you can.

Initially, the initial announcement didn't indicate whether Clark had any partners in crime, but a few hours after the press conference announcement, the world learned that the US DOJ had also filed charges against two other suspects believed to have helped Clark in this hack. The first of those was identified as Mason Sheppard, who's known as Chaewon, nineteen years old, living in Bognor Regis in the UK, and the other is identified as Nima Fazeli, also known as Rolex, a twenty-two-year-old residing in Orlando, Florida. The US Attorney Anderson said, there is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence. Today's charging announcement demonstrates, thus I think an example is being made, that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived. Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there's nothing stealthy about it. In particular, he said, I want to say to would-be offenders, break the law and we will find you. Please. So exactly the kind of thing hackers go, oh no, that's gonna really scare me. I remember when I was a teenager, and in fact, Leo, did this, did I? You know, I was always a good kid. But oh, to be seventeen and have that crazy network in front of me. Yeah. Yeah.

Twitter was, fairly clever. Because, well, go ahead, because the way they did it was kind of interesting. Yeah. So for their part, Twitter disclosed a bit more about the nature of the attacks. They said that the phone-based social engineering attack allowed the attackers to obtain the credentials of a limited set of employees, which then made it possible to gain access to Twitter's internal network and support tools, although not all of those employees who were initially targeted had permissions to use account management tools. The attackers, you know, apparently actually just Graham, were able to use their credentials to then access Twitter's internal systems and gain information about Twitter's processes. That expanded knowledge then enabled the attackers to target additional employees who did have access to Twitter's privileged account support tools. Reuters also had reported something that I had not seen elsewhere, which was that as of earlier this year, more than a thousand Twitter employees and contractors had access to Twitter's internal tools and could change user account settings and hand control over to others. A thousand. And this was according to two former Twitter employees. Well, as we know, such widespread access makes it difficult, if not impossible, to defend against the sort of hacking that occurred.
Cybersecurity and the SMB
"But yet, you guys are geared towards helping small businesses from a policy and readiness perspective on cyber, right? Absolutely. So I can tell you what we do. I just want to make a comment on your diversity comment, because I'll make a plug for diversity across genders and races. The capabilities and skills are out there, but you have to work to find them. So it's just a question: if you really believe in diversity, then you have to build it from the ground up, get people into the position to acquire the skills, and there's plenty of diverse skill that's out there, but you have to look for it and not just be complacent and go to the usual suspects. So that's my plug on diversity. It's important, particularly in this space, for us, particularly cybersecurity, which is about building things and creating solutions, to actually get diverse thoughts and ideas in. Well, if I may interject, diversity of opinion is so important because I've been in the industry, you know, roughly twenty-some-odd years, and I feel like, while we continue to innovate, actually solving things is the difficult part, right, and so every couple of years we need a fresh perspective, and what we have is people saying, this is not how it is going to happen. Yeah, exactly. Exactly.

And so the Cyber Readiness Institute: in 2016 I served as executive director of President Obama's independent bipartisan Commission on Enhancing National Cybersecurity, and it was a nine-month commission. As we were finishing up the commission, the vice chair of the commission, Sam Palmisano, who's the retired CEO of IBM, and I came together to talk through how you carry this momentum forward. So the co-chairs of CRI were all involved in the commission. Penny Pritzker served as US Secretary of Commerce at the time and she had oversight, and then Microsoft participated on the commission, Ajay Banga, the CEO of MasterCard, was a commissioner, and the idea was, to your earlier point, that by convening senior executives to come together and say small business cybersecurity is important, you create momentum for this purpose, because small businesses themselves don't have the voice and don't have the resources for this. And so if you take and convene large companies and ask them to share their best practices and resources to create free tools for small businesses, then you're truly helping businesses and you're also improving the security of global value chains. The point that Ajay Banga, the CEO of MasterCard, makes all the time is, you know, we're only as strong as our weakest link, and particularly for a company like MasterCard, helping small businesses makes sense, but it's true of all companies. Our members include ExxonMobil, General Motors, Citi. Those companies all recognize the importance of cybersecurity for small businesses.

Well, and I think it's interesting, as cybersecurity matures and has had its time as a thing, one of the things that I think we keep coming back to, and recognizing pretty readily, and it's happened a few times over the years, is that your smallest vendor, your most insignificant, in terms of the number of dollars you pay them, vendor or partner tends to be one of your weakest from a cybersecurity perspective, right? So if you think about the overused example, although I haven't heard it in a while, of the HVAC company that, you know, is your HVAC provider of choice for the six hundred and seventy-four locations you have, right, or even the one where you've got a shop or something, or live in an area that's got a lot of these small companies that are the warehousing and electrical companies, right, these are not like global companies, but they've got somebody that maintains their grounds, they've got somebody that does their payroll, they've got somebody that maintains the electrical and all that, and I sort of wonder how much the companies that these companies rely on actually do in terms of cybersecurity. Sometimes they have such a wealth and abundance, an embarrassment of riches, as the attorney would say, in terms of how much data they have about some of the world's largest companies. It blows my mind that they spend, like, maybe sometimes nothing on cybersecurity. Holy cow.

Well, exactly, and I think one of the things that you are calling attention to, which is so critical, is that supply chains are not linear. There are parts of your supply chain that people don't think about. It's the catering company, it's the HVAC company, and there was a story in the New York Times by Nicole Perlroth a couple of years ago about an oil company in Texas that was firewalled six ways to Sunday, but they were breached because the malicious actors were paying attention to the IT department and saw that at six o'clock at night, typically, they would download the menu from the Chinese restaurant around the corner in order to order, and so they put the malware on the Chinese restaurant's menu, because they knew it was a lot easier to breach.
Why does Donald Trump want to ban TikTok?
"For those who are blissfully unaware, late last week US President Donald Trump announced that he would ban TikTok, and furthermore he said he would block Microsoft from taking over the app, which was apparently a deal that was in the works. Then he backflipped and gave Microsoft forty-five days to complete the transaction, but now he's signalled that the US Treasury should get a cut of the deal, which seems weird in a country which is terrified of socialism. So that's a basic recap, but there are so many little weird, bonkers nuances to this. Brett and I actually wrote about it, published on Risky.Biz, and the link's in the show notes. But look, let's get the conversation going now, and we'll start with you, Alex. You know, there are probably some national security ramifications or concerns around apps like TikTok, but why do we get the impression that's not what's driving this whole thing?

Well, you get that impression because the president of the United States continues to change his justification of what he's doing and is making a national data protection law up on the fly on Twitter. And so, you know, it's quite possible, watching what's going on, that you'd reasonably conclude that this isn't a well-considered change in policy, but perhaps part of the ongoing trade war, and perhaps a mix of Trump's anger at what would normally be protected speech against him on TikTok, and partially to distract from the fact that on the same day that he made that announcement, it was announced that the United States economy shrunk by nine percent in just one quarter. And so, you know, all those things together are really polluting this process. Now, that being said, I think there are some interesting risks here, and there is something we have to talk about, about Chinese apps and the data of democracies sitting on servers available to the PRC. But if you're going to do that, from my perspective TikTok is probably not even in the top five or top ten companies I'd be concerned about. There are a lot of Chinese companies that are much more critical and have much more important data than they do. This seems to be completely driven by Trump and not by some kind of process in either the White House or the agencies where they can rationally consider these things.

Now look, you and I, we have access to grapevines that most people don't actually have access to, a wonderful part of the job. I mean, my grapevine tells me that this is not going through the usual processes. I mean, the US investigation into TikTok did start last year, right? This is a legitimate, deeply rooted investigation, but it's the escalation since, like, last week that is just the mad part. And as you say, I mean, why the hell are we talking about WeChat? And that's a curly one to strategise. I know that there are politicians here who use WeChat as a way to communicate with Chinese Australians, for example, right? So that whole thing is a can of worms, and I think blocking WeChat in a lot of places around the world is going to be a real loser, right? So that's maybe one reason people don't want to touch it. But yeah, this is a very complicated, nuanced issue that has just been, the whole thing's strange, isn't it?

It is. So CFIUS, the law that we're talking about here, was really built to protect the American industrial base around defense. Right, you have an important helicopter manufacturer and you don't want it to get bought by Iran. That's what CFIUS is for. It has never been used as a back door for a data protection framework. Here in the United States we do not have a data protection framework. There is no law that says you cannot ship Social Security numbers of Americans to a Chinese company. Nothing prevents that in theory. Now, obviously, we have rules that have been created through FTC decisions and such. But overall, we don't have a framework for deciding what is really important PII and what isn't, and so to create that out of whole cloth, using a CFIUS interpretation, is really probably the worst way to handle what is a really, really complicated problem. And like you said, there are other companies that would be at the top, and I think from my perspective WeChat is the top one for me, right? It is used by the entire Chinese-speaking diaspora. Anybody who has anything in China uses it, and that includes people in Singapore, people in Hong Kong, people in Taiwan, so lots of these places where Chinese intelligence is really interested in what's going on. WeChat has become part of people's daily lives, and unlike TikTok, it carries very sensitive data, right? People run their companies over WeChat, they have their personal communications over WeChat, they probably arrange affairs and do things that are very blackmailable on WeChat, and there is evidence from Citizen Lab and some other folks who have done work that demonstrates that you can kind of get side-channel information out of WeChat that demonstrates that they are watching and they are doing at least scanning of certain phrases, even on communications that go outside China.

I mean, at this point I think that's well known and well established that WeChat is certainly used by the CCP to do surveillance, right? Like, that is the reason it's so successful and the reason that they can block other communications and funnel people through it. But this brings us to an important question. There are some concerns that say censorship on TikTok, for example, there was a case where they were deleting videos that referred to human rights abuses occurring in Xinjiang in China, right, and that turned into a massive kerfuffle, for good reason. Don't get me wrong, let's not pretend for a second the CCP are a bunch of fluffy pandas. Okay, that is certainly not the case. But let's be real. There are names for them. But let's look, let's be real here, right? Like, the honest security angle to this, right, it's hard to make a case that it's a terribly dangerous app. Now, when the United States blocked the sale of Grindr to an offshore concern, I mean, I think that was another Chinese company that wanted to buy that. Absolutely. Anyway, when they wanted to buy a company that tracked global hotel reservations, again, that type of information is incredibly valuable to US intelligence. In 2006, the US government blocked Check Point, which is an Israeli firm, from buying Sourcefire, because Sourcefire, through Snort, had deep access into US government networks. Right, in all of these situations where this has happened before, you can point to a single reason and you can say, this is why. That's absent here.
"The primary thing that we focus on is trying to learn what the current trends are in attacker tactics and techniques, how they're shifting from targeting specific types of enterprises to targeting other types of enterprises, what is more popular, less popular, what the collaboration between different attack groups looks like, and how they leverage each other's resources and capabilities. And really the method in which we operate is to not assume in advance what we're going to find in that honeypot. We basically create the facade of an appealing target in a particular segment of the market, and then we cast a fairly wide net. We make it very apparent that the target is there, we try to make it very apparent that it is an appealing target to a specific sector of attackers, and then basically keep it up and running for a while, usually a couple of months, and wait and see what comes our way. We deploy a network of sensors within the honeypot, so we can always understand what is happening in that environment. But we try to first and foremost stay hands-off, in terms of not making it extremely difficult for an attacker to get initial access into the environment. We sort of even invite them in, to a certain extent. But once they're in, that's when we start focusing on what they're doing and understanding exactly how they're going through the motions: what are they after, how are they doing this, how are they operating and how are they running the operation, what happens outside of the honeypot, are they using data that they're taking from the honeypot in any way, are they interacting with other groups based on that data and their observations, are they bringing in other parties they're collaborating with? And so during that process, we are not completely passive. Sometimes we would try to mimic the response of that enterprise. We would try to stop their attack to a certain extent, but really not sufficiently well to actually stop what they're doing, just to give them the feeling that they're, you know, in a real-world environment. It's a theater of cybersecurity.

I think that would be a great name. I understand that you managed to fool some attackers, at least. What were they doing in the network once they entered it?

I think the clearest trend that we saw in this research was around ransomware attacks. What we saw was that, especially when you compare it with honeypots that we ran in previous years, significantly more of the ransomware attacks on the honeypot used the tactic that is referred to as the multi-stage ransomware attack, and that specific tactic can have a major impact on large organizations. Basically, I would say, as part of this tactic, what the attacker would do is they would gain access into a network, and then they would start moving in the network.

Before we go on with the multi-stage attack, I think we should probably create, you know, a baseline for our listeners. What is a single-stage ransomware attack?

A single-stage ransomware attack is essentially when the user clicks on a phishing email and the machine on which that user is working has a ransomware infection, and multiple files, usually data files, get encrypted, and then that user is presented with a ransom demand note. But those usually impact just that machine. We often refer to them as detonate-on-impact type ransomware. So the second you click on that thing, it starts running, it encrypts whatever it finds on that machine, and then it posts that ransom demand. Those were classic ransomware attacks, and I think over the course of the past year we've seen a certain peak in them, probably around late 2018, early 2019, and during late 2019 into 2020 we're seeing a certain decline in the amount of those single-stage ransomware attacks. They're still very high numbers, but there's a certain decline, and there's a trend.

So in your experiment, you're seeing a different tactic, multi-stage ransomware.

Correct. What we saw there, the multi-stage attack tactic, basically involves a situation where the attacker is operating a hacking operation. When they first start, they make sure that they have access into a network. That can be a user that clicks on a file, an attachment, it can be in some other way, but once they have access to the network, they put the ransomware in there, but they don't detonate it. They first try to maximize the impact of their attack on the target, so they can be at a place where they have maximum leverage to get as much ransom payment out of that activity as possible. The way they do that, and that's why it's called a multi-stage attack, is that the first stage involves trying to move in the environment from that single point of entry. They discover user credentials, basically passwords, then they try to use these passwords to move around the network and impact other systems, gain control of other systems. On each system that they get to, they go through the same process: they take data and they exfiltrate it, they take user credentials, they put the ransomware on that impacted asset but they don't detonate it, and then they keep moving in the network until they've exhausted their capability to spread across the network. And the idea is to reach as many important assets as possible, as many critical assets as possible, in the network. Once they've exhausted their capability to move around the network, they detonate the ransomware that they deployed in the environment across all these impacted assets at the same time. Once the ransomware has detonated and there's a large-scale denial of service, usually as a result of that, they follow up very commonly with a ransom demand that involves threats to expose the data that they've stolen, the user credentials that they've stolen, and again the idea at that point in time is to gain maximum leverage on the victim to pay, usually a ransom sum that ranges between five and six digits in dollars.
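Detection logic for the multi-stage pattern described above, as an added example. This is not Cybereason's code, and the telemetry is constructed: the event tuple format, the `svc_backup`, `sccm` and `jdoe` accounts, the host names and the thresholds are all assumptions. It flags one account authenticating to many hosts inside a short window (the credential-reuse stage), a file written to many hosts but never executed anywhere (the staged-but-not-detonated stage), and correlates the two into a single alert. A benign software push that writes and then runs the same file on several hosts is included so the second rule does not fire on ordinary deployment traffic.

```python
"""Added example: detection logic for the multi-stage ransomware pattern
described above. Not Cybereason's code; the telemetry, account and host names,
event format and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: (timestamp, kind, user, src_host, dst_host, file_hash).
# kind is "logon" (network logon), "write" (file dropped) or "exec" (file run).
EVENTS = [
    ("2020-08-01T01:00:00", "logon", "svc_backup", "WS-17", "FS-01", ""),
    ("2020-08-01T01:03:00", "write", "svc_backup", "FS-01", "FS-01", "h1"),
    ("2020-08-01T01:05:00", "logon", "svc_backup", "WS-17", "SQL-02", ""),
    ("2020-08-01T01:06:00", "write", "svc_backup", "SQL-02", "SQL-02", "h1"),
    ("2020-08-01T01:09:00", "logon", "svc_backup", "WS-17", "DC-01", ""),
    ("2020-08-01T01:10:00", "write", "svc_backup", "DC-01", "DC-01", "h1"),
    ("2020-08-01T01:12:00", "logon", "svc_backup", "WS-17", "APP-05", ""),
    # Benign software push: same file on several hosts, but it is executed.
    ("2020-08-01T08:00:00", "write", "sccm", "DEPLOY", "WS-03", "h2"),
    ("2020-08-01T08:00:10", "write", "sccm", "DEPLOY", "WS-04", "h2"),
    ("2020-08-01T08:00:20", "write", "sccm", "DEPLOY", "WS-05", "h2"),
    ("2020-08-01T08:05:00", "exec", "sccm", "WS-03", "WS-03", "h2"),
    # Ordinary user touching two servers over a morning.
    ("2020-08-01T09:00:00", "logon", "jdoe", "WS-03", "FS-01", ""),
    ("2020-08-01T09:30:00", "logon", "jdoe", "WS-03", "APP-05", ""),
]


def _ts(s):
    return datetime.fromisoformat(s)


def lateral_movement(events, min_hosts=3, window=timedelta(minutes=30)):
    # Credential-reuse stage: one account reaching >= min_hosts distinct
    # destinations inside any sliding window. Returns {user: sorted hosts}.
    logons = defaultdict(list)
    for ts, kind, user, _src, dst, _h in events:
        if kind == "logon":
            logons[user].append((_ts(ts), dst))
    flagged = {}
    for user, rows in logons.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            hosts = {dst for t, dst in rows[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def staged_payload(events, min_hosts=3):
    # Deployed-but-not-detonated stage: the same file hash written to many
    # hosts with no execution seen anywhere. Returns {hash: sorted hosts}.
    written, executed = defaultdict(set), set()
    for _when, kind, _user, _src, dst, h in events:
        if kind == "write":
            written[h].add(dst)
        elif kind == "exec":
            executed.add(h)
    return {h: sorted(hosts) for h, hosts in written.items()
            if len(hosts) >= min_hosts and h not in executed}


def correlate(events):
    # One alert when the account that moved laterally also left the staged
    # file on the hosts it reached; this is the window before detonation.
    alerts = []
    staged = staged_payload(events)
    for user, hosts in lateral_movement(events).items():
        for h, where in staged.items():
            overlap = sorted(set(where) & set(hosts))
            if overlap:
                alerts.append({"user": user, "staged_hash": h, "hosts": overlap})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The window and host thresholds are the tuning knobs: a backup or monitoring account legitimately touches many hosts, so in practice the lateral-movement rule is scoped to interactive or remote logon types and to accounts not on a known service-account list, and the staging rule is the more specific of the two because a file copied to many hosts and never run is unusual outside patching windows.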
Yubico Chief Solutions Officer Jerrod Chong
"Completeness. So this this three aspects to this, right. So what we WANNA make sure that we have Internet scale Internet skills usually means that you know it's the technologies available everywhere I think from the out of the journey, which is like it's the technology available everywhere I. Think we've hit that mark as you mentioned Google Microsoft, and then recently apple as well has made supporting platform. But I think it's actually the beginning of the journey. Right at the end of the day you have the platform that's ready. You have you because and keys and other indicators lives it can leverage the technology but didn't actually have the bill things that used technology and that's where I think. You need to have the adopters in the picture, right so every service that is building. A platform to get them get us to do something should not start with username an SMS. So if people's do bills solutions with username passwords and SMS or some combination that. Then you really you know we we still far away so I think. excited. Don't me get wrong with superstar? In fact I think it was two weeks ago when apple announced that The develop conference that they are going to implement even to pass with. US. Slow this year coming out in IOS, at fourteen in the safari fourteen. So they are really going full force of creating the experience. They also implemented the hardware attestation pot of both in down to a K. didn't i. which is everyone else has done and it sort of bit of a because there was some you know some people are saying this privacy concerns around that. Could you explore that a little bit with us? So at station is a way to. Really. Understand that the authenticated was able to manufacture that you actually want to do business with all your trust with. So education statements are to create a genuine like this is made by. 
Education statement says the this device that you are registering to the service is made by your call, and you could say, well, this iphone that you're gonNA use as your web authentic hitter is made by apple in an iphone of whatever hardware specifications. So actually, it's very valuable because. There are two things that variables. So some organizations care about the quality of the type of authentic issues. We can see it's a variety of them in the market. So you know there are some organizations that care about that like, for example, government agencies, they I care about this authenticated was made by accent had to certification level. Why things like that? So the care about that but the other thing about why people care is that You know if something happens to authenticate or let's it does. Vulnerability or does the something's going on with it? They actually need to take action now if you don't know. What authenticated was made by whom you couldn't really sort of blacklist it, and so what you end up happening is like you had to, then you know you have to make some very big policy statements they I don't allow a whole bunch of these things and then they will affect you know good good authenticate as well. So does both practical needs from an industry perspective. I some some people really do care or some organizers really do care the table level of authenticity of authenticated, and then some people do practically how do I manage some of these things but most parts I think you could implement web attend service without station right? So that's that's definitely possible Steffi better than using the passwords. So. We need to start somewhere I think apple has. Jumped a leap above some of the other. Way The privacy concern pot come into this because I only saw the headlines I didn't really dive into it. Yeah. So some authenticated vendors right they they uniquely identified the device, right? So Eddie Station to the goal what would create what fighter was that. 
It should be anonymous. I use my authenticator wherever I want, because it's one authenticator to many services. So I should be able to use it anywhere, and I don't want services to correlate what I'm doing with people. Let's say I'm going to a site that I'm very familiar with, and let's say you can use different identities across multiple platforms. I'm with you, right? Exactly. So if somehow people could correlate that I'm using the same authenticator, and that the identity was, in fact, actually me, I mean, bad things can happen. This is a privacy issue.
Esportz Network Brings on Chris Puckett as Host of The Gamer Hour
"One of the longest running hosts in esports has announced his latest project, working with Esportz Network. We're extremely excited to finally be able to announce this new show. Chris Puckett has nearly two decades of experience playing, casting and hosting esports events. His career began in the early days of Call of Duty and Halo esports and has evolved into being the face of some of the biggest broadcasts in esports history. Recently, he's been the host of the Overwatch League and Riot Games' Valorant Ignition Series. Today he announced, alongside Esportz Network, his new show, The Gamer Hour. His tweet is rapidly approaching one thousand likes. His positive reputation preceded him; people were really anticipating his next big move, as his Twitter bio read "Puckett for hire". Well, we're happy to announce it's The Gamer Hour. From Reuters studios in Times Square, Puckett will bring on the biggest celebrities and gamers to talk about the wide world of video games. The goal is to bring both the gamer and the non-gamer into the show by combining all the popular culture aspects of modern video games. The show will air weekly and is a collaboration between Esportz Network, Reuters, and Puckett. We'll be updating you on this feed with more information as we announce the first few shows, but be on the lookout for gaming's new late night talk show.
F5 Networks "Big-IP" devices in Big-Trouble
"At the very end of last month, I think it was June thirtieth, F5 Networks released a critical patch for their so-called BIG-IP systems. It was a maximum, the way it was termed, remote code execution flaw; it doesn't get worse than that, disclosed in their so-called TMUI, the Traffic Management User Interface of the BIG-IP, which is actually, you know, like a trademark. I don't know what it stands for. IP, Internet Protocol; that's big. Maybe it's an abbreviation for something other than just big. Their Application Delivery Controller, ADC; big on initials here. Anyway, this came to light as a consequence of F5 publishing this patch, and with it was an urgent call for users of the so-called BIG-IP systems to immediately update with the highest possible priority. And BIG-IP, F5's customers using these BIG-IP solutions, are governments, Fortune 500 firms, banks, service providers, well-known brands including Microsoft, Oracle and Facebook. I mean, you know, this is big iron. So as we noted at the time, F5's website boasts that forty-eight of the Fortune 50 rely on F5, so somehow they missed two of the top fifty companies in the US. And at the time of the disclosure, so not quite but almost a month ago, more than eight thousand of these BIG-IP F5 Networks devices were found online, publicly accessible on the Internet and vulnerable to attacks designed to exploit this vulnerability. US Cyber Command independently urged F5 customers to patch their devices urgently. They tweeted: "Patching CVE-2020-5902 and 5903 should not be postponed over the weekend. Remediate immediately." Wow! F5 also offered some interim mitigation measures that they recommended for their customers.
That is, for customers who could not, for whatever reason, patch their BIG-IP equipment immediately. You know, sometimes that requires you to take it down for some length of time and reboot. But it later came to light that the mitigation could be mitigated and bypassed, which made emergency patching the only safe course, like, you know, do it now. So two days after the patches for this critical vulnerability were released, researchers started publicly posting proof-of-concept exploits, showing just how easy it would be to exploit them. So that was then. Three weeks later, last Friday the twenty-fourth, the Cybersecurity and Infrastructure Security Agency, CISA, posted. They said: "CISA is issuing this alert in response to recently disclosed exploits that target F5 BIG-IP devices that are vulnerable to," blah blah blah. "Unpatched F5 BIG-IP devices are an attractive target for malicious actors. Affected organizations that have not applied the patch to fix this critical remote code execution vulnerability risk an attacker exploiting that CVE to take control of their system. Note: F5's security advisory states that there is a high probability that any remaining unpatched devices are likely already compromised. CISA expects to see continued attacks exploiting unpatched F5 BIG-IP devices, and strongly urges users and administrators to upgrade their software to the fixed versions. CISA also advises that administrators deploy the signature included in this alert to help them determine whether their systems have been compromised." And so the signature was a traffic inspection script, in order to see whether there is bad stuff going on. They said: "CISA has observed scanning and reconnaissance, as well as confirmed compromises, within a few days of F5's patch release of this vulnerability. As early as July sixth, CISA has seen broad scanning activity for the presence of this vulnerability across federal departments and agencies.
This activity is currently occurring as of the publication of this alert," meaning, okay, from as early as July sixth is when that began, and this alert was last Friday the twenty-fourth, so this has been going on. They conclude: "CISA has been working with several entities across multiple sectors to investigate potential compromises relating to this vulnerability. CISA has confirmed two compromises and is continuing to investigate. CISA will update this alert with any additional actionable information." Okay, so now this is a classic example, and actually this sort of ties into where we'll be going here in a minute when we talk about Garmin. I've often been speaking about the growing critical need for companies, and to a lesser degree individuals, but certainly individuals who care, to be certain that they have and are maintaining an open channel of communication for receiving vulnerability notices. I've been talking about email as that channel. But in thinking about this further, I think that Twitter likely makes the most sense now. As I noted last week, Twitter really has become our global information dissemination platform, warts and all.
SIGRed: What You Should Know About the Windows DNS Server Bug
"SIGRed. As Check Point Research said, this is not just another vulnerability. This month's big, scary, wormable vulnerability turns out to have been present in Windows Server versions since Windows Server 2003, which actually did come out in 2003, unlike Windows 10 2004, which came out in 2020. But anyway, you'll get to my Windows rant a little bit later. This problem has been present in all subsequent versions of Windows Server since, including Server 2019, which is the most recent release of Windows Server. So without knowing it, we've been living with this in our midst for the past seventeen years. Its discoverer was Check Point Research, as I mentioned, who named it SIGRed, and I'll explain where SIG comes from; SIG is as in signature, because that's about DNSSEC signing stuff, signing records. It was assigned CVE-2020-1350, and I'm always suspicious when I see such a low CVE number. I wonder if they're going to have to start randomizing them, because, you know, you can tell how old it is from how small it is. You know, we're in July of 2020, so a 1350, that happened right at, near, the beginning of the year, and it's like, okay, especially considering how serious the guys at Check Point think this is. So it's wormable, meaning that it can propagate among any and all Windows servers that can be induced to make a DNS query, and it turns out there are lots of clever ways that can be done, and the Check Point Research guys did all that. It's triggered by the receipt of a specially crafted DNS response, and since the Windows DNS Server service runs with elevated system privilege,
if it's exploited, an attacker gets full domain admin rights, effectively compromising the entire corporate infrastructure. And many who looked at this realized this could have been a flash worm of the sort of, like, Slammer, which, remember, took, was it thirty minutes, to take over all the vulnerable systems on the Internet. This is a self-propagating worm, so, yeah. The way Check Point explained their discovery, that is, why they went looking, was sort of interesting. They wrote, quote: "Our main goal was to find a vulnerability that would let an attacker compromise a Windows domain environment, preferably unauthenticated." They said: "There's a lot of research by various independent security researchers as well as those sponsored by nation states. Most of the published and publicly available materials and exploits focus on Microsoft's implementation of," and no one's going to be surprised by this, "SMB, Server Message Block, i.e. EternalBlue, and RDP, the Remote Desktop Protocol, BlueKeep, protocols, as these targets affect both servers and endpoints." They said: "To obtain domain admin privileges, a straightforward approach is to directly exploit the domain controller. Therefore, we decided to focus our research on a less publicly explored attack surface that exists primarily on Windows Server and domain controllers: WinDNS." For anyone who's interested in their really detailed tech stuff, I've got a link in the show notes, because it's very detailed and, well, frankly, it's wonderful, and it takes you step by step through Check Point's process, so I'll just hit the high points. For every query type that a DNS server makes, there is a corresponding reply. What Check Point found was a classic type conversion flaw, a math result variable sizing mistake in the parsing logic for the reply to a SIG, as in signature, which is part of DNSSEC, the extensions for DNS security. They discovered it...
Like, by reverse engineering the, I think it was, dns.exe, which is the service that does WinDNS. They studied the code there, the reverse engineered code, and they found a mishandling of values between the sixteen-bit fields which are used by the DNS protocol and the sixty-four-bit register math used by the code's compiler. All coders know that if a sixty-four-bit value, or even thirty-two, is calculated to allocate memory, that is larger than sixteen bits, so a sixty-four-bit or thirty-two-bit value calculated to allocate memory, and if the result is larger than 65,535, which is the maximum absolute quantity that can be represented with sixteen bits, then the least sixteen bits of the larger value will be a small integer. Basically, it's the overflow over 65,535. And if that smaller sixteen-bit integer value was then used to allocate memory for a buffer, the resulting buffer will be much too small to hold the larger calculated amount of data. And of course, that's exactly what happened.
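To make the narrowing mistake described above concrete, here is an added example in C. It is not Check Point's or Microsoft's code and does not model dns.exe itself; it is a hypothetical size calculation in which a sum computed in wide arithmetic is narrowed to the 16-bit length field the DNS wire format uses, shown beside a checked variant that refuses to narrow when the value does not fit. Function names and the sample lengths are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the bug class discussed above (constructed for this
 * example, not the code from dns.exe). A length is computed in wide (32-bit)
 * arithmetic, then narrowed to the 16-bit length field of the DNS wire
 * format, and the narrowed value is what sizes the buffer. */

/* Unchecked narrowing: returns the size an allocator would actually be
 * handed. For any sum >= 65536 the result wraps modulo 65536 and can be far
 * smaller than the data that is later copied into the buffer. */
uint16_t truncated_alloc_size(uint32_t wire_len, uint32_t expansion)
{
    uint32_t needed = wire_len + expansion; /* computed in 32-bit arithmetic */
    return (uint16_t)needed;                /* C narrowing conversion: mod 65536 */
}

/* Checked narrowing: fails closed instead of wrapping. Writes *out and
 * returns true only when the sum fits both the wide type and the 16-bit field. */
bool checked_alloc_size(uint32_t wire_len, uint32_t expansion, uint16_t *out)
{
    if (wire_len > UINT32_MAX - expansion)
        return false;                       /* the wide sum itself would wrap */
    uint32_t needed = wire_len + expansion;
    if (needed > UINT16_MAX)
        return false;                       /* does not fit a 16-bit length */
    *out = (uint16_t)needed;
    return true;
}

/* Shortfall in bytes when a buffer is sized by the truncated value:
 * the amount of data that would land past the end of the buffer.
 * 0 means the narrowed size would still have been adequate. */
uint32_t overflow_shortfall(uint32_t wire_len, uint32_t expansion)
{
    uint32_t needed = wire_len + expansion;
    uint32_t allocated = truncated_alloc_size(wire_len, expansion);
    return needed > allocated ? needed - allocated : 0;
}

int main(void)
{
    /* Constructed sample: a record near the 16-bit maximum plus a name
     * expansion that pushes the total just past 65535. */
    uint32_t wire_len = 65000, expansion = 1000;
    uint16_t safe = 0;

    printf("needed=%u truncated=%u shortfall=%u\n",
           wire_len + expansion,
           (unsigned)truncated_alloc_size(wire_len, expansion),
           overflow_shortfall(wire_len, expansion));
    printf("checked narrowing: %s\n",
           checked_alloc_size(wire_len, expansion, &safe) ? "ok" : "rejected");

    /* A small total narrows without loss and is accepted. */
    if (checked_alloc_size(1000, 500, &safe))
        printf("checked narrowing of small total: %u\n", (unsigned)safe);
    return 0;
}
```

Running it prints needed=66000, a truncated size of 464 (66000 minus 65536) and a shortfall of 65536 bytes, while the checked variant rejects the same input and accepts a total of 1500; the defensive point is that the bound check must happen before the value is narrowed, because afterwards the information is gone.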
The Emerging Role of SASE and the Cloud
"I want to touch on this notion of SASE and how that applies to things like zero trust. Can we start with just some basic setup for folks who might not be familiar with it? Can you describe to us, what is SASE? SASE, it stands for Secure Access Service Edge, and it's an emerging concept, I think, that Gartner kind of put out into the market about a year or so ago. And it's really about moving the network security stack to the cloud. And when you think about what a network security stack is, it's a combination of things that include firewalls and secure web gateways and VPN-type technology, software-defined perimeter, remote browser isolation, the number of things that you used to have in your organization on premise. All of those things, that entire security stack, is now kind of migrating to the cloud, and when that occurs, users of this new security stack residing in the cloud have better scalability, better security, better control. And there's a lot of larger corporations that are starting to put these security stacks together and offer SASE-type services. If I were to go back in time, I remember when there was an appliance for every one of those things that I just described, you know: a firewall appliance, a secure web gateway appliance, a VPN appliance. And then during my Fortinet days I saw that consolidation occur into what was called a UTM, Unified Threat Management, where all those different technologies, instead of being separate appliances, kind of consolidated into a single appliance, an all-in-one appliance. What's now happening is that same concept of consolidation is occurring, but it's not an appliance anymore. It's all moving to a cloud and consolidated into a single cloud. Are there any limitations? Are there any shortcomings to moving to SASE? Some argue that, you know, they really want best of breed, and they will argue that you can't really get best of breed when you select
one single cloud provider to offer all of those services. So some organizations will see that as a weakness and say, well, I want this part of the security stack provided by vendor X and a different part of the security stack offered by vendor Y, so that they can build a kind of best-of-breed approach. That, I think, is probably one of the biggest limitations to doing it. And what are some of the major benefits? Well, the benefits are that you don't have to go out and purchase all of these different appliances and then try to deploy them everywhere you have offices. It's all centrally located in the cloud, so it reduces your deployment footprint significantly, and the administration of all of those things starts to get a lot easier, because the cloud provider is doing a lot of that work for you, updates and things like that. So I think huge benefits come from that. And I think one of the things that was very telling: when COVID-19 hit, a lot of organizations scrambled to figure out how to get their employees working remotely better, and they were using the appliance approach. Their appliances weren't necessarily enough to handle the load that they were now being tasked to put on them. Before, they might have had a hundred users connecting to the VPN, and now it's a thousand users connecting to the VPN to get remote access to the network. So if they had deployed a SASE solution, it's just really a matter of dialing up more capacity from the SASE cloud provider and dialing it down once they don't need it anymore.
Learning to program: The journey of Graham Cluley
"You learned how to program by buying a magazine at the local newsagent and spending hours over the weekend laboriously typing in the BASIC commands. And this is how I learned how to program computers, and I loved it, and I started writing computer games for my friends. I actually began to write games which were, in a way, a mixture of both programming and literature. I got into what's called interactive fiction, what we'll come to know as text adventure games, and after a while I began selling text adventure games, and those adventure games ended up on the front discs of magazines. And I would say at the end of them: look, if you really liked the game, why not send me five or ten quid, and I'll help you get further in the game, or send you a map. And then one day a package arrived on my doorstep from a guy called Alan Solomon, who'd played my games, and my life changed forever. I was misled. And inside the parcel it had a cheque for twenty pounds, which is more than I had asked for, and a copy of Dr. Solomon's Anti-Virus Toolkit, and a letter saying, if you want a job, let me know. And so I rang him up, and I went for an interview and he gave me a job, and I was his first ever Windows programmer. So for a few years I was writing Dr. Solomon's Anti-Virus for Windows, but what I noticed was, I think actually I was at a particular show where we were launching the product, and I would see the sales people demonstrating my software, my creation, and I thought they're not showing the good bits. And so I said, do you mind if I have a go? And so they let me have a go on stage, and soon there was a bit of a crowd around as I explained and talked through my magnificent bitmaps which I'd designed. So I think I sort of bullied my way, in time, out of the programming department, so I made this great big jump. Over time I became more and more the public face of Dr. Solomon's, talking to the press, describing what was going on in the world of cybercrime, writing articles and generally just
doing tap dances, effectively. And then one sad day the company got bought, and frankly I think I lasted about six weeks. After a period of gardening leave, I decided to go and join Sophos, for about half the salary but three times the fun. I wasn't involved in any of the programming at Sophos, but I was involved in the social media activity, and probably the primary thing of all was something which myself and Carole Theriault, who now co-hosts a podcast with me, Smashing Security, we set up a blog called Naked Security. At the time it was something a bit different, to be honest. When we launched it, there weren't many technology companies who were writing every single day about what was going on in terms of threats and trying to explain them in simple language. We were trying to explain these things in a way which an intelligent child would understand, because I always felt there's been a problem where we have nerds speaking to other nerds, and I don't think that's the solution to the cybersecurity problem. I think we have to be able to communicate to everybody effectively. My career now involves writing articles, making podcasts and giving public presentations. That's what I do. And people, thank goodness, find it interesting, what I have to say or how I say it, and so they're asking me to keep doing that. I wish I had gone independent sooner. It has been an interesting new challenge, and I wish I'd had the confidence to do that sooner, and to carve my own career. There's all kinds of changes, because I'm basically a one-man company now. Things like networking are so much more important than they used to be. I'm naturally quite introverted. If I don't know you, I'm quite quiet and shy; I'll often be hanging out in the kitchen or something. I definitely let parties and things that he likes to be around. I'm good with the people I know, but I'm not good with... And so I find myself at events now, and I push myself and say, okay, I don't know anybody here.
Maybe I should just go and chat to someone. There's still a twelve-year-old computer programmer inside me. It feels a little bit scared about doing that sometimes, but, you know. Sometimes.
Mozilla Suspends "Send" Due to Persistent Malware Abuse
"If someone were to go to send.firefox.com at the moment, they would be greeted by the little screenshot I have at the top of the security news in our show notes, which reads: "Firefox Send is temporarily unavailable while we work on product improvements. We appreciate your patience while we make the Firefox Send experience better." And Leo, I think you did just go there. Did you? Yes, and there it is. So, boo, because I really love Firefox Send. It's my go-to. Yes, it's become my go-to file sharing service. The good news: it'll be back. The bad news is why it went away. Just to remind our listeners, we've talked about it before: it allows files of up to one gigabyte, if you're not signed in, or two and a half gigabytes if you are, to be locally encrypted in the browser, optionally password protected so that only the recipient is able to retrieve and decrypt the sent file. You get retention controls allowing the sender to set the time, that is, the duration, and/or a download count, after which that content will expire from the Firefox Send cloud and be removed. Unfortunately, as with anything that is simple, free and effective, like, think email, it's also subject to abuse by nefarious forces. The bad guys also love Firefox Send, because it lets them generate short-term links based on good-looking trusted domains for sharing arbitrary evilware to unwitting victims. So thanks to Firefox Send, the bad guys don't need to set up their own file sharing server, you know, and, like, try to get a legitimate-looking URL domain. They don't have to worry about making sure that URLs expire automatically; Mozilla does that for them. And links that only work once create an extra challenge for security researchers: even if the malicious URL is captured in a log, by then it's probably been used, so it's not possible to go back and obtain the original, because it's been removed already. And of course, since the IP is one of Mozilla's servers,
it's not one that anyone wants to just put a blanket block on. You know, I was going to say they wouldn't want to blacklist it, but I'm working to be better. Over the past few months, Firefox Send, it turns out, has been used increasingly to store payloads for all sorts of cybercrime operations, from ransomware through financial crime, banking trojans, spyware, and used to target human rights defenders. FIN7, REvil, also known as Sodinokibi, Ursnif, which is also the Dreambot network, and ZLoader are just some of the malware gangs and strains that have been seen hosting payloads using Firefox Send. As a consequence, the cybersecurity industry has finally tipped its collective hat to Mozilla for suspending what has become a widely used and, unfortunately, now only abused service. You know, Mozilla didn't just say, oh, you know, we recognize there's a problem, we will be considering some changes in the future. They just shut it down. They said, okay, we're just going to stop making it available until we can, you know, upgrade it. Cybersecurity researchers have suggested various changes to strengthen the service. One is to add a "report abuse" button, so that flagging or killing malicious links could be made much more quick and easy. What Mozilla said in their statement about this, they said: "Before relaunching, we will be adding an abuse reporting mechanism to augment the existing feedback form, and we will require all users wishing to share content using Firefox Send to sign in with a Firefox account." So it's sad that once again we see the Internet's inherent anonymity being abused and then having to be restricted. It was cool to be able to send up to one gig with a twenty-four-hour expiration without needing an account with Mozilla,
even though I have one. But just as Zoom was forced to limit what they would allow to be done with full anonymity, so too now has Mozilla. And as we know, even requiring an account is not a very high bar, and my sense is it's not going to be very effective, but at least it will help a bit, and it will help Mozilla to say, hey, you know, we've done all we can. We're doing, you know, we're doing all that we can do.
Presidential authorization for US Cyber Command action
"US President Trump said in an interview with The Washington Post, published late Friday, that he had authorized a US Cyber Command response to Russian interference in the 2018 midterm elections. The Post had reported on the cyber operation in February 2019, sourcing the story to unnamed US officials, but this is the first time the president has claimed direct involvement. The attack knocked the Internet Research Agency offline in a demonstration intended, it was said at the time, to show the Russian government that cyber operations, particularly influence operations, would not be cost-free. The New York Times says the 2018 operation was intended as both a deterrent and a realistic test of US capabilities against an actual adversary.
How to become a malware analyst
"You started out in kind of this, you know, sort of loose umbrella organization, the security checkpoints and stuff, but obviously it was a big jump between what you were doing there and moving up to a CTO and infrastructure manager and so forth. So you started configuring networks for small businesses, so, like, what were some of the major sort of stepping stones where you went from this area of knowledge, and then you've got, you know, this much higher tier? What were some of the sort of transformative things in your career that got you to where you are now, where you're starting companies and so forth? Yeah, so when I was twenty-three, twenty-four, twenty-five, I can't remember the age now, one of the big challenges in the olden days, I should say, was malware, mostly through email. It was a constant challenge. It seems we would buy a firewall, we would change it, we would buy a better antivirus, but it continued to be a constant challenge to the businesses. How could we stop malware, which was the biggest thing back then, from coming into the network? And we kept buying products, and it kept going on, and we kept asking for more money. And why? Why did you spend this much money on this? And so from that I decided that I wanted to follow the logic, which was: I don't think this should be a business issue, it's a technology issue, and if I was running a technology company I could do whatever I wanted, and then we could change the whole thing. So I started a company, "Hold at sleep", which was an email security company, and the idea was to move email security into the cloud, at which everyone looked at me like I had a headset on. Quarantine is selling. It's good to get quarantine in the cloud. That was the mentality, to make it a subscriber solution. I started that company; as a CEO, I became CEO, we took investment,
and we grew fast, not completely, I think, in the dot-com days, to the embezzles, and not later it became, I think, FuseMail, which is now under VIPRE, that's still going somewhere. That's going on fifteen years. Nice legacy! From that, I got very involved in some government stuff, some logic at the right. It was the time I was inspired by security advisement; I advised a full, many large companies, and I helped trying to secure environments, in addition a lot of recovery, ransomware, which came after the next is a lot of breach recoveries, breach detection, I'm cigarette. And one of the things we always still route throughout my twenties, I guess ninety now, getting more than twenty-nine thousand eight, is: it's always malware. So whether it's somebody opening an email attachment, whether it's pushing out, like, WannaCry in 2017 or the like, it's always malware, that's the pain point for everybody. Okay. Well, let's jump right into that, then. Our topic today, specifically ransomware, but malware in general, so we've spoken about ransomware on past episodes. We had a great episode a while back, we might re-release it, with Christiaan Beek of McAfee, who also talked about the No More Ransom organization. But certainly, as you say, malware, ransomware, aren't going away anytime soon, and they're always sort of staying one step ahead of cybersecurity experts and, you know, sort of counter-malware methods and so forth. We're always putting a new sort of malware of the week up on our resources site, and all sorts of crazy things, things like air-gap jumping and all these new technologies that, you know, get added to things. So what is the state of ransomware at the moment? Do you think it's gone down, stayed up, stayed the same in the age of COVID-19, people, you know, being in decentralized locations and working from home and things like that? Does that make people more or less susceptible, do you think? So I know.
Unfortunately, it's gone up to an extreme level. Probably the highest jump we've seen in the last three years has happened in the last three months. Okay. That stems from various things. One is we've now, the perimeter is now gone, where, it's not gone for all, but the people who are outside the perimeter used to be the more technically savvy sales guys, who used to get with technology and the threats. Now we've taken call centers outside of the perimeter. We've taken people who are paid the lowest salaries outside of the perimeter, so they've lost a little bit of perimeter security. We've seen massive amounts of increase in things coming through, but more money things executed. The other huge contributing factor is nobody knows what's normal at the moment anymore. Nobody knows: is it normal to get an email from my CIO saying, you're working Sunday? Because normally they're managing, sitting across the room, whereas when people are home, even the most tech-savvy people get these emails: enable macros, download this file, oh, you need to get access to this site, I'm making a diving. It's not actually the CIO, it's malware. People get tricked into doing things that they traditionally do.
Microsoft pushes fix for two vulnerabilities in the Windows Codecs Library
"US-CERT posted last Tuesday, on June thirtieth: "Microsoft has released information regarding vulnerabilities," and they're oddly low-numbered, so apparently Microsoft has known of them for a while, they're CVE-2020-1425 and 1457, the CVE designations, "in Microsoft Windows Codecs Library." They said this contains updates that are rated as critical. "Remote attackers leveraging these vulnerabilities may be able to execute arbitrary code. For more information on the vulnerabilities, please refer to the information provided by Microsoft." And of course it's like, oh, what's this? Because, again, this was out of cycle. This is the end of June. They didn't even feel they could wait a couple of weeks until July's updates, apparently. So both of the advisories on Microsoft's site have the same title, "Microsoft Windows Codecs Library Remote Code Execution Vulnerability", that's for 1425 and 1457, and the disclosures are almost identical. But of course, at this point, our listeners are no longer surprised to learn of a fatal flaw in a media codec. As we know, codecs are complex interpreters of a compressing encoder's metadata. It's truly difficult to make a codec both screamingly fast, as they need to be, and also careful at the same time. Being super careful means checking everything, and checking everything takes precious time when a codec is, by its nature, often racing the clock. So, what made these stand out, aside from the fact that they were once again patches for an out-of-cycle critical remote code execution vulnerability, and the second one is an information disclosure, was the fact that Microsoft indicated that the updates would not be available through Windows Update, nor through the Windows Update Catalog. No, these updates would be provided through the Microsoft Store. And as well as, like, what? Users are instructed to click on the little white shopping bag
on the Windows 10 taskbar, and I'll note that none of my Windows 10 taskbars have little white shopping bags, but that's another story. Then you select "More", "Downloads and updates", and then "Get updates". In their disclosure, Microsoft wrote: "A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory." Okay, no surprise there. "An attacker who successfully exploited the vulnerability could execute arbitrary code." Right? And the other one, a slight variation, same boilerplate: "An attacker who successfully exploited the second vulnerability could obtain information to further compromise the user's system." And in either case they say: "Exploitation of the vulnerability requires that a program process a specially crafted image file." Right, so it's the evil image, which is what you'd expect a codec to barf on. "The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory." Then they wrote: "Affected users will be automatically updated by Microsoft Store." And according to Microsoft, "users who want to receive the update immediately can check for updates with the Microsoft Store app." That's the clicking on the little white bag that I talked about before. And I was thinking about this. I suppose it makes sense for store apps and extensions that are sourced by the store, even when they are provided by Microsoft, to be updated through the channel that the user used for their original delivery, and that's especially the case for third-party apps being updated. I mean, Microsoft would not want to be hosting updates of third-party apps through their own operating system and app update channels, that is, Windows Update and the Update Catalog. So the store it is. Both updates were privately reported and are not known to be used in the wild, so it's not clear to me why the emergency. But the fact that it was on the thirtieth, which was a Tuesday, am I right? Yeah, it was a Tuesday,
maybe that was a deliberate like store patch Tuesday new thing that is going to be happening. The problems exist in. Excuse me. The H., E. V. C. video extensions and they're not free, surprisingly ninety nine cents if you want that from the Microsoft store. Maybe a You'll you'll get them. As part of an of another package provided there, there's like actually two different instances of H. E. C. on the store once for ninety nine cents and one says it's provided by other software. The FCC extension apparently not very popular read only two and a half out of five stars and Microsoft's description says play high efficiency Video Kodak. That's what HIV stands for. In any video, APP, on your windows, ten device, these extensions they say are designed to take advantage of hardware capabilities on some newer devices, including those with these Intel seventh generation, core, processor, and newer GPU to support four K and ultra HD content. They said for devices that don't have hardware support for H. E. V. C. so a software Kodak to enhance what you have on your system. and. This was sort of a new designation for me. And actually. We've already gone to the to the Kodak beyond this, but wikipedia explains the HEC. This high efficiency video coding is also known as H. Dot, two, six, five, and also MPC age part two video compression standard designed as part of the M Peg h project as a successor to the widely used ABC. which is what everybody is now using that's H. Dot, two six four, which is MP for ten, so and and wikipedia finished in comparison to ABC H.. E. V. C. offers from twenty five to fifty percent, better data compression, the same level of video quality, giving it substantially improved the equality at the same bit rate. Okay so. if you're curious to know, and it turns out, you may need to be curious whether your system or any system might have the H.. Video! Extensions installed. And, if so, which version you, there is a power. 
Shell Command the which will tell you, so you'd open power shell. Probably do it with Admin because why not and then it's I, have I have the command in the show notes if you're interested, but it's get high hyphen APP x Package Space Dash Name Space Microsoft Dot H.. E. V. C. video extension. When I entered that into my win ten machine. I got nothing. It was just blank in return, but the repaired versions of the HVAC extensions one point zero point. Three one, eight, two, two dot, zero or three, one, eight, two three dot zero. and so since I don't have a my power shell just exited returning nothing. Some commentators have observed that this new. Store Windows store channel for releasing critical updates outside of the normal window security update distribution channels. Though I noted I could see why it happened. It made sense is understandable, can cause trouble in enterprise settings where certain windows features and windows store. Probably. I would imagine the store more than anything else may have been deliberately disabled by enterprise policies, and for such companies who have purposely disabled, the Microsoft store and the Microsoft store automatic up up. Up Updates. Those vulnerable computers will not receive fixes without the removal of that policy and in Fact Computer World's Industry Fixture Woody Leonard. Over in his ask, woody column was far less patient with this and much less understanding that I was about. Like I could understand why that was the windows store. One of the replies to his posting noted that this optional hec Kodak exists by default in Windows clients. Editions since eighteen o nine, except the N. and the lts's editions I do have the Lt Tse. The Long Term Servicing Channel so that explains why my power shall query came a blank. But assuming that's the case. 
it would be probable then that any normal windows eight, hundred, zero, nine, nine, hundred, zero, three, nine, hundred, Ninety, nine and twenty, four would have the vulnerable Kodak installed. Yet presumably be unable to get it updated if the user or an enterprise had determined that they had no interest in the windows store, and had consequently removed and or disabled, it It's exactly the same as if we could uninstall windows update, which, of course we can't because we need. We need windows updates so. It'll be interesting to see if like what happens with this Woody wound up his post by writing quote. The distribution method is riddled with all sorts of obvious holes. He said I mean anybody with any sort of updating. Experience should have been able to compile a list of half a dozen ways that this could go wrong. And he finished yet another unholy mess, and actually he also he used some of the content in his kgab computer world. Call him where he just really raked windows Microsoft for the debacle of the June windows update with all the printer issue. Basically all the things we've talked about and touched on, but ooh being much less. Forgiving, either even than I am
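The Get-AppxPackage check the host describes, extended into a small report as an added example (not the show's own script): is the HEVC codec installed, is its version at or above the fixed builds named in the episode (1.0.31822.0 / 1.0.31823.0), and has Store policy been switched off so the fix cannot arrive? It assumes the wildcard also matches the OEM-supplied package name Microsoft.HEVCVideoExtensions (the second Store listing mentioned), and that the two registry values checked are the standard Store group-policy settings.

```powershell
# Added example (not from the podcast): report HEVC codec patch status and
# whether Store policy blocks the fix from arriving.
# Assumptions: Microsoft.HEVCVideoExtension* also catches the OEM variant
# (Microsoft.HEVCVideoExtensions); RemoveWindowsStore / AutoDownload are the
# standard Store group-policy values; -AllUsers needs an elevated session.

$FixedVersions = @([version]'1.0.31822.0', [version]'1.0.31823.0')
$MinimumFixed  = ($FixedVersions | Sort-Object)[0]
$StorePolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'

function Get-HevcPatchStatus {
    param([switch]$AllUsers)

    $packages = Get-AppxPackage -Name 'Microsoft.HEVCVideoExtension*' -AllUsers:$AllUsers

    if (-not $packages) {
        # The empty result the host saw on LTSC: the codec is simply not present.
        return [pscustomobject]@{
            Name    = 'Microsoft.HEVCVideoExtension*'
            Version = $null
            Status  = 'NotInstalled'
        }
    }

    foreach ($pkg in $packages) {
        $ver    = [version]$pkg.Version
        $status = if ($ver -ge $MinimumFixed) { 'Patched' } else { 'Vulnerable' }
        [pscustomobject]@{
            Name    = $pkg.Name
            Version = $ver
            Status  = $status
        }
    }
}

function Get-StoreUpdatePolicy {
    # RemoveWindowsStore = 1 disables the Store app entirely;
    # AutoDownload = 2 turns off automatic download and install of Store updates.
    # Either one means the Store-delivered codec fix will not arrive on its own.
    $policy = Get-ItemProperty -Path $StorePolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        StoreDisabled      = ($policy.RemoveWindowsStore -eq 1)
        AutoUpdateDisabled = ($policy.AutoDownload -eq 2)
    }
}

Get-HevcPatchStatus -AllUsers | Format-Table -AutoSize
Get-StoreUpdatePolicy
```

A machine reporting Vulnerable together with StoreDisabled or AutoUpdateDisabled is exactly the enterprise case the hosts worry about: the vulnerable codec is present and the only delivery channel for its fix is turned off.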
EncroChat user experience includes getting owned, going to prison
"I think it was a couple of months ago, actually, that we talked about this EncroChat phone network. This is an encrypted, like, modified Android phone that was marketed to criminals, people doing their super-secret high-end drug deals and stuff. They got owned pretty hard a while ago and wound up actually shutting down. They pushed out notifications to all of their customers saying, yeah, don't use our phones anymore, we're just gonna close. Turns out they did get owned, looks like by French authorities, but the resulting arrests have started, and it's just, I mean, this is big. This is amazing. Yeah, this story certainly has gotten bigger and bigger the more we hear about it, and yet they got well and truly owned by the French. It does seem like they had deployed malware out onto the individual phones, using that to be able to scrape up conversations and photos and all the other information being exchanged, before it was encrypted, before it was sent out over the network, and had been doing so for quite some time. Yes, and then the fact that it managed to last this long. Yeah, because there's been a whole bunch of raids and a bunch of groups of criminals wound up all over Europe through this cooperation. In fact, that they managed to keep it kind of under wraps as long as they did is pretty impressive as well. Good, good op, but yeah, just a really, really interesting story. And some people are asking about, you know, what does it mean to be able to do, you know, lawful intercept in this manner, by going out mass-compromising edge devices without the cooperation of the manufacturer? And it's an interesting comparison to the other crypto wars going on about end-to-end encryption, or, you know, how adversaries, in this case law enforcement, move around the network to be able to go where the data is. Who cares about end-to-end?
Own the edge devices, and this is just such a great example of that. It is, but I mean, the huge irony here is if they were using Signal on iOS, that'd probably... most of them would have been fine, right? Well, of course, yeah, that is kind of funny. Presumably iOS remote exploits that you could use for the deployment would probably be more expensive than whatever it took to own EncroChat, and they'd have picked off some of the top people, but they wouldn't have got, like, I mean, a lot of people are getting arrested here. I actually asked Joseph Cox, Joe's been doing great reporting on this, in fact, and actually asked him to tell me what he thinks is significant about all of this, and here's what he had to say. "I think what's different here when it comes to the EncroChat operation, as opposed to other technical investigations by law enforcement, is the sheer scale. I mean, we're not talking about a single dark web marketplace with some admins, some sellers of cocaine, that sort of thing. This was the technical infrastructure for a large chunk of organized crime across continents. We're talking hitmen, money launderers, drug traffickers; basically the real career criminals used this phone service, and it's very hard to overstate how big of a blow this is to them. People are trying to escape from the countries that they're in, people going to ground. There is going to be likely severe disruption to the bulk drug trade with this." So, yeah, turns out the EncroChat user experience is not quite what people signed up for. Some of the arrests have been spectacular. I mean, there was one where tons of coke were seized.
We've got twelve hundred kilos of meth. But probably the one that really caught my eye, actually this news just broke this morning: Dutch police actually found some shipping containers, one of them was set up to be, like, holding cells, and another one had, like, a dentist chair in it and bags full of pliers, and it was like a torture chamber. And they even had collected intelligence on who was due to spend some time in this special shipping container, and warned them, often sent them into hiding. But I mean, yeah, it looks like really heavy, bad crooks have all been getting busted here.
From Ransomware To Blackmail, With Assaf Dahan
"We're gonna talk in this, you know, short conversation that we're going to have about one particular topic which I found, as I said, very interesting, and that's the shift from ransomware to blackmail, a very new development in ransomware. So let's start from the basics. What's the basic difference between ransomware, or a ransom, and blackmail? So it's a very good question, so we'll start with some definitions, nuances in the English language, before we dive into our world of ransomware. So a ransom is a sum of money that is paid in order to release the captive, which could be a person; it could be an encrypted file, for that matter. Right. Whereas blackmail is a criminal offence where there's a payment or benefit that is paid in return for the criminal not revealing compromising, damaging information about the victim. So that's an interesting nuance to keep in mind. Now, when it comes to our world of ransomware, what we've been seeing is that the ransomware operators, the cyber criminals, are facing some problems sometimes with getting the money, getting paid. That could be because of legal or ethical reservations or restrictions. Some organizations are prohibited from paying a ransom to cybercriminals or cyberterrorists. Governmental agencies, I'm guessing. For instance. There's also a lot of ethical issues; some organizations believe that if they pay, you know, it doesn't stop the attackers from coming back and demanding more ransom, so it's a never-ending vicious cycle of payment. Plus, you're never totally sure that even if you do pay the money you'll get the information back. Exactly. And also in recent years, since the surge of ransomware, we see a lot of organizations actually implementing good backups and disaster recovery plans, so a lot of the organizations can partially or even fully recover their data without paying.
So ransomware operators needed to find a clever way into making the victims pay, a way to twist the victim's arm into paying, and here comes the blackmail part. So what they're doing is not only encrypting the data, but before they encrypt it, or even after, they exfiltrate ridiculous amounts of sensitive data about the company, about the financial statements, employees, customers' data, super sensitive information that is under almost every regulation. You know, a company like that would be fined if the information got out. Right. And also there's reputational damage. There's a lot of collateral damage there. So what we've been seeing is that a lot of ransomware operators, such as the REvil group, Maze and other types of prominent ransomware, are doing this shift, and they now have, like, blogs in the dark net, such as the Happy Blog of REvil, where almost every day they are auctioning data of their victims, basically with starting prices ranging usually between, like, twenty thousand dollars to fifty thousand dollars, and it goes up and up and up and up. So you mean they're auctioning data from companies which refuse to pay the blackmail, and now they're making money off of auctioning that same blackmail data? Yes. This is so clever, deviously clever, but very clever. So if you didn't wanna pay us at the beginning to recover your files, no problem, we're gonna auction it. We're going to offer it to the highest bidder. So in that way they're twisting their victims' arms into paying. So a lot of the companies will do it covertly; there's also the question of whether you pay or don't pay, and a lot of companies, even if they paid, they tried to make it very hush-hush. And that way, you know, it's very hard not to pay. You have all this data about your customers, about your intellectual property, about your financial statements; all of that, if it's out there up for grabs for the highest bidder, you wanna make sure that you pay that ransom or blackmail fee.
Do we know, or can we estimate, what percentage of the companies choose to pay versus those who choose not to pay the blackmail? Well, it's very difficult to estimate because, as I mentioned before, it's probably not the proudest moment of a company when they have to pay a ransom. Some of them, even if they're paying the ransom, eventually wouldn't admit it; they do it in a hush-hush manner because of fear of legal and reputational damage. So even if companies do pay, very few will actually admit it, so we can't really know what's going on out there. But what we do know is that a lot of organizations do pay, just because if you track, you know, bitcoin wallets and you see, you know, cryptocurrency transactions, you can see that the wallets of the cybercriminals, especially ransomware operators, are increasing. Their annual revenues exceed even a billion dollars in some years. So, I mean, someone has to pay. This money cannot all come from individuals. Usually the bigger pay-outs come from companies and organizations; that's where the real money is.
Jonathan Luff on Co-Founding an Incubator for Early-Stage Cybersecurity Companies in the U.K.
"I'm not by background a tech person. I come from a liberal arts background; I studied politics and languages at university, and I was fascinated by international affairs. I was always interested in history and politics, and that developed into a study of international relations. So I studied at two universities in the UK: Newcastle, which is in the north of England, and a Master's degree at Bristol University in the south. And it was really while I was at Bristol that I developed an interest in joining the Foreign Service. I sat exams for the Foreign Service while I was at university there, and I joined the British Foreign Office in 1998, and that took me on a fascinating professional journey. I had the opportunity to study Arabic while I was in the Foreign Office, and that took me to the Middle East, where I had a couple of postings, including some time spent as adviser to UK and US military forces during the war in 2003. And over the course of my government career, over the course of my Foreign Office career, I increasingly focused on national security issues, so, you know, things like counter-proliferation, counter-terrorism and cybersecurity. And so that really took me further towards the work that I now do. But really my leap into the startup space, and the work that we now do with cybersecurity companies, that was triggered towards the end of my government service. I spent a couple of years as an adviser in Downing Street, the Prime Minister's Office; that was 2010, '11, '12, and around that time there were a number of reviews taking place into UK national security, and from that flowed some very interesting work around cybersecurity as a tier one national security threat, and, you know, I was involved in some of that work. And after leaving government I decided to make it one of the things that I would focus on. And so what are you involved with today?
What is your day to day like these days? Well, since 2015, with my co-founder Grace Cassy, who was another friend of mine from Foreign Service days, we wanted to put in place a way to support entrepreneurs in the early days of establishing a cybersecurity company. We had seen in our time in government that this was one of the most important challenges and opportunities of the decade, and we felt that there weren't really any systems or structures in place to provide the support that was needed. This is a fascinating, complex area of technology and business, and while there were, you know, some fantastic institutions in the UK, and there were already a number of significant companies operating in this space, we couldn't see the number of innovative new companies emerging that we expected to see, and that we'd found in somewhat more mature ecosystems like the US and, to some extent, Israel. So we started CyLon, and CyLon was, in the early days, an experimental accelerator modeled to some extent on programs like Y Combinator, but dedicated to cybersecurity. So we initially ran a three-month program in London, and it's really grown from there. Over the last five years we've run ten programs in London and four programs in Singapore, and we've had one hundred companies come through those programs. And so we spend our days running those programs, finding and supporting those entrepreneurs, and then continuing that support once they leave the program. Can you give us some insights on the state of cybersecurity and entrepreneurship there in the UK? Yeah, well, I think it's developed significantly, certainly over the ten years that we've been really focusing on this, and definitely we've seen that over the five years we've been running CyLon. There really wasn't a community of cybersecurity startups here in the UK back in the first part of the last decade.
We've helped to catalyze that community here, and there is now a thriving startup ecosystem right across the range of technologies, but definitely in cybersecurity. And I think there are now some really quite successful companies that have been set up and developed here over the past five years, and it's now very much part of a broader technology ecosystem here in the UK. And part of the reason for that is that the UK has a good reputation in this space, but it's also a good place to set up a business if you're from somewhere else. It's been a draw for talent globally, and we certainly saw that in cybersecurity. We could see the talent in cybersecurity was very much distributed around the world. It wasn't just in isolated pockets, and we found many people wanted to come and join our program and get their business started in the UK. And as a result there are now, you know, tens, if not hundreds, of interesting small companies in this field. Is there even a geographic advantage of being where you are? I'm thinking you're sort of, you know, equidistant to some of the other important centers of cybersecurity. There's no question. I think, you know, Greenwich Mean Time has been a competitive advantage for the UK in many different areas of business and finance over the centuries. I think it gives us a genuine advantage being, as you say, in time terms, sort of equidistant between the economies of the Americas and those of the Middle East and Asia, and that definitely helps. You know, having the economies of Europe on our doorstep, and, you know, for the last forty years at least, strong connections to those economies has been helpful. London has been a melting pot for anybody trying to start a business, seek finance, and I think, you know, the world does come to London, or at least it did until we were hit by the pandemic. I
think it will nonetheless emerge from the current crisis as one of the world's great global cities, and so, you know, geography matters in business and has certainly been helpful to the development of the cyber ecosystem here.
Solving hard problems and pursuing your passions.
"My name is Matt Devost, and I'm the CEO of OODA LLC. I was writing a lot of my own programs. I grew up in a very rural area, so, you know, I didn't have exposure to some of the early BBS systems, and actually my first computer did not have a disk drive or any storage medium, so I would spend all my time programming, filling all of the available memory on that Commodore 64 with different applications, and had written a menu application that would kind of let me jump between the different sections. And then I would cry every time we lost power, which was quite frequently, because I would lose everything that I had coded into the device the minute it was powered off. I was lucky; again, I was in a very rural area. There were nineteen people in my graduating class, and there was nothing offered from a computer science perspective. But when I expressed interest, my high school math teacher actually went in the summer to learn how to teach computer science, and then would come back and teach me. That interest adapted over time. When I got to college I focused on not only computer science but also national security studies. I became very interested in how things work and taking them apart, and, you know, that was kind of my early entree into kind of true hacking, looking at other people's programs and other people's systems. And I happened to see this convergence between the two topics that I love, and if you think back to the early nineties, really the combination of political science and computer science was all around statistics and analysis. And I saw this new career field, or at least I hoped, based on what I saw, which was increasing use of computer technology in critical things, so critical infrastructure, society, finance, etc., and then the inherent vulnerability of those systems, because I was capable of hacking them.
The friends that I was meeting were capable of hacking them, and then if you combine that with my national security focus, I saw this as a new national security bull boats. I started writing on that topic back in 1992 and attracted a tremendous amount of attention to myself, because as one of the early people to highlight the risks of what would become information warfare, cyber war, I was viewed a little bit by some of the folks in the national security circles and intelligence community as kind of the equivalent of the kid building an atomic weapon in his garage. I was coming to the same conclusions and researching the same things that they had identified at the same time as this key national security risk that they were trying to keep under wraps for the most part. There was quite a bit of friction at the time. You know, for example, in 1993 I graduated from undergrad and went straight into grad school and got a master's, or was pursuing a master's, in national security studies and political science, and the political science team at my graduate school basically told me that the topic of information warfare was not valid from a thesis perspective. So it would have been easy to give up at that point, but I was persistent, and I had folks who were advocating for me and telling me, look at issues of command and control warfare, or look at this, or who were kind of giving me pointers to kind of redirect my research. It also gave me some great experience. I built a red team that emulated the adversary during classified coalition military exercises, and during that red team was the first person to hack into systems on an aircraft carrier while it was at sea. We did that with a nuclear submarine. These were very headline-invoking; the work we were doing at the time wasn't covered in the press, but internally at the classified level within DoD, these were significant wake-up calls.
My favorite part is solving hard problems. I like being in the room when we're confronting something that seems almost unconfrontable, and working through the process of how do we adequately address that. So I really thrive on that kind of red teamer perspective of: give me something that you think is one of your most difficult things to achieve, most difficult realities that you face, and let's build some approaches for how you are able to take advantage of it. If you have the interest and the passion, by all means: we have the need within the community. We have a workforce that just doesn't have the numbers by way of the professionals in it, so I would encourage folks: if you have the interest, get involved. You have to engage in self-learning. Certifications are great. It's great to get on-the-job experience, but I always like to look at the folks who built a basement lab, or set up their own AWS cloud infrastructure and were hacking against that. So I would encourage them to take advantage of the opportunities that exist for that self-directed learning as well.
No magic wand for business email compromise (BEC)
"Sadly, it's not possible just to wave some magic technology wand and make BEC go away. It's a complicated and diabolical problem, but as a company with a specialty in email security, Proofpoint is expected to at least help its customers and clients get on top of it. Now, obviously, a lot of this stuff comes down to training and process and things like that, right, so you can't just buy a product and it magically goes away, but there are things you can do as an email security provider to help, right. So, yeah, in this conversation you'll hear us talk about the problem and also about Proofpoint's approach in trying to minimize BEC, or try to make a dent in it. I'll drop you in here, where Ryan is explaining that BEC scammers these days aren't necessarily trying to go for giant paydays that can be clawed back, right, like there was that Facebook one years ago. When one steals one hundred million, people tend to notice. And, you know, they're not trying to do a million small payments either; it's really about hitting targets for just the right amount. Here is Ryan Kalember. "It's really more about finding a sweet spot in between, when it is too large to be easily transferable and too small to be economically meaningful. And what we're seeing now, in 2020, is things like payroll diversion, right, payroll diversion. If you add up the number of payroll diversion social engineering attempts that we stop a day, and just sort of multiply that by the average pay packet, that's millions and millions of dollars every day. But it's those sorts of numbers that become really repeatable and really successful for the type of cybercriminals we're talking about here. We're not talking about apex predators; we're talking about something that is broadly democratized across the cybercriminal world and is available to a huge number of groups operating worldwide." So what is the sweet spot in terms of monetary value? Right, like, where is the median level that you can do this and not set off fraud
controls, I guess, you know. Let's do a step by step on how to do really good BEC, right. "It is interesting because you have certain groups operating at scale where they really wanna steal a few thousand at a time, because they know that with a big company that's just breakage, right? They're just gonna chalk it up as a minor loss and then move on. But that's it. There's a fair amount of them that are a little bit closer to the big game hunting trend on the ransomware side. One I remember in particular was an organization that basically set up a very, very convincing fake version of the contractor that was building a brand new hospital, and they spent months actually going back and forth before they knew a large payment was going to get moved. And then they knew actually how much time they'd have between the payment going through and somebody noticing the payment had not actually shown up yet, and they social engineered the payment to come across three weeks before the bill was actually due, and then they had three weeks to move that money in as many places as possible, and none of that got recovered. So those are the ones, and those kind of represent, I think, the two ends of the spectrum. Anyone who is as spectacularly unlucky, or lucky, as, what was he, the Estonian, or Lithuanian, guy that went after Facebook and Google is probably on the wrong end of that spectrum, but that's just not happening that often lately."
Apple forces the industry down to one-year web browser certificate lifespans
"February We talked about apple's surprise announcement during the CA Browser Forum. That in the future. And this was just unilateral that in the future it. First Affari on all of its platforms would rejecting any web server certificate having a not valid before date, which is technically the way the the date ranges stated, so it's very clear, not valid before. Date after August thirty first of this year of Twenty Twenty! And, which has a certificate lifetime greater than total lifetime greater than three hundred ninety eight days, so in other words starting just two months from now that is to say from September first on all CA certificates issued for use by web. Browsers must be issued with a one year plus thirty three days lifetime or shorter, not longer so this is the death of the more arguably convenient two or three year web server search that we've traditionally been using. Essentially sort of apple, biting the bullet and pushing an issue that the various non certificate authority participants in the so-called. The CAB forum to see a browser forum had been asking for for a long time. Google had put forth this issue. This measure for a vote at at the prior meeting and it had been in voted down. In a partisan vote by the certificate authorities said No. We don't want to shorten. Server certificates to a year. Well, Apple said okay tough. We're just we're just knocking on. Accept any and arguably safari is strong enough that Basically. They forced the issue so. When I talked about this initially in February. I discussed the many implications of this in great depth and detail so I'm not going to go into all that again if anyone. has joined us since then or wants a refresher. It's back in February. The reason this is back in the news. Is that now? The other two significant browsers in the industry, Mozilla and Google. Premium based offshoots of of Google's chrome browser have also announced there exactly aligned policies yes. Roy. Resting Wow. 
Yes that'll Ryan sleepy. Yeah he posted in. As sort of like they're, they're equivalent of things. We're going to change in the chromium blog. He said in force three ninety eight day validity for certificates issued on or after twenty, twenty, nine, a one September first of this year, and then the body of the messages enforce publicly trusted t LS server certificates have a lifetime of three hundred ninety eight days or less, if they are issued honor after you know September first twenty twenty and he said certificates that violate this will be rejected with an and the error. is error certificate validity too long and we'll be treated as miss issued. And also following up. Mozilla is Kathleen Wilson posted. Limit Reuse of domain name verification to three ninety five days and that was. A pound two. Oh six. And I think she did say three ninety five. I copied and pasted so that they're off by three three ninety eight. I believe that because our member three thirty one year plus thirty three was. That's just sort of give people a little bit such room. So. There is a long and very interesting discussion for people who've like such things. among the industry insiders who are the ones who make these essentially earthmoving decisions so I've included the Google groups discussion through a link in the show notes for anyone who's interested. I. Mean It's you know it's back and forth and a lot of discussion, but basically it comes down to well. You know this is what we wanted. Thank you apple for a biting the bullet. I. WE'RE ALL GONNA. Jump on board, so I mean so. And you know th the certificate authorities will end up changing their model rather than like for example you having to have a a cash transaction annually. You'll be able to. Purchase some block of time that you WANNA have certificates from them. And I imagine since that does create a little bit of lock in that they may extend that. You know they may say. Hey, we know. 
Stay with us, commit to staying with us for ten years, and we will lower the per-year cost of certificates. And then it'll be like, you know, you log into your account and basically reissue a certificate before the one you have expires. What this will also do: we always run across instances where people are forgetting, or sort of like it lapses, or maybe it's a holiday, or it's a COVID-19 event; one way or the other, server certificates are expiring, and they're finding out only when people are screaming that they can no longer access the website. So maybe it being an annual thing, as opposed to, for example, every three years, which maybe you're more likely to forget, that might help prevent that.
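As an added illustration (not from the show, and not Apple's, Chrome's or Mozilla's own code), here is a small Python check of the validity rule described above, together with an expiry-reminder helper for the lapse problem mentioned at the end; the function names and the 30-day warning window are my own assumptions.

```python
from datetime import datetime, timedelta, timezone

# Added example. Policy as described in the episode: a TLS server certificate whose
# notBefore is on or after 2020-09-01 must have a total lifetime of 398 days
# (one year plus 33 days) or less; earlier issuance keeps its legacy lifetime.
POLICY_CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(days=398)
# Error name quoted on the show for Chrome's rejection.
TOO_LONG = "ERR_CERT_VALIDITY_TOO_LONG"


def utc(year, month, day, second=0):
    """Helper to build timezone-aware UTC timestamps (certificate dates are UTC)."""
    return datetime(year, month, day, second=second, tzinfo=timezone.utc)


def check_validity_period(not_before, not_after):
    """Return (accepted, reason) for a certificate's notBefore/notAfter pair.

    Assumption: the lifetime is the plain notAfter - notBefore difference, so
    exactly 398 days passes and 398 days plus one second fails.
    """
    if not_after <= not_before:
        return False, "notAfter is not later than notBefore"
    if not_before < POLICY_CUTOFF:
        return True, "issued before the 2020-09-01 cutoff; legacy lifetime accepted"
    lifetime = not_after - not_before
    if lifetime > MAX_LIFETIME:
        return False, f"{TOO_LONG}: lifetime {lifetime} exceeds {MAX_LIFETIME}"
    return True, f"lifetime {lifetime} within {MAX_LIFETIME}"


def latest_not_after(not_before):
    """Latest notAfter a CA may set when issuing on or after the cutoff."""
    return not_before + MAX_LIFETIME


def renewal_state(not_after, now, warn=timedelta(days=30)):
    """Classify a deployed cert as 'ok', 'renew-soon' or 'expired' relative to now,
    so a yearly cert is flagged before users start complaining."""
    if now >= not_after:
        return "expired"
    if not_after - now <= warn:
        return "renew-soon"
    return "ok"


if __name__ == "__main__":
    # Constructed sample certificates (not real), one per case from the discussion.
    for name, nb, na in [
        ("3-year cert issued 2020-08-31", utc(2020, 8, 31), utc(2023, 8, 31)),
        ("2-year cert issued 2020-09-01", utc(2020, 9, 1), utc(2022, 9, 1)),
        ("398-day cert issued 2020-09-01", utc(2020, 9, 1), utc(2021, 10, 4)),
    ]:
        print(name, check_validity_period(nb, na))
```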
The Essential Skills of Evaluating and Communicating Risk
"Design when it comes to cyber risk is really difficult, because you have to incorporate that scary aspect of it. You know, everyone always worries: what if this really happens? I mean, right now we're in the COVID pandemic and everyone's worried, what if an entire country is taken out and all of our critical people can't come in, or can't even work from home? Risk responsibility design has taken that scare factor. You know, are we going to go down in flames? Are we going to go down in that plane? When you look at it, and you look at the likelihood of it, you know, what is the likelihood? I mean, I travel a lot, but I think my statistics show that I've been around the globe four times, around the entire Earth, in flight, and whatever that is, I have no idea what that means, but I'm sure it's not good for my carbon footprint. But you know, what is the likelihood that I'm going to go down in flames? You know, so we're scared about that, and we envision that, we see it in our mind, but that's really not the way to convey the risk responsibility to the decision maker. In cyber design and cyber risk, and whenever you're analyzing APTs, don't just put out fires. You've got to do that, you've got to put out the fires, but look at the responsibility design in the sense: is this really likely to happen? Are you really going to have a crash in the plane? Is the organization really going to be hit with this threat? You know, as you and I know, and as you broadcast on many of your podcasts, ninety percent of all threats come from phishing. The phishing initially, and is it really likely that the person, the perpetrator, or the group, is going to be on the initial phish to actually hook some data and actually act on it? Are they going to be a perpetrator, commit the fraud, and actually abuse the organization and their data? I don't know. I don't always know with all threats. And that's what I struggle with every day.
I think about how many of those threats are really going to happen. What's the likelihood it's really going to happen? It would be if, and if, and if, and if, and the bad guy or the bad gal would really have to be lucky to get to that point. And there's not a lot of pros in the cyber bad guy world. Well, when you're being mindful of letting your imagination run away with you, is there still a place in all these equations for a gut feeling? There is, and I think that we need to rely on that. I rely on that every day. I really don't know the answers, and I'm often presented with complex questions, and I need to respond to decision makers, and decision makers are compensating me, so I'm really worried about how I respond to them. So I do rely on my gut. I try to lean towards more of a human decision. People do good or bad things for either love or money in the world, and I think that that's very true. I know that sounds very, very basic, but I think it's true. And when I answer a decision maker, especially one that is my boss or someone who's keeping me employed, I really, really worry about that. I worry about how I'm going to answer, and I try to go with my gut feeling. I know that when you're young and you're a young professional, you don't want to go with a gut feeling. You're afraid to take risks. You're afraid to give a bad answer. I had a colleague at one of the banks I was advising for. She didn't want to take the risk on the decision. She was worried about, you know, going ahead and using her gut feeling and giving some advice to a manager, to senior leadership, and she was worried because she didn't want to make it look like she did something wrong. But you've got to take those risks. You can't do everything right. You're not a perfect employee. You're not going to make perfect decisions. As a young person, I think you've got to go with your gut instincts, and you've got to take a chance and say, you know what, I think we need to move forward on this.
We need to raise this risk. We need to loop all the people in, and maybe I'll say, oh, that was a dumb thing to bring up or something, but that's a better risk to take than letting that actual threat get into the organization and do something really bad that results in reputational risk or multimillion-dollar risks to the organization. In the end, take a chance, expose yourself, and don't be afraid to say that you can do things wrong, and you're vulnerable, and you're not always right.